Forgot your password?
typodupeerror
Crime Security IT

Hotels Lead the Industry In Credit Card Theft 135

Posted by kdawson
from the shred-everything dept.
katarn writes "A study released this year found that, of the credit card hacking cases last year, 38 percent involved the hotel industry. At hotels with inadequate data security, the greatest amount of credit card information can be obtained using the simplest methods. It doesn't require brilliance on the part of the hacker. Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to store or transmit this kind of data properly, and that starts with the point-of-sale credit card swiping systems."
This discussion has been archived. No new comments can be posted.

Hotels Lead the Industry In Credit Card Theft

Comments Filter:
  • Wait...what? (Score:1, Redundant)

    by Pojut (1027544)

    Hotels lead the industry in credit card theft.

    Wait...which industry? The hotel industry? So hotels lead the hotel industry in credit card theft?

    Redundant statement is redundant. Or poorly worded. Or just plain stupid.

    • by Voulnet (1630793) on Friday July 09, 2010 @09:26AM (#32849840)
      Pedantry. One of the disadvantages of living with a nerd.
      • by Pojut (1027544) on Friday July 09, 2010 @09:29AM (#32849876) Homepage

        And nose snorts. Don't forget about the nose snorts.

      • >>>>>Pedantry. One of the disadvantages of living with a nerd.

        Where I come from, we call them anal-retentive bastards. Or grandpas. Same difference.
        .

        >>>Wait...which industry? The hotel industry?

        "Hotels lead the [credit] industry in credit card theft." There. Fixed that for you. Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=14s [youtube.com]

        I was a victim of this. I stayed in a Motel 6 in Oregon. About two months later

        • Re: (Score:3, Insightful)

          Seems obvious because you didn't use the card ever again after that?

          I could be wrong, but if I were walking into a Walmart with a rigged-up card, I think I'd want a fresh number, something from the previous 48 hours, maybe. Sixty days seems like an awfully long time in hot-CC-number-years. If nothing else, it shows tremendous restraint on the part of a small-time criminal, most of whom can't seem to wait sixty minutes before they spend the money (unless, of course, her name badge read, "D. B. Cooper.")

    • I read the article (Score:5, Informative)

      by tepples (727027) <{moc.liamg} {ta} {selppet}> on Friday July 09, 2010 @09:27AM (#32849856) Homepage Journal
      Based on the article, it appears to mean that 38 percent of the fraud across all merchants that take payment cards involves a hotel. So the "hotel industry" is responsible for 38 percent of payment card fraud in "industry" in general.
    • >>>Wait...which industry? The hotel industry?

      "Hotels lead the [credit] industry in credit card theft." Fixed it. Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=13s [youtube.com]

      I think I was a victim of this a few years ago. I had driven to Oregon for a vacation where I stayed in a Motel 6. About two months later some guy in California spent $3500 at Walmart on my Discover credit account. Of course I didn't have to pay, since my sig

      • by Sporkinum (655143)

        This just happened to us on a trip to Colorado. We stayed at a Super 8 and a Motel 6 while there, and at a Super 8 in Omaha. About a week after we got back we got 4 charges on our card that appeared to originate in Mexico. 2 of them were blocked by fraud detection of the card issuer, and 2 made it through. As it was a debit card, we were liable for $50 of the $600 in charges that made it through. Card was canceled and a new one issued. We are also going to use a credit card instead, so the card company in o

        • >>>As it was a debit card, we were liable for $50 of the $600

          Why oh why do people continue using debit cards? If you had used a credit card, you would have been liable for *nothing*. And even if the Visa/Mastercard company tried to collect, you don't have to pay the bill. The money would be sucked from their account, not yours.

          >>>We are also going to use a credit card instead

          Good.

    • Re: (Score:1, Offtopic)

      by mcgrew (92797) *

      Redundant statement is redundant. Or poorly worded. Or just plain stupid.

      Like the guy who moderated your post "redundant". Why are people with two digit IQs allowed at a nerd site, anyway?

      • by Pojut (1027544)

        Because they would sue for discrimination otherwise. One has to wonder if they crash Mensa parties...

    • Poorly worded. I think industry is supposed to be the credit card industry, not the hotel industry.
  • by Tisha_AH (600987) <Tisha.Hayes@gmail.com> on Friday July 09, 2010 @09:26AM (#32849848) Journal

    What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.

    • they can also clone your card to a room key as well if they want to I don't think they do that by default any more.

      • by Anonymous Coward on Friday July 09, 2010 @09:40AM (#32849990)

        Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...

        • Re: (Score:3, Informative)

          by Tool Man (9826)

          Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...

          They don't need to create new, valid-looking cards on-site. Besides, all the fun stuff is replicated in tracks 1 and 2.

          The room-key card system could provide a means of swiping (hah!) customer credit cards that doesn't require the same level of auditing that the actual payment systems should have. That could give them an easy way to grab the data for later.

        • On television they showed how waitresses, clerks, and other staff snake-in a machine (looks like a cellphone) and swipe the card directly through it. They can compile about 100 numbers per day and then produce fake cards in their home basement. ----- I was a victim of this. I stayed in a Motel 6. About two months later some guy in California spent $3500. Seems obvious the girl behind the desk swiped the number off my card.

          >>>Wait...which industry? The hotel industry?

          "Hotels lead the [credit] in

      • Re: (Score:2, Insightful)

        by JDmetro (1745882)
        Wouldn't it just be easier to have some blank mag-stripe cards? One of the local computer stores sells them for $60 for a 25 pack.
    • by garcia (6573) on Friday July 09, 2010 @09:39AM (#32849982) Homepage

      We have been vacationing on Hilton Head Island for over 20 years. Back in the late 1980s/early 1990s we were ripped off in a hotel employee scam. My mother would always pay in cash. Four crisp 100 dollar bills were laid on the counter and slid across to the staffer behind for our week long stay in paradise (we always found it hilarious that it was 1/6th as expensive as a shitty two bed hotel room on the Jersey shore). This year, however, the clerk requested that we put down a credit card to cover any damages which may occur during our stay. My mother, not one for hucksters, agreed reluctantly only because a young boy of no more than 10 or 11 was whining in the backseat of the minivan about how he had to pee.

      After another excellent vacation we arrived home and a letter came in the mail with our receipt of a credit card charge in the amount of $400. My mother knowing this had to be a mistake as she had a similar receipt for $400 in cash called and explained the situation and expected it to be cleared up--after all we always paid with cash and never had problems before. After accusations of lying and trying to scam the resort out of money it was later determined that 7 or 8 other families met similar fates.

      One of the employees was pocketing the cash and charging the credit cards. We were later begged to stay, free of charge, the next summer. My parents ignored the request and we spent the next few years in a far less cozy location on the other side of the island.

      So yeah, some employees truly do suck--always have and always will.

      • by Yvanhoe (564877) on Friday July 09, 2010 @10:11AM (#32850244) Journal

        So yeah, some employees truly do suck--always have and always will.

        And should not be trusted with consumer financial data, which is a management error that is totally avoidable.

        • by homer_s (799572)
          And who is the "management" if not employees themselves?
      • by guruevi (827432) <evi@@@smokingcube...be> on Friday July 09, 2010 @10:12AM (#32850260) Homepage

        That's why I always pay by credit card from a reputable bank. You just dispute the payment and they cancel it for you. Some vendors have disputed my disputes after a quick call they have always refunded bad charges. Cash is so outdated and easy to lose.

        • Re: (Score:3, Insightful)

          by JWSmythe (446288)

          Cash may be outdated, but it's really hard for someone to duplicate your cash and make it disappear from your pocket. Credit cards on the other hand, are trivial to duplicate, and if you know the mark is traveling, it's easy to get away with charges for days before they find out there is any fraudulent activity.

          Cash is hard to lose, if you maintain proper control over it. If you aren't advertising that you carry large amounts of cash, random people won't know you have it. The

          • by radish (98371)

            The physical risk of being liberated of the cash is then just as good as the physical risk of being liberated of your credit cards

            But the amount of the loss is 100% vs 0%. I simply don't understand carrying anything other than trivial amounts of cash - why take the (small, but non-zero) risk of loss? Why deal with the inconvenience of running out at an inopportune moment? Sure I'm trading away some degree of privacy, and if that's an issue for you then fine. It's not for me.

        • That's why I always pay by credit card from a reputable bank. You just dispute the payment and they cancel it for you. Some vendors have disputed my disputes after a quick call they have always refunded bad charges. Cash is so outdated and easy to lose.

          Define reputable bank. When the idiot Lypozene scam kept charging my card, after I'd notified them to stop (in writing even), the cc company did "investigate" and reversed the charges - then added back the charges, even though I cited the fraud charges against them, simply because they claimed the Lypozene people claimed their website said what they were doing was ok.

          The bank was Chase, btw.

          • by guruevi (827432)

            I've heard similar stories from Chase so they might not be as good with it. PNC Bank also seems hesitant sometimes (will wait for the vendor to explain) but in the end always delivers. I have very good experiences with BoA (world platinum cards - immediately taking charges off the account, not charging interest while investigating), HSBC (commercial accounts) and local credit unions.

        • I keep a low-credit limit card from a large bank just for this purpose. I make various online purchases with it and use it for proof of solvency for reserving a room at a hotel or such, but never make a purchase over about $50 with it. Its very very easy to spot any fraud on the bill at the end of the month, and very easy to call and explain and have the charges removed. As a Canadian I can heartily recommend both Canadian Tire Credit and the Bank of Montreal Mastercards for being very quick and easy goi

      • by rtb61 (674572)

        Let's be fair. You take people, pay them minimum wage, a wage that provides for now future with the claim that they deserve it for not trying hard enough whilst simultaneously claiming that must fawn and bend over backwards to serve the slightest whim of whiny pretentious customers, that sort of psychological stress will result in poor behaviour.

        It would be interesting to see if this tendency is global or whether it's frequency closely aligns with with the paltriness of the salary and the attitude of cus

      • My mother knowing this had to be a mistake as she had a similar receipt for $400 in cash called and explained the situation and expected it to be cleared up--after all we always paid with cash and never had problems before. After accusations of lying and trying to scam the resort out of money it was later determined that 7 or 8 other families met similar fates.

        Your mother called who? The hotel, or the credit card company? You'll almost always have better results (and fewer accusations of lying) with the lat

    • by NoPantsJim (1149003) on Friday July 09, 2010 @09:56AM (#32850148) Homepage
      I used to be one of these night shift people. I was definitely underpaid, but I used my spare time on the job with a laptop and a book learning to program.

      Here's the scary thing, plenty of people made it extra, extra easy for an employee to steal. We had this ridiculous backup process that had to be run nightly which would make our computers inoperable for about 90 minutes. If someone with a reservation came to check in I could do so, but any walk-ins would have to wait. Around 2-3 times a month people would come in so exhausted from driving all day that they'd just hand me their credit card and say "I'll pick it up in the morning, just give me a room key". I think that since it was an upscale Marriott people just assumed everything was safe.
      • If they have a decent bank behind their credit card or an AMEX, they weren't liable for anything over $50 - for personal cards. Business cards there's no limit on the liability. (Never get a 'business'' credit card. Use a personal CC and reimburse yourself.)

        Anyway, if you went apeshit, they could dispute the charges as fraud. It's kind of a pain in the ass (faxed signed affidavit ) but if you have a decent bank, they'll stand behind you.

        • by pandrijeczko (588093) on Friday July 09, 2010 @10:14AM (#32850278)

          My company insists we put business expenses on company-provided AMEX cards.

          However, about four years ago, AMEX started requesting to do personal credit checks before they renewed expiring cards and I refused to let them do it; my credit rating is fine, I've nothing to hide, but I just don't like AMEX as a company and don't want my personal details on their's (or any other company I refuse to deal with) database.

          The company couldn't force me to give them permission to do the credit check on me, so I now use my personal credit card and enjoy the loyalty bonuses as a result.

          • I now use my personal credit card and enjoy the loyalty bonuses as a result

            My company also forces us to use a corporate Amex card for all business-related expenses ... and I am happy to do so because the Amex rewards program is actually way better than any of the other loyalty programs I've come across. The rewards points accrue to me, personally, rather than my company, and the rewards/expenditure ratio is really nice.

          • by hab136 (30884)

            So, you're able to hand in expenses using your personal card? (which contradicts the part about your company insisting on a corporate AMEX) Or you just don't get reimbursed?

            At my old company, your choices were comply with the requirements, don't get reimbursed, or leave the company (voluntarily or not). With dozens of thousands of people, they just didn't care about your personal feelings on third party vendors.

        • You're right, but it still struck me as odd that people would just say "Hey stranger, take my card for the next 8 hours." It was pretty rare that I would still be there in the morning when they checked out, so that means I'd have to pass their card off to another low-wage employee to trust it with.

          It was kind of crazy how often my GM would have to fight these dispute charges. People would get enraged that their breakfast wasn't gluten free or that the tv in the room wasn't big enough and then have their
        • by wkk2 (808881)

          There might be problems with using a personal CC in the near future. I believe you will be required to give every vendor a 1099 for business purchases over $600/yr. The record keeping will be a lot of trouble. I'm sure it's only the first step to a VAT.

    • by ericbrow (715710)
      Amen to that. When I worked 3rd shift at a hotel while going to college, the pay was crap. I got a "raise" of 10 cents above minimum, then minimum wage went up 15 cents, and they called it another raise. 23 years old, and the only employee on site in charge of a multi-million dollar property and hundreds of lives, getting paid minimum wage. I was never tempted to steal, but I was often tempted to walk out.
    • What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.

      New York has enacted legislation to help prevent some of this type of fraud, by making it illegal to print whole CC numbers on receipts or to store them in the terminal (meaning immediate processing, with batches being done by transaction number IDs and not the CC number).

      Problem is, I have STILL walked into places where the whole CC number and exp date are printed - even though it's in violation of the law. Makes it pretty easy to print out a list of the day's cc receipts, whole credit card numbers and e

      • by Ritchie70 (860516)

        There are in fact Federal laws about that - look here: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt007.shtm [ftc.gov] - but even if there weren't, there are many state laws, and there are network rules about it too, which you clearly know.

        A merchant cannot show more than the last 5 digits of the card number or the expiration date on the receipt.

        If you encounter a merchant in violation you can complain to the FTC.

        I made a bunch of changes to a POS system 7 to 8 years ago to start accepting credit cards. Our dat

    • by Talahaski (711819)
      Fault of the Hotel, Credit Card information should NOT be accessible to ANY staff member after the initial swipe into the computer system. Get some software that immediately encrypts the credit card information at check-in and does not allow anybody to view the unencrypted information after that.
    • I travel a lot, and frequently grit my teeth when I call a hotel I've stayed at before and confirm only my name before they ask if I'd like to use the same card I used before, then reserve the room for me on the stored card info.

    • True! As an overnight front desk employee of a well-known, international hotel brand, I have access to a HUGE supply of credit/debit card numbers (often the actual physical card), and most of the customers' personal information. Add some malicious intent, and the whole scene becomes very ugly for everyone else very quickly.
  • Not surprising... (Score:5, Informative)

    by duplicate-nickname (87112) on Friday July 09, 2010 @09:30AM (#32849884) Homepage

    I recently had a hotel leave one of those quick check-out forms partially slid under my door. The problem was that it had my credit card information printed on it. It would have been quite easy to walk down the how and grab a dozen names, credit card numbers and expiration dates. On top of that, who knows what happens to the forms once you sign them as I highly doubt they go through a shredder.

    • by v1 (525388)

      I highly doubt they go through a shredder.

      Paranoid as I tend to be, I would hope most of them would. Dumpster diving at a hotel would seem like an otherwise excellent way to dug up some fraud otherwise. If not just for the hotel staff then for the patrons. Makes one wonder just how much sensitive information gets casually tossed in the hotel room trashscan by the average guest? I can't say that I've EVER seen a shredder next to the bible and alarm clock before.

      • While a horrible practice, this is why the security code is printed on the back of the card and not included in normal credit card number print-outs.

        The security code should be required for any payment, but is never displayed for security reasons.

    • by mcgrew (92797) *

      Technology is supposed to solve problems, but often creates problems. Back before computers and the internet when a CC transaction involved simply a pre-printed form with carbon paper and the card's embossed name/number, these security problems were very rare. But technology isn't the problem here, it's merchants who treat the new technology like it was identical to the old technology, and governments who fail to keep regulation up to date being aware of how new technology can create new problems. Merchants

      • carbon paper and the card's embossed name/number, these security problems were very rare

        Rare, but not unheard of.

        I know of somebody who had a fraudulent transaction applied against their credit card, and after investigating the police determined that some fraudster must have gone dumpster diving for discarded carbon slips, and copied the information/signature from there.

        • by Ritchie70 (860516)

          And some here will no doubt remember when those carbon forms went from having a single piece of carbon paper to a piece that was perforated half-way through where the card number would hit. Half the carbon would go in the garbage, the other half stayed with the merchant copy if I remember correctly.

      • by rjstanford (69735)

        Merchants are lax with security because there's no reason not to be.

        Not exactly the case... a merchant found to be in breach of their PCI standards (which you agree to when you set up a gateway account) can have their charge privileges suspended or denied. And a hotel who couldn't process Visa/MC/Amex/Disc cards wouldn't last very long at all. You can argue that there should be more sport-checks, but PCI auditing is already a very expensive process, especially for smaller companies (you can easily spend $50K+ on an audit at PCI level one).

      • by sjames (1099)

        All of this because banks REFUSE to implement simple and effective security procedures using smart cards even though the technology to do so has been easily available for decades now.

        • by mcgrew (92797) *

          They have no incentive to do so. If they had to pay through the nose for data breaches, you can bet that they would impliment those technologies.

          • by sjames (1099)

            I'm sure they would. But that means it's not a failure of technology, it's a failure of businessmen to do the right thing.

            As you say, as long as they are allowed to externalize the costs of their repeated failures, they will continue.

    • I have noticed that about the quick check-out forms. I have also had an issue where someone elses room was charged to my CC. I have also had situation where I give them the new card or a different card and they charge the one that's on file.
    • Re: (Score:3, Funny)

      by sconeu (64226)

      They don't. I'll name names.

      I was at the Doubletree in Crystal City, VA (just outside DC). I used the "Print from your room" facility.

      My printout was on the BACK of printouts that included names, addresses, and phone numbers (no CC's though). I told the front desk that they might want to look into their paper recycling policy...

  • by JSBiff (87824) on Friday July 09, 2010 @09:37AM (#32849958) Journal

    Obviously, at the time of transaction, the CC info is needed to make the transaction, but why do they retain the info after that? Don't the credit card networks issue a transaction ID for every transaction? If, after a transaction, the hotel needs to do something like refund part or all of the charge (e.g. returning a deposit), it would seem like they should be able to do that with just the transaction ID. Is there something I'm missing?

    This, it seems to me, applies to almost every merchant - retail, dining, entertainment, services, hotels, whatever. Why do they need to retain the info?

    If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants. A hacker can't steal what isn't there (although, a hacker could still potentially capture the CC info in real-time at the moment of the transaction, but at least you've reduced stored-data attacks).

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      I think with hotels the issue is less of a refund than it is an extra charge. Let's say someone checks out at 10am and leaves town. The cleaning staff get to the room at 11:30 to find that anything not nailed down was taken (carried out a side door at 2am) and the room completely trashed. Hotels keep those numbers to protect themselves without putting a reserve of $1,000 on your card for a one-night stay in a two-star hotel.

      I can't think of any reason for other merchants to keep your data beyond the poin

      • by delinear (991444)
        So if I check out at 10am, some guy comes in and trashes the place, steals everything not nailed down and bails, the hotel are going to automatically charge my credit card and let me sort out the fallout? Surely a better system would be for them to, I don't know, check my room as I leave. When I get a hire car they always check over the vehicle with me when I hand the keys back, they don't leave it a few hours and if someone clips it with their 4x4 on the way out of the car park, just charge my credit card.
      • by rjstanford (69735)

        With a decent gateway you don't even have to do that. You take your gateway credentials and the credit card information, and use them to create a unique storable key. The only thing you can do with that key is to move money between that one particular CC and your gateway account (refund, add'l charge, etc). Technically someone could steal it and either issue refunds or make additional charges, but they generally wouldn't because there's no incentive for them to do so. Far safer (and more PCI compliant)

    • by MobyDisk (75490) *

      Hotels might have a valid reason. Other merchants do not. They can refund charges without having the number. This is another case where I think we have to resort to legislation making it illegal to retain credit card numbers. It's stupid though on so many levels though.

      1. The merchant shouldn't retain the credit card number (it is in their own best interest NOT to, since they are liable for the resulting fraud).
      2. The credit card company shouldn't let the store retain the credit card information (fraud

    • by billtom (126004)

      It's my understanding that the CC companies are moving towards what you are talking about (store transaction tokens, not CC details). But the CC companies are very reluctant to really push all the merchants to upgrade their systems.

      The merchants, of course, don't want to spend any money updating their systems. And the CC companies can't afford to simply cut off large numbers of merchants that won't upgrade or comply to guidelines.

    • Re: (Score:3, Insightful)

      by mounthood (993037)

      If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants.

      They used to call it Fraud and it was the banks problem. Now they call it Identity Theft and it's your problem.

    • by mybecq (131456)

      If, after a transaction, the hotel needs to do something like refund part or all of the charge (e.g. returning a deposit), it would seem like they should be able to do that with just the transaction ID. Is there something I'm missing?

      The fact that VISA/Mastercard/etc (or by proxy, most payment processors) provide no way to do that.

      Why do they need to retain the info?

      When the customer inquires about a charge, they don't/can't/won't have a transaction identifier. There is no transaction identifier issued

  • by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Friday July 09, 2010 @09:47AM (#32850072) Homepage Journal

    I recently stayed at a cheap chain motel while traveling for a softball tournament. They had a sign posted (in the disused lavoratory, etc.) along the lines of:

    Theft is a problem. We have a safe in your room. If you use it and someone steals your stuff, we'll insure you up to $10,000. For your convenience, a $1.50 charge will be added to your bill for the rental of the safe. If you don't want to pay the charge, let us know and we'll remove it.

    (Part in bold is as verbatim as my memory allows.)

    When I checked out the next morning, I asked the clerk to remove the $1.50 fee. She kind of huffed, spent the next 5 minutes messing around with the computer, then gave me a receipt for the correct amount that I expected to pay. Two days later, I noticed that my online statement was off $1.50+tax. Sure enough, they'd charged me anyway. When I called them to say that I wanted it fixed - yes, I am that stubborn and nitpicky - they assured me that this never happens and they were so sorry.

    As cheap as the motel was, that was an extra 3% or so in automatic free revenue. If they're operating at a 10% profit margin, that's about a 66% increase in actual profit. How many times to people look that closely at their credit card bills? I'd be willing to bet that 99 times out of 100, people see that the charge was correct to the nearest $10 and don't check it to the penny, or they figure it's not worthwhile and don't follow up on it.

    • by tkohler (806572) on Friday July 09, 2010 @12:04PM (#32851510)
      One time I was staying at a not-so-cheap hotel in upstate UK. The hotel offered a choice of breakfasts: Continental or Full, with about a US$10 price difference. Each day I chose a breakfast, changing based on mood and hunger, about splitting the choices evenly through my 5 day stay. (I was attending a conference at the same hotel) The waiter took my selection and room number each day. Upon checkout, I found they had charged me (and everyone else) for the Full breakfast everyday. I asked them why and they said they assumed that everyone would chose the "much better breakfast" and made that section for them "as a convenience". I then asked why the waiter bothered to ask the choice if they were going to only charge one price. The desk clerk had corrected the charge and finished my bill and now was just concerned with getting rid of me so he finally said, "Sometimes, sir, hotels just try to rip you off". I had no response.
      • The desk clerk had corrected the charge and finished my bill and now was just concerned with getting rid of me so he finally said, "Sometimes, sir, hotels just try to rip you off". I had no response.

        I worked the night shift at a reasonably nice motel when I was in college so that I could study during all the down-time. Although the management had their own set of annoyances like overcharging for every little thing, they were scrupulously honest. For example, the phones had the ridiculous rates printed on the face around the buttons so you could easily see the prices, and part of my night audit job was to compare the phone system's logs with the room charges. If I found that we'd accidentally overcharge

  • Thank you (Score:3, Insightful)

    by tpstigers (1075021) on Friday July 09, 2010 @09:49AM (#32850086)
    I'd just like to thank the author for not using the ridiculous term 'identity theft'.
    • by Sulphur (1548251)

      Does using your email name for spam qualify?

      --

      I was cold called by someone offering "indemnity theft."

  • by cybrthng (22291) on Friday July 09, 2010 @10:07AM (#32850220) Journal

    Hackers often target hotel pbx systems to call rooms and "confirm" credit cards with people staying there.. Its one of those big issues you never hear about until someone is caught and its easily done since 99% of the hotel rooms don't offer any caller-id functionality. So if you get a call while in a room to confirm your credit card, just ask to go downstairs and confirm at desk.

  • Although it was about traveling outside the country.

    He was teaching the Networking course, and during a brief section on security and encryption he mentioned how he had recently been traveling (he wouldn't say where, but he was born in India) and stayed at a five-star hotel while he was out of the country. He then pointed out how he had requested a new/temporary credit card from his bank for the trip, which he only used to pay for the hotel, and he canceled the card as soon as he was back in the US.

    By the

  • Wardriving (Score:4, Interesting)

    by CODiNE (27417) on Friday July 09, 2010 @10:22AM (#32850350) Homepage

    I remember years ago I drove around a little with my laptop on the passenger seat recording the SSIDs I'd passed. Always fun to see how people name things. One that stood out was a Pik N Save or something... they strangely had a Wifi setup but the name was.

    PIKSAVPOS

    Yeah, their Point of Sales network was unencrypted and accessible throughout the huge parking lot and onto the main road.

    Nice.

    Perhaps the hotels used the same contractor. Very cheap and fast setup, works great.

    • Just one observation...

      Of course an unecrypted WLAN is a *VERY BAD* idea but just because the WLAN isn't encrypted doesn't mean you'll be able to sniff anything on it if all the transmissions on it go over SSL or some other encryption method.

      Personally, I'd hope that anything involving a credit card transaction anywhere goes over SSL by default.

      • by CODiNE (27417)

        That's true but anyone could sit in the parking lot and record everything going over that wire for months. Or hide a little sniffer box under a bush somewhere and record all year long. It was probably around 2000 that this happened so I'm gonna guess they weren't using RC4 or anything like that. Eventually you could brute force it with so many samples.

        Shoot in those days I opened up my laptop at work, it automatically joined the open wireless there and my boss screamed that I'd "Hacked" into the network.

        • Oh, don't get me wrong - just because the connection is encrypted does not mean that you can't just hop onto the WLAN, hack a user account on a server somewhere and pull unencrypted credit card information from server itself!

        • by PTBarnum (233319)

          Wait, you had your laptop configured to automatically join any available open wireless network? And you are worrying about other people's security practices?

        • Re:Wardriving (Score:4, Interesting)

          by kent_eh (543303) on Friday July 09, 2010 @01:48PM (#32852718)

          Now with smartphones people aren't quite so retarded.

          Ummm... We found one of the office girls plugged in her little Apple Air-Port Express to the LAN under her desk, so she could use the WLAN on her iPhone at her desk.
          When was confronted, she couldn't comprehend why it was a bad thing she was doing.
          Fortunately the policy (which we thoughtfully presented her with a paper copy of) clearly states that allowing strangers onto the company LAN can be a firing offense.
          That she understood (if not why)

  • Do the credit card companies care yet? when my friend's identity was stolen a few years back, they had no interest in finding and prosecuting those responsible, even when he did the research and found them. It was cheaper for them to just pay him off and forget about it. So if it's a no-risk crime, then it doesn't matter which industry leads the ... uh... industry. I'd prefer to see how many such crimes are solved and prosecuted successfully.
    • Unfortunately, you've highlighted the major problem with business today.

      No business nowadays is ever interested in striving towards ensuring every customer gets the best possible service from them, they just puff their chests out and crow when they achieve a particular statistical level of performance.

      "95% of calls to us are answered within 10 seconds" - the 5% of callers who were cut off or who sat were sat listening to ringing tone for 10 minutes do not matter.

      "Acme Disinfectant kills 99.9% of all germs"

      • by Eskarel (565631)

        Come on. That's totally pathetic.

        To try and make a point about people evaluating the cost of particular actions(like prosecuting credit card fraud) and occasionally choosing an option which is cheaper for them but worse for everyone else, which is bad, and then try to compare it to companies being realistic about their ability to deliver. Then you throw in a dig towards the US.

        You can't ever guarantee 100% of anything. No matter how many people you employ in your call center there's always a call rate which

        • It's not the nature of their work that makes them see it this way, it's the lack of responsibility for their impact on me. They should have to pay a heavy financial penalty when identity theft occurs, if all they care about is money. Then they will take action. The penalty should be automatic and paid to me personally since they are negligent in their security practices.
  • ...granted many years ago. But at that time, at check in, we took an imprint of the CC info, got an authorization for the expected amount of the stay. Then after check out, the imprinted forms were updated with the actual amount of the bill and signed (if the guest came to the desk), and left for the night audit crew.

    The night auditors would go through the thousand or so CC slips, and using CC software on a PC, pull up the authorization by CC Number and enter the final amount.

    Anyway... long story longer

  • I had a business trip there about 15 years ago. About a year later, I got a snail mail birthday card greeting from the hotel. I thought that is was kind of cute, and mentioned it to another colleague who often traveled to Geneva at that time. He is a security weenie, and told me:

    Just think what will happen when the hotel retires their PC, and gives it to a child of one of the employees, without scrubbing the disk.

    There goes your name, credit card number, and birthday info . . .

  • There are two ways to steal credit card numbers: getting them from a computer system of some kind (up to an including things like putting a stripe reader on the front of an ATM) and the old-fashioned way of a clerk or waiter or whoever just looking at a card and copying the numbers. Does anyone know of any data showing which is more common?

  • We'll be working on a build of our opensource POS designed for hospitality starting in October and ready for release early next year. We've gone through the PA-DSS audit process and frankly, with todays payment systems, if your POS system is storing any card holder data, you're doing it wrong. We off load that data to the CC processor and only store either a transaction ID that can referenced later or a token of that card, not the card data itself.

    • by Ritchie70 (860516)

      Unless you're using POTS and modems for authorization, you're going to have some down time due to connectivity outages, due to the cheapo DSL your locations will probably have.

      During that time, it probably won't be acceptable to not accept credit cards, so what you do is accept it, save the card info, and hope it gets approved when connectivity returns. There's some risk to that method, but really, the vast majority of transactions get approved, so there isn't that much risk. And it's better than pissing of

  • The only time my credit card was robbed was by a hotel, in Paris. The FBI ignored me, the French police ignored me, my credit card company ignored me after they canceled the charge (without evidence). It's a "cost of doing business" to them, but my hours of time, long distance phone bills, and inconvenience are a cost to me. And to the next person that hotel robs, or the hotel down the street.

    It's obvious that credit cards should have one-time passwords for distribution. One password per transaction, assign

For every bloke who makes his mark, there's half a dozen waiting to rub it out. -- Andy Capp

Working...