Saturday, April 09, 2011

Beware of Credit Card Fraud After a Hotel Stay

I've written in the past about fraudulent credit-card charges that can quietly appear on your statement after a hotel stay.

Yup, just checked my American Express statement after a two-day stay at a hotel, and there it was: A charge for $23.76 from some outfit called Etunes LLC of Van Nuys, Calif. A quick Google search shows others complaining about non-authorized charges from Etunes -- a company I have never done business of any kind with and, in fact, would not know from Looney Tunes.

The last time this occurred, again after hotel stays, the phony charges -- a bunch of them amounting to over $400 -- were from iTunes, a legitimate business. Investigators told me that hackers can readily access hotel point-of-sale computer systems and grab your data. They then often probe with charges, sometimes to legit businesses, to see if the info they've stolen is good. And to see how closely you're paying attention to alien charges.

As to this most recent fraud, I don't know yet what the hotel where I stayed this week has to say about it, so I won't name them till after I have spoken with them on Monday to see whether they know that they have a security problem.

And by the way, I have not been exactly thrilled with American Express recently. Today, when I phoned Amex Platinum to report the clearly fraudulent "Etunes" charge, the man on the phone sounded awfully casual about it. In fact, he was way more interested in trying to sell me American Express Fraud Protection services ("We'll notify you of suspicious activity") than in addressing the issue of doing business with obvious crooks who are seeking to defraud your best customers.

So be careful out there with your credit card statements, and especially check your statements after hotel stays. Be careful not to leave personal data, like that found on a hotel bill, lying around. Hotels are one of the most perilous places for credit-card fraud, and the hotel industry has been very remiss in not addressing this problem head-on.

I wrote a column about this last July and followed that up with a post here in August about the issue.

Here's my blog post in its entirety from last August:


Your credit card is far more likely to be hacked at a hotel than anywhere else you use it. According to a report in January by Trustwave SpiderLabs, 38 percent of the hacking breaches it investigated last year occurred in hotel credit card systems.

That was way more than breaches in other hacker favorites, including retail and restaurants.

The most recent example of hotel hacking, discovered last week, occurred starting in May at the Doherty Hotel, a convention hotel in Clare, Mich. About 150 people have reported that fraudulent charges appeared after they patronized the hotel. A Secret Service spokesman told the Clare Times online (report is here) that the hotel's guest computer system had been identified as the target of the hacking attack.

It is clear that lots of hotels have these issues. It isn't clear exactly how many. But the reports are troubling.

In June, it was reported that Destination Hotels, a chain of 30 luxury hotels, had been the target of what ABC News called "an intense database attack" that compromised at least 700 customer credit cards. Also in June, Wyndham Hotels said that a "sophisticated hacker" had gained access to credit-card data at up to 31 of its hotels between last November and January 23, 2010, when the attack was discovered.

For Wyndham, it was the second time in two years that credit cards had been hacked.

Wyndham and other hotels named in recent reports on the problem have said they are improving their point-of-sale and other credit-card data technology systems in response.

After I wrote about the Wyndham and Destination incidents, I got a lot of calls from national and local radio stations asking me to discuss the issue. Why hotels? they all wanted to know. And what can we do to protect ourselves?

Well, the reason hotels are a good target is that they collect a lot of customer data, which a hacker can fairly easily access through point-of-sale systems, readily scoring enough information to steal a credit card's data.

Mainly, this is because individual hotels are often owned by small or regional entrepreneurs -- investors who actually build, develop and own the properties, many of whom have been frantic in recent years as rates and occupancy have plunged. (Big hotel chains like Hilton or Marriott mainly manage the various brands, and charge the actual owners hefty fees for being associated with, and adherent to the standards of, a given brand).

With less money coming in following the Wall Street collapse, after a heady period of the best prosperity in the hotel industry's history, many hotel owners were caught flatfooted. Even while revenue plunged, they had to invest heavily in improving technology in immediate guest-demand things like better Wi-Fi and high-definition TV. At the same time, global hackers discovered that hotel point-of-sale systems were particularly vulnerable. In many instances, hotel owners simply have not yet invested what they need to in making their back-office data-processing technologies more secure against the new breed of hackers.

It often takes a hotel months to even discover that its system has been hacked.

Consumers have a degree of protection in credit-card fraud -- assuming they notify their credit card issuer promptly of a fraudulent charge.

But I've been advising people that it's easy to get blindsided even with this protection. For one thing, frequent travelers often don't carefully review their credit-card purchases on the road and may overlook fraud. For another, we're all now so accustomed to whipping out that credit card for small purchases, even a coffee at Starbucks, that we are more likely to not notice on our credit-card activity-reports the kind of small, frequent illegitimate charges that hackers first start hitting your card with, just to probe it, or in a case of basic hit-and-run.

In the last six months, both my wife and I have had credit cards we use for travel hacked. In both cases, the fraud began with multiple small charges listed as being for numerous Apple iTunes purchases, all in a very short period. In both cases, the fraud totaled over $400 before we contacted our credit card companies. (Neither of us has an Apple iTunes account, incidentally.)

In both cases, the fraudulent charges were removed. However, in both cases, the credit card company canceled our existing cards and issued new ones. With new numbers, of course.

Oops, that led to a problem I hadn't anticipated. Like many people in recent years, especially travelers who are away from home a lot, I tended to put routine household and other bills on credit card "auto-pay." Works beautifully. But when your credit card number changes, those auto-pays suddenly can get rejected if you haven't gone to the trouble of changing them to the new card number. I thought I caught most of them in time, but I overlooked a couple like the water bill. That took more phone calls to fix than I cared to make.

The credit card industry (to protect itself, not consumers, of course) is now pushing hard for hotels and other businesses to adopt uniform standards for data security. Consumers, meanwhile, simply need to be up to date on issues such as credit card fraud. The Privacy Rights Clearinghouse has useful information on this.

I spoke recently with one of the leading experts in credit-card fraud, Anthony C. Roman, a private investigator in New York who now specializes in high-tech fraud investigations, but who once worked as a bodyguard for the infamous hotelier Leona Helmsley.

Here's some of what he said about hotels and credit-card hacking:

Hotel credit card point-of-sale systems (which begin at the place where your card is physically swiped through the machine) often offer a hacker the greatest trove of personal data for the least effort, he said. Hackers can work on site, or more often remotely online, using readily available personal information, sometimes culled from customer receipts and bill print-outs.

In the hotel industry, "the collection, storage and transmission of credit-card information is of particular importance," he said.

At many hotels, "upper executive management is developing more secure systems and procedures with regard to personal-data security, including the personal data on the magnetic strip on the back of credit cards, including things like date of birth, Social Security number, home address -- that kind of thing. That stuff is actually on the credit card."

Credit card issuers are trying to crack down harder to comply with standards that encompass "maintaining a secure computer network, which includes the computer network from the POS, point of sale, from the card-swiper through the internal network and terminals at the front desk or in executive or administrative offices. And after that, the broader network between that particular hotel site and the corporation at large all need to be secure," he said, adding:

"The best method to protect the data is by having a POS [point-of-sale] system that uses a transaction code in which the data is immediately encrypted when it hits the machine, and therefore not hackable for most casual hackers. It is, though, still somewhat hackable for the geniuses -- but most hackers are not geniuses or even brilliant. So we're talking about mitigating the vast majority of attacks" with a more secure point-of-sale front-end system that is protected through encryption.

"It’s not a standard created by the hotel, it's a worldwide standard created by the credit card industry," he said. "It requires purchasing not only of software and hardware technology, firewalls, encryption programs, et cetera, it also requires putting in place standardized procedural methods that are administrative in nature." That includes procedures for complex passwords that change at "rate differential periods" so no regular pattern can be discerned, he said.

This means spending more dough, if you're a hotel owner.

Also, he said, "there should be an audit trail to everything, as well as standardized preliminary and ongoing training of staff, and an overall system reflecting when and if privacy-sensitive data is released, to whom, and under what circumstances."

Hotels are by nature customer-service friendly. This builds a weakness into the system. A hacker with one stolen (or otherwise obtained) document, even a discarded bill, can sometimes call a hotel and say he or she needs a new copy of a bill. Hotels tend to comply.

"RevPARS [revenues per available room] are down dramatically as a result of the economic turndown," he said. Many hotels "simply don’t have the money, and aren’t making the investment [in better technology security] at this time," he said.

The message hotel owners are hearing from credit card companies and even hotel chain management is this: Find the money and fix your systems. And as these instances of hacking continue, consumers are going to be demanding the same.



Boston Jake said...

I thought bed bugs were bad enough - now this!

Anonymous said...

I'm sure you're right about hotels, but in this case the Etunes scam must have used a different method. I haven't stayed in any hotels for many months but Etunes charged my Amex, as well as hundreds if not thousands of others.

Merchant Services said...

I thought I should only avoid using my credit card in restaurants in fear of cloning. Now, I should add hotels to my list. What's next? Instead of addressing the issue, it seems like the industry found a new business out of it. Credit card protection, insurance, etc. I wouldn't be surprised if they're somehow involved in these fraudulent acts.


Adam said...

The Park Plaza Hotel in London charged me a $10,300.00 cancellation fee for a per night hotel room reservation. They said it is a one month penalty because they claim I did not give them 48 hours cancellation notice when in fact I gave them 13 days cancellation notice!!! All attempts to resolve the issue with the hotel have gone unsuccessful so far. They charged $10,300 to my American Express Platinum card. Amex so far decided that I am guilty and sided with the hotel but they would not tell me why and they don't tell me why when I asked them several times. Even though everyone in Amex and Carlson Group that I spoke with admit that they never heard of a one month cancellation fee of $10,300.00!!! Amex so far has not provided the protection that I expected from them against this kind of unheard of, outrageous and incorrect cancellation fee. You would think Amex will protect you when you use their Platinum card to book a hotel. They charge you a $500 annual fee for poor and sometimes rude service and no protection whatsoever against incorrect and unfair charges like this case and no returned phone calls by their dispute and fraud department or their President's office. Park Plaza Hotel Vice President in charge of Europe will not return my call either. I have emailed and called the Park Plaza Hotel in London which is part of the Carlson Group no less than 30 times trying to resolve this issue and they insist that I am guilty but will not show proof of their claim. I called Amex and emailed them no less than 40 times and nobody would give me an answer. When you call Amex they put you through a maze of answers like we have no answer and they claim that only a specialist in the Amex dispute department knows and she does not call me back when I requested many times. Amex claims that only this specialist can decide and I can NOT escalate above her head and talk to anyone else in management.
I have tried to ask what other channel I can use to escalate this issue and all they could offer is reopen the investigation with the same specialist who will not return my calls, who appears not to understand this case at all, and who is convinced that I stayed at the hotel for the one month that they charged me when even the hotel is not claiming that I stayed during the month in question!! This is a nightmare which exposes huge loopholes that expose a consumer using a credit card to book a hotel on a per night basis to be charged obscene amounts of money for cancellations. I am still hoping that Amex and the hotel will do what is right in this case and refund my money soon!!!