Please sign in to post.

hotel website failing security software scan/credit card breach

I would appreciate any advice on this issue as this has happened to me two years in a row. I made hotel reservations on European hotel sites that are secure https. I am very careful with my card. Then, in a month or so, I have my credit card number breached and have to get a new card number. Last year, I did not tell a hotel about the number change, and arrived with my family of 4 in Bruges to be told my reservation was cancelled 24 hours before. Then, the gentleman didn't want to take my new number. He was going to refuse us rooms! Luckily, I convinced him to change his mind and we got our 2 rooms. I contacted the hotel the week before and was told everything was in order, so I was very unpleasantly surprised.

So, this year, I'm taking my youngest son on a RS family tour, Amsterdam to Rome, just the 2 of us. I make my reservations in January, way early, at the two tour hotels at the front and end of the tour, both having secure reservation systems. A month later, again, my card is breached with a 20+k jewelry purchase! I go back to check the hotel website, and now my security software shows an alert. I am afraid to let the reservations stay as-is, knowing what happened last year. I am also afraid of giving the hotels my new card number. Would it be reasonable to call a few weeks before my reservation and give my new number over the phone instead of through their online system? I was thinking to use a secondary card to hold the reservation, and pay cash in person. Not that it might make the difference. I would hate to arrive jetlagged in Amsterdam with a 14 year old to find our room cancelled. Or perhaps being part of a large tour group would make a difference?

Thanks so much for your help!

Posted by
16895 posts

I think the best plan is to give your new card number over the phone, as you proposed. (I'm not sure that I've seen online engines that would process that update.) Being part of the group should help, but I wouldn't want to count on it.

Posted by
2857 posts

Do you know for certain that the breach came from giving the credit card number overseas? Where was the purchase made? I also can't see why there should be an issue with the card being cancelled as long as you are giving them cash or a new card number when you show up. Unless they are collecting a specific deposit amount when you reserved, the only purpose of you giving your lodging a cc number is for them to then bill your card if you don't show, and they are not supposed to ahve any pending reserve lodged against your card before then.

Posted by
7158 posts

I also am not sure how you can tell exactly where the breach was. How do you know it was the hotel reservation site that was the issue?

Posted by
23626 posts

Try to take this a piece at a time. Frequently when a hotel has taken a credit card number to hold a reservation, they will run the credit card just make sure it is valid. They might try a dollar charge to see if it goes through. So when he tried to verify your card and found that the number was bad, he assumed the worse. He may have tried the number in the week before. So what do you expect him to do? Trust you with another bad credit card number? You are one not being honest with him. So that doesn't surprise since had some responsibility.

Second, credit card can be compromised anywhere, anytime. Sometimes batches of numbers will be stolen but not used for a few months to help mask where they were stolen from. So you cannot assume that the last place you use your card will be the place where the number was stolen. We have given our card number dozen of time for hotel reservations with no problem. The hotel may or may not be the problem.

Posted by
2857 posts

I will second Frank's last paragraph. A couple years back we had two cards compromised, one in the data breach in the Albertson's Supermarket chain, the other in the Home Depot breach. In both cases, it was several months later that our card's data was cloned, manufactured, and sold in the market. In the Albertson's hack the info came out at the same time data was used, in the Home Depot attack we had forgotten that we had made one last purchase on this card at Home Depot and had stopped using it, so we did not take the account down when the news hit, and sure enough it was captured. We have also lost a card here due to its having been copied by a skimming machine,

We have yet to have any problems with any of our cards coming from our use in Europe starting in 2009, and that includes one of our kids using the cards for 4 months while in St Petersburg on an exchange program.

Posted by
27 posts

Credit cards also have a certain pattern and it's possible for criminals to use bots and online sites like Amazon to find current patterns. One of my new non-chip & pin credit cards was used at a pub in Germany for two charges that totaled over $500. I had authorized the card through my bank, but not used it for any purchases on-line or in person. The bank was aware of this, so they reversed the charges.

I work at a hotel, contact the hotel before you get on your flight and confirm that you are arriving and give them an ETA. They can then check to make sure everything is good with your reservation.

Happy Travels

Posted by
19274 posts

I've only once been asked for my credit card number when booking a hotel in Germany, and that was just to guarantee the room for late arrival, never for booking, and the card was never charged. I guess it's the practice for large hotels and booking websites to take your card, but the type of small Mon & Pop places where I stay don't ask for one (and I don't think they even take credit cards for payment).

If a place (or site) asked for my credit card in advance, I'd go somewhere else.

Posted by
233 posts

Giving your card number over a cordless phone or to an individual using a cordless phone isn't necessarily safe, since those calls are easily intercepted. We have two credit cards that offer "disposable" numbers, which are merchant-specific and can be set for a specific amount and to expire at a particular date. Meaning that if you give one of those to a merchant, only that merchant can use the number. We give such numbers to the hotels that require a valid credit card to book, but actually pay in cash. We use these frequently for internet transactions of all sorts and have never had one of these compromised. We have also taken to generating a few numbers for modest amounts before foreign travel and hiding the numbers in a secure location. That way we don't need to use our permanent card for internet credit card transactions on hotel computers whose security we can't be sure of. I agree with the others that it's as or more likely to be miscreants at home that are stealing your credit card number - our physical cards have had to be replaced every couple of years because of fraud.

Posted by
9 posts

I hear your frustration and I get it! I was totally hacked about two months ago and am sopping up the mess to this day. This is my advice...Call and give credit card #'s. Confirm a week or so out. Or email two separate emails with one half of your card number.

My biggest advice is to NEVER EVER EVER USE PUBLIC WIFI...like at a starbucks! I just turn my data on and off now. I was totally compromised probably sitting drinking a lovely latte. Anything you open becomes prey to the dark side! Believe me, it is a nightmare. It is not worth it.

Posted by
233 posts

Or email two separate emails with one half of your card number.

Even better, call one half in and e-mail the other (I've had my whole email account hacked and if the hotel is using a cordless phone, the phone call can be intercepted.)

Also...
It's amazing how many people do not realize how unsafe it is to use public hotspots for sensitive transactions. We use a VPN when we are forced to connect mobile devices to the internet via wireless. However, I would still not do any truly sensitive transactions unless absolutely necessary via wireless when traveling because even with a VPN, the security of your information is still only as good as the security of the server and the integrity of the persons who control the server. In addition, there's usually a short time between connecting to the internet and starting your VPN and modern cell phone apps may connect to the internet (exposing their login credentials) before the VPN is up and running. Finally, do not assume that computers in hotels are hard-wired to the internet. They may be connected wirelessly (I'd wager that these days they probably ARE connected wirelessly) and therefore their security is only as good as the hotel sets it up to be (and assumes the hotel's server has not been compromised by a hacker).

Posted by
32350 posts

"It's amazing how many people do not realize how unsafe it is to use public hotspots for sensitive transactions."

I definitely agree! I don't use Wi-Fi (espcially public Wi-Fi at cafés or whatever) for financial transactions or anything of that nature. If I only need brief access to a bank account, I switch off the Wi-Fi and use LTE/3G as that's more secure.

Posted by
408 posts

Alas, our American cards are still more vulnerable to fraud than foreign cards and the criminals know this. So, they seek out American credit cards to fake. The old cards with no chip are especially vulnerable since they are so easy to fake.

Supposedly, the criminals know our magnetic strip cards are easier than those of other countries to fake and use, so they have been targeting them for whatever time they remain in circulation. It's their last chance to easily make fake credit cards and use them. Aren't we Americans lucky?!?!!?

True chip-and-pin cards will also help, but we all know what the big banks think of them. Perhaps this will change. Discover Card has announced they will go to true chip-and-pin cards, though that is not much help overseas.

Posted by
4535 posts

American chip (EMV) cards are no more or less vulnerable to duplication fraud than any other EMV card. The main weakness right now is that so many American businesses failed to convert their processing systems to EMV and still process the magnetic strip. So criminals can still duplicate the magnetic strip part of the card and use them all over the US. That is on merchants, not the banks or credit cards.

Until US businesses are almost completely using EMV processing, any EMV card (including European ones) will be vulnerable to duplication fraud here. It will be years since so major retailers have not yet done the switch over going on 8 months past the October 2015 deadline and the deadline for gas pumps isn't even until October 2017.

Posted by
5837 posts

EMV, even chip and pin, is still vulnerable to Card Not Present (CNP) transactions. Hard to stick your card into the slot of a telephone, internet, or mail-order transaction.

If a property tried to verify one's card in advance, and it failed, it would be good business for the property to contact the card holder. Of course, that assumes that the hospitality provider wants your business. That said, it doesn't hurt to confirm bookings. Misunderstandings happen.