130 comments

[ 2.0 ms ] story [ 229 ms ] thread
Seems like a problem booking.com could instantly eliminate by enforcing 2FA for hoteliers.
Not really. In the article it says hackers are getting malware onto the hotel's computers using social engineering. That's really hard to counteract. They could steal cookies, or also just control the existing session using the malware. 2fa won't help if you're already logged in and the hacker hacks your computer.
Then why is only booking affected? Surely many of these hotels are also affiliated with hotels.com and similar portals.
Every big hospitality broker is under these kinds of attacks. Hotels.com data got exposed en-masse through one of their service providers.
Booking is the largest and thus a juicy target for both attackers and articles. Having worked there, I know that competitors had the same problems though.
you can always do geo and browser signature checks aginst sessions
If you have malware on the hotel computers presumably you could make the malware make the request. You can't get too aggressive with your geo/browser checks because there are probably a lot of legitimate logins where the owner is doing some work from home or from a different location.
I mean if the malware has total control of the computer, there is nothing you can do. But if it’s just stealing cookies, then there’s already a lot of existing technologies to prevent that.
And 'after hours' if you happen to come by the front desk it isn't all that rare to see the computers up and running but unattended because the desk clerk stepped away for a moment.
(comment deleted)
This begets a new problem.

The hotel gets "an" account for Booking. We now need to provide a 2FA credential that essentially needs to be accessed by any hotel front desk/office staff. What methods do we use for "many 2FA, one account"? (And then, how do all those second-factors get secured? Email accounts? Shared phones? Shared token? Shared Authenticator?).

It's probably bad enough the password's probably on a post-it under the front desk keyboard, but I don't think the average hotelier is going to be standing up something like Delinea Secret Server. ;)

The ideal solution is that each of the front desk / office staff use their work credentials to access booking.com. One customer accounts, many user accounts. Use OIDC so you’re not entering your work password on booking.com.

I know it’s not gonna happen industry-wide. But this is how we do things everywhere I’ve worked for the past many years.

"We" don't. "We" need to create individual accounts for each eligible staff member and provide each with a 2FA system, for example a Fido key or a TOTP auth app, or an app that uses push notifications and asks for a "yes".
(comment deleted)
A Booking.com spokesman said: "While this breach was not on Booking.com, we understand the seriousness for those impacted, which is why our teams work diligently to support our partners in securing their systems as quickly as possible and helping any potentially impacted customers accordingly, including with recovering any lost funds."

I call BS. It's Booking.com's responsibility to ensure that the people logging into their portal are the actual hoteliers. Time to mandate 2FA.

What would 2FA do to stop malware installed on hoteliers' computers?
Nothing. However 2FA could prevent those hackers from being able to login to booking.com using stolen credentials and perpetrating this scam.
Booking responsible only for payments.

They will do nothing except of refund if you are scammed by hotel with false advertising.

Did you know that booking.com stores your credit card information and sends it, in plain text to the hotels - allowing them to charge you? [1]

[1] https://partner.booking.com/en-us/help/policies-payments/gue...

The Phuck - who is that allowed?!!! <after review> Ah - there are some quirks allowed by PCI from device to device (E2E) with TLS.
That's not Booking.com's fault though. Many hotels are hopelessly behind the times and they don't have the capability to process the charges any other way and so there is quite a bit of pressure on booking.com to keep this functionality alive. This is a problem all over the hospitality industry. At least PCI/DSS compliance ensures that there is some minimum level of security involved and ultimately the merchant that is the recipient of that information is on the hook for all of the charges they make if you should dispute them. Credit cards have more consumer protection built in than most other forms of payment.

If they wouldn't send the card information 'in plain text' it would be useless to the hotel. And every time you visit a hotel and hand them your card they tend to make an imprint of the card, the only thing the hotel doesn't have is the CVC and in the normal flow this isn't exposed, only when you escalate to some level of exception (and I'm not sure what the criteria are for that).

Kinda is their fault... the recipient might be the dictator but the sender can choose not to play or can display a checkbox to consumers authorizing an unsafe transmission so they can make an informed decision. Instead they just do it and you assume the store is secure because isn't store security mostly a solved problem at this point?

Those of us who transact directly with the hotel instead of booking agents stay winning I guess.

If the sender doesn't play ball, they won't have any business.

Third-party aggregators and hotels are a complete shit-show. But as long as I can save $30 on my trip, I will keep using them...

I am not a marketing professional but what about something like this. "Our booking service is xxx MM consumer's first choice for planning trips. Get access to our customer base and reduce administrative workload by adding our integration to your point of sale system. 4 competitors within 5 miles of you are already booking with us!"
Especially since I have zero fraud liability as a customer. No real incentive for me to care.

The real solution is for the credit card companies to lay down requirements for these merchants (no storing in plain text).

They already do so. The card data is not stored 'in plain text', but encrypted at rest. But for the Hotels there are interfaces that allow these to be exposed to the Hotel employees (accesses of such information are logged). Just prior to displaying them they are decrypted.
Would it pain you to spell out which of the facts are wrong?
For the “encrypted at rest” statement I guess it depends on your definition of “at rest”. Email passes through many hands, and random mom-and-pop shops definitely aren’t using PGP. So any emailed credit card information is being stored on many different computers. In theory those kinda of logs should be purged regularly, but who knows.
Looks to me like you got your facts wrong. And your definitions too...
It's 2023 and my credit card is left wide open to fraud and booking.com facilitates this. I presume when you choose "pay at the hotel" and have to enter your full details including CVC, this is in order for the hotel to charge you in the case you decide to not pay. But in that case booking.com should handle the dispute, as opposed to introducing another compromise vector for any attacker. I've literally seen my details printed on paper at a small hotel in Tyrol. God knows what security they are running at the front-desks at these places.
That flaw is inherent in credit cards and you as the user have a dispute process at your disposal for charges that you don't want to be on the hook for.

The CVC is just slightly less problematic than the rest of the card data.

And that small hotel in Tyrol is probably ok, but I had my card cloned within minutes of eating at a restaurant in Toronto. The whole concept of a bunch of numbers that allow for arbitrary charges against you is flawed.

Booking.com doesn't facilitate fraud any more than your credit card company does, and so far I've been able to successfully dispute every charge that I did not agree with on my card. The day that changes I'll stop using them entirely.

PCI DSS requirement 4.2 explicitly forbids sending credit card data via email.

https://pcidssguide.com/pci-compliance-and-email-security/

And even though I've not worked there in many years, I can tell you with extreme certainty that booking doesn't do that. They're also (hopefully obviously!) PCI compliant.
And they do not. What they do do is offer a portal where the hotel can look this information up and they very explicitly caution against photographing or doing other stuff to that number other than to enter it into their POS to perform some transaction.
I’ve been to hotels in Brazil where they literally copy your CC information completely into a text box in the hotel’s check in system. After that experience once, never ever again…
> And every time you visit a hotel and hand them your card they tend to make an imprint of the card

I haven't had my card imprinted (or, later, photocopied) in hotels since a long time. Now it's just a pre-authorization.

Although recently I had my credit card photocopied by a car rental agency so they would be able to phone the card processor and cancel the pre-auth manually. Absolute madness.

> the only thing the hotel doesn't have is the CVC

Considering the most recent credit cards that I have been issued, most lost the embossing and now print the PAN on the back together with the CVC, so if some hotel photocopies the card - as nobody have the imprinters anymore - the CVC is there. This also applies to the last embossed card that I have in my wallet, an Amex card, which always had the CVC on the front that wasn't captured with an imprinter. Now with photocopiers, it is.

I've still had it happen this year, but I visit weird places :)
why does it feels like I read this exact chain of thread few days ago? the only thing different is that chsin mentioned UK too.
"Plain text" over an encrypted connection you mean?

How else could it work?

Probably meant sending the payment details without tokenization, which in practice means sending a merchant-specific (in case of this one, hotel-specific) card details (https://www.emvco.com/emv-technologies/payment-tokenisation/). A lot of hotels, for some reason that I still don't know, are still relying on MOTO methods to process payments, and MOTO requires the whole card number/PAN, name on file, expiry, and CVV to be sent (which I encounter from-time-to-time because my non-MOTO Mastercard is being rejected for being too weird). Combine that with the fact that US cards don't really enforce 3DS means that you'll have a card number bonanza usable for most American stores.
A)

1. Booking request made, Booking.com holds card details

2. Hotel requests payment

3. Booking.com makes transaction from your card to hotel

B)

1) Booking request made

2) Booking.com requires card details for immediate payment to them

3) Booking.com sends money from their account to hotel

C)

1) Booking request made, Booking.com requires guest identity only

2) Hotel takes payment on arrival

At least for me it usually works that way when I’m paying immediately/directly in booking.

The charge comes from Booking itself and I assume they ten transfer the money to the hotel/etc

Every time I've reserved a hotel room with Booking.com, the payment has required 3-D Secure verification. For me, this involves entering my VISA card's PIN into a card reader, thus needing both physical access to my card and knowledge of my PIN. That might not be very much consolation, but it's at least some protection against having your account fraudulently drained.
Just last month I reserved on Booking.com, arrived at the hotel and to my surprise they said "we already charged you with the card you have on Booking".

Charge came from Panama (the country) and the hotel isn't anywhere near.

No physical card or further verification.

(comment deleted)
Now I understand why hotels.com charges your credit card, then gives the hotel a different card number to charge.
Hotels.com (Expedia) also has an option to pay the hotel directly. They used to require paying Expedia, and then Expedia pays the hotel, and I am guessing it was to expedite receipt of commissions (since they receive cash immediately and pay hotel the same cash minus commission at a later date).

However, I think the integrations and payment terms with the major hotel brands have gotten good enough that Expedia now prefers to be paid a commission by the hotel. This benefits Expedia as they are no longer wasting money dealing with chargebacks and card processing fees.

FYI, typically, a hotel franchisee will pay 10% to 15% to the hotel brand franchisor (Hilton/marriott/etc), and if the guest uses a travel agent like Expedia or Booking or any of the corporate travel ones, another 15% or more to the travel agent, and then the 3% to the payment processors. So for a guest who reserved via travel agent at a franchised hotel, ~30% of the room rate right off the top will not make it to the hotel itself.

And that is excluding the typical 10% to 20% sales tax the guest pays the government on top of the room rate!

> Hotels.com (Expedia) also has an option to pay the hotel directly. They used to require paying Expedia, and then Expedia pays the hotel, and I am guessing it was to expedite receipt of commissions

Depending on the jurisdiction, if credit card commissions are high and the vendor/hotel aren’t setup for bank transfers, this avoids paying 2x Amex/mastercard/visa commissions.

At least (?) that's in an app. But it's worse. A hotel told me it's sometimes plaintext over email.

https://arstechnica.com/information-technology/2023/02/myste...

That has to be a PCI violation. Maybe it doesn’t have any teeth. The CC networks seem lax with their rules.
I wonder if the hotel uses an incoming-fax-to-email system.
Nice catch! That was indeed something we found about a decade ago when I worked there. I don't recall what the security folks tried to do about it.

Generally, though, more and more hotels shifted from faxes to API integrations via channel managers. But that's a whole extra step in sophistication.

I worked on some of these systems as well. Credit card details haven't been sent by emails for many many years, and I believe the last fax Booking ever sent was somewhere in 2018 or 2019, the whole fax system was decommissioned. By the time I left I believe they were still showing CC details to hotels via the extranet or an app though. A virtual CC thingy exists, but like someone said upthread, hotels are very set in their ways and often behind the times.
Oh hilarious! The business logic for getting optimal routing for faxes was... quirky. Picking the right source country/line/carrier to get the best quality line while getting the lowest cost and balancing capacity. In the old days all held in a complex queue in a MySQL db (sigh). I recall getting paged out of bed a number of times as an escalation to get it all working again after we hit yet another lock contention issue in MySQL.

Good times!

Are you 100% positive on that? Because last time that I saw that number in my family’s old hotel I remember it being “a virtual number” rather than the customer’s real card.

https://partner.booking.com/en-us/help/policies-payments/pay...

The fact that it stores your card is pretty much an unescapable reality. Just like car rentals, they reserve the right to charge you before, during or after your stay, for the booking or for damages.

If this counts as PCI compliance, I'm doing way too much work... How does this possibly count?
I always use virtual numbers.

Too bad that those are not so popular and only few banks activate the service (I believe it's handled by Visa or Mastercard).

(comment deleted)
This sounds more like a problem with banks, to be honest.

Why the hell don't banks get their shit in order? And why am I paying an X% commission for that crap?

Charge backs on "card not present" transactions are incredibly easy.
Within the last few days I booked a hotel on Booking.com and then got a call the next day from the hotel saying they actually don't use the Booking.com anymore (and that their account is inactive so they can't log in) and that I needed to cancel the stay through booking.com (the booking was pay on arrival but I still entered a CC).

I re-booked with the hotel directly through their site (small independently owned hotel in a ski town). The whole process felt _shady_ but also it seems like the owner couldn't find a way to get their Booking.com listing removed. I am regretting not using a virtual card number for the initial booking through Booking.com.

Is this 'virtual card number' something that Booking.com provides as an option to you, or do you have a third-party service for this?
I don't know what kubectl_h does, but I have a virtual card from Revolut
A lot of banks offer those nowadays. Wise has virtual cards and Revolut even has single-use cards, just to mention the most popular ones.
Privacy.com has a 1password integration so I have it create cards instead of filling in my real card

https://blog.1password.com/privacy-virtual-cards/

Just an FYI, Privacy won't help you out if something gets charged fraudulently to a card.

Had a place triple charge me, place ignored all CS attempts from me. Privacy refused to help basically saying all three must have been valid and "they have policies with banks" that meant they "couldn't chargeback".

Isn't that what the spend limit option is for?
While I agree that allowing a fraudulent charge to appear on your card in the first place is user error (they should all be paused when not in use, and anything that remains unpaused should have strict spend limits set to within a dollar), the inconvenience of doing this properly can be too great for someone who makes purchases regularly.

Or someone who uses Amazon at all, because they don't actually charge your card when you make a purchase, they charge it randomly about 6 hours later. This trips me up all the time.

> Just an FYI, Privacy won't help you out if something gets charged fraudulently to a card.

Yes they will. I tried to buy a VPS from OVH, and then they immediately locked my account, demanded ID, and refused to refund. Contacted Privacy support to file a chargeback, and they just gave me an equivalent amount of Privacy credit and said not to worry about it, since an actual chargeback would be far more inconvenient for me.

How large was the fraudulent charge?

privacy.com is not good. one loses the cashback or points. privacy.com wants the bank account details aka access. one loses any credit card related protections like insurance, price protection, charge back, fraud etc.
Your credit card most likely offers the service
For supported cards, this function is built straight into Chrome. Works on my AmEx for example, every time Chrome prompts to auto-fill payment details one of the options is a one-time virtual card that gets automatically handled by Chrome itself. Works a treat!
That seems very shady. Surely there must be a financial institution behind the virtual number, no? Is Chrome a white label for one of these financial services?
Nothing shady, just an alias to your real account #/card number, its got to be supported by your bank and ties back to a real account. Thought it'd been commonplace for quite a while.
nothing shady. you add the actual card number in chrome. chrome saves it. chrome knows this card supports virtual card numbers. at the time of any payment, chrome gives option to autofill card details with actual card or virtual card. if virtual selected, chrome gives/send/syncs that virtual card with issuer/original card.

capital one supports it. Amex too.

Is this only on Android, with Google Pay integration? Or desktop Chrome too? News to me!
Capital One makes it very easy to generate virtual card numbers that map to a credit card account.
If a property asks you to cancel your booking on Booking, please make sure that Booking knows the real reason.

(I'm leading a very nomadic lifestyle and I've used Booking over 50 times)

I used Booking way more times. I'd say just call support and explain what happened.

Also maybe do not provide card info "for card confirmation". It literally gets just sent to the place in the clear. Many of them print it and keep for who knows how long for anyone to see.

(comment deleted)
> Also maybe do not provide card info "for card confirmation".

I could be wrong but I don't believe I was given the option not to. I was unaware it was sent in the clear until now.

Some listings support pay via Booking now, I prefer those unless I trust the place enough. Otherwise I would choose a debit card that I wouldn't have much balance on.
> It literally gets just sent to the place in the clear.

Nowadays they send a virtual card that has been generated by booking.com to the hotel. The card details of the guest stay with booking.com

A few years I saw paper sheets with my card info printed at the hotel. Good to know it changed
I've used booking.com hundreds of times, but would not recommend using them currently with all of the problems that they have had paying hotels for the past 6 months.
I asked my last two hosts and both told me they had no problems what so ever with booking

Do you know what region/hotels are actually affected by this?

Is it possible they just wanted you to book direct so they don't pay the Booking.com commission?
Maybe, though the owner seemed legitimately annoyed with Booking.com having the listing still active. Their direct price ended up being 10-15% cheaper in any case.
I've heard from friends o friends who use Booking.com that their payment system broke down earlier this year and booking.com still has not paid them hundreds / thousands they are owed. So might be why they're avoiding taking bookings through the site.
> that their payment system broke down earlier this year and booking.com still has not paid them hundreds / thousands they are owed.

"Aw, shucks, the payment system is still broke. Just be a few months before the repair company can be by to fix it. Nothing to worry about here. No need to contact a lawyer or the AG's office." ?

Sounds a lot like the bad-old-days of taxi's where the driver would say "the credit card machine doesn't work.
Copenhagen, 2023. And Uber is banned.
If you booked with Booking, and the hotel called you back, and told you they don't use Booking any more, how do you imagine did they get the information needed to call you back and knew of the booking?

What you have here is commission fraud on behalf of the hotel against Booking.com, and if you call back Booking.com and tell them about it, they will set the hotel straight.

Or you get back to the hotel, tell them you understand how commission fraud works and if they are willing to split that commission (18%) half and half with you.

> how do you imagine did they get the information needed to call you back and knew of the booking?

Maybe booking.com sends an email to the hotel, but they legitimately don't have the login credentials to cancel the reservation?

Had this. That was exactly what happened to me. It was refunded and I decided never to use booking.com ever again.
Good choice, for several reasons.
This was it. They add calendar events too apparently.
There's 0% chance this is what happened. Hotels can get in touch with booking easily by phone or e-mail to fix any login issues, or to delist from booking if they don't want to be partners. Also, why would they have to log in? Booking.com sends their invoices by e-mail as well.

This case was commission fraud by the hotel against booking.com

IIRC when I worked at booking until 2017, they had already stopped the practice to share customer data via email for privacy+security reasons years ago.
All reservations are forwarded to the hotel; otherwise, how does the hotel know who’s coming?
> Or you get back to the hotel, tell them you understand how commission fraud works and if they are willing to split that commission (18%) half and half with you.

That sure sounds like a crime in itself, no?

It sounds ridiculous. You pay that 18% so how would they even split it?
> You pay that 18% so how would they even split it?

You don’t. You cancel on Booking.com and then pay the hotel 90% of what Booking quoted.

Booking.com hasn't paid some hotelliers for months, so there you have it. It's not comission fraud, it's either loss mitigation or the very same scam that the article describes.

https://www.theguardian.com/business/2023/oct/01/booking-com...

Having been scammed by booking.com car rentals myself, I see no surprises there.

Ouch:

> an Australian running a two-bedroom villa in Bali [--] managed to get paid out last week for the A$11,000 she was owed since March by tracking down a finance officer on Facebook.

More likely you'll be staying for free and they might toss in a dinner. They live and die by booking.com/hotels.com/expedia etc.

Then again: these 'new middlemen' are all equally shady themselves.

(comment deleted)
How would splitting a commission that you pay for anyway even work?
You cancel the original booking then place a second one direct with the hotel at cost A-(A-B)/2.

I've done this many times (not exactly the same, see below) with AirBnB and Redweek rentals -- once you get to know the property owner by staying there once or twice through Redweek they will happily agree to a better rate to deal direct.

> commission fraud

Is it fraud? Sounds like bog-standard disintermediation.

(comment deleted)
In my industry, we are seeing skillful phishing attempts compromising experienced and well-connected businesses. Those connections are immediately leveraged to strike again.

The MO is the same as described in the article -- a well-crafted email with a link to a file in a respected cloud host.

Is there a centralized place (FBI ?) to report these attacks? The bad actors will be obvious in aggregate.

I work in this industry and the rate of fraud from bcom bookings is massively higher than other channels.
>Criminals then send a Google Drive link to the staff saying that it contains an image of the passport. Instead the link downloads malware on to staff computers and automatically searches the hotel computers for Booking.com access.

How does clicking a link install and run an executable?

There are many scams in vacation rentals, of which Booking has many. However, there are fewer scams when booking via the big sites, Airbnb, Vrbo, and Booking.

https://HiChee.com lets hosts "verify" their listings to offer book direct pricing. Plus, guests can pick which platform has the lowest price for a chosen rental.

I fell for this, though I realised it was a scam in time and locked my card quickly enough that I didn't lose any money.

I'm pretty sure it's the first time, in over 20 years of using the internet, that I've fallen for a phishing scam.

It completely gets through your defences because the message is sent via the Booking.com app and is about a legit hotel booking you've made. Very nasty.

But very poor of Booking.com to not be better at detecting these messages. The first consumer reports I can find about this scam go back to January [1], and it shouldn't need very sophisticated text classification to recognise and block them.

More details about the scam here [2].

[1] https://insideflyer.co.uk/2023/01/beware-of-this-booking-com...

[2] https://perception-point.io/blog/booking-com-customers-hit-b...

I got one like the second link you posted a few months ago.

Had a trip booked to Japan, multiple hotels reserved with booking and Agoda.

At some point I received one of those messages, which arrived directly through Booking's system. As mentioned in the article it's not even though SMS -- technically it did come to my email but just as an email copy of the message from their system.

The oddest thing was that a couple days later I got a follow-up message with a profile icon matching the hotel, but a message written as if from a customer, and they said something about trying the spam link, putting their CC info in, and nothing happening.

I wasn't sure if that was the scammer trying to impersonate a customer or if somehow another customer was attached to my message thread.

If the latter, I'd surmise that Booking's message underlying system is email and somehow when the scam was sent out, it was done with cc or bcc to a set of customers rather than only me.

If the former, it doesn't really make sense to act like it didn't work otherwise the targeted customer is less likely to try it.

So odd.

Well if it is through Booking.com message system it’s their problem not yours. The card would promptly get you a chargeback if they charged you