Not really. In the article it says hackers are getting malware onto the hotel's computers using social engineering. That's really hard to counteract. They could steal cookies, or also just control the existing session using the malware. 2fa won't help if you're already logged in and the hacker hacks your computer.
Booking is the largest and thus a juicy target for both attackers and articles. Having worked there, I know that competitors had the same problems though.
If you have malware on the hotel computers presumably you could make the malware make the request.
You can't get too aggressive with your geo/browser checks because there are probably a lot of legitimate logins where the owner is doing some work from home or from a different location.
I mean if the malware has total control of the computer, there is nothing you can do. But if it’s just stealing cookies, then there’s already a lot of existing technologies to prevent that.
And 'after hours' if you happen to come by the front desk it isn't all that rare to see the computers up and running but unattended because the desk clerk stepped away for a moment.
The hotel gets "an" account for Booking. We now need to provide a 2FA credential that essentially needs to be accessed by any hotel front desk/office staff. What methods do we use for "many 2FA, one account"? (And then, how do all those second-factors get secured? Email accounts? Shared phones? Shared token? Shared Authenticator?).
It's probably bad enough the password's probably on a post-it under the front desk keyboard, but I don't think the average hotelier is going to be standing up something like Delinea Secret Server. ;)
The ideal solution is that each of the front desk / office staff use their work credentials to access booking.com. One customer accounts, many user accounts. Use OIDC so you’re not entering your work password on booking.com.
I know it’s not gonna happen industry-wide. But this is how we do things everywhere I’ve worked for the past many years.
"We" don't. "We" need to create individual accounts for each eligible staff member and provide each with a 2FA system, for example a Fido key or a TOTP auth app, or an app that uses push notifications and asks for a "yes".
A Booking.com spokesman said: "While this breach was not on Booking.com, we understand the seriousness for those impacted, which is why our teams work diligently to support our partners in securing their systems as quickly as possible and helping any potentially impacted customers accordingly, including with recovering any lost funds."
I call BS. It's Booking.com's responsibility to ensure that the people logging into their portal are the actual hoteliers. Time to mandate 2FA.
That's not Booking.com's fault though. Many hotels are hopelessly behind the times and they don't have the capability to process the charges any other way and so there is quite a bit of pressure on booking.com to keep this functionality alive. This is a problem all over the hospitality industry. At least PCI/DSS compliance ensures that there is some minimum level of security involved and ultimately the merchant that is the recipient of that information is on the hook for all of the charges they make if you should dispute them. Credit cards have more consumer protection built in than most other forms of payment.
If they wouldn't send the card information 'in plain text' it would be useless to the hotel. And every time you visit a hotel and hand them your card they tend to make an imprint of the card, the only thing the hotel doesn't have is the CVC and in the normal flow this isn't exposed, only when you escalate to some level of exception (and I'm not sure what the criteria are for that).
Kinda is their fault... the recipient might be the dictator but the sender can choose not to play or can display a checkbox to consumers authorizing an unsafe transmission so they can make an informed decision. Instead they just do it and you assume the store is secure because isn't store security mostly a solved problem at this point?
Those of us who transact directly with the hotel instead of booking agents stay winning I guess.
I am not a marketing professional but what about something like this. "Our booking service is xxx MM consumer's first choice for planning trips. Get access to our customer base and reduce administrative workload by adding our integration to your point of sale system. 4 competitors within 5 miles of you are already booking with us!"
They already do so. The card data is not stored 'in plain text', but encrypted at rest. But for the Hotels there are interfaces that allow these to be exposed to the Hotel employees (accesses of such information are logged). Just prior to displaying them they are decrypted.
For the “encrypted at rest” statement I guess it depends on your definition of “at rest”. Email passes through many hands, and random mom-and-pop shops definitely aren’t using PGP. So any emailed credit card information is being stored on many different computers. In theory those kinda of logs should be purged regularly, but who knows.
It's 2023 and my credit card is left wide open to fraud and booking.com facilitates this. I presume when you choose "pay at the hotel" and have to enter your full details including CVC, this is in order for the hotel to charge you in the case you decide to not pay. But in that case booking.com should handle the dispute, as opposed to introducing another compromise vector for any attacker. I've literally seen my details printed on paper at a small hotel in Tyrol. God knows what security they are running at the front-desks at these places.
That flaw is inherent in credit cards and you as the user have a dispute process at your disposal for charges that you don't want to be on the hook for.
The CVC is just slightly less problematic than the rest of the card data.
And that small hotel in Tyrol is probably ok, but I had my card cloned within minutes of eating at a restaurant in Toronto. The whole concept of a bunch of numbers that allow for arbitrary charges against you is flawed.
Booking.com doesn't facilitate fraud any more than your credit card company does, and so far I've been able to successfully dispute every charge that I did not agree with on my card. The day that changes I'll stop using them entirely.
And even though I've not worked there in many years, I can tell you with extreme certainty that booking doesn't do that. They're also (hopefully obviously!) PCI compliant.
And they do not. What they do do is offer a portal where the hotel can look this information up and they very explicitly caution against photographing or doing other stuff to that number other than to enter it into their POS to perform some transaction.
I’ve been to hotels in Brazil where they literally copy your CC information completely into a text box in the hotel’s check in system. After that experience once, never ever again…
> And every time you visit a hotel and hand them your card they tend to make an imprint of the card
I haven't had my card imprinted (or, later, photocopied) in hotels since a long time. Now it's just a pre-authorization.
Although recently I had my credit card photocopied by a car rental agency so they would be able to phone the card processor and cancel the pre-auth manually. Absolute madness.
> the only thing the hotel doesn't have is the CVC
Considering the most recent credit cards that I have been issued, most lost the embossing and now print the PAN on the back together with the CVC, so if some hotel photocopies the card - as nobody have the imprinters anymore - the CVC is there. This also applies to the last embossed card that I have in my wallet, an Amex card, which always had the CVC on the front that wasn't captured with an imprinter. Now with photocopiers, it is.
Probably meant sending the payment details without tokenization, which in practice means sending a merchant-specific (in case of this one, hotel-specific) card details (https://www.emvco.com/emv-technologies/payment-tokenisation/). A lot of hotels, for some reason that I still don't know, are still relying on MOTO methods to process payments, and MOTO requires the whole card number/PAN, name on file, expiry, and CVV to be sent (which I encounter from-time-to-time because my non-MOTO Mastercard is being rejected for being too weird). Combine that with the fact that US cards don't really enforce 3DS means that you'll have a card number bonanza usable for most American stores.
Every time I've reserved a hotel room with Booking.com, the payment has required 3-D Secure verification. For me, this involves entering my VISA card's PIN into a card reader, thus needing both physical access to my card and knowledge of my PIN. That might not be very much consolation, but it's at least some protection against having your account fraudulently drained.
Just last month I reserved on Booking.com, arrived at the hotel and to my surprise they said "we already charged you with the card you have on Booking".
Charge came from Panama (the country) and the hotel isn't anywhere near.
Hotels.com (Expedia) also has an option to pay the hotel directly. They used to require paying Expedia, and then Expedia pays the hotel, and I am guessing it was to expedite receipt of commissions (since they receive cash immediately and pay hotel the same cash minus commission at a later date).
However, I think the integrations and payment terms with the major hotel brands have gotten good enough that Expedia now prefers to be paid a commission by the hotel. This benefits Expedia as they are no longer wasting money dealing with chargebacks and card processing fees.
FYI, typically, a hotel franchisee will pay 10% to 15% to the hotel brand franchisor (Hilton/marriott/etc), and if the guest uses a travel agent like Expedia or Booking or any of the corporate travel ones, another 15% or more to the travel agent, and then the 3% to the payment processors. So for a guest who reserved via travel agent at a franchised hotel, ~30% of the room rate right off the top will not make it to the hotel itself.
And that is excluding the typical 10% to 20% sales tax the guest pays the government on top of the room rate!
> Hotels.com (Expedia) also has an option to pay the hotel directly. They used to require paying Expedia, and then Expedia pays the hotel, and I am guessing it was to expedite receipt of commissions
Depending on the jurisdiction, if credit card commissions are high and the vendor/hotel aren’t setup for bank transfers, this avoids paying 2x Amex/mastercard/visa commissions.
I worked on some of these systems as well. Credit card details haven't been sent by emails for many many years, and I believe the last fax Booking ever sent was somewhere in 2018 or 2019, the whole fax system was decommissioned. By the time I left I believe they were still showing CC details to hotels via the extranet or an app though. A virtual CC thingy exists, but like someone said upthread, hotels are very set in their ways and often behind the times.
Oh hilarious! The business logic for getting optimal routing for faxes was... quirky. Picking the right source country/line/carrier to get the best quality line while getting the lowest cost and balancing capacity. In the old days all held in a complex queue in a MySQL db (sigh). I recall getting paged out of bed a number of times as an escalation to get it all working again after we hit yet another lock contention issue in MySQL.
Are you 100% positive on that? Because last time that I saw that number in my family’s old hotel I remember it being “a virtual number” rather than the customer’s real card.
The fact that it stores your card is pretty much an unescapable reality. Just like car rentals, they reserve the right to charge you before, during or after your stay, for the booking or for damages.
Within the last few days I booked a hotel on Booking.com and then got a call the next day from the hotel saying they actually don't use the Booking.com anymore (and that their account is inactive so they can't log in) and that I needed to cancel the stay through booking.com (the booking was pay on arrival but I still entered a CC).
I re-booked with the hotel directly through their site (small independently owned hotel in a ski town). The whole process felt _shady_ but also it seems like the owner couldn't find a way to get their Booking.com listing removed. I am regretting not using a virtual card number for the initial booking through Booking.com.
Just an FYI, Privacy won't help you out if something gets charged fraudulently to a card.
Had a place triple charge me, place ignored all CS attempts from me. Privacy refused to help basically saying all three must have been valid and "they have policies with banks" that meant they "couldn't chargeback".
While I agree that allowing a fraudulent charge to appear on your card in the first place is user error (they should all be paused when not in use, and anything that remains unpaused should have strict spend limits set to within a dollar), the inconvenience of doing this properly can be too great for someone who makes purchases regularly.
Or someone who uses Amazon at all, because they don't actually charge your card when you make a purchase, they charge it randomly about 6 hours later. This trips me up all the time.
> Just an FYI, Privacy won't help you out if something gets charged fraudulently to a card.
Yes they will. I tried to buy a VPS from OVH, and then they immediately locked my account, demanded ID, and refused to refund. Contacted Privacy support to file a chargeback, and they just gave me an equivalent amount of Privacy credit and said not to worry about it, since an actual chargeback would be far more inconvenient for me.
privacy.com is not good. one loses the cashback or points. privacy.com wants the bank account details aka access. one loses any credit card related protections like insurance, price protection, charge back, fraud etc.
For supported cards, this function is built straight into Chrome. Works on my AmEx for example, every time Chrome prompts to auto-fill payment details one of the options is a one-time virtual card that gets automatically handled by Chrome itself. Works a treat!
That seems very shady. Surely there must be a financial institution behind the virtual number, no? Is Chrome a white label for one of these financial services?
Nothing shady, just an alias to your real account #/card number, its got to be supported by your bank and ties back to a real account. Thought it'd been commonplace for quite a while.
nothing shady. you add the actual card number in chrome. chrome saves it. chrome knows this card supports virtual card numbers. at the time of any payment, chrome gives option to autofill card details with actual card or virtual card. if virtual selected, chrome gives/send/syncs that virtual card with issuer/original card.
I used Booking way more times. I'd say just call support and explain what happened.
Also maybe do not provide card info "for card confirmation". It literally gets just sent to the place in the clear. Many of them print it and keep for who knows how long for anyone to see.
Some listings support pay via Booking now, I prefer those unless I trust the place enough. Otherwise I would choose a debit card that I wouldn't have much balance on.
I've used booking.com hundreds of times, but would not recommend using them currently with all of the problems that they have had paying hotels for the past 6 months.
Maybe, though the owner seemed legitimately annoyed with Booking.com having the listing still active. Their direct price ended up being 10-15% cheaper in any case.
I've heard from friends o friends who use Booking.com that their payment system broke down earlier this year and booking.com still has not paid them hundreds / thousands they are owed. So might be why they're avoiding taking bookings through the site.
> that their payment system broke down earlier this year and booking.com still has not paid them hundreds / thousands they are owed.
"Aw, shucks, the payment system is still broke. Just be a few months before the repair company can be by to fix it. Nothing to worry about here. No need to contact a lawyer or the AG's office." ?
If you booked with Booking, and the hotel called you back, and told you they don't use Booking any more, how do you imagine did they get the information needed to call you back and knew of the booking?
What you have here is commission fraud on behalf of the hotel against Booking.com, and if you call back Booking.com and tell them about it, they will set the hotel straight.
Or you get back to the hotel, tell them you understand how commission fraud works and if they are willing to split that commission (18%) half and half with you.
There's 0% chance this is what happened. Hotels can get in touch with booking easily by phone or e-mail to fix any login issues, or to delist from booking if they don't want to be partners. Also, why would they have to log in? Booking.com sends their invoices by e-mail as well.
This case was commission fraud by the hotel against booking.com
IIRC when I worked at booking until 2017, they had already stopped the practice to share customer data via email for privacy+security reasons years ago.
> Or you get back to the hotel, tell them you understand how commission fraud works and if they are willing to split that commission (18%) half and half with you.
Booking.com hasn't paid some hotelliers for months, so there you have it. It's not comission fraud, it's either loss mitigation or the very same scam that the article describes.
> an Australian running a two-bedroom villa in Bali [--] managed to get paid out last week for the A$11,000 she was owed since March by tracking down a finance officer on Facebook.
You cancel the original booking then place a second one direct with the hotel at cost A-(A-B)/2.
I've done this many times (not exactly the same, see below) with AirBnB and Redweek rentals -- once you get to know the property owner by staying there once or twice through Redweek they will happily agree to a better rate to deal direct.
In my industry, we are seeing skillful phishing attempts compromising experienced and well-connected businesses. Those connections are immediately leveraged to strike again.
The MO is the same as described in the article -- a well-crafted email with a link to a file in a respected cloud host.
Is there a centralized place (FBI ?) to report these attacks? The bad actors will be obvious in aggregate.
>Criminals then send a Google Drive link to the staff saying that it contains an image of the passport. Instead the link downloads malware on to staff computers and automatically searches the hotel computers for Booking.com access.
How does clicking a link install and run an executable?
There are many scams in vacation rentals, of which Booking has many. However, there are fewer scams when booking via the big sites, Airbnb, Vrbo, and Booking.
https://HiChee.com lets hosts "verify" their listings to offer book direct pricing. Plus, guests can pick which platform has the lowest price for a chosen rental.
I fell for this, though I realised it was a scam in time and locked my card quickly enough that I didn't lose any money.
I'm pretty sure it's the first time, in over 20 years of using the internet, that I've fallen for a phishing scam.
It completely gets through your defences because the message is sent via the Booking.com app and is about a legit hotel booking you've made. Very nasty.
But very poor of Booking.com to not be better at detecting these messages. The first consumer reports I can find about this scam go back to January [1], and it shouldn't need very sophisticated text classification to recognise and block them.
I got one like the second link you posted a few months ago.
Had a trip booked to Japan, multiple hotels reserved with booking and Agoda.
At some point I received one of those messages, which arrived directly through Booking's system. As mentioned in the article it's not even though SMS -- technically it did come to my email but just as an email copy of the message from their system.
The oddest thing was that a couple days later I got a follow-up message with a profile icon matching the hotel, but a message written as if from a customer, and they said something about trying the spam link, putting their CC info in, and nothing happening.
I wasn't sure if that was the scammer trying to impersonate a customer or if somehow another customer was attached to my message thread.
If the latter, I'd surmise that Booking's message underlying system is email and somehow when the scam was sent out, it was done with cc or bcc to a set of customers rather than only me.
If the former, it doesn't really make sense to act like it didn't work otherwise the targeted customer is less likely to try it.
130 comments
[ 2.0 ms ] story [ 229 ms ] threadThe hotel gets "an" account for Booking. We now need to provide a 2FA credential that essentially needs to be accessed by any hotel front desk/office staff. What methods do we use for "many 2FA, one account"? (And then, how do all those second-factors get secured? Email accounts? Shared phones? Shared token? Shared Authenticator?).
It's probably bad enough the password's probably on a post-it under the front desk keyboard, but I don't think the average hotelier is going to be standing up something like Delinea Secret Server. ;)
I know it’s not gonna happen industry-wide. But this is how we do things everywhere I’ve worked for the past many years.
I call BS. It's Booking.com's responsibility to ensure that the people logging into their portal are the actual hoteliers. Time to mandate 2FA.
They will do nothing except of refund if you are scammed by hotel with false advertising.
[1] https://partner.booking.com/en-us/help/policies-payments/gue...
If they wouldn't send the card information 'in plain text' it would be useless to the hotel. And every time you visit a hotel and hand them your card they tend to make an imprint of the card, the only thing the hotel doesn't have is the CVC and in the normal flow this isn't exposed, only when you escalate to some level of exception (and I'm not sure what the criteria are for that).
Those of us who transact directly with the hotel instead of booking agents stay winning I guess.
Third-party aggregators and hotels are a complete shit-show. But as long as I can save $30 on my trip, I will keep using them...
The real solution is for the credit card companies to lay down requirements for these merchants (no storing in plain text).
The CVC is just slightly less problematic than the rest of the card data.
And that small hotel in Tyrol is probably ok, but I had my card cloned within minutes of eating at a restaurant in Toronto. The whole concept of a bunch of numbers that allow for arbitrary charges against you is flawed.
Booking.com doesn't facilitate fraud any more than your credit card company does, and so far I've been able to successfully dispute every charge that I did not agree with on my card. The day that changes I'll stop using them entirely.
https://pcidssguide.com/pci-compliance-and-email-security/
I haven't had my card imprinted (or, later, photocopied) in hotels since a long time. Now it's just a pre-authorization.
Although recently I had my credit card photocopied by a car rental agency so they would be able to phone the card processor and cancel the pre-auth manually. Absolute madness.
> the only thing the hotel doesn't have is the CVC
Considering the most recent credit cards that I have been issued, most lost the embossing and now print the PAN on the back together with the CVC, so if some hotel photocopies the card - as nobody have the imprinters anymore - the CVC is there. This also applies to the last embossed card that I have in my wallet, an Amex card, which always had the CVC on the front that wasn't captured with an imprinter. Now with photocopiers, it is.
How else could it work?
https://blog.payjunction.com/moto-processing-definition
1. Booking request made, Booking.com holds card details
2. Hotel requests payment
3. Booking.com makes transaction from your card to hotel
B)
1) Booking request made
2) Booking.com requires card details for immediate payment to them
3) Booking.com sends money from their account to hotel
C)
1) Booking request made, Booking.com requires guest identity only
2) Hotel takes payment on arrival
The charge comes from Booking itself and I assume they ten transfer the money to the hotel/etc
Charge came from Panama (the country) and the hotel isn't anywhere near.
No physical card or further verification.
However, I think the integrations and payment terms with the major hotel brands have gotten good enough that Expedia now prefers to be paid a commission by the hotel. This benefits Expedia as they are no longer wasting money dealing with chargebacks and card processing fees.
FYI, typically, a hotel franchisee will pay 10% to 15% to the hotel brand franchisor (Hilton/marriott/etc), and if the guest uses a travel agent like Expedia or Booking or any of the corporate travel ones, another 15% or more to the travel agent, and then the 3% to the payment processors. So for a guest who reserved via travel agent at a franchised hotel, ~30% of the room rate right off the top will not make it to the hotel itself.
And that is excluding the typical 10% to 20% sales tax the guest pays the government on top of the room rate!
Depending on the jurisdiction, if credit card commissions are high and the vendor/hotel aren’t setup for bank transfers, this avoids paying 2x Amex/mastercard/visa commissions.
https://arstechnica.com/information-technology/2023/02/myste...
Generally, though, more and more hotels shifted from faxes to API integrations via channel managers. But that's a whole extra step in sophistication.
Good times!
https://partner.booking.com/en-us/help/policies-payments/pay...
The fact that it stores your card is pretty much an unescapable reality. Just like car rentals, they reserve the right to charge you before, during or after your stay, for the booking or for damages.
Too bad that those are not so popular and only few banks activate the service (I believe it's handled by Visa or Mastercard).
Why the hell don't banks get their shit in order? And why am I paying an X% commission for that crap?
I re-booked with the hotel directly through their site (small independently owned hotel in a ski town). The whole process felt _shady_ but also it seems like the owner couldn't find a way to get their Booking.com listing removed. I am regretting not using a virtual card number for the initial booking through Booking.com.
https://blog.1password.com/privacy-virtual-cards/
Had a place triple charge me, place ignored all CS attempts from me. Privacy refused to help basically saying all three must have been valid and "they have policies with banks" that meant they "couldn't chargeback".
Or someone who uses Amazon at all, because they don't actually charge your card when you make a purchase, they charge it randomly about 6 hours later. This trips me up all the time.
Yes they will. I tried to buy a VPS from OVH, and then they immediately locked my account, demanded ID, and refused to refund. Contacted Privacy support to file a chargeback, and they just gave me an equivalent amount of Privacy credit and said not to worry about it, since an actual chargeback would be far more inconvenient for me.
How large was the fraudulent charge?
capital one supports it. Amex too.
(I'm leading a very nomadic lifestyle and I've used Booking over 50 times)
Also maybe do not provide card info "for card confirmation". It literally gets just sent to the place in the clear. Many of them print it and keep for who knows how long for anyone to see.
I could be wrong but I don't believe I was given the option not to. I was unaware it was sent in the clear until now.
Nowadays they send a virtual card that has been generated by booking.com to the hotel. The card details of the guest stay with booking.com
Do you know what region/hotels are actually affected by this?
Found this article from last month about places still waiting for their money with no signs of when or if it might come.
https://www.theguardian.com/travel/2023/nov/10/booking-com-t...
"Aw, shucks, the payment system is still broke. Just be a few months before the repair company can be by to fix it. Nothing to worry about here. No need to contact a lawyer or the AG's office." ?
What you have here is commission fraud on behalf of the hotel against Booking.com, and if you call back Booking.com and tell them about it, they will set the hotel straight.
Or you get back to the hotel, tell them you understand how commission fraud works and if they are willing to split that commission (18%) half and half with you.
Maybe booking.com sends an email to the hotel, but they legitimately don't have the login credentials to cancel the reservation?
This case was commission fraud by the hotel against booking.com
That sure sounds like a crime in itself, no?
You don’t. You cancel on Booking.com and then pay the hotel 90% of what Booking quoted.
https://www.theguardian.com/business/2023/oct/01/booking-com...
Having been scammed by booking.com car rentals myself, I see no surprises there.
> an Australian running a two-bedroom villa in Bali [--] managed to get paid out last week for the A$11,000 she was owed since March by tracking down a finance officer on Facebook.
Then again: these 'new middlemen' are all equally shady themselves.
I've done this many times (not exactly the same, see below) with AirBnB and Redweek rentals -- once you get to know the property owner by staying there once or twice through Redweek they will happily agree to a better rate to deal direct.
Is it fraud? Sounds like bog-standard disintermediation.
The MO is the same as described in the article -- a well-crafted email with a link to a file in a respected cloud host.
Is there a centralized place (FBI ?) to report these attacks? The bad actors will be obvious in aggregate.
How does clicking a link install and run an executable?
https://HiChee.com lets hosts "verify" their listings to offer book direct pricing. Plus, guests can pick which platform has the lowest price for a chosen rental.
I'm pretty sure it's the first time, in over 20 years of using the internet, that I've fallen for a phishing scam.
It completely gets through your defences because the message is sent via the Booking.com app and is about a legit hotel booking you've made. Very nasty.
But very poor of Booking.com to not be better at detecting these messages. The first consumer reports I can find about this scam go back to January [1], and it shouldn't need very sophisticated text classification to recognise and block them.
More details about the scam here [2].
[1] https://insideflyer.co.uk/2023/01/beware-of-this-booking-com...
[2] https://perception-point.io/blog/booking-com-customers-hit-b...
Had a trip booked to Japan, multiple hotels reserved with booking and Agoda.
At some point I received one of those messages, which arrived directly through Booking's system. As mentioned in the article it's not even though SMS -- technically it did come to my email but just as an email copy of the message from their system.
The oddest thing was that a couple days later I got a follow-up message with a profile icon matching the hotel, but a message written as if from a customer, and they said something about trying the spam link, putting their CC info in, and nothing happening.
I wasn't sure if that was the scammer trying to impersonate a customer or if somehow another customer was attached to my message thread.
If the latter, I'd surmise that Booking's message underlying system is email and somehow when the scam was sent out, it was done with cc or bcc to a set of customers rather than only me.
If the former, it doesn't really make sense to act like it didn't work otherwise the targeted customer is less likely to try it.
So odd.