A day after Sheilah Reardon checked into the Bellagio Las Vegas, she received an e-mail alert from American Express warning that her credit card had been compromised. Among the fraudulent charges: a $67 bill from an online memorabilia store.
A day later, her friend Jennifer Henderson got a call from a MasterCard representative. Her card number had also been stolen. The thieves had made a $67 charge at the same online store moments after they hit Reardon’s account.
“We had checked into the Bellagio at the same time, side by side,” says Reardon. She and Henderson believe that their credit cards were targeted while they were at the resort — most likely while they were checking in — because it was the only time when their cards were used together. Reardon says that she hadn’t used her card, a “travel-only” Amex, since a trip to Florida last summer.
This kind of identity fraud cost American businesses and consumers $21 billion in 2012, the most recent year for which numbers are available, according to Javelin Strategy & Research. It found 12.6 million victims of identity fraud in the United States that year, the highest level since 2009. Javelin’s figures also include data breaches and other types of fraudulent purchases.
Identity fraud is a perennial concern for travelers, and particularly for hotel guests whose cards are frequently used on the road. But the problem seems to be getting worse, and there’s no quick or easy fix.
Bellagio claims that it takes “strict precautions” to maintain the security of its guests’ digital information. After Reardon complained of the breach, it contacted her multiple times in an effort to take a full report, but she declined to give one, according to the hotel.
“We regret we were unable to utilize our full resources to bring this matter to a more satisfactory conclusion, but maintain that our security measures are effective,” says Mary Hynes, a spokeswoman for the resort.
Reardon, a school administrator from Raynham, Mass., insists that she filed a complaint but didn’t have time for the lengthier debriefing, since she was on vacation. Besides, she says, she was left with the impression that the hotel was indifferent to her and her friend’s problems while they were staying there. “At least they could have pretended to care,” she says.
But Bellagio’s initial response as described by Reardon may be typical of the hotel industry, which is often careless about customer data and dismissive of fraud complaints, say experts and guests.
“Hotels are a massive source of credit card fraud,” says John Sileo, a digital privacy expert who runs the Web site Sileo.com. “In fact, the travel industry in general is ripe for the picking because of a variety of factors, including the distraction of travelers, high usage of credit and debit cards, high turnover of employees, and failure to perform employee background checks.”
Sileo believes that Henderson’s and Reardon’s breaches probably occurred at their hotel, but he can’t be sure who was behind the theft. Their cards may have been compromised while they checked in, with an employee swiping their cards and then feeding the information to someone else. Or someone else standing near the check-in area and using a smartphone could have recorded their card numbers and verbal data, leading to the compromise. “The chances of it not being internal to the hotel — either an employee or a thief standing nearby — are minuscule,” he says.
I checked in with a reader who works in the security department of a major chain hotel in New Orleans about the precautions hotels do and don’t take when it comes to their customers’ security. He said that guests might be shocked if they took a look at the computers being used to check them in. He recently inspected front-desk terminals at his hotels, even though information technology isn’t part of his job.
“They hadn’t been updated in years, with thousands of updates needed,” he says. “I discovered that one computer was filled with adware, which is bad enough, but the other had a full virus network, with keyloggers as well as worms. It had its own database and a way to send guests’ personal information off-site to its own servers.”
For the non-techies out there, keyloggers record what is typed on a computer, including passwords and other sensitive information, and send it to a third party; a worm is a form of computer malware that replicates itself to spread to other computers.
How can hotel guests protect themselves?
“They can’t,” says Robert Siciliano, a security expert who publishes the site BestIDTheftCompanys.com. “Credit cards can’t be protected.”
The only way to minimize the damage is to monitor your credit card statement and report any suspicious activity. A longer-term solution, which is to upgrade credit cards to more expensive and secure chip-and-PIN technology, is on the horizon, but probably not in time for your next hotel visit.
Both Henderson and Reardon quickly verified the fraudulent activity on their cards. Their financial institutions removed the bogus charges, canceled their cards and promptly issued new ones.
The Bellagio, for its part, wasn’t entirely unsympathetic. Even though the guests didn’t complete a formal report, the hotel zeroed out their mandatory $25 a day “resort fee,” which includes in-room high-speed and wireless Internet, in-room local and toll-free calls, fitness center access and airline boarding pass printing.
Over six days, that shaved $150 off each of their bills, which is almost better than an apology.