NEW YORK (MainStreet) — It is hazardous to your financial health to turn over your credit card information to a hotel.
Remember that when you are booking your summer vacation.
Also See: Hip, Affordable Hotels in the Best Cities
Don't even think about handing over a debit card - that is financial Russian roulette where you may wind up economically dead.
That warning is from Consumer Reports, a leading watchdog, which has issued a frightening alert about "hacker friendly hotels" that practice poor credit card data security that may leave your information vulnerable to attack by cyber criminals.
Also See: Four Seasons Has a New Way to Pamper You: Its Own 757 Jet
Exhibit A is a trio of attacks on Wyndham Worldwide - operator of 7,000 hotels including Ramada, Days Inn, Super 8, Dream Hotels, and Wyndham Hotels. The Federal Trade Commission in a complaint alleges that Wyndham computer systems were breached in April 2008, March 2009 and again in 2009 by a gang of Russian hackers. The Russians, said the FTC, made off with information on 619,000 accounts.
According to the FTC, "Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network... In addition, the defendants allowed improper software configurations which resulted in the storage of sensitive payment card information in clear readable text."
Also See: Headed to Europe? What You Need to Know About Credit Card Technology
Wyndham, for its part, has sought to get the FTC lawsuit dismissed on jurisdictional grounds. That has been rejected by the court and the case is scheduled to go to trial.
Wyndham is not alone. The latest Verizon 2014 Data Breach Investigations Report bluntly said: "The industries most commonly affected by POS [Point of Sale] intrusions are of no surprise: restaurants, hotels, grocery stores, and other brick-and-mortar retailers are all potential targets."
Hotels in particular are emerging as tasty targets for criminals. Their guests, almost by definition, have money to spend and that is proven by their staying in a hotel.
Tune into the breach at 14 hotels managed by White Lodging, a large hotel management company based in Merrillville, Ind. Over a span from March 20 to December 16 2013, a number of Marriott, Westin and Renaissance hotels managed by White Lodging were continuously breached.
In the White Lodging case, apparently the breach impacted only guests who used payment cards at the hotel food and beverage facilities. Said White Lodging in a prepared statement, "The preliminary results of the forensic review do not indicate the presence of malicious software on the property management system used at the front desk to process room charges."
On the other hand, White Lodging properties were breached for some nine months without the company's detection of the problem - so take their assurances in that context.
In 2010, Englewood, Co. based management company Destination Hotels - which then managed around 30 properties - said that it had suffered a breach that stole credit card information on guests in 21 of its hotels.
The list could go on.
Fact: "There is huge variability in security standards among hotels," said Hugh Thompson, chief security strategist at Blue Coat Systems, a cyber security company in Sunnyvale, Calif.
There's a sense among many in security that - post the Wyndham FTC filing and the White Lodging embarrassment - the big chains and large hotel management companies have accepted that data breaches have to be defended again and they have accordingly upped their defenses.
Particularly vulnerable to breaches are "the small chains and mom and pop hotels," said Anthony DiBello, a security expert with Guidance Software in Pasadena, Calif. "They may be running old, unpatched computers. They don't have a computer security professional on staff."
He added, "They think, who would target me?" But there is evidence that skilled hackers are moving down the food chain, trying less to penetrate well-defended big name brands and aiming instead at tiny outfits that are doing little to defend their credit card data.
"The bulk of hospitality has a long way to go," said DiBello.
Thompson threw out another, big worry: "The insider threat problem is underaddressed."
Hackers are not the only problem, they may not even be the biggest. The hotel employee with a credit card skimmer - it copies the personal information on the magnetic stripe, so a duplicate of the card can be printed out - or maybe simply with a USB stick for downloading credit card payment files is a giant problem but, suggested Thompson, many hotels do not have that issue on their radar.
That leaves guests in great jeopardy.
What can you do to defend yourself? When checking in, said Consumer Reports, ask to see the hotel's "Attestation of Compliance," a document they are required to have and which says they have met the prevailing security standards as of the date of issuance. It is not typical for a guest to request this but, said Consumer Reports, it sees no good reason why a hotel would not show it. Mention them when you ask to see it. That may add weight.
Yours refuses? Some experts now advise using low value prepaid cards when staying at hotels and to keep tossing ones that are used up and buying new. That accomplishes two things: the value on the card is controlled and old cards are no longer in use and have no value at all.
For its part, Consumer Reports advises only paying with a credit card at hotels because disputes generally resolve in the consumer's favor and consumer defenses are high.
As for debit cards - which offer substantially less protection than do credit cards -- Consumer Reports said, don't use them at hotels. "Avoid paying by debit card at suspect hotels. But if you must use your debit card, use it as a credit card, which means that you select the 'credit' option on many card readers—even though you're using a debit card—and sign to authorize your payment instead of punching in a PIN number."
That will accord you protections granted credit card users.
And whatever you do, if you stay in hotels even a little, closely monitor charges on whichever cards you use at them. That's how to dodge getting stuck with fraudulent use of your credentials.
--Written by Robert McGarvey for MainStreet