Finding the source of credit card fraud, and not really caring

Back in January I received a fraud alert from Chase, letting me know of unauthorized charges on my primary travel card. It was mildly annoying but the new card arrived quickly as I learned the new number and, generally speaking, it was a non-event. Now I have a pretty good idea where the fraud came from.

Turns out that HEI Hotels & Resorts, owner of 60+ hotels across the country, was the target of hackers who compromised the payment processing software at some 20 of the company’s hotels. I finally saw the list today (thanks, Stephan) and I immediately recognized one of the listed properties.

In 2015 I was working in Nashville for a couple months. I stayed at the Sheraton Music City a few times until I got the proper corporate booking code from the company I was at. And that Sheraton was included in the list of affected hotels during the time I was staying there. Oops.

List of the affected hotels and dates from HEI
List of the affected hotels and dates from HEI

On the one hand, I guess I’m happy to have an idea of where the problem started, though zero chance of confirming that for sure. On the other hand, I can’t say that it really matters all that much. I suppose that’s the real benefit of zero liability to me from the banks and their ability to reissue cards overnight if needed. Sure, I was annoyed to learn a new CC number, but it really made no difference inter end. And it won’t change my booking patterns in the future. Would it change yours?

Never miss another post: Sign up for email alerts and get only the content you want direct to your inbox.

16 Responses

  1. Keith Murray
    Keith Murray at |

    Yeah, it would change my habits. My example from real life is buying habits, not booking habits, but the principle is the same.

    Back in 2013 in the couple of months when Target had a data breach, I used a Chase Visa card at Target one whole time. Chase detected I was in the affected group, said they saw no evidence of fraud, but wanted to send me a new card anyway. They did, it came, I memorized the new number, and changed all my recurring payments over to it. But Chase said we’ll still leave the old one valid for 30 days just in case you have any more charges out there. On the 29th day – I’m not kidding – I logged into my Chase account and there were $800 of overnight bogus charges from the Minneapolis area, hundreds of miles from where I lived in Wichita. So I called Chase, the bogus charges were written off down to zero liability, and other than learning a new credit card number, notifying them of the fraud, and changing my recurring payments, I was out nothing.

    But I was so mad at Target for letting it happen in the first place to all those people, that I didn’t set foot in one of their stores for a full year. And to this day, I am still not a regular again.

    So yes, to answer your question, things like that do change my habits.

  2. Stephen Evans
    Stephen Evans at |

    Their fees they pay to the merchant/cc companies will make them care, but only about the fees not their customers.

  3. justinbachman
    justinbachman at |

    Doing this twice in nine months tells me they don’t actually care about account security at Chase.

  4. charles
    charles at |

    Lodging locations are run by mid sized corporations, not by the name on the door. These firms often are regional or have several regions run by one main office. I assume the run their own billing software and training programs. Ultimately, the real risk is more likely the honesty of the clerk running the front desk!

  5. Sebastian White
    Sebastian White at |

    I had my debit card number used Saturday at Dunkin in the Bronx. Can you imagine?!

    1. Blandon Belushin
      Blandon Belushin at |

      Your bank should be suspicious if your card is used north of 23rd St!

    2. Neil Herland
      Neil Herland at |

      I miss Dunkin

    3. askmrlee
      askmrlee at |

      Mistake number one. Using a debit card at retail. Yes there’s zero liability, but your checking account gets hit first, vs. a credit line.

  6. Ozaer Najim
    Ozaer Najim at |

    1018.11??? dont they know WM doesn’t take Vanilla cards anymore??

  7. Glenn
    Glenn at |

    Not sure in this case, but apparently a bunch of the hotel breaches are due to VISA itself, or more precisely Oracle:

    http://krebsonsecurity.com/2016/08/visa-alert-and-update-on-the-oracle-breach/

    Meaning that in those cases anyway, you can’t really blame the hotel management company. Doesn’t make it right of course.

    1. askmrlee
      askmrlee at |

      Similar, the Oracle breach is due to hackers attacking Micros registers and software. You may have not noticed, but you’ll usually see Micros terminals at airport and hotel restaurants and the like.

      Also thanks to Krebs, I’ll avoid Triton ATMs. These are grey independent ATMs that often find in independent convenience stores and hotels. So many loopholes and these are often attacked.

  8. Chris Rauschnot
    Chris Rauschnot at |

    $75 at a cinema?!

  9. Sice
    Sice at |

    I’m curious @seth if you received notice from the hotel chain of the hack? I’d be more concerned if they didn’t notify any potentially affected customers and if your only notice was from Chase…

  10. Seth Kaplan
    Seth Kaplan at |

    I did boycott CVS for a long time after I found out my info had been stolen as part of the big CVS Photo hack (actually a supplier to CVS which also supplied Costco and others). What angered me wasn’t the fact that it happened but the fact that CVS’s communication to me informing me of the breach was a heavily lawyered email that expressed no contrition and provided little information regarding how I could help myself but droned on for paragraphs about why it wasn’t CVS’s fault (because I, as a consumer, should have known that CVS Photo – with CVS’s logo all over it and me redirected there from CVS’s site – really has nothing to do with CVS).

  11. Nick
    Nick at |

    A few months ago I noticed suspicious pending charges on my chase acct and called to notify them. They insisted they were in person charges and not suspicious. Then a few days later someone charged $17k on my card. I of course was not liable. I no longer call Chase about suspicious charges, it’s up to them.

  12. Gizmosdad
    Gizmosdad at |

    A few years ago I had my wallet stolen, and like you said, the only real inconveinience is having to switch my auto-pay for the monthly bills, update my credit card info for online purchases, etc. That was enough of a hassle that I now have one credit card for recurring monthly bills, another for online ordering (those two cards never leave the house), another one that I carry around for day-to-day expenses, and one that i use when travelling, and another one that I use for international travel — the day-to-day card doesn’t come with me at all when I travel. This way, if there ever is a problem, things are somewhat contained, and the hassle factor is much less.

    I also did the same thing with my debit cards – I have one account to use as a day-to-day card, and another for travel (from separate banks.) For the travel account, I keep only as much money in there as I’ll be withdrawing, otherwise, the account is empty. This came in handy a few years ago when an ATM I used overseas had been hacked and someone stole my debit card info and PIN. They got away with very little money (and even that I got back from the bank once I did all of the paperwork.)