Finding the source of credit card fraud, and not really caring


Back in January I received a fraud alert from Chase, letting me know of unauthorized charges on my primary travel card. It was mildly annoying but the new card arrived quickly as I learned the new number and, generally speaking, it was a non-event. Now I have a pretty good idea where the fraud came from.

Turns out that HEI Hotels & Resorts, owner of 60+ hotels across the country, was the target of hackers who compromised the payment processing software at some 20 of the company’s hotels. I finally saw the list today (thanks, Stephan) and I immediately recognized one of the listed properties.

In 2015 I was working in Nashville for a couple months. I stayed at the Sheraton Music City a few times until I got the proper corporate booking code from the company I was at. And that Sheraton was included in the list of affected hotels during the time I was staying there. Oops.

List of the affected hotels and dates from HEI
List of the affected hotels and dates from HEI

On the one hand, I guess I’m happy to have an idea of where the problem started, though zero chance of confirming that for sure. On the other hand, I can’t say that it really matters all that much. I suppose that’s the real benefit of zero liability to me from the banks and their ability to reissue cards overnight if needed. Sure, I was annoyed to learn a new CC number, but it really made no difference inter end. And it won’t change my booking patterns in the future. Would it change yours?

Never miss another post: Sign up for email alerts and get only the content you want direct to your inbox.


Seth Miller

I'm Seth, also known as the Wandering Aramean. I was bit by the travel bug 30 years ago and there's no sign of a cure. I fly ~200,000 miles annually; these are my stories. You can connect with me on Twitter, Facebook, and LinkedIn.

16 Comments

  1. Yeah, it would change my habits. My example from real life is buying habits, not booking habits, but the principle is the same.

    Back in 2013 in the couple of months when Target had a data breach, I used a Chase Visa card at Target one whole time. Chase detected I was in the affected group, said they saw no evidence of fraud, but wanted to send me a new card anyway. They did, it came, I memorized the new number, and changed all my recurring payments over to it. But Chase said we’ll still leave the old one valid for 30 days just in case you have any more charges out there. On the 29th day – I’m not kidding – I logged into my Chase account and there were $800 of overnight bogus charges from the Minneapolis area, hundreds of miles from where I lived in Wichita. So I called Chase, the bogus charges were written off down to zero liability, and other than learning a new credit card number, notifying them of the fraud, and changing my recurring payments, I was out nothing.

    But I was so mad at Target for letting it happen in the first place to all those people, that I didn’t set foot in one of their stores for a full year. And to this day, I am still not a regular again.

    So yes, to answer your question, things like that do change my habits.

  2. Lodging locations are run by mid sized corporations, not by the name on the door. These firms often are regional or have several regions run by one main office. I assume the run their own billing software and training programs. Ultimately, the real risk is more likely the honesty of the clerk running the front desk!

    1. Mistake number one. Using a debit card at retail. Yes there’s zero liability, but your checking account gets hit first, vs. a credit line.

    1. Similar, the Oracle breach is due to hackers attacking Micros registers and software. You may have not noticed, but you’ll usually see Micros terminals at airport and hotel restaurants and the like.

      Also thanks to Krebs, I’ll avoid Triton ATMs. These are grey independent ATMs that often find in independent convenience stores and hotels. So many loopholes and these are often attacked.

  3. I’m curious @seth if you received notice from the hotel chain of the hack? I’d be more concerned if they didn’t notify any potentially affected customers and if your only notice was from Chase…

  4. I did boycott CVS for a long time after I found out my info had been stolen as part of the big CVS Photo hack (actually a supplier to CVS which also supplied Costco and others). What angered me wasn’t the fact that it happened but the fact that CVS’s communication to me informing me of the breach was a heavily lawyered email that expressed no contrition and provided little information regarding how I could help myself but droned on for paragraphs about why it wasn’t CVS’s fault (because I, as a consumer, should have known that CVS Photo – with CVS’s logo all over it and me redirected there from CVS’s site – really has nothing to do with CVS).

  5. A few months ago I noticed suspicious pending charges on my chase acct and called to notify them. They insisted they were in person charges and not suspicious. Then a few days later someone charged $17k on my card. I of course was not liable. I no longer call Chase about suspicious charges, it’s up to them.

  6. A few years ago I had my wallet stolen, and like you said, the only real inconveinience is having to switch my auto-pay for the monthly bills, update my credit card info for online purchases, etc. That was enough of a hassle that I now have one credit card for recurring monthly bills, another for online ordering (those two cards never leave the house), another one that I carry around for day-to-day expenses, and one that i use when travelling, and another one that I use for international travel — the day-to-day card doesn’t come with me at all when I travel. This way, if there ever is a problem, things are somewhat contained, and the hassle factor is much less.

    I also did the same thing with my debit cards – I have one account to use as a day-to-day card, and another for travel (from separate banks.) For the travel account, I keep only as much money in there as I’ll be withdrawing, otherwise, the account is empty. This came in handy a few years ago when an ATM I used overseas had been hacked and someone stole my debit card info and PIN. They got away with very little money (and even that I got back from the bank once I did all of the paperwork.)

Comments are closed.

BoardingArea