Recently, I was working on a project with a similar business model to hotel booking websites such as LateRooms.com and Booking.com:
The customer reserves a “room” from a third party. The customer pays at the hotel. Failure to show, results in customers card being charged.
I was intrigued about how the others got this process to work, and naturally went about finding out, and doing some research.
Despite me thinking there was some kind of repeated pre-auth happening on the customers credit card until day of booking, I was concerned, and almost horrified when I discovered how these sites handle the process.
This is what actually happens on the above mentioned sites (and others not listed)
Customer makes booking on secure site. Reassured the way through that the site is using SSL encryption etc…
Customer submits their credit card details, as security for the booking.
Here’s the scary part:
The booking website then faxes the hotel details of your booking, along with your credit card number, address, CV2, and expiry date (all the details required to complete a card not present transaction)
How did I discover this?
By signing up as a hotel, and reading how their process worked!
Naturally, I was worried, so i emailed one of the sites, asking them to confirm how the process works as a customer.
Here’s part of their response:
When your booking is processed via *********.com, the information you supply is securely sent to your chosen hotel via fax. Several other companies use this same method of transfer however, we are looking at implementing a full digital system to transfer card information.
Not all hotels will receive the CVV/CV2 number from us unless they have confirmed that the property is fully PCI/DSS compliant. Any hotel that is not compliant with this does not receive the full card information. The CVV/CV2 number is sent on the first fax only (to compliant properties) and then is omitted from any further faxes and is not held on our systems.
Naturally, this got me thinking: What if fax machine was accessible by other staff? Nosey customers? Joe public?
I’ve stayed in several hotels (some scarily booked on websites such as this) who’s “back room” office I wouldn’t exactly class as secure.
The advantage of working like this for the booking site however is clear:
They don’t actually handle any money. Therefore, reducing their liability for chargebacks etc… They simply invoice the hotel for their commission.
After searching around for apartments for our holiday in Ibiza, I found our apartment on the Holiday-Rentals website. This advert, surprisingly, has now been removed.
I contacted the owner, and had a reply from someone called Jonny Simons ([email protected])
Everything seemed ideal – located in San Antonio, near to Kanya (a bar on the sea front) and Café del Mar etc…
The week before, I asked for the check in details, to which he sent:
Thanks for your email. The office contact number for your check in is +34 638 739 320, please call us when you are leaving the airport so we know when to meet you. I have you down as arriving at 4pm on the island, is that still correct? Please also let us know if your flight is delayed.
We will be meeting you on the road outside the Coastline Cafe, on the LHS of the Cafe as you are facing the sea and will take you up to the apartments from there.
Please make sure that when you are checking in you have the balance in cash of €945 + €500 refundable damages deposit ready or we won´t be able to give you the keys.
The latter we can accept the equivalent in GBP if it´s easier for you.
If you have any questions please let me know.
We got there, checked in, everything seemed fine.
We were instructed how to use the alarm, and lock the door etc…
2 days later (Tuesday, 25th August 2009) we headed out, and, as we did every night, locked the door, set the alarm (pathetically easy alarm code – I won’t post it here), and went off in to town.
We returned to the apartment at about 5am, and that’s when the problems started.
All of us had things missing.
There was absolutely no sign of a break in.
I phoned Monica, the girl who had given us the keys, and she offered absolutely no help what so ever.
I asked her to come to the apartment, and help us (none of us speak Spanish) so we could of done with her talking to the police, but she wouldn’t even come and help.
We scoured the apartment, and found a police report, dated a couple of weeks before, which had the EXACT same thing happen. If only we’d of seen this on our first day! We would of checked straight out!
Eventually, I got hold of Jonny, who offered the same lack of care.
We were blamed for not setting the alarm, or locking the door.
This, is nonsense. There were 5 of us in that apartment, and we ALL know we set the alarm and locked the door.
It is quite obvious to me that it is an inside job of sort. Somone has another key for the apartment, and the alarm code.
They wait for the occupents to head out at night, and enter the apartment, and take everything they can.
I shared my concerns with Jonny:
I’m very disappointed with the lack of customer care we received whilst in Ibiza.
We had the distinct impression that you, nor Monique cared at all. You said you would call us, however never did.
As soon as i rang Monique and asked for help, she immediately tried to blame us!
Like i said, i work in security, and one of the other guys is a CCTV installer, so we’re all clued up on security. The ONLY way someone got into that apartment is with a key, and the alarm code.
Please can you send me the full details of the apartment, including address and booking company name, so I can begin the lengthy process of claiming from our travel insurance.
And got this reply:
Thanks for your email. I am travelling for a few days and will send you the address for the apartment shortly.
Please understand that myself and Monica work directly for the owner of the apartment, and we are the messengers. Everything that you have asked or said to us has been directly referred to him, and any replies have been related back to you. He has sent me a reply to your email below.
´ I appreciate your comments, and I am sorry that you feel you were not properly looked after, however I do not share your point of view.
There is no-one else who has a key to the apartment, and no-one who has the alarm code. As I said to you when you were here, the alarm company confirmed that the alarm was not set when the break in ocurred and that is why it did not trip. I have sent the alarm company to review the system and it is working correctly.
You have compounded your situation over here by denouncing myself, and also Monica, neither of whom are at fault for what happened. We appreciate that there was a break in in the apartment and we are very sorry that it has happened, however, had you set the alarm correctly and put your money in the safe provided, then this situation could have been avoided. ´
Now, let me show you this “safe”
As you can plainly see, after a camera, couple of passports and wallets had been placed in there, it was full.
How we were supposed to fit 5 peoples worth of valuables in there, is anybodies guess.
The question still remains – how did they get in the apartment in the first place?
Simple answer – THEY HAD A KEY!!!!
The full address of the apartment was:
Edificio Luna y Sol, 3,3
C/ Don Bosco s/n
Sant Antoni 07820
And the details we were asked to pay the deposit into are:
Mr George Allen
Paseo Maritimo, San Antonio
IBAN – ES03 0081 7039 01 0001 0763 15
SWIFT – BSABESBB
If this article helps just ONE person from getting conned, It’s been worth my while writing it.
Heres a few more pictures illustrating my point – the MUST of had a key!!!
Now, everybody knows that drinks are pricey in Stockholm… but what does an "average" drink cost?
Well…. depends where you are: GK (Göta Källare) which is in Södermalm (in Medborgarplasten metro station) has an event called 360 on a Friday night. The age limit is 20 according to the door staff, however some people I was talking to in the club were 18/19 They seemed to have a kind of happy hour, where the bottles of beer were 25-30 SEK, a vodka red bull was 98 SEK all night
Left is a receipt from the bar.
Another thing worth noting, most clubs accept payment by debit / credit card. I would recommend getting a Nationwide Flex Account – as you are not charged by the provider for using the card abroad, either in shops or cash machines.
In Stureplan, drinks were a lot more, around 120 – 200 SEK for a vodka Redbull.