How did my cc get hacked?

[galen_ubal]

Hotel receptionist here.
Does the hotel you book online have access to your actual credit card number that you used to book? It depends on the company you booked with, and how you booked it.
The Expedia group, which includes Expedia, Wotif, Hotels.com, and some others, has a couple of options when you book. What we see is either “Expedia collect booking” or “Hotel collect booking”. If it’s the former, then we get a Virtual Credit Card number good only for the amount of the booking (less Expedia’s cut). If it’s the latter, then we get your credit card number. The difference depends on what type of booking you select when you book online - if you pay immediately, then Expedia sends the virtual number to us, and it’ll be good on the date of arrival. If it’s the latter, then the hotel I work at will ask you for your credit card and process it directly.* Some hotels charge it immediately on receipt of the reservation, but we don’t.
While it’s true that you can only access the guest’s credit card number only so many times on the vendor website (ie, the website that is Expedia’s link to its suppliers), that number drops directly onto our Property Management System, and I can view it as many times as I like. It’ll stay there, even after you’ve gone. The number is obscured on our screen, but all I have to do is click a button and it pops up - and the access is logged somewhere in the system.
The same applies to the Virtual card supplied by the online booking company, but of course that’s dead once it’s been charged to pay for the room.
I have access to literally thousands of credit card numbers, and I work at a small place - it’s a little spooky, sometimes.

So if you’re concerned about someone at the hotel “lifting” your credit card number when you book online, pick the pay immediately, and we’ll never see it.

*Yes, we can read it off the screen, but that’s a pain in the neck, and (IMHO) poor security to boot.

[Riemann]

susan:

I had several cards spoofed over a couple of years. The card security office said it was probably from running random numbers rather than hacking or skimming.

Yup, I’ve had this happen twice in the past few years. The first time I pushed the CC fraud dept for more info, because I wanted to understand how the card had been compromised. They told me that the charge was processed using only the card number, without any confirmatory information such as my name, let alone my billing address or the expiry date of the card or the 3-digit security code. Nothing but a 16-digit number. So the card wasn’t compromised, it was just someone guessing random card numbers. So I asked them - without even my correct name to confirm, why the fuck did the charge get approved then? And they basically shrugged and said “it’s just the way the system works, it’s up to the merchant and sometimes happens”. I have never found any coherent explanation of why the system would ever allow a charge based on someone guessing a random 16-digit number to be approved. Of course you don’t lose any money, but it’s a massive inconvenience to have your card cancelled and reissued under these circumstances.

ETA: not to mention: why should I give a shit about keeping my card secure, if the CC companies don’t give a shit about making any effort at all to confirm the validity of charges?

[kambuckta]

Update: so the bank has already reinstated the funds from the first transaction, just waiting now on the second one of $1250. I don’t anticipate any problems given that both debits were through the same merchant.

[AK84]

One new and unfortunately ingenious method some scammers have, is that they look at your card usage history and make a few transactions based on that. Won’t trip up fraud algorithms and less chance you notice.
Say you make about $500 of purchases a month, an average purchase being $20. They’ll do 2-3 of $20.