Thieves develop new way to get credit card numbers at hotels

As posted on March 22, 2013 on

By Brendan Keefe

CINCINNATI - The phone rings in your hotel room late in the evening. It's the front desk calling.

The hotel computers are down and the clerk needs your credit card information again. No need to come down to the front desk, they can take your number over the phone.

But it's not the hotel clerk. It's a scam artist.

"They're calling up and asking for random room numbers," said hotel manager Steve Carlson, manager of a hotel in Florence, Kentucky.

Carlson's hotel has received about a dozen such late night calls. The calls come after 10 p.m. when most guests are in for the night. The thief chooses the late hour hoping the night manager will patch him through without asking for the guest's name.

"No matter the time of day or night, if someone calls you saying they're from the front desk, and want your information, hang up and either call the front desk or walk up to the front desk," Carlson suggested.

The scammers are probably not local. The I-Team found several cases scattered across the country in places like Dallas, Anchorage, Jacksonville and Cincinnati. It could be a sophisticated ring of scam artists who call a hotel in one state before moving on to another hotel in a different state.

Local police departments would not see a trend of such thefts if the scammers are indeed spreading their targets among hundreds of hotels across the nation.

Or they might be in the next room.

Most hotels require outside callers to provide both the room number and guest's name before connecting them to the room. But a thief who rents a room inside the hotel can bypass that security feature by directly dialing room to room and pretending to be calling from the front desk.

That's Carlson's biggest fear as a hotel manager, and he admitted there's nothing he could do to stop it.

As part of our investigation, the I-Team rented a room at the Marriott River Center Hotel in Covington, Ky., which appears to have a new method to stop such scammers. We were not able to dial room to room. In order to reach another guest, we had to call the front desk and provide the room number and guest name, just as outside callers would be required to do.


Even more devious than the front desk scam is the hotel Wi-Fi scam.

The thief sets up his own Internet hotspot on a laptop inside a hotel room, the lobby, or even outside on the street. Computers allow you to give your hotspot any SSID label you want, and thieves either mimic the hotel's own name or use a generic label like "Hotel Wi-Fi."

Apolonio Garcia, a security expert with Healthguard IT Security, set up a demonstration for us inside a Tri-State hotel room.

"If you're in an airport, you can make it an airport hotspot," Garcia said. "If you're in a coffee shop, you can make it the name of the coffee shop. In this case we're in a hotel, so we made it 'Hotel Wi-Fi.'"

Garcia bought a high gain Wi-Fi USB device for $40 and downloaded a free program from the Internet designed for capturing usernames and passwords.

"As soon as someone accesses that, and starts using the Internet, we're able to see and capture everything they're doing," Garcia said.

We're not giving the bad guys ideas. They're already doing this. There are even "how to" videos posted online.

Within minutes, Garcia's fake hotspot was up and running in Room 515. His high-gain antenna provided the strongest Wi-Fi signal to lure more potential victims.

In this case, he denied access to all users but the I-Team. We agreed to be the target, connecting into "Hotel Wi-Fi" and visiting an online shopping web page.

Garcia had his laptop connected to the Internet through his smartphone, so we were shown the real login page for the shopping site. An unsuspecting victim would have no idea that they were connected through the thief's laptop.

As soon as I typed my username and password into the shopping page, it showed up immediately on Garcia's laptop.

Thanks to the illicit program, the laptop was "looking for usernames and passwords, for log-ins, and when it sees them it actually logs them for us to use later," Garcia said.

Credit card numbers could be captured the same way, or the login credentials could be used to order products delivered to any location the thief designates.

Garcia moved his laptop to the lobby bar. While everyone assumed he was a businessman working on his laptop, Garcia was running the closest and most powerful hotspot in the middle of the hotel.

A thief could even duplicate the hotel's real login page by simply copying the HTML code the web browser uses to display the page, then making a few minor changes to redirect the victim's credentials to the thief's computer. The hotel guest would have a seamless web experience with the theft occurring invisibly in the background.

The Marriott River Center follows one of John Matarese's safety tips: The hotel places a high-profile card in the room indicating the name of its legitimate Wi-Fi network, called ibahn. While there's no guarantee a guest wouldn't be tempted to connect to one labeled Hotel Wi-Fi, the ibahn placard does help protect guests by directing them to the right network.

But by not using the hotel's brand to label its network, the hotel leaves the name Marriott open for a potential scammer to set up a fake hotspot using an SSID such as "Marriott Wi-Fi."

Always ask the front desk for the name of the hotel's network when checking in.


After a long day of surfing what you hope is a safe Internet connection in your hotel room, you might get a little hungry. Instead of room service, why not order a pizza using that flyer someone helpfully slipped under your door?

Because it may be a scam.

You call the number on the flyer, give them your credit card over the phone, and the pizza never arrives.

Tourist destinations like Orlando have seen an epidemic of fake pizza flyers. An investigative reporter from the Scripps station in Detroit nearly fell victim to the scam at one Orlando hotel in 2011. The scammers had unwittingly papered the hotel that was hosting a convention for investigative reporters from around the world.

Many tourist hotels now warn guests not to order from a flyer slipped under the door.


Skimmers have been around from several years now, but there's no sign they're going away. A waiter or hotel clerk who has physical possession of your card for a moment can slip the magnetic stripe through a hidden reader that stores the information. Those captured credit card numbers have a real street value, and theft rings can turn out duplicate cards that sell to other thieves for $50-$100 each.

Some skimming devices can be worn on the hip, while others can be installed to piggyback on the legitimate stripe reader built into the cash register or an ATM.


This is a scam even hackers themselves have fallen for.

Charging kiosks have been showing up at hotels, airports and convention halls. They have all the connections required for a quick charge when your phone's battery is running low. Some even have mini lockers with a removable key, giving you a feeling of security.

But the charging port on your smart phone is also the USB jack for transferring data.

Inside the kiosk, there could be a computer programmed to siphon all of your sensitive information from the phone without your knowledge. It's called "juice jacking."

At last year's DefCon hacker convention in Las Vegas, someone set up a fake charging kiosk to demonstrate the threat. Hackers who were on alert for others trying to get into their devices still happily plugged into the charging kiosk without giving it a second thought.

The designers of the demonstration set the kiosk to display a red warning screen soon after a target had been compromised. It read, "you should not trust public kiosks with your smart phone."

The National Security Agency, the government's top eavesdropping spy agency, is so concerned by the kiosk threat, it created a special manual for the NSA's smartphone users, and issued all of them extra chargers so they wouldn't be tempted by a risky charging station.