My wife looked up from her iPad, where she was routinely reviewing a credit-card statement.
“You’re going to Bogotá?” she asked.
“Not that I know of,” I replied.
“So I’m guessing you also didn’t buy a $10 cup of coffee yesterday in Antelope, California?” she asked.
Most Read Stories
No. The charge of $740.04 for a one-way ticket on Delta Air Lines to Bogotá, Colombia, and the charge for $10.20 at a coffee shop were fraudulent.
We are vigilant in our house about monitoring credit-card activity, especially after traveling, and this was not the first time unauthorized charges had appeared after recent trips. So I immediately got on the phone and reported the problem to the American Express Platinum Card office. The card was invalidated, a fraud investigation began, the charges were removed, and a few days later a new card arrived via FedEx.
Then I called my friend, the security expert Anthony C. Roman, and asked, “Problem solved, right?” Not exactly. “Red alert! Red alert! Red alert!” he responded.
What’s the big deal? Aside from the inconvenience of having to enter the new credit-card information on recurring accounts, the cost to me was zero.
“Well, hopefully it was,” said Roman, president of Roman & Associates, which specializes in investigations and risk-management consulting. He explained, however, that isolated unauthorized charges on your credit-card statement most likely indicate that sophisticated cybercriminals are waiting to see if you will notice.
“What credit-card fraudsters do is test your vigilance, how carefully you’re watching your account, and how carefully the credit-card providers are watching your account. They do this by making relatively small purchases first, to see if it sets off any bells and whistles,” he said. Many frequent travelers are lax about checking activity statements in a timely manner, which flashes a green light to criminal hackers. Then, he said, “Hell or high water, the big charges are coming.”
Worse, he said, a hacked card could indicate that more serious identity theft might have occurred.
Hackers and hotels
In its 2013 Global Security Report, Trustwave, a data-security management firm, says that the top three industries targeted for data-breach attacks in 2012, measured by the number of its investigations, were retailing (45 percent), food and beverage (24 percent) and hotels (9 percent). Three years ago, the hotel industry was at the top, but hotels have since made “significant strides” in improving credit-card security measures, the report says.
Still, criminal hackers gravitate to some hotels because, like retail stores and restaurants, hotels do many credit-card transactions at a local level, where centralized and highly sophisticated data-security safeguards may be lacking. Last year, for example, the Federal Trade Commission sued Wyndham Worldwide, the hotel chain, for what it said was inadequate safeguarding of credit-card information that led to three data breaches at hotels in under two years, with “millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”
Wyndham responded that it had done all it could to report the crimes and carry out “significant remedial measures.” The company also charged that the commission had overstepped its authority and its expertise in hotel data-security enforcement.
Most hotels are locally owned, though managed by big hotel-chain companies. For hotel owners, it is expensive to come into full compliance with the tough global data-security criteria set by the credit-card companies. And, Trustwave says, “Cybersecurity threats are increasing as quickly as businesses can implement measures against them.”
The threat is constant, Roman said. “The best protection is vigilance, and that takes work,” he said. That includes using complex passwords, being wary of public Wi-Fi, updating anti-virus software — and checking credit-card statements carefully.