Pete Finnigan's Oracle Security Weblog

Credit card security should be important for all those concerned with handling and processing credit cards. My company does security audits of Oracle databases and we quite often get involved in credit card security. We are not QSA's and are not dong QSA type audits but often as part of our Oracle database security audits we find glaring issues related to credit card processing or storage in Oracle databases. I know how important it is to companies that credit card details are secured and handled properly. I travel a lot with business across the UK, Europe, middle east and occasionally further so get involved in booking hotel rooms for business trips; either through my own company or because clients books rooms for me.

What is starting to annoy me is how hotels and companies outside the UK (I have to say none of these issues have occured in the UK to me personally yet, i guess it doesn't mean they won't happen) are handling personal data and particularly credit card details and even passports.

I have had a lot of requests from hotels to send all my card details to them so that i can book a room. Here is an example. Last week a client booked a hotel for me in Europe and I recieved a confirmation email for the hotel booking with a booking reference BUT its accompanied by an email that says I need to scan both sides of my credit card; provide on a form, the name on card, expiry date, card number, start date and my signature. The scan of the card also would give them the CVV. This is enough detail to make payments on-line as me. What would my card company say if someone made fraudulent payments on my card and i said "hey, these are payments here are fraudulent and by the way I provided this detail in writing along with scans to a hotel via email and i have no idea where they stored this data or held it or indeed who they gave it to". Would they say, its fine sir we will cover the loss, or well sir you have been negligent by giving these details to a hotel?

This is not an isolated case; literally all hotels I have been involved in booking lately are doing this. They want this data in an ad-hoc way in printed format often sent to generic email addresses. A hotel a month ago was using a gmail account for this very purpose and they expected me to send my details to a gmail account. In all cases I refuse to comply and insist that I call and if they wish they can pre-authorise the card and send me proof that they did it. This is no different to booking on line or over the phone I guess. Sending your card details and scans of the card sounds crazy to me. So far no hotel has refused to honour the booking when i refuse to email and send details in a printed format.

I also did a test case for a middle east/gulf hotel where I refused to send my card details so i gave a completely bogus card number (made up) over the phone. When i checked out of the hotel (which was some weeks after booking and the call) they obviously tried to put the transaction though their card machine at checkout and it failed. I handed over my correct card and it was fine; so at least in this case they must have written down the wrong card number or entered it in their database and never pre-authorised it. What therefore in this case was the point of asking for it. If i didnt turn up they would not be able to charge the fisrt night for instance.

I was happy in this case as I didnt want my card number stored on their hotel database so far from the UK. This is becoming a trend in my experience with hotels that is most likely driven by people booking and then not turning up and the hotel wanting to be able to charge but for me its not good enough to store my card details on paper or in email systems or ....

I have also seen a return to the days of trying to hold on to my passport as I attend a companies building or checkin to a hotel.

I remember this process years ago but have not seen it personnaly again until recently. I checked into a hotel a few weeks ago and they wanted to photo-copy my passport. They had my details on my booking and had pre-authorised my card but they said they wanted to copy my passport. I asked why? they could not tell me; they just said its hotel policy so I said I dont have a passport; they said OK, then your identity card (I said luckily we don't have these in the UK) or driving license. I said I dont have any of these either. They said OK, and continued to check me in. No common sense; how did i arrive in that country with no ID, obviously i have ID and i did carry it woth me at all times; I just dont feel comfortable to have them take copies and keep them who knows where and for who knows how long. If they are collecting this for their government then why can they not tell this is the reason and what the actual purpose of it is. The country knows I entered their soil as my passport was scanned as I went through passport control some one hour before.

I had the same experience in another country a few weeks ago when I arrived at a clients office i was asked to surrender my passport to some woman at the desk in return for a "plastic token". The woman then placed my passport in a carousel that is accessible to any visitor to this building. She then escorted me to the lift and swiped me into the lift; i.e. she left the carousel to be plundered by anyone else visiting - it was reachable by anyone. She could not speak a word of English so to get into the client I had no choice. The client came back downstairs immediately and retrieved my passport for me. The silly thing was to leave this building later the client had to swipe themselves out and then pass the badge to me over the barrier to allow me to swipe out as the barrier was un-manned. We discussed this (taking of my passport) during my time there are I was told its to prevent terrorism. It was interesting also that they had a metal detector and x-ray scanner at the building entrance but i was motioned to avoid that by the woman at the front desk and instead to come straight to the desk to her - I was not asked to go back and be scanned after speaking to her. So keeping peoples passports was deemed to be a deterant against terrorism but not actually protecting the building (i.e. bypassing the scanners and barriers) was OK and clearly doesn't prevent issues. This to me is a "jobsworth" problem not a true intent to secure their building.

In this age of identity theft I am not happy that these two things happen. The first regards credit card details being far more common in my experience over the last year or so. The credit card companies need to get on top of this and ask hotels and others to stop asking customers to copy their cards with scanners and photo-copiers or send all details and their signatures. Simply have a card pre-authorised as that seems logical if they want to ensure payment if a guest doesn't turn up. If the real reason is collecting data about people then we should know why. The fact that all hotels now seem to be doing it is a worry for loss of identity.