There was a very interesting article published on the CyberNews website this week which is well worth a read.
It explains how Hotels.com and Tesco Clubcard lost substantial sums of money when scammers realised that the codes provided by Tesco Clubcard to get a hotel discount could be generated automatically.
The full article is well written and I recommend you read that rather than I repeat the story. The article is not entirely correct, however, as I explain below.
This is how the offer was meant to work:
Tesco Clubcard vouchers can be swapped for a Hotels.com credit voucher worth 3x the face value of your Clubcard points
When you redeem, you receive a 12-character code which you input into the Hotels.com website to get your room discount
What could go wrong?
The answer is that the code format generated by Hotels.com was not very complex. Whilst 12 characters long, the first five characters never changed. The next three characters were the discount amount in £. This means that only four characters needed to be guessed.
If you wrote a little bit of code to automatically generate different permutations of four character codes, it was straightforward to find one that worked.
But I think there was more to it …..
The CyberNews article is not correct in how the Hotels.com discount worked.
The article says that only a few different code values could be ordered with Clubcard points. In reality, you were able to order Hotels.com vouchers for any amount you wanted as long as it was a multiple of £15.
In theory, this would make it virtually impossible to guess a code since the middle three characters could be anything from ‘015’ (£15) to ‘990’ (£990).
There are two other issues:
Hotels.com vouchers were capped at £495 (EDIT: apparently this increased to £750 at some point) yet the scammers were selling codes worth more than this
In the article, a £200 code, bought from a scammer, is successfully used in the trial. However, it is impossible to have a £200 Hotels.com voucher code from Tesco. You could only redeem in chunks of £15, so a £200 code could not exist.
This makes me think that the code triggered whenever an ‘active’ set of four characters was found and then applied whatever discount was shown in the middle three digits with no other checks. ‘Active’ means that Hotels.com had generated a voucher code for Tesco which would, at some point in the future, be sent to a customer.
For example …. someone ordered a £15 Hotels.com voucher and was supplied with the code ABCDE-015-DJ8J. The scammers created a £200 voucher by using a piece of code to try to book a £200 hotel using the code ABCDE-200-…….’ and then randomly scrolling through different variants of letters and numbers. There are only (36x36x36x36) 1.7 million permutations which can be tried surprisingly quickly.
Once a voucher code got the ‘accepted’ message, the transaction could be cancelled so the voucher remained active for future use.
If true, this would imply that scammers didn’t even need the computer power to try out 1.7 million codes. Anyone who genuinely ordered a voucher would have been able to change the discount simply by changing the three numbers in the middle of the code.
Perhaps this was going on too? Were people ordering a £15 voucher and selling the codes online as offering £500+ off, simply by changing the three middle numbers? It would be easy to cover your tracks as people sell Clubcard points on eBay. A scammer could buy points, get the seller to redeem them for multiple £15 Hotels.com codes, change the middle three numbers to increase its value and then resell the code. Suspicion, if investigated, would fall on the person who sold the original £15 code.
If you’re interested in learning more about redeeming your Clubcard vouchers for (now far more secure) Hotels.com codes, you can learn more here.
(Want to earn more hotel points? Click here to see our complete list of promotions from the major hotel chains or use the ‘Hotel Promos’ link in the menu bar at the top of the page.)