Scammed: How Hotels.com and Tesco lost money via fake Clubcard Deals codes


There was a very interesting article published on the CyberNews website this week which is well worth a read.

It explains how Hotels.com and Tesco Clubcard lost substantial sums of money when scammers realised that the codes provided by Tesco Clubcard to get a hotel discount could be generated automatically.

The full article is well written and I recommend you read it rather than have me repeat the story here.  The article is not entirely correct, however, as I explain below.

This is how the offer was meant to work:

Tesco Clubcard vouchers can be swapped for a Hotels.com credit voucher worth 3x the face value of your Clubcard points

When you redeem, you receive a 12-character code which you input into the Hotels.com website to get your room discount

What could go wrong?

The answer is that the code format generated by Hotels.com was not very complex.  The codes were 12 characters long, but the first five characters never changed and the next three were simply the discount amount in £.  That left only four characters that actually had to be guessed.

If you wrote a small script to step through every four-character combination, it was straightforward to find one that worked.


But I think there was more to it.

The CyberNews article is not correct in how the Hotels.com discount worked.

The article says that only a few different code values could be ordered with Clubcard points.  In reality, you were able to order Hotels.com vouchers for any amount you wanted as long as it was a multiple of £15.

In theory, this should have made a code much harder to guess: the middle three characters could be anything from ‘015’ (£15) up to ‘990’ (£990), so the live codes would be spread across dozens of possible values and a brute-force run against any single value would have far fewer valid targets to hit.

There are two other issues:

Hotels.com vouchers were capped at £495 (EDIT: apparently this increased to £750 at some point) yet the scammers were selling codes worth more than this

In the article, a £200 code, bought from a scammer, is successfully used in the trial.  However, it is impossible to have a £200 Hotels.com voucher code from Tesco.  You could only redeem in chunks of £15, so a £200 code could not exist.

This makes me think that the redemption check fired whenever an ‘active’ set of four characters was found, and then applied whatever discount was written in the middle three digits with no other checks.  ‘Active’ means that Hotels.com had generated a voucher code for Tesco which would, at some point in the future, be sent to a customer.

For example: someone ordered a £15 Hotels.com voucher and was supplied with the code ABCDE-015-DJ8J.  The scammers created a £200 voucher by writing a script that tried to book a £200 hotel using the code ABCDE-200-……. and cycling through every variant of the last four letters and numbers.  With 36 possible characters (letters and digits, ignoring case) in each of the four positions there are only 36x36x36x36 = 1,679,616 combinations, which can be tried surprisingly quickly, and any genuinely issued voucher, whatever its real value, counts as a hit.

Once a voucher code got the ‘accepted’ message, the transaction could be cancelled so the voucher remained active for future use.

If true, this would imply that scammers didn’t even need the computer power to try out 1.7 million codes.  Anyone who genuinely ordered a voucher would have been able to change the discount simply by changing the three numbers in the middle of the code.

Perhaps this was going on too?  Were people ordering a £15 voucher and selling the codes online as offering £500+ off, simply by changing the three middle numbers?  It would be easy to cover your tracks, since people sell Clubcard points on eBay.  A scammer could buy points, get the seller to redeem them for multiple £15 Hotels.com codes, change the middle three numbers to increase their value and then resell the codes.  Suspicion, if investigated, would fall on the person who sold the original £15 codes.
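To make the two weaknesses concrete, here is a small added model in Python.  It is not code from Hotels.com, Tesco or the CyberNews article.  It follows the format described above (five fixed characters, a three-digit amount in pounds, four variable characters); the prefix ABCDE, the sample suffixes, the weak validator that trusts the amount field and the hardened validator are all constructed assumptions.  It works out the 36^4 search space, shows the ‘change the middle three digits’ trick and a brute-force scan against the weak validator, and then shows a design where the code is an opaque token whose value is looked up server-side, unsold denominations are refused at issue, a code is only consumed when the booking is actually paid, and repeated bad guesses lock the caller out.

```python
"""Toy model of the voucher-code weakness discussed in the article.

Added example: not Hotels.com, Tesco or CyberNews code. The format
(5 fixed chars, 3-digit amount in GBP, 4 variable chars) is as the article
describes; the 'ABCDE' prefix, sample suffixes and both server designs
are constructed assumptions used only for illustration.
"""
import itertools
import secrets
import string

ALNUM = string.digits + string.ascii_uppercase  # 36 symbols, as in the article's 36^4
PREFIX = "ABCDE"                                # constructed stand-in for the fixed block


def search_space(variable_chars=4, alphabet=ALNUM):
    """Number of candidate suffixes an attacker must cover."""
    return len(alphabet) ** variable_chars


def expected_tries(active_codes, space):
    """Mean guesses until one of `active_codes` live suffixes is hit when the
    `space` candidates are tried in random order without repetition."""
    return (space + 1) / (active_codes + 1)


def tamper(code, new_amount_gbp):
    """Keep a legitimately issued prefix and suffix, rewrite only the amount field."""
    prefix, _, suffix = code.split("-")
    return f"{prefix}-{new_amount_gbp:03d}-{suffix}"


class WeakVoucherStore:
    """The behaviour the article infers: only the 4-char suffix is checked and
    the discount is read straight out of the code."""

    def __init__(self):
        self.active_suffixes = set()

    def issue(self, amount_gbp):
        suffix = "".join(secrets.choice(ALNUM) for _ in range(4))
        self.active_suffixes.add(suffix)
        return f"{PREFIX}-{amount_gbp:03d}-{suffix}"

    def redeem_value(self, code):
        """Return the discount in GBP, or None. Nothing ties the amount to the suffix."""
        try:
            prefix, amount, suffix = code.upper().split("-")
        except ValueError:
            return None
        if prefix != PREFIX or suffix not in self.active_suffixes:
            return None
        return int(amount)  # the flaw: an attacker-controlled value


def brute_force(store, amount_gbp, alphabet=ALNUM, limit=None):
    """Enumerate suffixes in lexical order until the store accepts one.
    Returns (code, attempts); code is None if `limit` is reached first."""
    attempts = 0
    for chars in itertools.product(alphabet, repeat=4):
        attempts += 1
        code = f"{PREFIX}-{amount_gbp:03d}-{''.join(chars)}"
        if store.redeem_value(code) is not None:
            return code, attempts
        if limit is not None and attempts >= limit:
            break
    return None, attempts


class HardenedVoucherStore:
    """Opaque 128-bit token; amount and redemption state live server-side;
    unsold denominations are refused at issue; guessing is rate limited."""

    def __init__(self, allowed_amounts_gbp, max_failures=5):
        self.allowed = set(allowed_amounts_gbp)
        self.max_failures = max_failures
        self.records = {}   # token -> {"amount": int, "redeemed": bool}
        self.failures = {}  # client_id -> count of failed lookups

    def issue(self, amount_gbp):
        if amount_gbp not in self.allowed:
            raise ValueError(f"{amount_gbp} is not a denomination this scheme sells")
        token = secrets.token_urlsafe(16)  # 128 bits: enumeration is infeasible
        self.records[token] = {"amount": amount_gbp, "redeemed": False}
        return token

    def redeem_value(self, token, client_id):
        if self.failures.get(client_id, 0) >= self.max_failures:
            return None  # locked out after too many bad guesses
        rec = self.records.get(token)
        if rec is None or rec["redeemed"]:
            self.failures[client_id] = self.failures.get(client_id, 0) + 1
            return None
        return rec["amount"]

    def consume(self, token):
        """Mark used when the booking is actually paid, not when merely validated."""
        self.records[token]["redeemed"] = True


if __name__ == "__main__":
    space = search_space()
    print(f"suffix space {space:,}; expected tries vs one live code {expected_tries(1, space):,.0f}")
    weak = WeakVoucherStore()
    legit = weak.issue(15)
    print(legit, "->", weak.redeem_value(legit), "| tampered ->", weak.redeem_value(tamper(legit, 200)))
```

The numbers are the point: against a single live suffix the weak design needs about 840,000 guesses on average, but with a thousand live codes of the chosen denomination the average drops to under 1,700, and every hit can be re-labelled with any amount.  The hardened store removes all three levers at once: there is no amount field to rewrite, 128 random bits cannot be enumerated, and a caller who keeps guessing is cut off.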

The full story is here.

If you’re interested in learning more about redeeming your Clubcard vouchers for (now far more secure) Hotels.com codes, you can learn more here.


Comments

  1. riku2 says:

    They really got what they deserved by using such a stupidly simple encoding algorithm. A twelve year old could have worked out how to hack that system. Perhaps too advanced for a seven year old though.
    And not only was the encoding easy to guess but you could encode discount amounts (200 pounds) that were not actually sold by Tesco and so should never exist.

    • Chrisasaurus says:

      They should certainly have had someone other than the work experience kid design it, granted, but I’m not sure about ‘deserving’ to be stolen from…

    • Lady London says:

      I noticed that makeup of the voucher code but didn't think they could be so stupid as to make that as hackable as it looked. Wish I’d tried now 🙂

    • Sunguy says:

      To me, this is all part of how Tesco roll...

      Tesco bank, should you ever be unlucky enough to have to go for an interview, will make you do psychometric testing – and if you don’t fall within a certain percentile range, you will not be allowed to interview, no matter how much the job suits your skill set.

      Tesco are “very” head-office biased in almost all respects; this usually means there is not a lot of thought put into real practicalities but something that looks good and sounds good on paper and presentations.

      I’m not saying they are the only company to do so, but it has been very noticeable during this time period we are currently going through, much more so than any of the other major supermarkets.

      Where it all started to go wrong for the clubcard was the purchase of Dunhumby and the subsequent removal of the 2 people with the knowledge... then selling off the US business to Kroger... now it’s just Tesco.

      Anyways... just my 2 cents.

  2. david says:

    It’s like if criminals really took their skills into academia, they would be geniuses.

    • guesswho2000 says:

      But then they’d get paid less

      • I’ve often thought about this! If you’re good enough to, say, create a website or spam email that is impressive enough to drive sales, then just start a proper business and benefit from scale, repeat custom and not going to prison 🙂

        • Well it’s all connected somehow: if Tesco+Hotels.com had hired a qualified person with adequate pay this would not have happened. And the more well-paid jobs there are, the fewer people need to rely on scamming.

        • Charlieface says:

          Arguably most salespeople are legalised scammers anyway 🙂

        • Mr. AC says:

          You’d think, but in reality, it comes down to the fact that these scammers could have been based anywhere, say, Russia or Ukraine. Median salary in Russia is around 500 GBP a month. For software engineers it can be 1000 if you’re good, 2000 if you’re amazing (think Facebook / Google / Microsoft level). If you try to work remotely, you’re competing with an endless pool of folks from e.g. India who have the advantage of knowing English by default, and anyways rules in western countries generally make hiring people / contracting stuff out to post-Soviet states tricky due to sanctions / regulations. Perception doesn’t help. Immigration is extremely difficult (I know because I pulled it off).
          On the other hand, you have an opportunity here to earn 1-2-4x the median salary with almost no risk defrauding a faceless corporation in a country that your TV tells you is the enemy. It’s very easy to see how it’s tempting.

      • cinereus says:

        And it would be less fun

    • The Urbanite says:

      This is the thing. Working stuff like this out comes naturally to some people.

      Some people are good at finding legal loopholes and staying on the right side of the law, but the same technical ability can be used for nefarious purposes if the person is so minded.

      Companies should be sharp and employ people who can pre-empt the actions of people who are minded to cost them money so they can prevent that activity, whether it is legitimate or fraudulent.

      However some companies decide it isn’t worth doing this and prefer to either foot the bill or find inefficient ways of patching the issue.

      One exercise I found amusing was the Skrill Knect loyalty scheme. They trialled it with VIP customers who I assume Skrill identified as sharp so any potential for abuse could be identified and removed before general rollout.

      I don’t know exactly what other people did to Skrill during that trial (I took it fairly easy), but it only took a few days for Skrill to alter the terms of the trial to make it less lucrative. By the time it was rolled out to all, the value to be had was significantly less than when the trial started!

      • Lady London says:

        Hum. So clearly Frequent Flyers and MS’ers have a high overlap with criminals…

        • There certainly are overlaps. I joke that my investigative experience over 3 decades would give me a huge advantage if I ever want to go into organised crime, especially as no-one tends to suspect middle aged ladies!

          • Lashious says:

            Anna, I’m with you, I should be a spy, or a drug overlord, as who would ever suspect lil’ ole me??

      • cinereus says:

        This isn’t even “working something out”. This is literally step 0 in designing any “code” scheme. That’s why literally every other code includes a redundancy check digit.

        I think “employing sharp people” is massively overstating things. More like “employ people who graduated primary school”.

  3. Andrew says:

    Sorry Rob, you are wrong. Hotels.com vouchers are capped at £250 of points, which equates to £750 of hotels.com vouchers.

  4. Andrew Mc says:

    Rob. I think you’re mistaken on the cap. Max £250 can be exchanged into £750. Believe that’s been the case for as long as I can remember

    • Thanks. It used to be £495 when the deal launched – I wasn’t sure if the current cap was only since it relaunched recently.

  5. Chrisasaurus says:

    This is really interesting.

    It does seem unlikely this could have existed for long – hotels.com are big, but still they have accounts. That they are booking sales of $x with discounts of $y but only receiving payments from Tesco for $z ought to be noticed pretty quickly, no?

    • You’d think. The number of times things rely either on manual processes or are simply glaring loopholes waiting to be discovered, even in very large organisations, is astounding.

      • Chrisasaurus says:

        You can’t even buy the wrong brand of staples at my place without getting picked up on it!

        • Lady London says:

          That’s purchasing systems (which is my area). Doesn’t guarantee that anyone is running, say, a monthly job in accounts that would report such anomalies. Auditors ought to pick it up.

          The best hacks are the ones we’ll never hear about…:-)

          • Chrisasaurus says:

            Very wise closing point LL!

          • Jonathan says:

            A large bank in Canary Wharf for years paid thousands of pounds in premium rate calls to Mexico.

            The Mexican cleaners they contracted had been coming in at 4am every morning and as they did their rounds they were ringing their own premium rate numbers in Mexico on the conference line.

            This only came to light when an employee had to come in early and found three phones off the hook with an open line and raised it.

            Over the preceding three years the cumulative charges came in at just under 100k.

            You’d think an organisation with several thousand employees would have some software to look at premium number calls for patterns etc. Much like they monitor work phone and computer browsing sites.

      • Bagoly says:

        Agreed.
        Especially as the mantra from the top of most organisations is to “cut costs” which means that there are not sufficiently capable people to think through processes in theory, and then they are pushed out to be programmed by whichever organisation offers the cheapest price.
        “work experience kid” might be a slight exaggeration, but not much.

  6. Brian says:

    OT: Anyone got their Clubcard bonus for pet insurance yet?

    • WillPS says:

      I had to fight tooth and nail. They tried wriggling out based on the cover type I took, refusing to acknowledge the fact their site accepted the code and promised the points at the time I took it.

      I got £50 compensation, which I settled for in the end. No points though 🙁

    • Yes I got mine. I was chasing them to get them on to my main CC account but then I got £25 of vouchers in the post at the May quarter so it would appear they set up a new account. Also £60.60 paid out a couple of days ago from you know where – cost me £18 in premiums.

      • Lady London says:

        How many payments was that @Liz? this was a promotion that was much better for the regions. Presumably due to higher incidence of road deaths and injuries for moggies in London that were factored into premiums?

        • It took 5 payments. I only kept it going for so long as others mentioned the payouts came out around 120 days.

          • Lady Londons says:

            that would have been only just over 2 payments for my moggy in respectable leafy NW London (but apparently still cat-lethal) so I passed.

            Glad it worked out for you @Liz

          • Erico1875 says:

            Only cost me £12 (3 payments); points posted within 60 days.
            Cancelling was easy. Very nice lady. I must add I’m with Tesco Mobile too and their customer service is first class.

  7. Andrew says:

    Quote:- “There are only (36x36x36x36) 1.7 million permutations which can be tried surprisingly quickly.”

    I suspect there aren’t. There’s probably a modulus check within the 4 digits so the website can locally throw up an “invalid number” when input before submitting it.

    Who knows, the original discovery could have been purely accidental miskey:-

    ABCDE-210-DJ8J
    ABCDE-120-DJ8J

    • cinereus says:

      There’s no sense in having a check digit that checks 3 digits and not the rest of the code at all. The error here was retarded, that would be 100x more stupid.

  8. As I have investigated this kind of thing in the past it would be very interesting to know whose accounts the bookings came from and who turned up to check in on the relevant nights! This is definitely fraud as opposed to the other reported scam of hacking people’s loyalty accounts and using their points which is a legal grey area.

    • That is, using the points is a grey area, anyone actually hacking an account is committing an offence!

    • Andrew says:

      Hacking an account is definitely illegal.

      But I suspect that the accounts are rarely hacked, they simply take advantage of the weakness of the cheap and cheerful barcode.

      Say Malmesbury’s, a major supermarket, issues a Loyalty card, let’s call it “Ratcen”. The cards have a 19 digit barcode. The first 8 digits are the same on every card, so we’re only interested in the last 11 digits.

      You notice that the person who last used your trolley has carelessly left their receipt in it, they have a £200 balance, for security reasons the first 11 digits are asterisked out, leaving the final 8 digits visible.

      So you know that the first 8 digits are fixed.
      You know the final 8 digits from the receipt.
      There are 3 digits missing from the middle.
      There are around 12,000,000 Ratcen cardholders, so digit 9 is probably fixed too.
      Their website helpfully runs a script that runs a modulus check on the card number, so the method is readily reviewed by anyone reasonably technical by checking the code.

      So with Mod-11 there’s probably only just 9 potentially valid numbers…

      • I was referring to reports of people’s hotel loyalty and Avios accounts being accessed and the hackers then using those points for hotel and flight bookings. That’s gone a bit quiet recently so maybe the companies got a grip on it. But using someone else’s points per se is a tricky one to pursue as points have no monetary value so don’t really fall under the definition of property.

        • Wouldn’t it be obtaining pecuniary advantage by deception, though?

          • I think that particular offence wording doesn’t exist now but if the hotel got the points regardless, it wouldn’t have suffered a material loss. If it didn’t get the points, it would have to show that it had sustained a loss through the person staying there and incurring, for example, the cost of cleaning the room or that a paying guest had been turned away because the hotel was otherwise full. It would also only be fraud for UK purposes if it all occurred here, of course. Any element which took place in another country would be subject to that country’s laws.

      • I recently had 2000 rectan points stolen in malmesburys, but I definitely didn’t leave my receipt behind.

        • Lady London says:

          🙂

        • Chrisasaurus says:

          I would think most phone cameras these days could capture a good enough image of the barcode on a fob or card to be able to nab a rectan number….

          • HAM76 says:

            Or picture of baggage tags in the baggage claim area that have sufficient information printed on them to give you access to the booking.

    • cinereus says:

      Anna – no it’s not. Unless you have case law to back up your claim?

      • What’s not?

        • If you mean using a forged voucher, it wouldn’t be any different from using a forged credit card or knowingly paying with counterfeit money. Or in the olden days, forging a cheque!

  9. johnnt5a says:

    I suspect there was an open web service that you could use to validate codes against, not necessarily redeem but to check it was valid before committing at the checkout.
