Flaw Fixed in Hotels.com Generator as Tesco Clubcard Users Impacted

Tesco Clubcard users have been warned to check their accounts, after a weakness was discovered in the way that Hotels.com codes were generated, which then impacted Clubcard members as they tried to use their points.

Whilst Tesco Clubcard’s IT systems have not been compromised in any way, research found cyber-criminals purchased fraudulent vouchers to provide huge discounts on bookings via Hotels.com. The codes were generated by Hotels.com and made available to Tesco Clubcard members as a reward for in-store spending.

According to The Telegraph, the vouchers allowed people to get up to £750 off hotel rooms on Hotels.com. Fraudsters were able to guess the final four digits of the promotional code that unlocks the discount as the remaining nine characters follow the same pattern each time. The codes were valued between £200 and £750, and were sold on hacker forums for under £50.

Initially alerted by researchers from CyberNews, who informed Hotels.com parent Expedia Group of the flaw, the booking site has since taken measures to resolve the issue and Tesco Clubcard temporarily removed Hotels.com from Clubcard Rewards until the issue was resolved.

A spokesperson for the CyberNews research team, said: “In the current economic climate people are looking for ways to save money, so businesses need to stay vigilant to prevent fraud. We’d recommend using longer, less predictable discount codes with more characters which make it harder for cyber-criminals to predict, as well as implementing a limit on attempts for an incorrect entry to prevent brute force attacks of this nature.”

A statement from Hotels.com said the issue “was identified and resolved promptly several months ago” and, working closely with its partners at Tesco, it ensured that only legitimate Clubcard customers were able to obtain and redeem the codes they had earned. “No customers of Hotels.com or Tesco missed out on the offer, lost money or Clubcard points as a result.”

What’s Hot on Infosecurity Magazine?