Miscreants have been nabbing British supermarket chain Tesco Clubcard discount codes to snap up Hotels.com rewards meant for holders of the retailer's loyalty cards.
Uncovered by researchers at CyberNews, the vulnerability stemmed from the way Hotels.com generated the discount codes, which are issued to Clubcard holders as a reward for splashing the cash in-store. Every 13-character code began with the same five characters, followed by three digits giving the discount amount (200, 500 or 750), a colon, and four final characters – the only part the ne'er-do-wells actually had to guess.
CyberNews reckoned that there were around four million possible codes – well within the bounds of a brute force attack.
While no accounts were compromised (and neither Tesco's nor Hotels.com's IT systems were breached), it was potentially a bit of a pain for some Clubcard holders hoping to use their discounts since the codes are unique and can only be used once. "Two hacker forums," said CyberNews, "were found to be selling the discount codes" with a value of between £200 and £750. The individuals were selling the codes for much lower sums.
"In the current economic climate people are looking for ways to save money, so businesses need to stay vigilant to prevent fraud," said a spokesperson for the researchers at CyberNews. "We'd recommend using longer, less predictable discount codes with more characters which make it harder for cyber-criminals to predict, as well as implementing a limit on attempts for an incorrect entry to prevent brute force attacks of this nature."
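To put numbers on the two recommendations above, here is an added Python example (not code from Hotels.com, Tesco or CyberNews). It models the weak layout the article describes, counts the codes an attacker would have to try, and sets it beside a hardened issuer that mints codes from a CSPRNG, keeps the discount value server-side instead of inside the code, stores only hashes, and locks a client out after a handful of failed redemptions. The alphabet of the four guessable characters and the fixed prefix `ABCDE` are assumptions, since the article does not state them; the hashed storage and single-use tracking go beyond the article's advice but are what a practitioner would ship alongside it.

```python
import hashlib
import math
import secrets
import string

# --- The weak format described in the article (constructed model) ----------
# 5 fixed characters + 3-digit discount (200/500/750) + ':' + 4 guessable
# characters.  The alphabet of the final four is NOT stated in the article;
# upper-case letters plus digits is assumed here, and the fixed prefix is a
# placeholder, not the real one.
WEAK_PREFIX = "ABCDE"
DISCOUNTS = ("200", "500", "750")
WEAK_ALPHABET = string.ascii_uppercase + string.digits


def weak_code(discount: str) -> str:
    """Mint a code in the weak layout: only the last four characters vary."""
    assert discount in DISCOUNTS
    tail = "".join(secrets.choice(WEAK_ALPHABET) for _ in range(4))
    return f"{WEAK_PREFIX}{discount}:{tail}"


def weak_keyspace() -> int:
    """Codes an attacker must enumerate to sweep every discount tier."""
    return len(DISCOUNTS) * len(WEAK_ALPHABET) ** 4


# --- A hardened replacement -------------------------------------------------
# 32 unambiguous symbols (no 0/O/1/I) over 16 positions give 32**16 = 2**80
# possibilities.  The discount value lives server-side rather than in the
# code, so nothing about a code tells a guesser which ones are worth £750.
STRONG_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
STRONG_LEN = 16


def strong_code() -> str:
    """Mint a code from the OS CSPRNG; every position is independent."""
    return "".join(secrets.choice(STRONG_ALPHABET) for _ in range(STRONG_LEN))


def keyspace_bits(n: int) -> float:
    """Size of a keyspace expressed as bits of guessing work."""
    return math.log2(n)


class VoucherStore:
    """Issue and redeem single-use codes with a per-client failure lockout.

    Codes are stored hashed, so a leaked table does not leak redeemable codes.
    """

    def __init__(self, max_failures: int = 5):
        self._vouchers: dict[str, dict] = {}   # sha256(code) -> {value, redeemed}
        self._failures: dict[str, int] = {}    # client id -> failed attempts
        self.max_failures = max_failures

    @staticmethod
    def _key(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, value: int) -> str:
        code = strong_code()
        self._vouchers[self._key(code)] = {"value": value, "redeemed": False}
        return code

    def redeem(self, client_id: str, code: str):
        """Return (status, value); lock a client out after max_failures misses."""
        if self._failures.get(client_id, 0) >= self.max_failures:
            return ("locked", 0)
        voucher = self._vouchers.get(self._key(code))
        if voucher is None:
            self._failures[client_id] = self._failures.get(client_id, 0) + 1
            return ("invalid", 0)
        if voucher["redeemed"]:
            return ("already_redeemed", 0)
        voucher["redeemed"] = True
        return ("ok", voucher["value"])


if __name__ == "__main__":
    print(f"weak format:   {weak_keyspace():,} codes "
          f"({keyspace_bits(weak_keyspace()):.1f} bits)")
    print(f"strong format: {keyspace_bits(len(STRONG_ALPHABET) ** STRONG_LEN):.0f} bits")
    store = VoucherStore()
    code = store.issue(200)
    print(store.redeem("attacker", "AAAAAAAAAAAAAAAA"))   # ('invalid', 0)
    print(store.redeem("customer", code))                 # ('ok', 200)
    print(store.redeem("customer", code))                 # ('already_redeemed', 0)
```

Under the assumed alphabet the weak layout offers about 22 bits of guessing work, which a single machine exhausts in minutes against an unthrottled endpoint; the hardened layout offers 80 bits, and the lockout means even that is never tested. Keying the lockout on an authenticated customer identity rather than a source IP is the more robust choice, since the original attackers had no need to be logged in at all.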
Hotels.com is a so-called "3x" partner of Tesco's loyalty programme, meaning those seeking to lob their points its way were in line for three times the value of each pound "earned" on the loyalty scheme. Thus £50 of Clubcard vouchers equated to £150 to spend on Hotels.com, which has 325,000 hotels in 19,000 locations.
The CyberNews crew were able to use Hotels.com to book (and subsequently cancel) several hotel rooms at an impressive discount.
Hotels.com was temporarily dropped from the Clubcard Rewards programme back in March when the issue was identified, but has since been reinstated. Any customers that had unused Hotels.com coupons from the scheme had them replaced or their Clubcard points returned.
The Register also understands that the loophole was closed once spotted and codes obtained by nefarious means were duly stomped on.
Hotels.com, we hope, will have learned an important, and potentially expensive, lesson in security hygiene and the generation of codes.
We contacted Hotels.com, which said: "This issue was identified and resolved promptly several months ago. Working closely with our partners at Tesco we ensured that only legitimate Clubcard customers were able to obtain and redeem the codes they had earned. No customers of Hotels.com or Tesco missed out on the offer, lost money or Clubcard points as a result."
Tesco confirmed the incident, but had no comment to make on the matter. ®