Thursday, May 24, 2007

Free lunch: Trust models that don't work

Both business and pleasure travelers are used to seeing bills at hotel restaurants that let you simply write down your room number and your name to charge the bill to your room. Most of us are used to seeing it, and we probably even wonder how often it is exploited.

In my case, it was exploited on a recent stay at an upscale hotel on the west coast during a conference.

My normal departure morning routine is to check the paper bill most hotels now slide under your door the morning of checkout. In my still sleepy daze, I glanced at the bill, expecting it to show a zero balance...

It carried a total of over $300 from the hotel restaurant, and a charge to my credit card for that amount.

This obviously wasn't right - I hadn't eaten in the hotel restaurant, and in fact, all the meals I had eaten had been provided as part of the conference, or by friends off site. Something odd was going on. As with most people, I first thought that there was likely a billing mistake, although the security analyst side of my brain started to ponder how a $300 charge had popped up.

A trip down to the desk and a chat with the clerk changed my initial reaction. They did, in fact, have a receipt with my name, a signature, and my room number all filled out - in handwriting that wasn't mine, at a time I was in the conference, and with food for at least four people.

I would have remembered the crab and lobster, let alone the rest of the $300 of food and drinks that were signed for on that receipt.

In the end, the hotel handled it with reasonable aplomb, but I was stunned to see that there was absolutely no verification of the identity of people signing for large bills. This places the hotel itself on the losing end of transactions. If they had left the charge, I would have simply disputed it. As it was, they now have to investigate how someone got my name and room number.

A few simple controls could have prevented this:

  • Check ID for anything charged to a room number.
  • Let guests elect, at check-in, not to allow anything beyond the room to be charged to their credit cards.
  • Set a maximum charge limit, either by hotel policy, or for the person who pays for the room.

There is of course the danger of upsetting customers with new requirements like this, particularly at an upscale hotel where patrons are used to the service. Thus, some hotels would find that the optional security approach may be more acceptable to their patronage.

The other interesting thing about the incident is that in talking with hotel staff after the fact, one staff member had a very hard time believing that anybody would take advantage of this loophole. While I can understand that hotel staff members would generally not do this for fear of losing their jobs, I wasn't horribly surprised to find out that someone would try to take advantage of the loophole itself. In many cases, the bill would have been paid for using a corporate card, or possibly by a sponsor, and I wouldn't have ever noticed the discrepancy. The fact that the bill was mine meant that detection was much easier.

Next time you stay at a hotel, see how many times you are given the option of charging to your room - and how easily you can get access to the first initial, last name, and room number of anybody else you run into.
