issues with Hyatt gift card

    Hide Wikipost
Old Aug 8, 16, 5:47 am   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: silver springer
Wiki Link
For checking balances (thanks to Brendan);
For those who don't know already, the US/ Canadian toll-free phone # for Hyatt Customer Service to check the value of Hyatt GCs is 1-866-784-0540. If calling from elsewhere, first dial the ++ code of the country from which you're calling, subject to the normal rate for ringing the USA.

Hyatt Customer Service suggested to check the value of your gift card (e-gift card or plastic) once a month
Print Wikipost

Old Jul 14, 16, 8:05 pm
  #211  
 
Join Date: Nov 2007
Location: SFO
Programs: AA lifetime platinum; Hyatt diamond;
Posts: 51
Hyatt quickly reimbursed my stolen gift cards

I purchased 20 gift cards with $100 each during the 10% off promotion last Christmas. Never used them until this past Sunday. I tried to pay for hotel bill and found all but 1 are 0 balance! My maximum loss in the worst scenario can be 1900*0.9=1710! I can imagine how sad my wife will be if she knew it.

I immediately contacted Hyatt customer care and found 3 of them are used in Miami, Chicago and somewhere in Kentucky. I didn't bother to check the rest because then I am 100% sure they are stolen - This year I have only been in San Francisco, LA and Seattle. I took photos of gift card and sent to them. Today morning, I received email saying they've shipped out my new gift certificate. Thumbs up for quick response and resolution. I requested to issue paper gift certificate instead of plastic gift cards, because paper cert can only be used in person.

As I've mentioned in the email, their plastic gift card is the least secure gift card because:
1) Their card numbers are consecutive(the last digit is check digit. Ignoring this check digit, the first 18 digits are in sequence). The 20 cards I purchased are all consecutive. If I am a bad guy, I can easily hack the card numbers from these 20 cards.
2) The card does not have PIN. Using these cards does not require entering PIN
3) They also issue e-gift card. Once card number is hacked, one can easily put the number into an e-gift card template, and use or sell as a regular e-gift card.

I won't touch Hyatt plastic gift card anymore until they can increase the security. I think paper certificate should be fine.
angelsun is offline  
Old Jul 15, 16, 11:16 am
  #212  
 
Join Date: Mar 2000
Location: Santa Barbara, CA, USA
Programs: Hyatt Diamond, Hilton Gold, Starwood Gold
Posts: 97
Red face e gift card

I had my e gift card balance of 1 K totally wiped out. It had been used by some thief even while I was at another Hyatt. It was replaced but then when I went to use the replacement card it also was down to zero just as I was checking out of Hyatt Waikiki last month.
We had just started our 3 week trip but a quick call and a new e card was sent. I quickly used it in Kauai before it too might be compromised.
So paper is no safer than plastic, but Hyatt quickly replaces your balance. I guess it's still worth the 10% savings, just disconcerting.
Simba is offline  
Old Jul 15, 16, 12:04 pm
  #213  
 
Join Date: Sep 2015
Location: flyover country
Posts: 995
My e-gift card was drained, so I agree that plastic is no worse than electronic. I learned about it on a Sunday afternoon and had a replacement e-gift card the following Wednesday afternoon. This was fine, except for the interim worry, but I would have more upset if I had been leaving a hotel before the replacement arrived.
serpens is offline  
Old Jul 15, 16, 12:34 pm
  #214  
 
Join Date: Sep 2006
Location: xLAS
Posts: 1,311
see this thread for more details: http://www.flyertalk.com/forum/showt...readid=1720517

Originally Posted by Simba View Post
So paper is no safer than plastic
How so -- don't you need the paper in your possession to use it? I haven't heard any accounts of fraud with the paper certs, but I've heard plenty with the e-certs and plastic cards (so far "only" 1 of 8 of my plastic gift cards was hacked).
ajc1970 is offline  
Old Jul 16, 16, 8:00 pm
  #215  
 
Join Date: Mar 2000
Location: Santa Barbara, CA, USA
Programs: Hyatt Diamond, Hilton Gold, Starwood Gold
Posts: 97
Not one of my 20 plastic gift cards were ever hacked while 3 of my e-certs were drained. All they need is the number on the cert, neither the paper or plastic has to be present. On my first call about a zero balance a year ago, the customer service was not very help full. I had to call back a few days later to say I was positive I had not used the the two e-certs in question. Eventually a very nice agent , Samantha, checked the dates of use and saw I was not at those hotels.
My replacement e-cert for 1K was then hacked before I could use it. That next replacement was the now standard 48 hours. I hope they figure out how to stop these thefts.
Simba is offline  
Old Jul 17, 16, 10:05 am
  #216  
 
Join Date: May 2003
Location: Texas
Programs: Hyatt Explorist ex-Diamond; Marriott Platinum Life; Hilton, AA, United ex-status
Posts: 2,007
With all the hacked cards, and the apparent inability to contain the problem, would think a rational person would stop selling them tomorrow. Is a third party actually selling them and on the hook so Hyatt does not care or what?
jayer is offline  
Old Jul 20, 16, 9:52 am
  #217  
 
Join Date: Oct 2013
Programs: Hyatt Globalist No More..., Hyatt Explorist, Hilton Diamond, SPG Platinum, Marriott Platinum
Posts: 4,355
Admins can we merge this thread with the one mentioned above?
cdancer20 is offline  
Old Jul 20, 16, 1:17 pm
  #218  
 
Join Date: Feb 2005
Location: Marin County, California
Programs: Amex Centurion
Posts: 376
Originally Posted by jayer View Post
With all the hacked cards, and the apparent inability to contain the problem, would think a rational person would stop selling them tomorrow. Is a third party actually selling them and on the hook so Hyatt does not care or what?
I agree, but in addition to stop selling new cards, Hyatt should be replacing their gift card program with one that has more security.

One possible theory is the Hyatt gift card program is run by some mid-level person who is just following instructions to replace compromised cards and hasn't compiled statistics of total gift card losses to upper management. I'd be amazed if Upper Management had any idea of what their losses are with this they wouldn't jump on it immediately.
TravelStar is offline  
Old Jul 23, 16, 11:10 am
  #219  
 
Join Date: Jul 2009
Location: World
Posts: 1,420
It seems like all varieties of Hyatt gift cards are effectively compromised. Is anyone aware of Hyatt taking steps to address this?

It's totally unbelievable that there are still obviously stolen Hyatt GC listings turning up on eBay from sellers with zero feedback almost a full year after this issue originally started being discussed in public forums.
mster is offline  
Old Aug 1, 16, 11:16 am
  #220  
 
Join Date: Feb 2011
Location: Southern California
Programs: Delta Plat, Bonvoy titanium, Hilton diamond.
Posts: 371
my re-issued (previous card was drained) e-gift card was drained fairly quickly.

...it appears to be idiotically easy to steal one. There is no 2-factor authentication mechanism employed (AKA PIN). The card #'s are likely sequential or semi sequential. Someone is plugging in the #'s into a tool which checks balances. I doubt its even an automated process considering how rampant the problem is. When the thief finds a gift card with a balance they resell it.

My understanding is that Hyatt has stopped issuing e-gift cards at this time. The "new" plastic cards they are sending out are no longer "compromised" from a sequential # perspective...or so a customer service rep claimed. This is probably why some are reporting their plastic cards appear to be fine.
bubu-SNA is offline  
Old Aug 1, 16, 12:10 pm
  #221  
 
Join Date: Jul 2009
Location: World
Posts: 1,420
Originally Posted by bubu-SNA View Post
my re-issued (previous card was drained) e-gift card was drained fairly quickly.

...it appears to be idiotically easy to steal one. There is no 2-factor authentication mechanism employed (AKA PIN). The card #'s are likely sequential or semi sequential. Someone is plugging in the #'s into a tool which checks balances. I doubt its even an automated process considering how rampant the problem is. When the thief finds a gift card with a balance they resell it.

My understanding is that Hyatt has stopped issuing e-gift cards at this time. The "new" plastic cards they are sending out are no longer "compromised" from a sequential # perspective...or so a customer service rep claimed. This is probably why some are reporting their plastic cards appear to be fine.
Hyatt e-gift cards *do* have pins. Physical Hyatt GCs do not and have historically been sequential. US Bank Visa Gift Cards (sold by Kroger and affiliates) suffered from a similar security flaw and also experienced an elevated level of fraud until US Bank changed their numbering scheme. The number of possible combinations for gift cards is much lower than you might think since the first 50%+ of their numbers are frequently shared by entire production runs.
mster is offline  
Old Aug 1, 16, 12:49 pm
  #222  
 
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 7,661
I just used three cards this morning - no problems. I had called to verify each about a week ago.

When you call now, it's one verification per call, and they mix it up a bit with the menu options to check the balance. So they're working on the problem, at least a little.
josephstern is offline  
Old Aug 1, 16, 1:51 pm
  #223  
 
Join Date: Oct 2013
Programs: Hyatt Globalist No More..., Hyatt Explorist, Hilton Diamond, SPG Platinum, Marriott Platinum
Posts: 4,355
Originally Posted by josephstern View Post
I just used three cards this morning - no problems. I had called to verify each about a week ago.

When you call now, it's one verification per call, and they mix it up a bit with the menu options to check the balance. So they're working on the problem, at least a little.
While I agree that it was an effort to help the problem, that verification method is nothing new. It's been in place for at least a year now since I first started using Hyatt gift cards.
cdancer20 is offline  
Old Aug 1, 16, 4:46 pm
  #224  
 
Join Date: Feb 2011
Location: Southern California
Programs: Delta Plat, Bonvoy titanium, Hilton diamond.
Posts: 371
not on mine

Originally Posted by mster View Post
Hyatt e-gift cards *do* have pins. Physical Hyatt GCs do not and have historically been sequential. US Bank Visa Gift Cards (sold by Kroger and affiliates) suffered from a similar security flaw and also experienced an elevated level of fraud until US Bank changed their numbering scheme. The number of possible combinations for gift cards is much lower than you might think since the first 50%+ of their numbers are frequently shared by entire production runs.
None of the hyatt e-gift cards I've had have ever had a pin...maybe that's something new. The last one which was re-issued in March of this year did not have a pin.
bubu-SNA is offline  
Old Aug 1, 16, 5:52 pm
  #225  
Original Member
 
Join Date: May 1998
Location: New York, NY, USA
Programs: AA 2MM, Bonvoy LTT
Posts: 11,534
Originally Posted by mster View Post
Hyatt e-gift cards *do* have pins. Physical Hyatt GCs do not and have historically been sequential. US Bank Visa Gift Cards (sold by Kroger and affiliates) suffered from a similar security flaw and also experienced an elevated level of fraud until US Bank changed their numbering scheme. The number of possible combinations for gift cards is much lower than you might think since the first 50%+ of their numbers are frequently shared by entire production runs.
Originally Posted by bubu-SNA View Post
None of the hyatt e-gift cards I've had have ever had a pin...maybe that's something new. The last one which was re-issued in March of this year did not have a pin.
The problem is Hyatt gift cards don't have PINs. The main gift card# itself consist of an algorithm which determines which set of numbers are valid and which sets are not (similar to credit card#). That appears to have been compromised.

Having a PIN which is completely unrelated to the compromised algorithm would have helped as even if the main gift# was known to be valid, there would have only been 1 out of 1,000 or more combinations of PIN (depending on how many digit PIN is being used) to keep the gift card from being used. Since Hyatt took down the online balance check and allow you to check one gift card number per phone call, checking the 1,000+ combination via telephone would be tedious. Unfortunately, it does not appear Hyatt gift card have a "PIN" mechanism unrelated to the gift card# algorithm in place.
seawolf is offline  

Thread Tools
Search this Thread