Public warned to be wary of online booking forms. Illustration photo. Source: freepik.com
Last week, in response to a complaint from a Hanoi resident regarding a breach of his credit card information during a hotel booking on Agoda.com, the platform confirmed it had instructed the hotel to revise its procedures. The hotel was directed not to store credit card information on paper and to ensure complete security of sensitive details, including CVC codes used by Mastercard.
Agoda clarified that providing credit card details to hotels is mandatory for bookings where payment is made at the hotel, in accordance with the platform’s service usage and privacy policies. “Agoda’s policy clearly states that our partners and accommodation providers are responsible for safeguarding credit card information, which should only be used for the specific booking,” the company said, stressing that this information must not be shared with third parties or stored improperly.
This response followed a viral social media post in late August by Pham Ngoc Hieu, who revealed that his full credit card details, including the CVC code, were printed and accessible to hotel staff when he arrived at a resort in the south-central city of Phan Thiet after booking via Agoda. His card information had been passed through Agoda’s partner, Booking.com.
“Having used Agoda numerous times, I was shocked when the hotel staff had full access to my credit card information, including the CVC code,” Hieu said.
He found Agoda’s explanation unsatisfactory. “If it was just for verification, Agoda should have printed only the last four digits and the cardholder’s name,” he said.
Agoda’s privacy policy, updated in June, permits the platform to collect and share customer details such as names, addresses, and credit card information with travel providers and business partners. However, the breach raises serious concerns about Agoda’s ability to protect sensitive customer data effectively.
This incident mirrors a similar case in 2018, when another Agoda customer had their Visa credit card details fully disclosed during a booking in the southern offshore island of Phu Quoc.
A representative from the bank that issued Hieu’s credit card stated that the transaction failed to comply with Payment Card Industry Data Security Standard requirements, noting that Booking.com “did not adhere to the regulations” on card encryption.
The bank gave assurances that it would work with the card network and payment provider to resolve the issue, and it issued a new card to the customer as a precautionary measure.
Experts warn that the exposure of full credit card details, including the three-digit CVV code used by Visa, significantly increases the risk of fraud. “The potential for third parties to exploit this information is very real, making unauthorised charges a substantial risk,” a cybersecurity expert said.
Huynh Trung Minh, a financial expert at HDBank, stressed the dangers of hotels printing customers’ credit card details for verification. “This practice is unnecessary. If card details must be printed, only the last four digits should be shown, and the CVV/CVC code should never be included,” he added.
Minh explained that while one-time password (OTP) authentication protects many online transactions, customers whose full credit card information is exposed remain at risk. “There are foreign websites that simplify payment processes, allowing users to store their card information after entering the code without requiring OTP verification,” he said.
Cybersecurity expert Nguyen Hong Phuc pointed out that this issue is widespread across the online travel industry, and not just limited to Agoda. “In the hospitality sector, it is common for hotels and booking platforms to exchange full credit card details. Often, major hotel apps transmit unencrypted card data to hotels for processing,” Phuc said. “There are two primary risks: firstly, unencrypted credit card data stored in hotel systems are vulnerable to hacking. Secondly, booking platforms regularly send complete credit card details to hotels, making data breaches almost inevitable.”
To mitigate these risks, Phuc recommends that consumers adopt more secure payment methods, such as Apple Pay, Google Pay, PayPal, or AliPay, which are available on platforms like Booking.com.
“These methods encrypt card details, providing an extra layer of security while ensuring the transaction is completed safely,” he said.
Vo Do Thang, director of the Athena Cybersecurity Training Centre, added that major companies like Facebook, Apple, Amazon, and Google have adopted systems that eliminate the need for OTP verification after the first transaction.
“Once the first payment is registered, subsequent payments can be completed without OTP,” Thang said, noting that this increases the risk of fraudulent activities when credit card data is exposed.