Tesco is one of the most popular groceries and merchandise retailers in the UK, as well as in some European and Asian countries. Its loyalty card, Tesco Clubcard, rewards members with points for Tesco-related purchases, with members being able to redeem these points at various Partner businesses.
Our research revealed that one of these Partners – Hotels.com – employs an easily-faked code that allows people to get up to £750 off hotel rooms. Since Hotels.com has more than 325,000 hotels in approximately 19,000 locations, this allows cheaters a wide variety of options where they can use these fraudulent codes.
The main victim here seems to be Hotels.com, which can stand to lose millions of pounds in revenue over the lifetime of the membership deal.
Besides Hotels.com, Tesco Clubcard members are also caught in the crosshairs, seeing as scammers are able to generate codes that should have gone to members. Instead, they’re being sold to unscrupulous deal-hunters on the black market.
We reported the issue to Hotels.com’s parent company Expedia Group on March 11, and they successfully patched the issue on March 17.
Summary of our results
- Discount is composed of 13-character codes that use the same first 5 characters, plus 3 numbers consisting of the discount amount (200, 500 or 750), and then a colon, leaving only the 4 last characters to be guessed
- All possible voucher codes equal more than 4 million possible codes
- Coupons can save anywhere from £200-£750
- The coupons are valid for booking from 21/04/2017 to 31/12/2021, and guests can use them until 31/12/2023
- There are multiple blackhat marketplaces selling this cheat (like this one and this one), with some selling a £750 code for just £37.50
- According to these blackhat marketplaces, coupon amounts can also equal £160, £200, £300, £400, and £500
How the coupon hack works
The popular British supermarket brand Tesco offers shoppers a loyalty card known as Clubcard. For each £1 the customer spends, they earn 1 point. Once Clubcard members earn at least 150 points (which has a redeem value of £1.50), they can convert these points into tokens to spend on different services, like Hotels.com.
Hotels.com is a 3x partner, which means that you get 3 times the value for each pound earned. In that way, if I’ve earned £50 pounds (equal to 5,000 Clubcard points), I’d have £150 to spend on Hotels.com.
So, to summarize: for every £1 you have in Tesco points, you can get £3 of savings at Hotels.com.
Tesco’s Clubcard site allows you to convert your points into a token that you can use with Hotels.com discounts. And this is where the problem comes in.
The method that Hotels.com used to generate these codes is unfortunately quite simplistic, and it allows anyone to generate their own codes. Essentially, we have discovered the following formula for generating codes:
The only part that needs to be guessed is the last 4 characters from the code. Once we figured that out, we clicked on the special Tesco Clubcard page on the UK version of Hotels.com:
We were then able to start booking some rooms with our fake codes:
Sometimes we came up to the problem where the code does exist, but it’s already been used:
In these two tests above, we used a discount code worth £200. This only applied to the price of the room. This is also a one-time-use code, so if a room cost less than £200, we’d essentially lose the difference.
While our initial tests were successful, there was still the lingering suspicion that this was all just a bug. For that reason, we decided to try to purchase a few hotel rooms with a bigger discount amount. Right after confirming the purchase, we canceled the rooms — all within a few hours.
First we tested it on a Hilton in Cardiff, Wales with a fake £200 discount code:
In order to apply this fake discount, we had to first choose to pay online. Then we went ahead and tried to pay and – success:
For a room that originally cost £216.99 (£180.83 for the room alone), we only had to pay £36.16 in taxes.
Next, we tested it on one of the top hotels in Vilnius, the capital of Lithuania – the Grand Hotel Kempinski Vilnius. This time, we used a discount code worth £500:
Here again, we had success. From an original price of £527.47, we ended up paying only £43.28. Still, we wanted to check if we’d need to show our Tesco Clubcard (which we don’t have) at check-in. So we emailed Kempinski and they confirmed that this was not the case:
While we succeeded in purchasing these rooms, we naturally cancelled our bookings within a few hours.
How the black market is reacting
One of the first things we do when we discover an exploit is to check if it’s been discovered by bad actors. For this particular cheat, the answer is, unfortunately, yes.
So far, we’ve seen two blackhat sites selling these codes, with both roughly offering the same deal. This one is offering the £750 code for just £37.50 (about $45):
We first discovered this cheat on March 4, 2020, and we noticed that this seller listed the ad just one day earlier on March 3. Luckily, he mentions that only 80 had been sold – but that would be in the timespan of just a day or two. He also gives more discount amounts than what we discovered, as we couldn’t find any codes for £160, £300, or £400.
When we checked the thread again a week later, we saw this gem:
This particular seller has been using it since June 2019, and claims that there are now many sellers (which explains why some codes may not be working for his customers).
When we searched outside the web, we found that there are more sellers, such as in this group on ICQ:
But questions of how long these black market sales have been going on, and how much money is being lost, are still unanswered.
So who’s losing money here?
Now, one of the more important questions is about who’s actually losing money here? There are four separate entities involved in this entire scheme:
- Tesco Clubcard
- Tesco Clubcard members
- Hotels listed on Hotels.com
While we believe the biggest victim here is Hotels.com, let’s see how this affects each one in turn.
Impact: Low (Reputational)
This cheat works only through a special Tesco Clubcard version on the Hotels.com site. Tesco first started offering discounts on Hotels.com in mid-2017.
According to this Hotels.com page, Tesco Clubcard coupons are valid for bookings made between April 21, 2017, until the last day of 2021:
That leaves a lot of space for bad actors to exploit this easily-cheated coupon generation system. We asked Tesco for information on the situation and the general impact to their business. A Tesco spokesperson emphasized that the issue lies with the way that Hotels.com generates these codes, and therefore not a vulnerability on Tesco’s side.
Tesco temporarily suspended Hotels.com from its Tesco Clubcard partnership until the issue was satisfactorily resolved. Since then, Hotels.com has been reinstated into Tesco’s Clubcard Rewards program.
Tesco Clubcard members
Impact: Low-Medium (lost Clubcard points)
One of the potential victims is the Tesco Clubcard membership. Here’s why:
Clubcard members earn points for each purchase they make, and they have the option to redeem these points for lots of things. If they decide to exchange it for a Hotels.com coupon, they’ll go through the Clubcard site and exchange their points for a code of varying amounts.
Easy enough. Now, while there are about 4 million possible codes with this simplistic system, not all of them are active codes. We believe that the codes only become active when a user clicks to exchange their points for Hotels.com codes.
Clubcard members will generally be OK if the time between exchanging their points to coupon codes is quite short. But the more time passes, the more risk there is that any one of these sellers will hit their codes.
So what’s the danger then? When we talked with Tesco Clubcard support, we learned that Clubcard points can’t be refunded once they’ve been exchanged:
Given that, Tesco have ensured us that Clubcard members wouldn’t lose the value of their vouchers or points. They also reaffirmed that, because of the strict security measures they have in place, at no point has Clubcard customer data been accessed.
A Tesco spokesperson informed us that no customers lost any of their vouchers or points due to this exploit, and any Clubcard customers that had unused Hotels.com vouchers had them replaced or their points reimbursed.
Hotels on Hotels.com
A potential victim here are the hotels – both big and small – that are listed among the choices on Hotels.com’s Tesco Clubcard version. These are worldwide hotels, by the way, and in our tests we had the freedom to apply the coupon to hotels in Europe, the US, Caribbean, Asia, Africa, and anywhere else. Even more, the number of hotels listed may very well be in the tens of thousands, so people using these cheats won’t be starving for choice.
I reached out to Matthew Weber, General Manager at a leading international hotel chain, to discover more about how Hotels.com and other online travel agencies (OTAs) work. He states that when hotels feel a need to get more sales, such as the current situation with the coronavirus/Covid-19 pandemic, they will upload lower rates on sites like Hotels.com. They won’t lose or gain money until a hotel room is reserved.
“Let’s say that, of 100 rooms, we have only 50 rooms sold, and there isn’t much market demand. So we load a rate to hotels.com, as an opaque rate for $50, just above our cost to sell a room, and we can set a limit on how many of these rooms we want to sell at that rate. Hotels.com can then add a markup and sell those rooms to guests. Until a reservation is made, no inventory, or money is exchanged.”
If they set a room rate on Hotels.com for a certain price, they will make that money no matter what Hotels.com does to that room rate, be that applying discounts, raising the price, or anything in between. “If we set it at $50, we’ll get $50, regardless of what Hotels.com is doing on their end,” says Weber.
Therefore in this specific sense, we can’t conclude that the hotels are the direct victims in this cheat.
Hotels.com loses big
Impact: High (lost revenue)
From what we can gather about the usual scheme on OTAs, Hotels.com is the one that’s really losing big here.
Let’s say that the hotels do give Hotels.com a room rate of £50. Normally, Hotels.com would (algorithmically) set prices in line with market rates for the hotel in terms of dates, locations, demand, etc.
In this example, the price they give customers could be £125. At this point, if we buy the room at this price, Hotels.com has £75 in revenue.
Now, let’s apply our fake discount of £200 – since we didn’t earn these points, we don’t care that we’re applying a coupon larger than the price of the room. For the room, we’re essentially paying £0, and all we’ll need to pay is the tax.
At this point, Hotels.com not only loses that £75 revenue, but they’re also in the red since they didn’t break even with the £50 paid to the individual hotels. That’s a £125 total loss.
Now, let’s extrapolate. There are two assumptions we’ll make here:
- Clubcard members are more likely to activate low-amount discounts than high-amount discounts, since they probably have lower amounts of points. In order to get a £750 discount, members would need to exchange 25,000 Tesco Clubcard points. For £200, that’d be a more reasonable 6,700 points.
- People buying fake codes are going to use discounts that will save them the most money, covering at least 90% of the Hotels.com room rate, meaning that they’re most likely to only have the taxes to pay. (This is opposed to cheaters covering only partial costs, meaning Hotels.com would still have some revenue.)
Using that, we can come up with some ranges based on the lower £200 codes:
- 100 stolen codes since launch means nearly £20,000 in lost revenue
- 1,000 stolen codes since launch means nearly £200,000 in lost revenue
- 10,000 stolen codes since launch means nearly £2,000,000 in lost revenue
- 100,000 stolen codes since launch means nearly £20,000,000 in lost revenue
I think you’re starting to get the point here. Depending on how many codes have been fraudulently generated and used, Hotels.com could stand to lose anywhere from tens of thousands of pounds to millions of pounds in potential revenue. Depending on what rates they’re getting from hotels, they may have already suffered large losses from paying out these rates to hotels.
What can you do?
For Clubcard members, the Tesco Clubcard support mentioned something pretty positive: they’re willing to reinstate the points on a case-by-case basis if members suspect that their codes had already been used.
Hotels.com has already fixed the issue, and we were able to confirm this when one of our unused codes gave us a new error – “That coupon code isn’t valid”:
Most likely, this will be a pretty expensive lesson for Hotels.com to create unique codes that won’t be so easy to crack. This includes:
- Using much longer, less predictable codes with more characters in each space
- Generating codes only when they’re created by the customer, if that’s technically feasible
- Putting a limit on attempts in the coupon code entry field to stop brute force attacks