Online sales, cashless systems, and ticket pickup at kiosks that help speed the passage from parking lot to lift have become indispensable customer service tools for mountain resorts. But the frictionless convenience enjoyed by guests and the labor savings accrued by resort operators increasingly comes with a hidden price: increased vulnerability to credit card scams, including well-organized schemes that operate globally and specifically target the outdoor recreation industry.

Protections at the online point of purchase offered by the payment processor or additional third-party tools like Kount or Sift are the first line of defense. But when fraudulent transactions slip through the cracks, operators often need to take matters into their own hands.  

CHALLENGING CHARGEBACKS 

For New Jersey’s Mountain Creek Resort, the first sign of trouble came in the form of a spike in credit card chargebacks—an action taken by a bank to reverse charges—alerting resort chief Evan Kovach and his team that cardholders were disputing charges for lift tickets and services like lessons and rentals at the mountain. 

An investigation led Mountain Creek to the source of the scam: the so-called “dark web,” where fraudsters—often using social media platforms—offer buyers deeply discounted lift tickets and other experiences. 

“These bad actors have lists of stolen credit cards at their disposal,” explains Kovach. “When they ‘sell’ someone the experience, they simply (use a stolen credit card to) purchase on behalf of the person looking to do the experience, and then receive payment through crypto currency or other difficult-to-track digital payments.”

The customer will then consume the service, such as visiting the resort for the day, Kovach says—sometimes to the tune of more than $2,000 in value, if snowsports school, rentals, and other amenities are included. 

“The bad actor has already received a digital payment from the guest who visited and, unfortunately, the resort will receive a chargeback due to fraud from their credit-card processor and never see a dime of the $2,000 in services they provided,” says Kovach. “Many times, the visiting guest doesn’t even have a sense that they were part of an illegal transaction; they simply think they’ve found a great discount service.”

Significant losses. Ski Big Bear in northeastern Pennsylvania was hit by chargebacks totaling between $1,000 and $2,000 before catching onto a similar scheme. 

“We reported it to the state police, but that’s not a dollar amount they are going to respond to,” says general manager Lori Phillips. “For a small resort like us, though, it’s a significant loss. I don’t know what the future holds for this, but it’s not easy to pick up on until after the fact. It’s truly a question of how many times you will be hit before it’s no longer just a cost of doing business and you make an investment in prevention.”  

IDENTIFYING “TELLS” 

Ski Santa Fe was among several New Mexico resorts targeted by credit card fraud last winter. Tipped off by other resorts in the region, operations manager Tommy Long and his team were able to block fraudulent transactions using some identifying “tells” employed by a particular group of fraudsters: entering the same (stolen) credit card number for multiple, unrelated purchases; using identical mailing addresses; typing in guest names using all lower-case letters; and entering a full first name but only an initial for the last name.

“We thought we were in the outdoor recreation business, and suddenly we were in the fraud-prevention business,” says Long.

For Brigid Howell, director of guest services at Pats Peak in New Hampshire, it was unusual email addresses and personal information from people located far from the mountain that raised red flags. 

“How many people from California are coming to ski here?” she recalls asking. 

Intercepting offenders. Once alerted to the scam, staff at Pats Peak took to reviewing lists of online purchases for suspicious transactions daily—a relatively effective, if labor-intensive, practice. The no-nonsense Howell would then position herself at the ticket kiosks to intercept people trying to pick up passes using fraudulently acquired QR codes. Depending on the day, that meant confronting up to 10 parties each morning. 

“Most had no ID to back [the purchase] up,” says Howell. “I’m pretty good at reading people; some of them sincerely don’t know” they had been unwittingly part of a scam, she says.

Likewise, back in New Mexico. “Some said, ‘We saw a deal with your logo on it for 50 percent off lift tickets,’ but admitted it was probably too good to be true,” adds Reed Weimer, marketing manager at Red River Ski & Summer Area, who also made a practice of stopping would-be ticket redeemers at kiosks—and reporting the real names of fraudulent purchasers to local law enforcement.

“A lot of people doing this probably know there’s something shady going on but are not aware of the level of crime involved,” says Kovach.

Ski Santa Fe guests who showed up to ski on the scam tickets were also confronted by resort staff. “We charged them the difference with a full-price ticket if they wanted to ski,” says Long. 

Gaining info. When Mountain Creek staff did catch someone picking up a fraudulent ticket at a kiosk, Kovach saw an opportunity to enhance his fraud investigation. “We would go easy on them in exchange for information,” he says, telling guests, “‘We’re going to let you ski today and not call the police if you tell us what we want to know.’”   

ADDED RISKS FOR RESORTS 

Kovach notes that any experience or activity-based business, like ski resorts, faces some extra exposure to fraud due to the relationship between the customer (who becomes a guest) and access to the experience/activity.

“It’s unlike a traditional online purchase where a purchaser orders something that gets delivered to a physical address,” he says. “As a result of this nuance, it’s critical that the guest-facing purchasing platform a resort uses is directly tied to both credit-card processing and access control. Without these three functions working together in real-time, it is relatively easy for criminals to take advantage of resorts.” 

Credit card fraud, of course, has been around for as long as credit cards. Snowsports areas aren’t strangers to scams involving lift tickets. Managers including Howell still spend part of their days catching guests using illegally copied tickets and passes, claiming to have lost theirs so they can give it to a friend, or handing over—or selling—their pass to someone else after taking a few morning runs. 

Ransomware. And credit card scams aren’t the only—or even the most serious—digital-age threat facing resorts. One upstate New York ski area was hit by a ransomware attack precisely timed for the week before the busy 2023 Presidents’ Week period. Hackers locked the ski area out of its own servers and threatened to release all its data publicly unless a $4 million ransom demand was met. 

Ultimately, the ski area (whose leaders spoke to SAM on condition of anonymity) refused to pay, rode out the holiday week using paper tickets and other old-school methods, and invested its insurance money and additional funds in a rebuilt computer system with better network security.  

A GLOBAL PROBLEM 

Ski areas are being targeted by high-tech criminals, but they’re hardly being singled out. Credit-card fraudsters raked in an estimated $46 billion worldwide in 2022, according to Juniper Research, an analyst firm in the mobile and digital tech sector, with scammers combining stolen credit card information and identity theft to exploit weaknesses in the digital payment system.

“I am truly not sure what resorts could do to avoid this,” says Maria-Kristina Hayden, CEO and founder of cybersecurity firm OUTFOXM. “Unfortunately, retail stores and companies worldwide are dealing with purchases made with stolen credit cards.”

“Basically, the way credit cards are processed and accepted in the United States on the web is the main origin of the fraud,” says Daniel Wakounig, chief technology officer at Axess, which provides a variety of tech solutions for ski areas, including self-serve kiosks. 

Front-end prevention. Wakounig says that credit card fraud is best prevented on the front end, not at the kiosk, such as requiring two-factor authentication of purchaser identity “either by requesting a secure code additionally to the credit card data or asking for a secure ID, which is sent to the buyer via a second channel that the buyer declared when the credit card contract was signed. In that case, the secure codes are usually sent to a mobile device or an app where the real owner is logged in.

“Two-factor authorization, as it is used today outside of the U.S., is not that common in the [United] States,” he says. “[With] two-factor authentication at purchase time, a stolen card cannot be used to buy tickets at all.”  

POTENTIAL SOLUTIONS 

But while credit card fraud might be an unavoidable downside to automated purchase and sales, there are ways that resorts can make themselves less vulnerable. 

ID required. Having staff verify that the identity of the person picking up tickets—either at the window or kiosk—matches the purchaser information submitted online is an option that some areas like Pats Peak employ, but typically only when they’re alerted of potential fraud. It’s an effective method, though it, of course, slows the redemption process.

Another option is to add a pop-up message on kiosks warning that users may be asked to present the card that they used to buy their lift tickets. This could discourage fraud, says Howell, but it’s mostly an empty threat without some sort of automation. 

Credit card required. Another potential solution is to use the kiosks themselves to verify identity, such as requiring a swipe of the credit card used to purchase the tickets and services. 

“We are constantly challenging processes at our devices to prevent whatever fraud is possible,” says Wakounig. “Checking the credit card at the pickup would be an approach. Since credit cards cannot be simply scanned, but require dedicated hardware provided by the payment service providers, it requires a credit card terminal for that purpose per each pickup device.”

Wakounig says that while this option is currently not supported, the company could develop it as an option for ski areas to add. “[That] decision has to be taken by the ski resorts.” 

Likewise, he says, scanning driver’s licenses to confirm identity also requires an additional reader. “Unfortunately, all these solutions have a significant performance impact on the pickup process, slowing it down for all guests,” he adds.

AI technology. One potentially more efficient tool for identity verification at the point of pickup is AI-enabled facial detection technology, which Wakounig says will be rolled out on Axess kiosks in 2024 or 2025, “replacing our current monitoring tool for ticket misuse,” he says. 

PROTECT YOURSELF  

Operators can take steps to protect themselves from credit card fraud, such as increasing their understanding about how such scams work, monitoring online activity that may indicate that they are a target, reviewing transactions to spot potential fraud, and using that information to inform future fraud-prevention efforts—all of which could save your resort a lot of money in the long run.