Code Class

The Problem With Emails as Identities

I recently got an email from Crowne Plaza confirming my stay in Richmond, VA later this month. It’s always nice to get confirmed for a trip you’re taking, getting that nice event in Gmail with the little plane next to it. Tells you when you’re going, when you’re coming back, where you’re staying, when you need to leave for the airport. Freaking everything, man.

There’s a slight problem with this one, though: I don’t have any plans to go to Richmond. I’ve driven through Richmond once, seems like as good a city as any other midsized capital, but, I’m currently not planning on visiting, save this random email I got. It’s a weird feeling getting this type of email: Am I getting my identity stolen? If I am, is this person an idiot for letting me know he’s doing it? My credit cards don’t have any hits: is this person checking my email to confirm his trip? How did he get my password? I’m told you can’t see it when I type my password: Whenever I type hunter2 it shows to you like a bunch of asterisks ***.

That’s a really tired joke.

But anyway, I learned something funny: when you receive this confirmation email from any hotel in the IHG group, there’s a link to cancel the reservation. I clicked it, and this reservation was cancelled. Inspecting the URL, it looks like the reservation number is sequential, and they use the reserver’s last name to verify. I wonder what would happen if I ran through the next 1000 reservation numbers with the last name “SMITH”. Could probably cause some havoc. Maybe not, though. Hopefully someone’s figured that out.

I sent an email to their customer portal:

First things first, I never reserved a hotel room for you on [[date]]. However, I received an email that said I did, with confirmation number: [[redacted]]. I was able to cancel this reservation through the email, and so I did. The cancellation number was [[redacted]]. I’m a bit worried that someone is trying to steal my identity. However, it could just be some other idiot with the same name as me who can’t remember that they don’t own this email address.

You may wish to contact the renter by something other than email and ask them if they want to un-cancel their reservation. I don’t know, I’m not you. Maybe Crowne Plaza should not allow you to reserve/cancel a hotel room without verifying your email address. That seems pretty basic, but again, I’m not you, I don’t know your life.
A Person Not Planning on Going to Richmond
I’ll keep you all updated with a response.
So, anyone running a business: It’s really important to verify email addresses. Otherwise someone like me can ruin someone’s lavish Richmond vacation.