Loyalty programmes hacked - could Aeroplan be next?
#1
Original Poster
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
Recent news reports indicate that loyalty programmes have been a target of hackers "stealing" miles to redeem for goods and services.
This article describes techniques that would seem to be easy to apply to the Aeroplan site as well as BA and others that have been attacked.
Until Aeroplan improves their security on their website I am certainly going to improve my approach to password security there by making it longer and harder to be defeated by a brute force attack although Aeroplan makes this hard by these restrictions.
There is a long thread about the BAEC situation at http://www.flyertalk.com/forum/briti...ex-gratia.html
In addition to weak controls to block brute force attacks, many of these systems do not enforce good password policies as well, making it that much easier for attackers to get into these accounts.
Not only do customers re-use passwords, but companies continue to reject CAPTCHAS, two-factor authentication, session timeouts after failed login attempts and other controls against these sort of attacks
1. Make it 6 to 10 characters long
2. Use only numbers or letters in any combination (avoid special characters or accents)
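To put numbers on the two points in the post above, the guess space left by a 6-to-10 character letters-and-digits policy and how much a lockout after failed attempts slows an online guesser, here is an added example. It is not code from the original post or from Aeroplan; the charset sizes are real counts, but the guess rates, failure threshold and lockout times are assumed values chosen for illustration.

```python
"""
Added example, not code from the original post or from Aeroplan: compares
the size of the password space allowed by a 6-10 character letters-and-
digits policy with a longer, unrestricted one, and shows how far a simple
per-account lockout (the control the quoted article says many loyalty
sites lack) cuts the number of guesses an online attacker can make.
Guess rates, thresholds and lockout durations below are assumptions.
"""
import math
import string
from dataclasses import dataclass, field

ALNUM = len(string.ascii_letters + string.digits)                          # 62
ALNUM_CASELESS = len(string.ascii_lowercase + string.digits)               # 36, if the site folds case
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94 printable ASCII
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len inclusive."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Equivalent bits for a password chosen uniformly from `space`."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


@dataclass
class LoginThrottle:
    """Assumed lockout policy: after `threshold` consecutive failures the
    account is locked for `base_lock_s` seconds, doubling on each further
    lockout.  In practice pair this with a per-source-IP limit as well."""
    threshold: int = 5
    base_lock_s: int = 60
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)
    lockouts: dict = field(default_factory=dict)

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns 'locked' (guess never verified), 'fail' or 'ok'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            n = self.lockouts.get(account, 0)
            self.locked_until[account] = now + self.base_lock_s * 2 ** n
            self.lockouts[account] = n + 1
            self.failures[account] = 0
        return "fail"


def guesses_checked(throttle: LoginThrottle, account: str, seconds: int) -> int:
    """Simulate one wrong guess per second for `seconds` and count how many
    the server actually verified against the stored password."""
    return sum(throttle.attempt(account, False, t) == "fail" for t in range(seconds))


def compare() -> dict:
    """Headline numbers for the restricted policy vs. a 16-character
    unrestricted one, plus a day of online guessing with and without lockout."""
    restricted = keyspace(ALNUM, 6, 10)
    unrestricted = keyspace(PRINTABLE, 16, 16)
    day = 24 * 3600
    return {
        "restricted_bits": entropy_bits(restricted),
        "unrestricted_bits": entropy_bits(unrestricted),
        # offline attack on a leaked hash database at an assumed 1e10 guesses/s
        "restricted_offline_years": years_to_exhaust(restricted, 1e10),
        # online attack against the live login form at 1 guess/s
        "online_guesses_per_day_no_lockout": day,
        "online_guesses_per_day_with_lockout": guesses_checked(LoginThrottle(), "acct", day),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:38s} {value:,.2f}" if isinstance(value, float) else f"{key:38s} {value:,}")
```

The restricted policy leaves roughly 60 bits, which an offline cracker with a leaked hash database would exhaust in a few years at the assumed rate, while 16 printable characters give over 100 bits. Against the live login form, however, the lockout reduces a one-guess-per-second attacker from 86,400 verified guesses a day to a few dozen, which is why the article's complaint about missing throttling matters more for account takeover than the charset does.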
#2
Join Date: Oct 2009
Location: YUL
Programs: AC SE (*A Gold), Bonvoy Platinum Elite, Hilton Gold, Amex Platinum / AP Reserve, NEXUS, Global Entry
Posts: 5,691
Semi-off topic, but this is the first time I've seen someone specifically suggest avoiding special characters in passwords. They're typically encouraged because they broaden the number of possible passwords. I wonder why the suggestion was made...
#3
Join Date: Aug 2010
Location: Why? Why? Zed! / Why? You? Elle! / Gee! Are You!
Programs: Irrelevant
Posts: 3,543
Most successful hacks today don't bother with the front door anymore, the backend is usually targeted and with the plethora of systems used between AC and AP - well, nothing would surprise me.......
#4
Original Poster
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
Exactly - it apparently is a requirement on the Aeroplan site (that is where my second quote was from) - as well as, apparently, on other loyalty programmes' sites such as BAEC.
#5
Join Date: Oct 2009
Location: YUL
Programs: AC SE (*A Gold), Bonvoy Platinum Elite, Hilton Gold, Amex Platinum / AP Reserve, NEXUS, Global Entry
Posts: 5,691
Right... by not designing their websites to accept complex passwords, they're shouting "we don't care about security"
#6
Original Poster
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
What makes you think Aeroplan hasn't been hacked or isn't p0wned to some degree already?
Most successful hacks today don't bother with the front door anymore, the backend is usually targeted and with the plethora of systems used between AC and AP - well, nothing would surprise me.......
#7
Suspended
Join Date: Sep 2014
Programs: AC SE100K-1MM, NH, DL, AA, BA, Global Entry/Nexus, APEC..
Posts: 18,877
Recent news reports indicate that loyalty programmes have been a target of hackers "stealing" miles to redeem for goods and services......
Until Aeroplan improves their security on their website I am certainly going to improve my approach to password security there by making it longer and harder to be defeated by a brute force attack although Aeroplan makes this hard by these restrictions.
Back on Nov 4, I posted this in a new thread.
It seems no one was concerned enough to post a reply.
This got me thinking about the current level of password protection on AC/AE accounts...maybe adding two-step or multi-step authentication?
From Krebs on Security re hacking of TRAVEL loyalty program accounts:
"“They got into the account and of course the first thing they did was change my primary and secondary email accounts, so that neither me nor my travel agent were getting notifications about new travel bookings,” said Brothers, co-founder of Verafin, a Canadian software security firm that focuses on anti-money laundering and fraud detection."
http://krebsonsecurity.com/2014/11/t...ints-accounts/
After Hilton got hacked, they added CAPTCHA and offered members 1,000 HHonors points for updating their passwords. Maybe it is an improvement, who really knows.
Otherwise, I'm not sure AC/Aeroplan's IT can move that quickly, otherwise they would have done so a while ago. IMHO.
#11
Join Date: Aug 2010
Location: Why? Why? Zed! / Why? You? Elle! / Gee! Are You!
Programs: Irrelevant
Posts: 3,543
I don't think it's really an issue of the website vs. the issue of some back-end systems that aren't capable of processing a password that uses characters other than the 7-bit ASCII character set. You'd be surprised how many systems still in use today are not capable of processing a username/password made of UTF-8 characters.
Keep in mind that the Aeroplan number and password are used to control access to many different systems within both AC and AP besides just website access.
I routinely get notices of rogue access attempts from various places around the world on my various accounts every month. I don't really think much of it, since I'll get notified if a new browser is used to log in to my account, and this is something AC/AP could implement with little pain and effort compared to having to upgrade the legacy systems in the background.
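The two cheap controls raised in this thread, a notice when a login comes from a browser the account has never used (the post above) and protection of the contact e-mail against the silent switch described in the Krebs quote, as an added example on a toy account service. This is not code from the original posts or from Air Canada/Aeroplan; the account numbers, addresses, the in-memory outbox standing in for an e-mail sender and the PBKDF2 parameters are all made up for the example.

```python
"""
Added example, not code from the original posts or from AC/Aeroplan: a toy
account service with (1) a "new browser" notice, based on a random token
the server hands the browser as a cookie and remembers by hash, and (2) an
e-mail change that requires the current password and notifies the OLD
address as well as the new one.  All identifiers and the outbox are
constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


class Account:
    def __init__(self, email, password):
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        # SHA-256 of every browser token issued; the browser holds the token
        # itself, so a dump of this set does not let anyone impersonate a device
        self.known_devices = set()

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self.salt, PBKDF2_ROUNDS)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password), self.pw_hash)


def _fingerprint(token):
    return hashlib.sha256(token.encode("ascii")).digest()


# Used for unknown account numbers so the response time does not reveal
# whether a number exists.
_DUMMY = Account("nobody@example.invalid", secrets.token_hex(16))


class AccountService:
    def __init__(self):
        self.accounts = {}
        self.outbox = []  # (recipient, subject) pairs; stands in for an e-mail sender

    def register(self, number, email, password):
        self.accounts[number] = Account(email, password)

    def login(self, number, password, device_token=None):
        """Returns (result, device_token) with result 'denied', 'ok' or
        'ok-new-device'.  The caller stores the returned token as a cookie so
        the same browser is recognised next time; an unknown or forged token
        is treated as a new browser and triggers a notice to the account owner."""
        acct = self.accounts.get(number)
        password_ok = (acct or _DUMMY).check_password(password)
        if acct is None or not password_ok:
            return "denied", None
        if device_token is not None and _fingerprint(device_token) in acct.known_devices:
            return "ok", device_token
        token = secrets.token_urlsafe(32)
        acct.known_devices.add(_fingerprint(token))
        self.outbox.append((acct.email, f"New browser signed in to account {number}"))
        return "ok-new-device", token

    def change_email(self, number, password, new_email):
        """Re-checks the password even inside a logged-in session, then tells
        both the old and the new address, so an intruder cannot quietly
        redirect future notifications."""
        acct = self.accounts.get(number)
        if acct is None or not acct.check_password(password):
            return False
        old_email, acct.email = acct.email, new_email
        subject = f"Contact e-mail for account {number} changed to {new_email}"
        self.outbox.append((old_email, subject))
        self.outbox.append((new_email, subject))
        return True


if __name__ == "__main__":
    svc = AccountService()
    svc.register("123456789", "owner@example.com", "correct horse")
    result, cookie = svc.login("123456789", "correct horse")
    print(result, svc.outbox[-1])
    print(svc.login("123456789", "correct horse", cookie)[0])
    print(svc.change_email("123456789", "correct horse", "new@example.org"), svc.outbox[-2:])
```

Neither control touches the legacy password rules the post above describes: the device token lives in a cookie and a server-side hash set, and the e-mail change only re-runs the existing password check, which is the point made about these being cheaper than upgrading the back-end systems.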
#12
Suspended
Join Date: Jun 2009
Location: YYZ
Programs: AC E50K (*G) WS Gold | SPG/Fairmont Plat Hilton/Hyatt Diamond Marriott Silver | National Exec Elite
Posts: 19,284
Yep. At work we've gone from just an AD login to having to log in with our AD credentials AND having a phone call sent to our mobile phones and entering a second X-digit code. As big of a pain as it is, it certainly verifies that I am who I am. I'm surprised no loyalty program has implemented this yet. Then again most users are too stupid to figure out how VPN works, let alone having to remember two passwords.
#13
A FlyerTalk Posting Legend
Join Date: Sep 2012
Location: SFO
Programs: AC SE MM, BA Gold, SQ Silver, Bonvoy Tit LTG, Hyatt Glob, HH Diamond
Posts: 44,331
I think of all websites I use (FT included), AC has my weakest password, because of the limit of 10 characters and no special characters. And yet they get more of my money than any other website, maybe excluding my bank.
I've been debating writing a little blog post about "hacking" AC for EYW. I was amazed how much of their website let me do whatever I wanted. I guess it's a good thing I didn't have any nefarious plans
What makes you think Aeroplan hasn't been hacked or isn't p0wned to some degree already?
Most successful hacks today don't bother with the front door anymore, the backend is usually targeted and with the plethora of systems used between AC and AP - well, nothing would surprise me.......
#14
Join Date: Apr 2002
Location: YXE
Posts: 3,050
There was an incident ~10-12 years ago, where the AP site would randomly spit out the names of other members and their account balances when someone made a points balance inquiry. AC dealt with it at the time by sending everyone affected a letter informing them of such, and 5,000 free AP points.
As for the title of this thread, I thought it had to do with how loyalty programs like AP have been constantly hacked and slashed in terms of their usefulness and rewards offered. For instance, the latest "enhancement" to AP appears to be that bookings are made in "Tango", not "Flex", and hence seat selection is no longer complimentary. The next shoe to drop? Probably stopover privileges, IMHO. Sooner or later, confirmed reservations may go the way of the dodo bird with the way that AP is going, and an AP booking will be a standby booking at best, just like employees use for personal pass travel.
#15
Original Poster
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
...and in some cases you don't even need that. If I know your booking reference number and your last name (say, by hunting through the garbage bins in the office after you have left for the night, looking for the printout of your flight confirmation before you moved yourself into a preferred seat) I can go and move you out of 18A into 60E, thereby opening up 18A for me (OK, I know you never fly economy jaysona, but you get the general idea).