
Loyalty programmes hacked - could Aeroplan be next?

Old Mar 31, 2015, 6:15 am
  #1  
Original Poster
 
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
Loyalty programmes hacked - could Aeroplan be next?

Recent news reports indicate that loyalty programmes have been a target of hackers "stealing" miles to redeem for goods and services.

This article describes techniques that would seem to be easy to apply to the Aeroplan site as well as BA and others that have been attacked.

In addition to weak controls to block brute force attacks, many of these systems do not enforce good password policies as well, making it that much easier for attackers to get into these accounts.

Not only do customers re-use passwords, but companies continue to reject CAPTCHAs, two-factor authentication, session timeouts after failed login attempts and other controls against these sorts of attacks.
Until Aeroplan improves their security on their website I am certainly going to improve my approach to password security there by making it longer and harder to be defeated by a brute force attack although Aeroplan makes this hard by these restrictions.

1. Make it 6 to 10 characters long
2. Use only numbers or letters in any combination (avoid special characters or accents)
There is a long thread about the BAEC situation at http://www.flyertalk.com/forum/briti...ex-gratia.html
Geoflying is offline  
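The OP's point about weak brute-force controls and missing lockouts is easiest to see as detection logic. The block below is an added example written for this thread, not code from Aeroplan, BA or any program mentioned above; the log format, the account numbers and the source addresses are all constructed, and the thresholds (5 failures in a 10-minute window, 3 distinct accounts from one source) are assumptions. It replays a handful of login events and raises the alerts a site operator would want: an account that hit the failure threshold, a login that succeeded while that account should still have been locked, and one source address failing across many different accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up auth-log format (not real Aeroplan or
# FlyerTalk data): one source burns five guesses on one account, then logs in,
# then tries several other accounts in quick succession.
SAMPLE_LOG = """\
2015-03-31T06:10:01Z login result=fail account=123456789 src=203.0.113.5
2015-03-31T06:10:02Z login result=fail account=123456789 src=203.0.113.5
2015-03-31T06:10:03Z login result=fail account=123456789 src=203.0.113.5
2015-03-31T06:10:04Z login result=fail account=123456789 src=203.0.113.5
2015-03-31T06:10:05Z login result=fail account=123456789 src=203.0.113.5
2015-03-31T06:10:06Z login result=ok account=123456789 src=203.0.113.5
2015-03-31T06:11:00Z login result=fail account=987654321 src=198.51.100.7
2015-03-31T06:11:30Z login result=ok account=987654321 src=198.51.100.7
2015-03-31T06:12:00Z login result=fail account=111111111 src=203.0.113.5
2015-03-31T06:12:01Z login result=fail account=222222222 src=203.0.113.5
2015-03-31T06:12:02Z login result=fail account=333333333 src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) "
    r"account=(?P<account>\d+) src=(?P<src>[\d.]+)$"
)

LOCKOUT_THRESHOLD = 5           # failures on one account before it is locked (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for counting failures (assumed)
SPRAY_ACCOUNTS = 3              # distinct accounts one source must fail against (assumed)


def parse_log(text):
    """Parse the constructed log format into (timestamp, result, account, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["account"], m["src"]))
    return events


def find_alerts(events):
    """Replay login events in time order and return alerts as tuples:
    ("lockout", account, src)              - failure threshold reached
    ("success_while_locked", account, src) - a login the site should have refused
    ("spray", src, distinct_accounts)      - one source failing across many accounts
    """
    fails_by_account = defaultdict(list)  # account -> timestamps of recent failures
    fails_by_src = defaultdict(list)      # src -> (timestamp, account) of recent failures
    locked_until = {}                     # account -> datetime the lock expires
    sprayers = set()                      # sources already reported once
    alerts = []
    for ts, result, account, src in sorted(events):
        if result == "ok":
            if account in locked_until and ts < locked_until[account]:
                alerts.append(("success_while_locked", account, src))
            continue
        # Per-account counter over a sliding window: this is the lockout control.
        recent = [t for t in fails_by_account[account] if ts - t <= WINDOW]
        recent.append(ts)
        fails_by_account[account] = recent
        locked = account in locked_until and ts < locked_until[account]
        if len(recent) >= LOCKOUT_THRESHOLD and not locked:
            locked_until[account] = ts + WINDOW
            alerts.append(("lockout", account, src))
        # Per-source counter: one address failing against many different accounts
        # is the pattern a per-account lockout alone never sees.
        recent_src = [(t, a) for t, a in fails_by_src[src] if ts - t <= WINDOW]
        recent_src.append((ts, account))
        fails_by_src[src] = recent_src
        distinct = {a for _, a in recent_src}
        if len(distinct) >= SPRAY_ACCOUNTS and src not in sprayers:
            sprayers.add(src)
            alerts.append(("spray", src, len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as a script it prints the three alerts for the sample; the second one is the interesting case, since a site with "weak controls to block brute force attacks" lets the sixth attempt through instead of holding the account closed for the rest of the window.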
Old Mar 31, 2015, 6:38 am
  #2  
 
Join Date: Oct 2009
Location: YUL
Programs: AC SE (*A Gold), Bonvoy Platinum Elite, Hilton Gold, Amex Platinum / AP Reserve, NEXUS, Global Entry
Posts: 5,691
Semi-off topic, but this is the first time I see someone specifically suggest avoiding special characters in passwords. They're typically encouraged because they broaden the number of possible passwords. I wonder why the suggestion was made...
ffsim is offline  
Old Mar 31, 2015, 6:39 am
  #3  
 
Join Date: Aug 2010
Location: Why? Why? Zed! / Why? You? Elle! / Gee! Are You!
Programs: Irrelevant
Posts: 3,543
Originally Posted by Geoflying
Until Aeroplan improves their security on their website I am certainly going to improve my approach to password security there by making it longer and harder to be defeated by a brute force attack although Aeroplan makes this hard by these restrictions.
What makes you think Aeroplan hasn't been hacked or isn't p0wned to some degree already?

Most successful hacks today don't bother with the front door anymore, the backend is usually targeted and with the plethora of systems used between AC and AP - well, nothing would surprise me.......
jaysona is offline  
Old Mar 31, 2015, 6:40 am
  #4  
Original Poster
 
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
Originally Posted by ffsim
Semi-off topic, but that article is the first time I see someone specifically suggest avoiding special characters in passwords. They're typically encouraged because they broaden the number of possible passwords. I wonder why the suggestion was made...
Exactly - it apparently is a requirement on the Aeroplan site (that is where my second quote was from) - as well as, apparently, on other loyalty programmes' sites such as BAEC.
Geoflying is offline  
Old Mar 31, 2015, 6:41 am
  #5  
 
Join Date: Oct 2009
Location: YUL
Programs: AC SE (*A Gold), Bonvoy Platinum Elite, Hilton Gold, Amex Platinum / AP Reserve, NEXUS, Global Entry
Posts: 5,691
Originally Posted by Geoflying
Exactly - it apparently is a requirement on the Aeroplan site (that is where my second quote was from) - as well as, apparently, on other loyalty programmes' sites such as BAEC.
Right... by not designing their websites to accept complex passwords, they're shouting "we don't care about security".
ffsim is offline  
Old Mar 31, 2015, 7:17 am
  #6  
Original Poster
 
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
Originally Posted by jaysona
What makes you think Aeroplan hasn't been hacked or isn't p0wned to some degree already?

Most successful hacks today don't bother with the front door anymore, the backend is usually targeted and with the plethora of systems used between AC and AP - well, nothing would surprise me.......
Well, it hasn't hit the airwaves on FT yet if it is affecting users - and FT is usually the canary in the coal mine.
Geoflying is offline  
Old Mar 31, 2015, 7:25 am
  #7  
Suspended
 
Join Date: Sep 2014
Programs: AC SE100K-1MM, NH, DL, AA, BA, Global Entry/Nexus, APEC..
Posts: 18,877
Originally Posted by Geoflying
Recent news reports indicate that loyalty programmes have been a target of hackers "stealing" miles to redeem for goods and services......
Until Aeroplan improves their security on their website I am certainly going to improve my approach to password security there by making it longer and harder to be defeated by a brute force attack although Aeroplan makes this hard by these restrictions.

Back on Nov 4, I posted this in a new thread.
It seems no one was concerned enough to post a reply


Originally Posted by 24left
This got me thinking about the current level of password protection on AC/AE accounts...maybe adding two-step or multi-step authentication?

From Krebs on Security re hacking of TRAVEL loyalty program accounts:

"They got into the account and of course the first thing they did was change my primary and secondary email accounts, so that neither me nor my travel agent were getting notifications about new travel bookings," said Brothers, co-founder of Verafin, a Canadian software security firm that focuses on anti-money laundering and fraud detection.

http://krebsonsecurity.com/2014/11/t...ints-accounts/

After Hilton got hacked, they added CAPTCHA and offered members 1,000 HHonors points for updating their passwords. Maybe it is an improvement, who really knows.

Otherwise, I'm not sure AC/Aeroplan's IT can move that quickly, otherwise they would have done so a while ago. IMHO.
24left is offline  
Old Mar 31, 2015, 7:33 am
  #8  
Original Poster
 
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
Originally Posted by 24left
Back on Nov 4, I posted this in a new thread.
It seems no one was concerned enough to post a reply

...
So 24left is the canary

tweet tweet
Geoflying is offline  
Old Mar 31, 2015, 8:55 am
  #9  
Suspended
 
Join Date: Jun 2009
Location: YYZ
Programs: AC E50K (*G) WS Gold | SPG/Fairmont Plat Hilton/Hyatt Diamond Marriott Silver | National Exec Elite
Posts: 19,284
They need to move to two factor authentication as much as I hate it.
superangrypenguin is offline  
Old Mar 31, 2015, 9:35 am
  #10  
Suspended
 
Join Date: Sep 2014
Programs: AC SE100K-1MM, NH, DL, AA, BA, Global Entry/Nexus, APEC..
Posts: 18,877
Originally Posted by Geoflying
So 24left is the canary

tweet tweet
Yup. Nov 4. And yet here we are.
24left is offline  
Old Mar 31, 2015, 9:58 am
  #11  
 
Join Date: Aug 2010
Location: Why? Why? Zed! / Why? You? Elle! / Gee! Are You!
Programs: Irrelevant
Posts: 3,543
Originally Posted by ffsim
Right... by not designing their websites to accept complex passwords, they're shouting "we don't care about security"
Uhm, so, as much as I really don't think too highly of the general state of IT affairs at AC and AP, this is one area I'm willing to cut them a little (albeit extremely little) slack on.

I don't think it's really an issue of the website so much as an issue of some back-end systems that aren't capable of processing a password that uses characters outside the 7-bit ASCII character set. You'd be surprised how many systems still in use today are not capable of processing a username/password made of UTF-8 characters.

Keep in mind that the Aeroplan number and password are used to control access to many different systems within both AC and AP besides just website access.

Originally Posted by 24left
After Hilton got hacked, they added CAPTCHA and offered members 1,000 HHonors points for updating their passwords. Maybe it is an improvement, who really knows.
CAPTCHA is pretty much useless when it comes to thwarting a machine, there are massive botnets dedicated to thwarting (quite successfully) CAPTCHA. CAPTCHA provides nothing more than a warm and fuzzy feeling of a false sense of security for the naive and ignorant and is a real annoyance to the rest of us.

Originally Posted by superangrypenguin
They need to move to two factor authentication as much as I hate it.
I kinda like where 2-factor has gone with the likes of google, twitter, facebook, etc. You use a 2nd code to login once and then as long as the same pc/browser is used, no follow-up 2-factor authentication is asked for.

I routinely get notices of rogue access attempts from various places around the world on my various accounts every month. I don't really think much of it, since I'll get notified if a new browser is used to login to my account, and this is something AC/AP could implement with little pain and effort compared to having to upgrade the legacy systems in the background.
jaysona is offline  
Old Mar 31, 2015, 10:04 am
  #12  
Suspended
 
Join Date: Jun 2009
Location: YYZ
Programs: AC E50K (*G) WS Gold | SPG/Fairmont Plat Hilton/Hyatt Diamond Marriott Silver | National Exec Elite
Posts: 19,284
Originally Posted by jaysona

I kinda like where 2-factor has gone with the likes of google, twitter, facebook, etc. You use a 2nd code to login once and then as long as the same pc/browser is used, no follow-up 2-factor authentication is asked for.
Yep. At work we've gone from just an AD login to having to login with our AD credentials AND having a phone call sent to our mobile phones and entering a second X-digit code. As big of a pain as it is, it certainly verifies that I am who I am. I'm surprised no loyalty program has implemented this yet. Then again most users are too stupid to figure out how VPN works, let alone having to remember two passwords.
superangrypenguin is offline  
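jaysona (post #11) describes the remembered-browser form of two-factor login, where the second code is asked for once and a known browser then skips it, plus a notice whenever an unrecognized browser shows up; superangrypenguin (post #12) describes the second-code prompt itself. The block below is an added example of that design for this thread, not code from Google, Twitter, Facebook, AC or Aeroplan; the cookie layout, the 30-day trust period, the `notify` hook and the server key are all assumptions. The trusted-device cookie is an HMAC over the account, an expiry and a nonce, so it cannot be forged or moved to another account, and a correct password from a browser without a valid cookie triggers the notice and the second-factor prompt before a new cookie is issued.

```python
import hashlib
import hmac
import secrets

# Assumptions (not from the thread): a per-deployment secret kept server-side,
# and a 30-day trust period for a browser that has completed the second factor.
SERVER_KEY = secrets.token_bytes(32)
DEVICE_TRUST_SECONDS = 30 * 24 * 3600


def issue_device_token(account_id, now, key=SERVER_KEY):
    """Mint the cookie value that marks this browser as known for account_id.
    Layout: account|expiry|nonce|mac, with the MAC covering the first three fields."""
    expiry = int(now) + DEVICE_TRUST_SECONDS
    body = f"{account_id}|{expiry}|{secrets.token_hex(8)}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def device_is_trusted(token, account_id, now, key=SERVER_KEY):
    """True only if the token is intact, was issued for this account and has not expired."""
    if not token or token.count("|") != 3:
        return False
    acct, expiry, nonce, mac = token.split("|")
    body = f"{acct}|{expiry}|{nonce}"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False            # forged or tampered cookie
    if acct != str(account_id):
        return False            # genuine cookie, but for a different account
    return int(now) < int(expiry)


def login(account_id, password_ok, device_token, second_factor_ok, now, notify,
          key=SERVER_KEY):
    """Decide one login. Returns (outcome, device_token_to_set_or_None).
    second_factor_ok is None when no code has been submitted yet.
    notify(account_id, message) is the hook for the "new browser" notice."""
    if not password_ok:
        return ("deny", None)
    if device_is_trusted(device_token, account_id, now, key):
        return ("allow", device_token)        # known browser: no second prompt
    # Correct password from an unknown browser: tell the account holder, then
    # insist on the second factor before this browser is remembered.
    notify(account_id, "login attempt from an unrecognized browser")
    if second_factor_ok is None:
        return ("need_second_factor", None)
    if not second_factor_ok:
        return ("deny", None)
    return ("allow", issue_device_token(account_id, now, key))


if __name__ == "__main__":
    import time
    log = lambda acct, msg: print(f"notice to {acct}: {msg}")
    first = login("123456789", True, None, None, time.time(), log)
    print(first)                                          # need_second_factor
    outcome, cookie = login("123456789", True, None, True, time.time(), log)
    print(outcome, device_is_trusted(cookie, "123456789", time.time()))
    print(login("123456789", True, cookie, None, time.time(), log))  # allow, no notice
```

Two design points worth noting: verification uses `hmac.compare_digest` so the MAC check does not leak timing information, and the cookie is scoped to one account rather than one "browser", which is what stops a cookie captured from one customer's session from silencing the prompt on someone else's account. A real deployment would also fold a per-account generation counter into the MAC'd body so that a password change or a "forget all devices" action invalidates every remembered browser at once.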
Old Mar 31, 2015, 10:43 am
  #13  
A FlyerTalk Posting Legend
 
Join Date: Sep 2012
Location: SFO
Programs: AC SE MM, BA Gold, SQ Silver, Bonvoy Tit LTG, Hyatt Glob, HH Diamond
Posts: 44,331
I think of all websites I use (FT included), AC has my weakest password, because of the limit of 10 characters and no special characters. And yet they get more of my money than any other website, maybe excluding my bank.

Originally Posted by jaysona
What makes you think Aeroplan hasn't been hacked or isn't p0wned to some degree already?

Most successful hacks today don't bother with the front door anymore, the backend is usually targeted and with the plethora of systems used between AC and AP - well, nothing would surprise me.......
I've been debating writing a little blog post about "hacking" AC for EYW. I was amazed how much of their website let me do whatever I wanted. I guess it's a good thing I didn't have any nefarious plans
canadiancow is online now  
Old Mar 31, 2015, 12:02 pm
  #14  
 
Join Date: Apr 2002
Location: YXE
Posts: 3,050
There was an incident ~10-12 years ago, where the AP site would randomly spit out the names of other members and their account balances when someone made a points balance inquiry. AC dealt with it at the time by sending everyone affected a letter informing them of such, and 5,000 free AP points.

As for the title of this thread, I thought it had to do with how loyalty programs like AP have been constantly hacked and slashed in terms of their usefulness and rewards offered. For instance, the latest "enhancement" to AP appears to be that bookings are made in "Tango", not "Flex", and hence seat selection is no longer complimentary. The next shoe to drop? Probably stopover privileges, IMHO. Sooner or later, confirmed reservations may go the way of the dodo bird with the way that AP is going, and an AP booking will be a standby booking at best, just like employees use for personal pass travel.
pitz is offline  
Old Mar 31, 2015, 12:21 pm
  #15  
Original Poster
 
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
Originally Posted by jaysona
...

Keep in mind that the Aeroplan number and password are used to control access to many different systems within both AC and AP besides just website access.

...
...and in some cases you don't even need that. If I know your booking reference number and your last name (say, by hunting through the garbage bins in the office after you have left for the night, looking for the printout of your flight confirmation before you moved yourself into a preferred seat) I can go and move you out of 18A into 60E thereby opening up 18A for me (OK I know you never fly economy jaysona but you get the general idea).
Geoflying is offline  