"Hilton HHonors is pleased to provide your monthly online statement. Your online statement is a convenient way to view your HHonors account balance, and contains links to view your account activity detail and special HHonors offers."
It also includes several hyperlinked buttons, one of which says "Download a copy of your statement (in Adobe .pdf format) from our secure site."
But it links to an unsecure site! It opens a .pdf version of a portion of the usual monthly statement, with very poor image quality at that, and not showing total nights/stays for the year, special offers, news, etc.
First of all, I never asked HH to send me an e-statement. Second, claims of using a secure site when in fact it's completely unsecure (not just for the statement, but for "Member Profile" and "Click and Redeem" as well) trouble me greatly.
Hilton folks, I know you are reading this. Fix these problems ASAP!
lisadiamond
May 14, 02, 6:13 pm
Eugene -- Perhaps this outrageous security lapse will confirm for once and for all whether Adam Burke, or another Hilton lurker, still exists.
doc
May 14, 02, 9:02 pm
Same story here!
Nanook
May 15, 02, 7:26 am
I also have trouble with their printed and mailed statements. Everything one needs to know to use my points is right there. I don't know of any other company who prints the PIN number along with the account number.
Zip
May 15, 02, 7:32 am
I agree this looks bad, and I also receive it unsolicited. However, it does contain the following note (look at the e-mail again to get the proper URL):
ABOUT THIS E-MAIL
Because we value our relationship with you, we would like to offer you the opportunity to
“opt out” of future e-mail. If at any time you would like to be removed from our e-mail list,
please click here. Or, if the URL is not clickable, simply copy and paste the URL into your Internet browser and hit Enter. No additional text or message is needed.
jabez
May 15, 02, 8:08 am
"I also have trouble with their printed and mailed statements. Everything one needs to know to use my points is right there. I don't know of any other company who prints the PIN number along with the account number."
I agree. My statements come to my office and often sit around for 2+ weeks. Anyone could pick it up and have my code. Crazy!
Eugene
May 15, 02, 10:11 am
Originally posted by Zip:
I agree this looks bad, and I also receive it unsolicited. However, it does contain the following note (look at the e-mail again to get the proper URL):
ABOUT THIS E-MAIL
Because we value our relationship with you, we would like to offer you the opportunity to
“opt out” of future e-mail. If at any time you would like to be removed from our e-mail list,
please click here. Or, if the URL is not clickable, simply copy and paste the URL into your Internet browser and hit Enter. No additional text or message is needed.
Zip -- With all due respect, you miss the point here.
First, I do not want to opt out of all e-mails. I want to receive special offers, etc.
Second, opting out after the security breach is similar to closing the barn door after the horse is gone.
What Hilton needs to do is to immediately deactivate those live links.
Adam Burke
May 16, 02, 2:55 pm
Hello all,
Wanted to take a moment to address the concerns raised in this thread. Historically, our decision to provide a member's PIN on his/her statement has been a direct response to member requests to provide a readily-available reference to their PINs. Recognizing the security concerns you've mentioned, it's been a balance between meeting a customer service need and the possibility of mail fraud.
We are currently making enhancements to the Membership Services portion of the hiltonhhonors.com website to enable members who've forgotten their PINs to more easily request a reminder. This, along with several other security enhancements to be introduced shortly, has made it possible for us to change our practice, and we will no longer be printing PINs on statements. We are also increasing our reminders to members to periodically change their PINs in order to protect the security of their accounts.
If you would like to change your PIN, please log into your HHonors account at www.hiltonhhonors.com at the top of the home page. Click on the Member Services tab, and then select Change PIN from the Select a Service drop-down box.
Regarding HHonors e-statements, when a member clicks through to view their full account history, they are required to log in to their account and the site is secure. What's referenced above is a different issue -- which is that when a member clicks to view a PDF of his/her recent statement, they do not have to log in to view. This is also based on trying to make the e-statements as user-friendly as possible, so that members don't have to log in just to view the PDF version of their statement that accompanies their statement e-mail.
Recognizing some of the security concerns, we are removing the member address from all PDF statements, and PINs haven't been included on the PDFs.
Regarding the quality of the PDF - it's true that the PDF is not as clear when viewing it on screen as it is when it's printed out, but we're working on improving the quality.
Best regards,
Adam Burke
Hilton HHonors Worldwide
Eugene
May 16, 02, 5:15 pm
Originally posted by Adam Burke:
Regarding HHonors e-statements, when a member clicks through to view their full account history, they are required to log in to their account and the site is secure. What's referenced above is a different issue -- which is that when a member clicks to view a PDF of his/her recent statement, they do not have to log in to view. This is also based on trying to make the e-statements as user-friendly as possible, so that members don't have to log in just to view the PDF version of their statement that accompanies their statement e-mail.
Recognizing some of the security concerns, we are removing the member address from all PDF statements, and PINs haven't been included on the PDFs.
Adam -- Thanks a lot for your response. Your continuing presence on this board is very much appreciated.
I must say though that I still have a big problem with my PDF statement being available on the unsecure site not requiring a login (and remember, that your e-mail said "Download a copy of your statement (in Adobe .pdf format) from our secure site").
Keep in mind that e-mail containing the link to that statement comes completely unsecure, and can be viewed in transit by someone.
There is absolutely no reason to have my address printed on it, and I am glad to hear that you've decided to remove it (although, as of now, it is still there - hopefully, not for long).
As a major privacy issue, I don't want information about my stays (showing where I stayed and for how long) available to anyone who may monitor my e-mail.
Please reconsider your position and recognize these important security and privacy concerns!
Finally, I would like to be able to opt out of receiving my statements online without opting out of all other e-mails from Hilton. I'm sure your IT department can easily arrange for such an option.
Nanook
May 16, 02, 5:43 pm
Originally posted by Adam Burke:
This, along with several other security enhancements to be introduced shortly, have made it possible for us to change our practice and we will no longer be printing PINs on statements.
Yeah! Thank you, Adam.
Canista
May 17, 02, 4:23 am
Thanks Adam.
The fact that the Pin was provided on paper statement was a major security risk and stopping this is a great move. Hopefully further improvements will be provided - Eugene is indeed making some excellent points.
Thanks also for responding so quickly (and thanks to Mary Beth).
Canista
jabez
May 17, 02, 10:13 am
Once again, thanks Adam.
shauna
May 18, 02, 1:32 pm
I just received my statement for March (on May 18, but that's another story) and noticed my PIN printed right beneath the account number. This not only compromises the Hilton account, but for many folks it could be a security risk for other accounts, since they try to minimize the number of PINs they use.
As I was about to write an angry letter to Hilton, I thought, "Wait, do a FlyerTalk search." As is often the case, a relevant thread and a problem resolution appeared. Long live FlyerTalk. And thank you, Adam!
theDeltaFlyer
May 19, 02, 11:05 am
Originally posted by shauna:
I just received my statement for March (on May 18, but that's another story)
Same here. S-l-o-w mail?
USAFAN
May 19, 02, 12:09 pm
I personally don't have a problem that the pdf-statement is not secure.
I can't check "MEMBER PROFILE" and "CLICK & REDEEM"
Get error: HTTP Error 500-13 - Server too busy. Still, the problem could be with my PC, which is on a cable modem and highly secured and firewalled, so some sites get blocked.
However, I checked the HTML code by right-clicking the e-mail and clicking "view source". They have hyper-links to http://www.hiltonhhonors.net (with some instructions), which transforms to https://www.hiltonhhonors.com/, a secure site!
Like Eugene is asking, Hilton should give the choice if somebody wants the statement by e-mail or not.
Otherwise, I don't have a (security or other) problem with the service.
Eugene
May 19, 02, 5:36 pm
USAFAN -- In Hilton's e-mail, promise of a secure site has been made for the PDF statement, which in reality connects to an unsecure site. This means that someone can observe it in transit and potentially have access to the information where I stayed and for how long. I understand that you may not necessarily have a problem with that information being accessible to other people, but I most certainly do object (and I'm sure quite a few people would as well).
And, same as you, I can't connect to the remaining links, getting various error messages at different times. And while today http://www.hiltonhhonors.net resolves to a secure https://www.hiltonhhonors.com, I do not recall this being the case a couple of days ago (unless I'm mistaken, it resolved to a regular, unsecure http://www.hiltonhhonors.com). Perhaps Hilton is working on making it secure.
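USAFAN's check above (viewing the e-mail's HTML source to see where its links point) and Eugene's objection that a link advertised as a "secure site" actually uses plain http can be turned into a repeatable audit. The script below is an added example, not code from the thread or from Hilton: it parses a constructed sample statement e-mail, lists every anchor, and flags each link whose scheme is not https, noting separately whether the link text claims a secure site. The hostnames and paths in the sample are made up for illustration. A redirect from http to https (as USAFAN observed for hiltonhhonors.net) only happens after the first request has already left the browser in the clear, so a plain http link is flagged regardless of where it later redirects.

```python
"""Audit the links in an HTML e-mail for plain-http targets and false 'secure site' claims."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a statement e-mail (illustrative only; not a real Hilton mail).
SAMPLE_EMAIL = """
<html><body>
<p>Your monthly online statement is ready.</p>
<a href="https://example.test/login">View your account activity</a>
<a href="http://example.test/statements/stmt.pdf">Download a copy of your statement (in Adobe .pdf format) from our secure site</a>
<a href="http://example.test/profile">Member Profile</a>
<a href="https://example.test/offers">Special HHonors offers</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only text inside an open anchor matters for the audit.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, link_text) tuples in document order."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return collector.links


def audit_links(html):
    """Return one finding per link that does not use https.

    Each finding records the href, its visible text, and whether that text
    promises a secure site, so a false 'secure' claim stands out from an
    ordinary unencrypted link. Redirects are deliberately not followed: the
    initial request to an http:// URL is already visible on the wire.
    """
    findings = []
    for href, text in extract_links(html):
        scheme = urlparse(href).scheme.lower()
        if scheme == "https":
            continue
        claims_secure = "secure" in text.lower()
        findings.append({
            "href": href,
            "text": text,
            "scheme": scheme or "(relative)",
            "claims_secure": claims_secure,
            "issue": ("link text promises a secure site but target is not https"
                      if claims_secure else "target is not https"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(f"{finding['href']}: {finding['issue']}")
```

Running it on the sample reports the statement PDF link (flagged as a false secure-site claim) and the Member Profile link (plain http), while the two https links pass. Pointing `audit_links` at the raw source of a real message gives the same information USAFAN gathered by hand with "view source".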
USAFAN
May 20, 02, 7:16 am
Eugene:
Don't get me wrong, I don't question your demands.
I think Hilton (Adam Burke) did understand that they have to make some "improvements" to this new service.
Regarding security, you can push up the security level to a point that the IT people may/will come with a solution that makes it very difficult to get the information at all. Negative examples are the "Secured Mail" from American Express and the "E-Mail-Help Service" from Microsoft ... you get an e-mail with a hyper-link and a message that you have a secured answer ... and then you can't read anything ... maybe some error messages.
Eugene
May 20, 02, 9:06 am
Originally posted by USAFAN:
Regarding security, you can push up the security level to a point, that the IT people may/will come with a solution that makes it very difficult to get the information at all.
That's a good point, and I agree with you. I just feel that in this particular case security and privacy concerns are more important for me than the ability to easily click and see my PDF statement.
I want to be able to opt out of having my PDF statement e-mailed to me without being forced to opt out of all e-mails from Hilton.
TravelManKen
May 20, 02, 10:44 am
They're the only idiots that mail your statement with your "PIN" printed on the statement along with everything else.
mitquack
May 20, 02, 10:48 am
DeltaFan,
FYI... HHonors does not have an opportunity to tally up your total stays for the month of March until April 1. Then they put all the other relevant offer & info into the statement during the month of April, before mailing it out in May.
Come on now, you can't possibly expect a printed piece on ALL of your March activity to appear in your mailbox the first week of April. In the event you need to know your stay activities or points balance so badly, HHonors has created that option for you online.
QuietLion
May 20, 02, 7:08 pm
Passwords and PINs should never, ever, ever be emailed or printed in plain text. It's just too easy for crooks to get ahold of them.
Eugene
May 22, 02, 5:04 pm
A quick update:
Today I received an e-mail from Mary E. Parks, Vice President - Marketing, Hilton HHonors Worldwide, addressing issues I have raised in this thread.
I'm very impressed how serious they took issues of security and privacy. They will implement changes suggested here, and will also provide in the near future a way to opt out of certain types of e-communications without canceling all e-mails from Hilton.