Hilton HHonors - HHonors Silent Auction - Anyone Check This Out?




TravelManKen
Nov 20, 02, 11:59 am
I received an e-mail with a link to this site from HHonors this morning, has anyone checked out the items just yet?
Welcome to the Hilton HHonors Online Silent Auction! (http://www.hiltonhhonors.com/auction/)

Hilton HHonors is pleased to offer you the opportunity to bid on special vacation packages, merchandise and travel prizes with our unique HHonors Online Silent Auction. From vacation packages with travel and hotel stays, to airline tickets, to select merchandise, we have put together a wide array of exciting options for you to bid on with your HHonors points. This auction is open to HHonors members who are legal U.S. residents (excluding Puerto Rico). Online bidding is easy - just follow the instructions below to submit a bid for any of these great prizes! These prizes are open for bidding now through December 30, 2002, so don't wait!


swag
Nov 20, 02, 12:36 pm
The paranoid/cautious among us will not be happy that bidding requires including your HHonors account number and PIN in an insecure email.

drtravels
Nov 20, 02, 1:25 pm
I don't have a problem with the email security, but the minimum bids don't seem to be that great of a deal even if they stay at the minimum.


Eugene
Nov 20, 02, 1:32 pm
Originally posted by drtravels:
the minimum bids don't seem to be that great of a deal even if they stay at the minimum.

That's not necessarily true at least for some items.

Here are some examples:

25,000 AA miles for 40,000 HH points is a great deal, IMO.

Weekend in the Windy City, besides 2 free nights, includes 50,000 UA miles (two x 25,000), which is a terrific deal for 100,000 HH points.

That said, it's extremely unlikely that the final bids would be even close to the minimums stated.

pinniped
Nov 20, 02, 3:00 pm
I didn't get any email, and I can't find the auction link from anywhere at HHonors.com. (Sniff.)

Link, anyone??

TravelManKen
Nov 20, 02, 3:04 pm
Welcome to the Hilton HHonors Online Silent Auction! (http://www.hiltonhhonors.com/auction/)

That cute little blue link in the original post ;)

dhacker
Nov 20, 02, 4:47 pm
Hilton really does not understand PIN number security.

They recently started asking for your PIN number when you call the service center before they can access your account. So if you happen to use the same PIN for other accounts (e.g. your bank account), the CSR gets the keys to your life.

I'm no expert, but I believe that when PIN numbers and passwords are properly implemented, they are encrypted from the time they leave your computer and aren't even accessible by system administrators.

It always annoys me when I sign up for some online program or account and they immediately send me an automated email that contains my username and password for anyone sniffing the Internet to see.

Now they want everyone to send their PINs via email to bid on this auction?

Unbelievable!

[This message has been edited by dhacker (edited 11-20-2002).]

Eugene
Nov 20, 02, 4:56 pm
Originally posted by dhacker:
They recently started asking for your PIN number when you call the service center before they can access your account.

It's my understanding that CSRs see your PIN and ask you to verify it to confirm your identity (or at least confirm that you're authorized to use this account), so you are not giving them any new information. That said, it's quite inappropriate, IMO, to use the PIN in any manual transactions.

Originally posted by dhacker:
It always annoys me when I sign up for some online program or account and they immediately send me an automated email that contains my username and password for anyone sniffing the Internet to see.

Ditto! AA.com did the same thing.


Originally posted by dhacker:
Now they want everyone to send their PINs via email to bid on this auction?

Huge mistake, IMO. This is not the first time security concerns with Hilton are raised here.

Hilton folks, we know you're reading this - internet security is no joke. Take it seriously already!

dhacker
Nov 20, 02, 5:15 pm
Originally posted by Eugene:
It's my understanding that CSRs see your PIN and ask you to verify it to confirm your identity (or at least confirm that you're authorized to use this account), so you are not giving them any new information.

My point is that Hilton personnel should NEVER be allowed to see your PIN in the first place. PIN numbers should be kept secret between the user and the system. Encryption should be used to keep ANYONE except the user from ever seeing it. The most anyone on Hilton's end should be able to do is reset your PIN or password to a temporary value if you forget what you entered. They can verify identity by asking other questions, like mother's maiden name, birthdate, last hotel credited, etc.

Of course, if they had any programmers worth a ****, they wouldn't have implemented such a lame email bidding system in the first place, PIN or no PIN. Why can't you just bid after logging in and have all the account and contact information supplied automatically? This way they could also verify a sufficient account balance at the time of bidding.

[This message has been edited by dhacker (edited 11-20-2002).]
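An added illustration of the design dhacker is describing, written for this thread and not Hilton's code or anything from the auction site: the PIN is stored only as a salted hash, so nobody on the operator's side can read it; a CSR can only issue a temporary PIN after identity has been checked some other way; and a bid is accepted only from a logged-in session, with the account number taken from the session and the points balance checked server-side instead of trusting whatever arrived in an email. The account number, PIN, balance and item names are constructed for the demo; the two minimum bids are the figures Eugene quoted above.

```python
"""Constructed demo of PIN handling and server-side bid validation.
Not Hilton's implementation; all records below are made up."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # iteration count; an assumption, tune for real hardware


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the digest is stored; the PIN itself never is."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_pin(pin: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, candidate = hash_pin(pin, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, number: str, pin: str, points: int):
        self.number = number
        self.salt, self.pin_digest = hash_pin(pin)   # plaintext PIN discarded here
        self.points = points
        self.must_change_pin = False


class AuctionSystem:
    def __init__(self):
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}               # session token -> account number
        self.bids: Dict[str, Tuple[str, int]] = {}       # item -> (account number, points)
        # Minimum bids as quoted in the thread; item labels are constructed.
        self.minimums = {"25k AA miles": 40_000, "Windy City weekend": 100_000}

    def login(self, number: str, pin: str) -> Optional[str]:
        """Return a random session token on success, None otherwise."""
        acct = self.accounts.get(number)
        if acct is None or not verify_pin(pin, acct.salt, acct.pin_digest):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = number
        return token

    def staff_reset_pin(self, number: str) -> str:
        """The only PIN operation a CSR gets, after out-of-band identity checks:
        issue a temporary PIN. The old one cannot be shown because it was never stored."""
        temp = f"{secrets.randbelow(10**6):06d}"
        acct = self.accounts[number]
        acct.salt, acct.pin_digest = hash_pin(temp)
        acct.must_change_pin = True
        return temp  # handed to the member once, not retained by staff

    def place_bid(self, token: str, item: str, points: int) -> str:
        """Account identity comes from the session, never from the request body."""
        number = self.sessions.get(token)
        if number is None:
            return "rejected: not logged in"
        acct = self.accounts[number]
        if item not in self.minimums:
            return "rejected: unknown item"
        if points < self.minimums[item]:
            return "rejected: below minimum"
        current = self.bids.get(item)
        if current is not None and points <= current[1]:
            return "rejected: not above current high bid"
        if points > acct.points:               # balance check at bid time
            return "rejected: insufficient balance"
        self.bids[item] = (number, points)
        return "accepted"


def demo() -> dict:
    """Walk through the cases the thread complains about; returns each outcome."""
    auction = AuctionSystem()
    auction.accounts["123456789"] = Account("123456789", "4321", 120_000)  # constructed
    results = {}
    results["bad_pin"] = auction.login("123456789", "0000")
    token = auction.login("123456789", "4321")
    results["no_session"] = auction.place_bid("forged-token", "25k AA miles", 50_000)
    results["too_low"] = auction.place_bid(token, "25k AA miles", 30_000)
    results["ok"] = auction.place_bid(token, "25k AA miles", 50_000)
    results["broke"] = auction.place_bid(token, "Windy City weekend", 130_000)
    temp = auction.staff_reset_pin("123456789")
    results["old_pin_dead"] = auction.login("123456789", "4321")
    results["temp_pin_works"] = auction.login("123456789", temp) is not None
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the split between `login`, `staff_reset_pin` and `place_bid` is that no code path ever returns or displays a stored PIN: verification only ever compares digests, and the reset path replaces the digest rather than reading it. Tying the bid to a session token also makes the "did they get my bid?" question answerable, since the server can return the result immediately instead of leaving the member to wonder whether an email arrived.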

ql2112
Nov 20, 02, 5:16 pm
25,000 AA miles for 40,000 HH points is a great deal, IMO

Depends how you look at it: the other way around, 25,000 AA miles will only get you 25,000 HH points, whereas 25,000 MP miles will get you 50,000 HH points.

Since it is an auction the winning bid will likely be higher than the minimum. IMHO the AA miles for HH points deal is only good if you really need the miles.

Eugene
Nov 20, 02, 5:23 pm
Originally posted by ql2112:
Depends how you look at it: the other way around, 25,000 AA miles will only get you 25,000 HH points, whereas 25,000 MP miles will get you 50,000 HH points.

You are confused. There are completely different rates for transfers from HH and for transfers to HH.

To get 25,000 AA miles by means of the HH Reward Exchange (http://www.hilton.com/en/hhonors/rewards/exchange_2.jhtml), you need more than 100,000 HH points (50,000 HH points -> 12,000 AA miles). That makes 40,000 HH points an incredible bargain (if only the winning bid was close to the minimum one).

Rut Dog
Nov 20, 02, 5:28 pm
Originally posted by dhacker:
So if you happen to use the same PIN for other accounts (e.g. your bank account), the CSR gets the keys to your life.

If that's the case, it's the user's fault, not HH's.

While you make a valid point about HH needing to take security more seriously, users need to take responsibility for their share. If an individual uses the same PIN for HHonors as they do for banking, the individual is being carelessly negligent.

I have different sets of passwords and PINs for low, medium, and high security, with fewer instances of the pw or PIN the higher the security. Low is things like NYTimes.com, Flyer Talk, etc. Medium is Amazon, FF programs, etc. High is banking and securities, and that's about it.

[This message has been edited by Rut Dog (edited 11-20-2002).]

Eugene
Nov 20, 02, 5:29 pm
Originally posted by dhacker:
My point is that Hilton personnel should NEVER be allowed to see your PIN in the first place.

And I completely agree. That's why I said

Originally posted by Eugene:
it's quite inappropriate, IMO, to use the PIN in any manual transactions.

Originally posted by dhacker:
They can verify identity by asking other questions, like mother's maiden name, birthdate, last hotel credited, etc.

And I believe this can be done right now, meaning that you can provide your mother's maiden name along with some other identifying information instead of your PIN. But, unfortunately, your PIN appears to be still visible to CSRs.

Rut Dog
Nov 20, 02, 5:38 pm
! ! WARNING ! !

The Waldorf weekend has you flying CO. The T&C (http://www.hiltonhhonors.com/auction/termsandcond.asp#new%20york) for this package say:

Continental Airlines standard ticketing policy and blackout dates apply.

If that means standard OnePass availability, you could be SOL.

[This message has been edited by Rut Dog (edited 11-20-2002).]

Rut Dog
Nov 20, 02, 5:49 pm
Duplicate Post Deleted

always wondered how that happens, it was a burp in FT, said the post didn't happen the first time, but it did

[This message has been edited by Rut Dog (edited 11-20-2002).]

dhacker
Nov 20, 02, 9:43 pm
Eugene - I've had two different CSRs insist on me telling them my PIN. One explained that she couldn't even access my account without it. Perhaps she was lying and could really see the PIN on her screen. Either way, we agree that she should see it or hear it.

Rut Dog - I use levels for my PINs and passwords too, but I hardly think that a failure by a user to do the same would totally exonerate Hilton for their terrible security procedures. Even if someone uses three levels, they might classify a high-balance FF account in the top security category. Their miles or points might even be worth more than their bank account balance!

Rut Dog
Nov 21, 02, 12:17 am
Originally posted by dhacker:
I use levels for my PINs and passwords too, but I hardly think that a failure by a user to do the same would totally exonerate Hilton for their terrible security procedures.

I agree wholeheartedly. Hopefully this discussion will convince some people to think a little more about security.

zipual
Dec 13, 02, 4:14 pm
Anybody checked what the highest bids are on these things now?? Wow!

Eugene
Dec 13, 02, 5:38 pm
Originally posted by zipual:
Anybody checked what the highest bids are on these things now?? Wow!

What they currently show is "Effective as of 12/02/2002" - 11 days ago. Who knows what the bids are up to now...

pitflyer
Dec 13, 02, 10:34 pm
Gawd, they must be borrowing the one programmer that USAirways has. It's not that difficult to make it all on the web, especially given they already have a password-protected Hilton HHonors section. I mean, you don't need a whole eBay, but I've set up a basic auction site for a customer (they were auctioning off a car for charity) in a couple of hours... but enough ranting... I'm actually bidding for something.. not the best value, but worth it for me..

pitflyer
Jan 9, 03, 9:32 am
Anyone bid on items in this auction? I actually did but never got a reply that they received my bid or anything. Today I checked and the website has been taken down and 'winners will be notified'...

Poor form, I think.
