Recently, I had 300,000 points stolen from my Priority Club account and there is no resolution to the issue. I am a 10 year member and stay approx 150-200 times a year and have never had issues. Now someone hacked my account, changed my e-mail address and used my points to purchase gift cards. Priority Club states it was a legit transaction and is basically calling me a liar!
The lack of concern for my situation is not what I expect from a loyalty program. I will not be using this group any longer!
Very disappointing!
UAPremExecflyer
Aug 2, 12, 11:15 am
Sorry to hear about your experience.
Perhaps you could provide a few more specifics ... and folks here might be able to help?
Also, don't cross-post ... you put the exact same thread in Community Buzz. Cross-posting is frowned upon.
Ambraciot
Aug 2, 12, 11:19 am
PC should put the IT capacity in place for members to have alpha numeric passwords instead of 4 digit pins... 10,000 combinations isn't enough in this day and age.
Michael El
Aug 2, 12, 11:22 am
I'm sorry to hear this. Others have posted similar problems in the past.
I suppose IHC needs to change their security policy to send an email to the old email account when there's a change. Of course, it could be an inside job.
kipper
Aug 2, 12, 11:27 am
Sorry to hear about your experience.
Perhaps you could provide a few more specifics ... and folks here might be able to help?
Also, don't cross-post ... you put the exact same thread in Community Buzz. Cross-posting is frowned upon.
I've done an RBP to the one in CommunityBuzz, so it should be locked sometime soon.
htb
Aug 2, 12, 1:09 pm
If stealing PC points appears to be common because of the 4 digit insecure pin, is there any chance to sue IHG for negligence?
HTB.
nicolas75
Aug 2, 12, 1:34 pm
I have never ordered purchase gift cards.
Are they sent, or is it an electronic voucher?
In the first case, it may be easy to find who has ordered them.
Amyrlin
Aug 2, 12, 2:44 pm
I have never ordered purchase gift cards.
Are they sent, or is it an electronic voucher?
In the first case, it may be easy to find who has ordered them.
Can you report it to the police, after all it is theft (and poss. identity theft)?
view-with-a-room
Aug 2, 12, 4:13 pm
Yes known issue. Earn and burn...
Travelled
Aug 2, 12, 4:23 pm
Actually, there is a gap through which anyone can spy on the PC of any person. One day I called the PC telephone service, and an employee whom I know told me that someone had phoned the PC service, given him my membership number and asked about my account!! :)
The solution to this problem is easy, from my point of view: the employee must ask anyone who phones the PC service for 'password words' before doing anything on the account. What do you think?
ehud
Aug 3, 12, 1:11 am
I always keep my balance around zero making phantom bookings. Maybe this can help....
Thumper
Aug 3, 12, 6:46 am
Around the end of November each year, PC tends to discount gift cards so I have some experience in ordering them.
The very first thing that jumps out at me is the ship to address. If they were mailed to your home billing address, that is going to be a problem. If they were mailed to a different address, then yes, this is a law enforcement issue.
In 2004 I believe it was, I ordered a number of cards. One didn't arrive, and PC was kind enough to issue a replacement.
Let us know how this resolves.
ProfNapalm
Aug 3, 12, 7:24 am
I always keep my balance around zero making phantom bookings. Maybe this can help....
Care to elaborate? Cause if you reduce availability with this method I actually do think that this is.. not very nice..
ehud
Aug 3, 12, 8:34 am
Care to elaborate? Cause if you reduce availability with this method I actually do think that this is.. not very nice..
20 nights 16 months from now in an IC ???
LarryMcAdoo
Aug 3, 12, 11:31 am
All,
Thanks for the input. I'll try and answer a few questions.
I believe that the thief bought e-vouchers for e-bay or amazon. They were e-mailed to the address that the thief used when he changed my account. The voucher has to have a tracking number. When redeemed, tracking down to where the products were sent should be possible.
Checking the IP address of the thief when he changed my account should also be possible. To my knowledge, none of these things were done.
One possible improvement could be that you be notified when someone is changing anything to your profile. E-mail, address, phone etc. If that procedure were in place, none of this would have happened.
I am going to file a police report, but what I found out is that the only crime here is hacking my account. These points have no monetary value until redeemed. Thus no theft.
vmsea
Aug 3, 12, 11:40 am
I always keep my balance around zero making phantom bookings. Maybe this can help....
this won't help if they hack your account.
they'll just cancel all your bookings.. refund the points
buy gift card..
uk1
Aug 3, 12, 12:23 pm
All,
Thanks for the input. I'll try and answer a few questions.
I believe that the thief bought e-vouchers for e-bay or amazon. They were e-mailed to the address that the thief used when he changed my account. The voucher has to have a tracking number. When redeemed, tracking down to where the products were sent should be possible.
Checking the IP address of the thief when he changed my account should also be possible. To my knowledge, none of these things were done.
One possible improvement could be that you be notified when someone is changing anything to your profile. E-mail, address, phone etc. If that procedure were in place, none of this would have happened.
I am going to file a police report, but what I found out is that the only crime here is hacking my account. These points have no monetary value until redeemed. Thus no theft.
Welcome to FT Larry .... sorry it's on a bad situation. You have my genuine sympathies ... so I'll try and help ....
Your post exposes quite alarming basic security lapses and clearly IHG CS people would neither be able to help with your issue nor possibly even recognise the significance of the issues you have raised. So, I'd write to the CEO outlining your loyalty and also two of the points made in the thread and another I will add. These combined lapses are the reason why you lost your points. Specifically I'd state that you have realised that IHG do not immediately confirm account changes to the previous email address as do (as far as I can recall) all other organisations. If they had done so then this would provide an opportunity for IHG to claim a reasonable excuse to claim justification of passing responsibility for unauthorised changes back to the member if the member had failed to alert IHG of the unauthorised changes in a reasonable time. Not doing this is a basic industry standard and common sense.
This obvious lapse combined with the silly password limitations provided by 4 number compared to say six letters and numbers where dob is precluded means that IHG have effectively allowed - sanctioned maybe - unacceptably easy fraud. It amounts to failing to take the most basic of reasonable steps to prevent fraud. If they can send other confirmations they should be able to send immediate account change notices. It costs nothing.
Additionally, your post also implies that their system doesn't impose any "x" number of incorrect password login attempts before time locking or triggering a requirement for a password reset .... indicating another very basic security flaw. The combined effect of these three fundamental basic flaws means that with relatively little effort passwords can be guessed at either manually or with a little PC procedure and then full account details changed without any knowledge of the genuine owner and without triggering any alarm at IHG. I wouldn't overly criticise IHG CS for their lack of help .... I mean no rudeness but it might be above their pay grade to understand the full significance of the issues.
Be unemotional and courteous and explain that you mean no harm but genuinely believe that it is not you that has been careless or reckless with your points but IHG and that you request that they consider the risk to their business of the combined effect of these three basic flaws and request that the missing points be replaced and reassurance that immediate steps will be taken to prevent this type of easy fraud in future. I think it reasonable in this situation to say genuinely that your situation has caused alarm to other members that you are corresponding with on FT and that we have asked (make it clear that our interest does not relate specifically to your own points so it doesn't come over as any sort of cheap blackmail - or you will be dead ....) you to report back your progress with respect to the security holes your experience has exposed in their system and that we are all anxious to receive reassurance. Us lot receiving such reassurance should prompt them doing the right thing for you in any event.
The combination of factors raise questions about how robust - or as I suspect un-robust the rest of their systems are. Can you imagine what a disgruntled IHG employee downloading the IHG membership detail list could do if either directly ( or deep horrors ... if they are in the IT department ....) or through someone else with basic PC knowledge simply produce a small procedure or programme to work through every 4 digit password for every member .......
They really need to take this seriously - quickly. Hopefully a lurker might read this post and react ........;)
I'd be happy to write to IHG to support your problem and to echo your concerns if you do not receive adequate reassurance (and hopefully in the process the return of your points) and I really hope in this situation other FT'ers would join me in the exercise otherwise all of our points are vulnerable ..... and IHG need to understand the urgency of this in that we expect them to get their act together. Resolving this is neither difficult nor expensive - in fact pretty much free - and failure to do so should not be rewarded with our loyalty.
Good luck .... please report back on your progress.
Doug_1970
Aug 5, 12, 12:31 am
I really hope in this situation other FT'ers would join me in the exercise otherwise all of our points are vulnerable ..... and IHG need to understand the urgency of this in that we expect them to get their act together.
I'd never given this a thought until I read this alarming thread. I'm going to write to IHG and ask them that if anyone tries to use my points for anything other than a hotel booking, then please call me because it almost certainly isn't me.
Good luck with trying to get your points back.
UKDegsy
Aug 5, 12, 1:48 am
Personally, I would be happy to have a system in place where you could not make any redemptions within 28 days or so of a primary email change. However, it is clearly quite neglectful of ihg to be so lax with our personal data. In the UK there might even be Data Protection Act issues. Any lawyers out there ?
Hope this gets sorted, both for the OP and everyone else. Unfortunately any cybercriminals finding this thread could now be having a field day. I would imagine it is quite easy to find threads like this by putting the right words into a search engine. :(
ChinaShrek
Aug 5, 12, 5:27 pm
Personally, I would be happy to have a system in place where you could not make any redemptions within 28 days or so of a primary email change.
This is a really good idea. How often do people change email addresses anyway?
uk1
Aug 6, 12, 12:40 am
Simply:
1. Making the password more robust
2. Reconfirming the full details of any changes made to the profile ie change of address, password email address etc to the current last and if changed new registered email address and
3. Not allowing more than 5 log-in attempts (password attempts) before bombing out with say a 24 hour delay - or a call to CS - would flag an alert and allow IC CS to review and also give the previous registered email address time to respond to IC CS.
.... as three simple no-cost changes works for most other organisations and I cannot see why any further inconvenient redemption delays would therefore be needed.
It's a little disappointing that the OP and the general issue hasn't received more interest from FT'ers but I guess c'est la vie.
nicolas75
Aug 6, 12, 1:46 am
IHG should certainly improve the security of Priority Club access online.
Still, I am always surprised to see some guests using public computers with no precaution.
I can remember:
- a strictly confidential PDF commercial document left on a computer in the club lounge at IC Park Lane
- a Flyertalk file not closed in the club lounge of IC Berlin
- even more often: PC, airlines accounts with the number of the account
- some boarding passes (with ticket number, loyalty program numbers) and other documents left in the printers
uk1
Aug 6, 12, 3:13 am
IHG should certainly improve the security of Priority Club access online.
Still, I am always surprised to see some guests using public computers with no precaution.
I can remember:
- a strictly confidential PDF commercial document left on a computer in the club lounge at IC Park Lane
- a Flyertalk file not closed in the club lounge of IC Berlin
- even more often: PC, airlines accounts with the number of the account
- some boarding passes (with ticket number, loyalty program numbers) and other documents left in the printers
There is also the issue of not clearing the cache on public computers if you've logged into something you want to remain secure. I'm never really certain that it's secure even after I have manually cleared the cache and if I'm in a twitchy mood switching the computer on and off again.
Sometimes when I have back paged on a public computer I have found myself on a previous users "secure" page .......
shocky
Aug 6, 12, 6:05 am
Airlines like KLM/AF also use just a 4 digit pin, really doesn't seem enough... Won't accounts get locked or flagged after a couple of missed attempts?
IHG Care
Aug 6, 12, 5:31 pm
Larry,
We would like to look into and follow up on your unfortunate experience. I have sent you a PM in order to obtain additional details.
Thank you,
Ben J
IHG Care
wlau
Aug 6, 12, 9:33 pm
OP: thanks for sharing your experience!!! I hope the CS people can do something for you.
As a guy in the technology world, this is a rude awakening for me... IHG needs to do better! From the comments here and my personal experience, the system is very lax and has quite a few weaknesses unacceptable by today's standard... And in the meantime, we better start changing that password more frequently.
wlau
Aug 6, 12, 9:36 pm
There is also the issue of not clearing the cache on public computers if you've logged into something you want to remain secure. I'm never really certain that it's secure even after I have manually cleared the cache and if I'm in a twitchy mood switching the computer on and off again.
Sometimes when I have back paged on a public computer I have found myself on a previous users "secure" page .......
I would NEVER use a computer in the hotel business center to access sensitive information of any kind. Those systems are so poorly maintained, you will have no idea if someone installed a keylogger on the system. Even that "reset" function isn't all that reassuring.
Amyrlin
Aug 7, 12, 6:11 am
I'm surprised to find out that if you keep trying to login with wrong pin numbers it does not automatically lock you out for a period of time.
Implementing this would be a relatively basic security measure, and would help to prevent someone simply getting hold of a PC account number, and sitting there trying the different combinations of numbers to find a pin number.
BarryL
Aug 8, 12, 2:41 am
Regardless of their lax security measures, I hope they catch the scum bag who committed fraud.
midnight
Aug 8, 12, 4:17 am
I'm surprised to find out that if you keep trying to login with wrong pin numbers it does not automatically lock you out for a period of time.
Implementing this would be a relatively basic security measure, and would help to prevent someone simply getting hold of a PC account number, and sitting there trying the different combinations of numbers to find a pin number.
Agreed. I would also like to see "Last failed log on" date and time.
My bank can do this, so it can't be too difficult to implement.
mnredfox
Aug 9, 12, 12:06 am
Regardless of their lax security measures, I hope they catch the scum bag who committed fraud.
+1
FLYGVA
Aug 9, 12, 12:12 am
I'm surprised to find out that if you keep trying to login with wrong pin numbers it does not automatically lock you out for a period of time.
I am curious, which hotel chain does this? I have not discovered such a feature with the chains I usually use (but usually know my Pin / Password).
ProfNapalm
Aug 9, 12, 6:35 am
I am curious, which hotel chain does this? I have not discovered such a feature with the chains I usually use (but usually know my Pin / Password).
+1
I can just confirm that Hilton, Wyndham and Carlsson don't do it either.. but thinking of it.. you can have a lot safer passwords there not only this 4 digit pin like IHG.
htb
Aug 9, 12, 11:56 am
+1
I can just confirm that Hilton, Wyndham and Carlsson don't do it either.. but thinking of it.. you can have a lot safer passwords there not only this 4 digit pin like IHG.
Standard German bank cards use a 4 digit pin code for protection, which is considered to be "unbreakable" by the bank. This doesn't keep thieves who get hold of a bank card from sticking it into the next cash machine and trying 4 digit pin codes until the card either gets confiscated or the cash machine spits out money. This is aided by the fact that those pin codes don't seem to start with a zero.
I could imagine the same with IC account numbers with one big difference: you don't even have to get hold of a card...
HTB.
Doug_1970
Aug 9, 12, 2:15 pm
Standard German bank cards use a 4 digit pin code for protection, which is considered to be "unbreakable" by the bank. This doesn't keep thieves who get hold of a bank card from sticking it into the next cash machine and trying 4 digit pin codes until the card either gets confiscated or the cash machine spits out money. This is aided by the fact that those pin codes don't seem to start with a zero.
I could imagine the same with IC account numbers with one big difference: you don't even have to get hold of a card...
HTB.
UK cards have 3 or 5 tries, then the card is cancelled and/or swallowed by the machine. I'm surprised Germany isn't something similar.
Amyrlin
Aug 9, 12, 2:56 pm
+1
I can just confirm that Hilton, Wyndham and Carlsson don't do it either.. but thinking of it.. you can have a lot safer passwords there not only this 4 digit pin like IHG.
Yes, my passwords for these other sites have more than four digits
There are a number of other sites where a wrong password locks you out either until it is reset or for a period of time, not only banks, this also includes telecom providers, retailers, cashback schemes etc. even forums!
I had not tried it with other hotels, as I know my passwords/codes. However, I am surprised at the lax security as it is not only the points and their value, but also personal details and payment details that are present on the account. The card details may be encoded, but they can still be used to make bookings which may require prepayment.
slocouple
Aug 9, 12, 4:31 pm
I think this whole thread reminds me of something we learned in another IHG thread -- it's not safe to store our credit card details on the site, either. I deleted mine, and I don't like re-entering them each booking, but...
ProfNapalm
Aug 10, 12, 12:34 am
Standard German bank cards use a 4 digit pin code for protection, which is considered to be "unbreakable" by the bank. This doesn't keep thieves who get hold of a bank card from sticking it into the next cash machine and trying 4 digit pin codes until the card either gets confiscated or the cash machine spits out money. This is aided by the fact that those pin codes don't seem to start with a zero.
I could imagine the same with IC account numbers with one big difference: you don't even have to get hold of a card...
HTB.
Umm.. with my German bank card it's exactly three times until that slurping sound occurs and the ATM won't give it back..
And my last card had a zero to start with..
htb
Aug 10, 12, 10:03 am
UK cards have 3 or 5 tries, then the card is cancelled and/or swallowed by the machine. I'm surprised Germany isn't something similar.
Yes -- same in Germany. So a thief will just put the card into the machine and punch in pin codes until he either gets money or the card will be confiscated. It's like the lottery. Steal ten cards, try 4 times each. That gives you roughly a 1:250 chance to hit the jackpot.
HTB.
htb
Aug 10, 12, 10:21 am
Umm.. with my German bank card it's exactly three times until that slurping sound occurs and the ATM won't give it back..
And my last card had a zero to start with..
Your last one -- but probably none before that. There's an article (in German) here (http://www.sv-gramberg.de/forum.htm) that explains the principle. Probably the system was changed.
In short: to get a pin, they took four hexadecimal digits, e.g. AAF7 and changed that into decimal digits: 10-10-15-7. Since 10 and 15 are not single digits, they dropped the leading 1 to give 0-0-5-7. Then they decided that the first digit could not be a 0, so that pin would finally be 1057.
As a result:
- no pins starting with 0
- 25% probability for a leading 1
- 0-5 twice as probable than 6-9 for the last three digits.
Punching in optimized numbers is not quite as futile as it looked just a little while ago. Some PINs are/were up to 32x more probable than others.
HTB.
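The derivation htb describes, worked through as an added example (not part of the original post; the function names are illustrative). It enumerates all 65,536 four-hex-digit inputs and measures how far the resulting PINs fall short of a uniform 4-digit space, which is the reason a PIN generator has to draw uniformly rather than truncate.

```python
from collections import Counter
from fractions import Fraction
from math import log2


def derive_pin(hex4: str) -> str:
    """Map four hex digits to a PIN using the scheme described in the post."""
    # Hex values 10..15 lose their leading 1, i.e. the value is taken mod 10.
    digits = [int(c, 16) % 10 for c in hex4]
    # A leading 0 is not allowed and is replaced by 1.
    if digits[0] == 0:
        digits[0] = 1
    return "".join(str(d) for d in digits)


def pin_distribution():
    """Exact probability of every PIN when the hex input is uniform."""
    total = 16 ** 4
    counts = Counter(derive_pin(f"{v:04X}") for v in range(total))
    return {pin: Fraction(n, total) for pin, n in counts.items()}


def bias_report(dist):
    """Summarise the bias: the post's three bullet points plus entropy figures."""
    probs = list(dist.values())
    last_digit = Counter()
    for pin, p in dist.items():
        last_digit[pin[3]] += p
    return {
        "distinct_pins": len(dist),
        "p_leading_zero": sum((p for pin, p in dist.items() if pin[0] == "0"),
                              Fraction(0)),
        "p_leading_one": sum((p for pin, p in dist.items() if pin[0] == "1"),
                             Fraction(0)),
        "p_last_digit_0": last_digit["0"],   # representative of digits 0-5
        "p_last_digit_9": last_digit["9"],   # representative of digits 6-9
        "max_to_min_ratio": max(probs) / min(probs),
        # Average unpredictability of a derived PIN, in bits.
        "shannon_bits": -sum(float(p) * log2(float(p)) for p in probs),
        # Worst case: unpredictability of the single most likely PIN.
        "min_entropy_bits": -log2(float(max(probs))),
        # What a uniformly random 4-digit PIN would provide.
        "uniform_bits": log2(10 ** 4),
    }


if __name__ == "__main__":
    print(derive_pin("AAF7"))
    for key, value in bias_report(pin_distribution()).items():
        print(f"{key}: {value}")
```
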
nacho
Aug 10, 12, 10:39 am
Yes -- same in Germany. So a thief will just put the card into the machine and punch in pin codes until he either gets money or the card will be confiscated. It's like the lottery. Steal ten cards, try 4 times each. That gives you roughly a 1:250 chance to hit the jackpot.
HTB.
Are you using a German issued card? This happened when we used our German visa card in Germany:
I used Mr. Nacho card by mistake (somehow I got both cards in my wallet and thought it was mine), I typed in my code 3 times and now his card is blocked for good.
btw Mr. Nacho's pw starts with a 0.
htb
Aug 10, 12, 10:31 pm
I used Mr. Nacho card by mistake (somehow I got both cards in my wallet and thought it was mine), I typed in my code 3 times and now his card is blocked for good.
Thieves would not punch in the same code three times. Some people buy lottery tickets, some people steal cards. The former costs money, the latter is free (unless you are caught -- but even then the German State tends to pay for all out-of pocket expenses...).
btw Mr. Nacho's pw starts with a 0.
See my other post.
To get back on topic: 4 digits on the PC account and presumably many attempts to find the correct pin is not very safe. You could write a program to try arbitrary account/pin codes and run it from public access points until you find an account/pin combination with enough points in it.
So any counter-measure IHG takes should not only look at how many log-in attempts are made for one account, but how many attempts are made from the same IP for multiple accounts. It's probably easier to allow random passwords instead.
HTB.
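The two counters discussed in this thread (uk1's limit of 5 attempts with a 24 hour delay, and htb's point about one IP trying many accounts), sketched as an added example that is not from any poster or from IHG. The class name, the per-IP threshold and window, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILS_PER_ACCOUNT = 5      # from the thread: no more than 5 attempts
LOCKOUT_SECONDS = 24 * 3600    # from the thread: "say a 24 hour delay"
MAX_ACCOUNTS_PER_IP = 3        # assumed: distinct accounts one IP may fail on
IP_WINDOW_SECONDS = 3600       # assumed: sliding window for the per-IP count


class LoginGuard:
    """Hypothetical throttle placed in front of the PIN check."""

    def __init__(self):
        self.fails = defaultdict(int)          # account -> failures since last success
        self.locked_until = {}                 # account -> unlock timestamp
        self.ip_failures = defaultdict(deque)  # ip -> (timestamp, account) failures
        self.blocked_ips = set()               # IPs flagged for review

    def attempt(self, ts, ip, account, pin_ok):
        # Refuse before looking at the PIN, so a blocked or locked caller
        # learns nothing about whether the guess was right.
        if ip in self.blocked_ips:
            return "ip_blocked"
        if self.locked_until.get(account, 0) > ts:
            return "account_locked"
        if pin_ok:
            self.fails[account] = 0
            return "ok"

        self.fails[account] += 1
        window = self.ip_failures[ip]
        window.append((ts, account))
        while window and window[0][0] <= ts - IP_WINDOW_SECONDS:
            window.popleft()

        # One source failing against many accounts: each account sees only a
        # single failure, so the per-account counter alone would never trip.
        if len({acct for _, acct in window}) > MAX_ACCOUNTS_PER_IP:
            self.blocked_ips.add(ip)
            return "ip_blocked"

        if self.fails[account] >= MAX_FAILS_PER_ACCOUNT:
            self.locked_until[account] = ts + LOCKOUT_SECONDS
            self.fails[account] = 0
            return "account_locked"
        return "bad_pin"


def replay(events):
    """Run (ts, ip, account, pin_ok) events through a fresh guard."""
    guard = LoginGuard()
    return [guard.attempt(*event) for event in events]


# Constructed sample events; IPs are from the documentation ranges.
ONE_ACCOUNT = (
    [(t, "203.0.113.10", "100001", False) for t in range(5)]
    + [(5, "203.0.113.10", "100001", True)]       # right PIN, but locked
    + [(90000, "203.0.113.10", "100001", True)]   # after the 24 hour delay
)
MANY_ACCOUNTS = [
    (100 + i, "198.51.100.7", str(200001 + i), False) for i in range(5)
]

if __name__ == "__main__":
    print(replay(ONE_ACCOUNT))
    print(replay(MANY_ACCOUNTS))
```
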
LarryMcAdoo
Aug 14, 12, 7:59 am
All,
Just want to give an update. They have determined that my account was accessed without being hacked, thus no points being returned. I have spoken with numerous people and there seems to be nothing I can do about it.
I have also been on Priority Club Connect and have found out that others are experiencing the same theft.
Priority Club does not care. They keep reciting bylaws about giving out my account number and password. It is just me and my wife. No one else has my info.
Why after 10 yrs of being platinum, only using points for stays, would I change my password and do something I have no history of doing?
Then, why would I risk criminal charges on myself if I was lying?
I have since changed hotel chains.
NJUPINTHEAIR
Aug 14, 12, 8:09 am
Larry, sorry for your issue.
Let me ask you this. Did you ever use a computer at a hotel that may have stored your data? Then someone will be able to capture that material and access your account.
See if those people you are in contact online, also stayed at the same hotel as you may have and then likely you have the culprit.
Hotels are supposed to use software to re-set everything and not have this situation develop, but some hotels may have been using old computers or no software. I have seen this occur with my accounts in years past.
Luckily I caught it and brought it to the hotel's attention.
A similar thing may have occurred with your account.
nacho
Aug 14, 12, 8:25 am
All,
Just want to give an update. They have determined that my account was accessed without being hacked, thus no points being returned. I have spoken with numerous people and there seems to be nothing I can do about it.
I have also been on Priority Club Connect and have found out that others are experiencing the same theft.
Priority Club does not care. They keep reciting bylaws about giving out my account number and password. It is just me and my wife. No one else has my info.
Why after 10 yrs of being platinum, only using points for stays, would I change my password and do something I have no history of doing?
Then, why would I risk criminal charges on myself if I was lying?
I have since changed hotel chains.
If you want an effect, post your experience at PC's Facebook page - when you do that everyone can see your post.
Can you find out if you can trace where the thief sent the gift cards to?
wobbly wings
Aug 14, 12, 8:41 am
All,
Just want to give an update. They have determined that my account was accessed without being hacked, thus no points being returned. I have spoken with numerous people and there seems to be nothing I can do about it.
I have also been on Priority Club Connect and have found out that others are experiencing the same theft.
Priority Club does not care. They keep reciting bylaws about giving out my account number and password. It is just me and my wife. No one else has my info.
Why after 10 yrs of being platinum, only using points for stays, would I change my password and do something I have no history of doing?
Then, why would I risk criminal charges on myself if I was lying?
I have since changed hotel chains.
You do not say in which country you live but I would seriously consider taking this further. If they say the changes appear legit to them they should at least tell you which IP the web-request for email change came from. They will have this on file and may be asked to produce this data if you take this further. If the IP is one of the ones they have on file for you, they will think it's someone close to you perhaps at work. Either way they have to disclose where the vouchers were sent to. After all they believe it was you, don't they?
mecabq
Aug 14, 12, 9:43 am
All,
Just want to give an update. They have determined that my account was accessed without being hacked, thus no points being returned. I have spoken with numerous people and there seems to be nothing I can do about it.
I have also been on Priority Club Connect and have found out that others are experiencing the same theft.
Priority Club does not care. They keep reciting bylaws about giving out my account number and password. It is just me and my wife. No one else has my info.
Why after 10 yrs of being platinum, only using points for stays, would I change my password and do something I have no history of doing?
Then, why would I risk criminal charges on myself if I was lying?
I have since changed hotel chains.
I am sorry to hear that, it sounds outrageous. I am not sure if they should have returned the points to you (almost-)no-questions-asked, but surely they could have come up with a more customer-friendly response. Maybe give you the points back if you produced a valid police report that you had filed? (Though I am sure that would lead to FlyerTalk threads on how to abuse the process.) Offer to block the gift cards, then return the points (though I guess the culprit would have presumably redeemed them quickly.)
I agree with your approach to take your business elsewhere. There are so many simple system fixes to make this problem much less likely: allow account settings that forbid any redemption other than award nights (I would do this), send you an e-mail every time a redemption occurs on your account, and make it difficult to change your e-mail address (i.e., require a validation in the old e-mail or at least security questions).
nacho
Aug 14, 12, 9:55 am
(Though I am sure that would lead to FlyerTalk threads on how to abuse the process.)
Wow, how can you say something like this? If you actually fake a police report or deliberately lie about things like this, then it's a criminal act rather than the 'going through a loophole thing'.
I can never imagine most of the people at FT are criminals - some are more into the 'deals' than others.
I feel sorry for OP about his point lost - no doubt that PC is not doing the right thing here.
If the thief has ordered gift cards, they ought to be issued either electronically or physically. Either way there will be some sort of trace, and you somehow can trace it. I'm sure the card issuer can block it.
Anyway I would go to the police if I were OP, and then leave a comment on PC's FB page.
LarryMcAdoo
Aug 14, 12, 3:30 pm
As a follow up, PCR does not issue the cards, another company does. Once PCR deems that the account was accessed without hacking, then they wash their hands of any more responsibility. I have asked the questions about IP addresses, tracking the products redeemed by these cards etc.
They find it easier to believe that someone in my family is a thief. Unless my hound has learned how to log-on, then that would be impossible.
They could do so much more to help.....
In the end, the hackers are smarter than their IT!
NJUPINTHEAIR
Aug 15, 12, 7:00 am
As a follow up, PCR does not issue the cards, another company does. Once PCR deems that the account was accessed without hacking, then they wash their hands of any more responsibility. I have asked the questions about IP addresses, tracking the products redeemed by these cards etc.
They find it easier to believe that someone in my family is a thief. Unless my hound has learned how to log-on, then that would be impossible.
They could do so much more to help.....
In the end, the hackers are smarter than their IT!
As I stated above, it may not have been a hack but an outside computer capturing your information for some thief to access without your knowledge.
iamthehpt
Aug 15, 12, 8:41 am
I recently had someone I don't know use my points for an award stay after changing my account email address. I posted about my experience here:
http://www.flyertalk.com/forum/intercontinental-hotels-priority-club-inter-continental-ambassador/1350768-unknown-person-using-my-points-poor-value-stay.html.
In my case, I was lucky -- PC was able to ascertain that the award stay (and, presumably, the email change) was booked through Central Reservations so I got my points back. I also caught the unauthorized usage while the perpetrator was still at the award hotel. At first, PC thought the award stay was booked online through my account and took the "so sorry, nothing we can do, you allowed someone access to your account" approach. NOT impressed with PC's lack of concern when email addresses are changed. When you change your email of record, PC does NOT send an email to the old email address saying "we've changed your email" (at least not when the change is made through Central Reservations -- not sure whether an email would be sent if the change is made online.) This lack of notifications seems to encourage the hacking of accounts and delays the discovery of hacked accounts.
OP, I have sent you a PM to see if (by chance) the same email was used to hack both your account and mine.
nicolas75
Aug 15, 12, 9:41 am
I also caught the unauthorized usage while the perpetrator was still at the award hotel.
:eek::eek:
What happened then?
kipper
Aug 15, 12, 9:51 am
:eek::eek:
What happened then?
I'm curious to know what happened as well! Did the person who booked the stay get arrested?
jerry305
Aug 15, 12, 10:06 am
I always keep my balance around zero making phantom bookings. Maybe this can help....
So, let's say you have 301,000 points. And you use 300,000 points to make these "phantom" bookings for the future.
If I'm the hacker and I gain access to your account, then I can also cancel your existing reservations.
Can't I simply cancel your bookings, get the 300,000 points back and use them? What advantage does your method have?
iamthehpt
Aug 15, 12, 10:11 am
The police would NOT let me file a report -- they said I was NOT the victim because PC had agreed to refund me my points. The hotel locked him out of the room so that he had to come to the front desk. When he showed at the front desk, he was advised that he would have to pay for the room or give a valid PC account number for the award stay. He went outside to call "his friend" who had made the reservation for him. He went in and told the front desk he was unable to reach "his friend" and agreed to pay for the room. Read the linked thread to see my concerns about the original check in deposit being linked to MY credit card upon check in. I don't know whether he paid cash or came up with a valid credit card (at check in, his credit card was declined). I also don't know if the person was charged for the full stay (several nights) or just the last one. It took several calls for my PC points to make it back into my account. When I first reported it to the hotel (on a Saturday, I think) the front desk clerk just said to call PC -- wasn't terribly concerned. When I called the next day (on a Sunday, I think and AFTER an additional one night stay was reserved under my account DESPITE my notifying PC of the problem the day before) I got a different front desk clerk who seemed to care and took steps to change the key card.
iamthehpt
Aug 15, 12, 10:15 am
Oh, and PC pretty much made it clear to me that the fraudulent stay would be investigated only because it was booked through Central Reservations. If the account had been booked online through my account, my points would NOT have been refunded. I also got the impression that they would have done NOTHING to investigate the fraudulent stay, which in my opinion is WRONG. I feel for the OP -- this could have been me, or any of us.
mareh
Aug 15, 12, 10:40 am
What an awful situation, and very concerning for all of us. I hope you don't give up fighting this, OP! What about contacting a local consumer reporter or the Ombudsman at Conde Nast Traveler magazine?
nacho
Aug 15, 12, 10:51 am
So, let's say you have 301,000 points. And you use 300,000 points to make these "phantom" bookings for the future.
If I'm the hacker and I gain access to your account, then I can also cancel your existing reservations.
Can't I simply cancel your bookings, get the 300,000 points back and use them? What advantage does your method have?
It depends, if a thief is looking for accounts with big balance, then a 1 point account balance wouldn't interest him/her. Partially it's because it shows that the account is somehow 'active'.
There is very little you can prevent hacker these days - it's like preventing your house from break-ins. No matter what alarm you set up, they can always break your window and get into your house. The only thing you can do is the basic thing like make sure your house doesn't look attractive to them.
fozziedoggie
Aug 15, 12, 11:48 am
What an awful situation, and very concerning for all of us. I hope you don't give up fighting this, OP! What about contacting a local consumer reporter or the Ombudsman at Conde Nast Traveler magazine?
This guy seems pretty reputable: http://www.elliott.org/
umustbjokim
Aug 15, 12, 12:09 pm
My ex used to (probably still does) log in and check his key accounts on a daily basis. First I thought he was a little OCD (probably still is ;)) but then I started doing the same - and eventually realized the value. Does not stop identity theft - but I can spend fifteen minutes a day and hopefully address any issues before things go too far.
Happy
Aug 15, 12, 12:15 pm
This guy seems pretty reputable: http://www.elliott.org/
I was thinking about that. The OP should at least contact this guy and see if with his connections, whether he could find a solution and EXPOSE the lack of security control of a Major Hotel Chain's website.
Only when media is involved, bad publicity is generated, then there might be some hope for IHG/PC to improve its very poor IT system.
NJUPINTHEAIR
Aug 15, 12, 1:39 pm
Even better would be the folks on Boarding.com who blog on USA Today's website, such as Loyalty Traveler, et al.
This issue directly affects the P/C membership and as such should be exposed and discussed so that others do not fall victim, as well. @:-)
iamthehpt
Aug 15, 12, 2:58 pm
My ex used to (probably still does) log in and check his key accounts on a daily basis. First I thought he was a little OCD (probably still is ;)) but then I started doing the same - and eventually realized the value. Does not stop identity theft - but I can spend fifteen minutes a day and hopefully address any issues before things go too far.
I run a weekly check on all my accounts through award wallet. This is how I learned that an unauthorized award stay had been booked with my account.
Doug_1970
Aug 15, 12, 10:33 pm
If you want an effect, post your experience at PC's Facebook page - when you do that everyone can see your post.
This is a good idea - making the problem more public might get them to sit up and take notice.
c2lass
Aug 16, 12, 12:09 pm
What a dreadful situation and pretty poor service and response from PC. Please do not give up on this. These thieves need to be caught.
Why not ask if anyone has an email address of someone high up in ICHG and fire off an email. I am sure then you will get a response.
Good luck
LarryMcAdoo
Aug 17, 12, 10:18 am
One last Post.
I believe I know now, how the theft could have been pulled off. It may scare you how simple this could be.
I have quite a few points left after the 300K was taken. Now that PCR has determined that no fraud has taken place, they opened a new account for me and transferred the remaining balance. Once this transfer had taken place, I needed to create a new pin. That's when it dawned on me how easily someone could take over your account.
To create a new pin, you need 4 things.
1. First Name
2. Last Name
3. Account Number
4. Zip Code
All of these items are displayed for the world to see, in a 2 inch square on your check-in ticket and check-out receipt!
The points balance is proudly displayed on your room key packet. When someone sees a balance of 700K, how hard would it be to get the information needed. Check in tickets are left in plain sight on the desk and check out slips are slid under our room door. Sometimes not completely under the door and half way in the hall.
Once you have created a new pin, your profile account can be accessed and e-mail changed. Now I have no access to my account and the thief has my points to do with what they will.
At one point credit card numbers were displayed on your receipt until thieves figured out how easy the pickings were.
I wonder if those first few individuals that were ripped off, experienced my same frustration!
Good Luck!
uk1
Aug 17, 12, 10:36 am
LarryMcAdoo,
It sounds like anyone wandering around a hotel could reap quite a harvest. :(
Sorry to hear that even with lots of support and the intervention of the ICHG lurkers your issue doesn't sound like it has been resolved fairly or sensibly. Sadly, this also indicates that they probably plan to make no improvements to account security even though it would be simple. I presume so, because if they did it would infer it was previously inadequate and the honourable thing would be to reimburse you ... and then make some changes.
Out of interest, have you brought your latest theory to their attention so that they can reconsider their stance? If so what did they say?
NJUPINTHEAIR
Aug 17, 12, 3:35 pm
If so, a pain, but likely to keep points housed in a reward reservation far in the future to cancel. That way, you leave precious few points not tied up in your account. If you receive an e-mail(s) that certain of your award reservation(s) has(ve) been cancelled and you did not do it, then that is the canary in the coal mine that something is going on with your account not of your making. Then, you must act fast! :eek:
nicolas75
Aug 17, 12, 4:38 pm
I believe I know now, how the theft could have been pulled off. It may scare you how simple this could be.
To create a new pin, you need 4 things.
1. First Name
2. Last Name
3. Account Number
4. Zip Code
All of these items are displayed for the world to see, in a 2 inch square on your check-in ticket and check-out receipt!
:eek::eek:
Dolphin2
Aug 17, 12, 4:38 pm
I think the comment about writing to Christopher Elliott is a really good idea. He has a lot of contacts and a blog read by a lot of people... Check it out and maybe email him your story... I'll send his twitter page a link here...
wobbly wings
Aug 18, 12, 12:03 am
ICH really need to come up with an explanation for this and take remedial action. They can't just say it was done online and wash their hands with it. I would understand if their records showed it's been done from the same IP the OP uses but this does not appear to be the case.
knoxvillain
Aug 18, 12, 12:59 am
Might be worthwhile pointing out their poor security to some IT publications such as The Register.
uk1
Aug 18, 12, 1:34 am
LarryMcAdoo
I was trying to replicate what you say with my own account but I've looked at the web-site but I'm unable to locate where you can change the email address from
1. First Name
2. Last Name
3. Account Number
4. Zip Code
It seems to ask for your last email address. Can you post a link please?
G-BOAC
Aug 18, 12, 3:03 am
I too looked at the PIN reset option. To me the weak link would be the service centre comment. It says if you don't have an e-mail address you can call them to 'source your PIN' and set an e-mail. I suspect armed with the above info one could call up and say they had changed e-mails, forgotten their PIN but "it's obviously me as I remember my last balance from my last check-in at hotel X [where they saw the above info] on xx/xx" and fool an agent.
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/ shows just how easy it is to fool call centres - and that's ones you'd assume are halfway decent, not even ICHG's ;)
This does seem really poor on ICHG's part and shockingly easy to exploit. They should do something about this - some of the ideas mentioned in this thread to protect online logins are good. And presumably extra checks if anyone calls up would be wise too - like asking for more recent/detailed stay histories to 'prove' it's you. The chances of some scumbag ripping off my info at a hotel are probably good...the chances of said scumbag being able to recite my last 3 stays, or "where were you staying on yy/yy and zz/zz dates" are probably slim?
antichef
Aug 18, 12, 7:18 am
I stayed at a HI recently where on check-in they gave me a document that offered me ways of spending my points. It more or less went,
"Welcome Mr Antichef, we see that in your Priority Club account 12345678 you have 567,890 points .... Have you thought of spending them on A, B, C etc?"
I asked the front desk to shred it. I pointed out to the duty manager that such a document if just thrown into the bin in the room would allow almost anybody getting it to access my account by ringing up and making a redemption booking.
As Larry has pointed out these are often on the key card wallet too.
chongcao
Aug 18, 12, 8:19 am
Yes the hotel should never print the membership number and balance on welcome letter nor invoice. Name and address is good enough. If I want to know the balance of my points I could always check my account using in room wifi......
nacho
Aug 18, 12, 4:34 pm
Yes the hotel should never print the membership number and balance on welcome letter nor invoice. Name and address is good enough. If I want to know the balance of my points I could always check my account using in room wifi......
Only if wifi is free at the hotel ...... a lot of IHG properties don't give out free internet.
Often1
Aug 18, 12, 4:43 pm
This is a really good idea. How often do people change email addresses anyway?
Uhh - Maybe when they change jobs?
This is a silly idea. All that's necessary is rewriting the script so that when an email change is made, an email is sent to the old and the new address. The email specifically notes, "if you did not make or authorize this change, please call us immediately...."
Done by virtually every other online vendor, no reason it can't be done here.
HIDDY
Aug 18, 12, 5:49 pm
How much access to your account do check-in staff have?
If not that I would say the using of a public computer is the more likely cause for someone accessing your account.
nacho
Aug 18, 12, 6:19 pm
How much access to your account do check-in staff have?
If not that I would say the using of a public computer is the more likely cause for someone accessing your account.
If they can tell you how many points you have and your PC number and your name and address and your CC number.......they pretty much have everything they need to hack anyone's account.
FLYGVA
Aug 19, 12, 4:06 am
The problem with the invoices slipped under the door or lying in front of the room open or in open envelopes is a somehow common problem and not limited to IHG hotels only.
There was an issue at a Sheraton a couple of months ago:
The problem with the invoices slipped under the door or lying in front of the room open or in open envelopes is a somehow common problem and not limited to IHG hotels only.
There was an issue at a Sheraton a couple of months ago:
I stayed at a Marriott hotel and I got 2 bills slipped through my door, and one of them is not mine. I can see his name and address but not his MR number.
What's interesting about that is there are at least 3 problems raised there, all of which seem to be fixed (and it's only been a couple of months):
1) The original lazy hotel, the GM was forced into fixing it (we hope, at least promising it would be fixed)
2) The Google URL for cancelled reservations now seems to yield nothing - presumably SPG fixed it.
3) The page where you could view anyone's bookings with just a name or SPG number no longer appears to have that option - presumably SPG fixed it.
So bravo to Starwood. I've never been a big SPG person, always been a ICHG man primarily. Maybe I should begin to pay more attention to SPG ^
chongcao
Aug 19, 12, 1:55 pm
Only if wifi is free at the hotel ...... a lot of IHG properties don't give out free internet.
That is correct. But so far only North American properties printed the membership number and balance. And majority of North American properties have free wifi.
AJLondon
Aug 19, 12, 2:11 pm
That is correct. But so far only North American properties printed the membership number and balance. And majority of North American properties have free wifi.
Just in the last month, I have had membership number and balance printed at several Asian hotels too. Including,
- Holiday Inn Golden Mile HKG
- Crowne Plaza New Delhi Okhla
- Crowne Plaza Gurgaon
So I don't think it just a north American thing.
mikew99
Aug 19, 12, 3:35 pm
What's interesting about that is there are at least 3 problems raised there, all of which seem to be fixed (and it's only been a couple of months):
What's depressing is that there are at least 3 straightforward fixes that IHG could do -- already mentioned in this thread, in fact -- that would increase security by an order of magnitude, yet IHG continues to ignore these gaping security holes. :td:
Looks like we have no choice but to monitor our account balances like a hawk (and if we notice something wrong, hope that IHG believes us). :(
soitgoes
Aug 19, 12, 4:45 pm
I would suggest that any concerned individuals file complaints through the Privacy Office at IHG: http://www.ichotelsgroup.com/ihg/hotels/us/en/global/customer_care/privacy_statement
If resolution isn't forthcoming, then go the TrustE route.
Sweet Willie
Aug 19, 12, 8:06 pm
As a follow up, PCR does not issue the cards, another company does. Once PCR deems that the account was accessed without hacking, then they wash their hands of anymore responsibility. I have asked the questions about IP addresses, tracking the products redeemed by these cards etc.
They find it easier to believe that some one in my family is a thief. Unless my hound has learned how to log-on, then that would be impossible.
They could do so much more to help.....
In the end, the hackers are smarter than their IT!
Larry,
We would like to look into and follow up on your unfortunate experience. I have sent you a PM in order to obtain additional details.
Thank you,
Ben J
IHG Care
Can this thread or the IHG forum get an official response from IHG Care or IHG corp?
I can understand not commenting on the specific case of LarryMcAdoo but how about details on how IHG determines that an account was not hacked?
Also any developments on increasing security measures (some of which have been suggested in this thread).
uk1
Aug 20, 12, 1:03 am
I really hope that they don't just run and hide on this.
wobbly wings
Aug 20, 12, 8:41 am
I can understand not commenting on the specific case of LarryMcAdoo
Actually given the OP has asked for a resolution in public, unless he objects, I see no reason why they should not say why they regard his specific case as not fraudulent. There are no legal proceedings and none are likely.
LarryMcAdoo
Aug 29, 12, 7:13 am
Actually given the OP has asked for a resolution in public, unless he objects, I see no reason why they should not say why they regard his specific case as not fraudulent. There are no legal proceedings and none are likely.
It's been near 2 weeks since this last post and absolutely no reply from PCR or IHG. Seems as though they do not monitor these sites and/or just do not care!
TheBeerHunter
Aug 29, 12, 7:26 am
It's been near 2 weeks since this last post and absolutely no reply from PCR or IHG. Seems as though they do not monitor these sites and/or just do not care!
My experience with IHG Care is that you need to PM them your issue in order to get a response -- they do not seem to monitor this site, per se (though obviously were as they posted in this thread back on Aug 6). I am assuming you had responded to their PM to you, which they posted about up thread? Are you saying that you haven't gotten a response to that? If so, :td:
nacho
Aug 29, 12, 8:21 am
It's been near 2 weeks since this last post and absolutely no reply from PCR or IHG. Seems as though they do not monitor these sites and/or just do not care!
Why don't you write on their FB page?
FLYGVA
Aug 29, 12, 8:25 am
I have informed both company lurkers about this thread and they are aware of this topic. There seems to be some internal discussions about this issue and I think this should be solved first before posting here.
FLYGVA
co-moderator IHG Forum
docklander
Sep 1, 12, 4:23 am
Airlines like KLM/AF also use just a 4 digit pin, really doesn't seem enough... Won't accounts get locked or flagged after a couple of missed attempts?
Though why a hacker would bother hacking into an AFKL account is another matter . :)
LarryMcAdoo
Sep 5, 12, 7:25 am
Sadly, others are experiencing the same theft. On Priority Club Connect, another victim of this theft has emerged. Unbelievable that PCR is ignoring this!
Re: Points Stolen [ New ]
09-04-2012 09:28 PM
Larry, I'm not having any luck either.. They really don't care about their customers. Priority Club actually said I did it and closed the case.. I was so mad when I got the email accusing me and closing my case that I called priority club right away. The thieves that took my 70+ thousand points used the email address befree107@yahoo.com. I'm so mad about this.. The thieves like I said before cashed in the points for 2 100dollar Amazon gift cards.. I was arguing with the agent. She explained that the cards had been sent to me.. I said no they have not. After arguing for a while she finally told me that they had been sent to me electronically.. I said really!!! What email address did they use.... Of course the cards were sent to the email address listed above. The agent finally started to see the light and said she would resubmit my case to the fraud dept.. Of course I have heard nothing back yet.. I just don't know what my next step will be.. I said the same thing to the agent. Track the cards and see where purchases are sent and you will have your thief.. I want this person busted soooo bad!!
TheBeerHunter
Sep 5, 12, 7:41 am
Really sorry this is happening to folks...sad all around. LarryMcAdoo, have you heard anything further from IHG Care or customer service?
I do think this is a cautionary tale and an excellent reason to monitor your accounts via tools like Award Wallet and the like. And certainly, PC would do well to add in additional security measures that are simple, really -- such as, emailing the OLD email address when a new one is added or it is changed, etc.
uk1
Sep 6, 12, 1:01 pm
I'm totally perplexed as to why they haven't jumped on this quickly - thanking those affected for helping them to shore up obvious and avoidable holes in their processes. It is really just a matter of time before this moves into a wholesale phase when large numbers of accounts will be hacked with the helpful cooperation of the clueless people at ICHG HQ. These opportunities spread like wildfire on some of those scum websites.
HIDDY
Sep 6, 12, 6:57 pm
A minute % of accounts are being so called hacked and suddenly all our accounts are in jeopardy of being emptied.
I think you're making a mountain of a molehill of this to be honest.
uk1
Sep 7, 12, 4:09 am
A minute % of accounts are being so called hacked and suddenly all our accounts are in jeopardy of being emptied.
I think you're making a mountain of a molehill of this to be honest.
I wish I could comprehend a comment like this. It makes no sense at all. Accounts of innocent FT'ers and ICHG members are (I didn't say "all" or "suddenly") vulnerable to the same problem unless ICHG does something. You are clearly unaware of the subculture that buys and sells identities and help and "secrets" as to how to exploit easy and vulnerable "low branch" hacking opportunities. Perhaps it has never happened to you. Perhaps you haven't heard of this before. Complacency is the friend of this problem.
Supporting FT'ers who have been called liars and thieves and received exceptionally poor and shoddy treatment, particularly when it is clearly the rather flakey procedures in ICHG isn't making a mountain out of a molehill. Wouldn't you like a bit of support if it happened to you?
Placing pressure on ICHG is a sensible thing to do. Asking ICHG to do something before it becomes a wider problem is prudent and is what people call shutting the stable door before the horse bolts.
I'm sorry you think it wrong to do so.
Doug_1970
Sep 7, 12, 9:22 am
A minute % of accounts are being so called hacked and suddenly all our accounts are in jeopardy of being emptied.
I think you're making a mountain of a molehill of this to be honest.
I think you're wrong. Once the word gets around amongst the criminal fraternity about how easy it is to steal from IHG accounts, and how disinterested they are in following it up, all of our accounts are at risk.
uk1 has got it quite right.
AJLondon
Sep 7, 12, 10:25 am
I wish I could comprehend a comment like this. It makes no sense at all. Accounts of innocent FT'ers and ICHG members are (I didn't say "all" or "suddenly") vulnerable to the same problem unless ICHG does something. You are clearly unaware of the subculture that buys and sells identities and help and "secrets" as to how to exploit easy and vulnerable "low branch" hacking opportunities. Perhaps it has never happened to you. Perhaps you haven't heard of this before. Complacency is the friend of this problem.
Supporting FT'ers who have been called liars and thieves and received exceptionally poor and shoddy treatment, particularly when it is clearly the rather flakey procedures in ICHG isn't making a mountain out of a molehill. Wouldn't you like a bit of support if it happened to you?
Placing pressure on ICHG is a sensible thing to do. Asking ICHG to do something before it becomes a wider problem is prudent and is what people call shutting the stable door before the horse bolts.
I'm sorry you think it wrong to do so.
^ ^
I think you're wrong. Once the word gets around amongst the criminal fraternity about how easy it is to steal from IHG accounts, and how disinterested they are in following it up, all of our accounts are at risk.
uk1 has got it quite right.
^ ^
Happy
Sep 7, 12, 10:29 am
A minute % of accounts are being so called hacked and suddenly all our accounts are in jeopardy of being emptied.
I think you're making a mountain of a molehill of this to be honest.
Until YOURS is being hacked, then you may probably not make such callous comments.
When there is no safeguard of account information as witnessed that the email addresses can be changed without the owner of account being informed of such change, it puts EVERYONE at risk.
mareh
Sep 7, 12, 4:42 pm
At the very least, as a stopgap measure, they should shut off the gift card option until a better system can be implemented. Those are what most of the thieves are after.
While I agree that it would help to notify people at their "old" email if their email is updated, that wouldn't be enough for me. I don't always have a means of checking my email when I'm traveling. I want to see them handle it by allowing more secure passwords.
deant
Sep 7, 12, 6:41 pm
A minute % of accounts are being so called hacked and suddenly all our accounts are in jeopardy of being emptied.
I think you're making a mountain of a molehill of this to be honest.
Let's see what your reaction is if your account gets "hacked" and you lose tens of thousands of points.
HIDDY
Sep 8, 12, 5:17 pm
Just how many have been "hacked" do we have any idea?
Of the few that have had problems.......I've no doubt some will have been caused through negligence by the owner of the account or by some dodgy hotel or PC staff member gaining access.
Yes it must be upsetting for those who have experienced it although if your account has indeed been hacked it shouldn't be hard to prove your innocence and have your points reinstated.
Doug_1970
Sep 9, 12, 12:08 am
I've no doubt some will have been caused through negligence by the owner of the account or by some dodgy hotel or PC staff member gaining access.
Would you like to explain how anyone can prevent a 'dodgy hotel or PC staff member' from getting access to their account?
Yes it must be upsetting for those who have experienced it although if your account has indeed been hacked it shouldn't be hard to prove your innocence and have your points reinstated.
The OP seems to be finding it very hard indeed.
FinnishFlash
Sep 9, 12, 2:41 am
I have to agree with HIDDY here. There is absolutely no reason for IHG to create any better security mechanism. The best solution in my opinion would be just not use any passwords at all because even if some dishonest person (not sure if those even exist) does something wrong "it shouldn't be hard to prove your innocence and have your points reinstated".
uk1
Sep 9, 12, 4:13 am
I have to agree with HIDDY here. There is absolutely no reason for IHG to create any better security mechanism. The best solution in my opinion would be just not use any passwords at all because even if some dishonest person (not sure if those even exist) does something wrong "it shouldn't be hard to prove your innocence and have your points reinstated".
Just double checking ... so not as to waste time .... is this "irony"? ;)
I sometimes mistakenly take people's fun too seriously .... and would hate to find I'd misunderstood! :)
uk1
Sep 9, 12, 4:16 am
Would you like to explain how anyone can prevent a 'dodgy hotel or PC staff member' from getting access to their account?
The OP seems to be finding it very hard indeed.
Basically the controls of the specifics of this are so lax - any staff member with basic computer access - and that seems almost everyone I'd have thought - could do this or help someone else do this and remain undetected.
travelkid
Sep 9, 12, 5:05 am
Just double checking ... so not as to waste time .... is this "irony"? ;)
That's how I also read that comment to the FT ambassadors statement.
FinnishFlash
Sep 9, 12, 5:31 am
Just double checking ... so not as to waste time .... is this "irony"? ;)
Oh, yes:) IMO, they should require a strong password and never let anyone change e-mail address before it has been accepted from the old address, etc.
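Added example, not part of any post in this thread and not IHG's code: a sketch of the e-mail change handling suggested above by Often1 (notify both addresses) and FinnishFlash (hold the change until the old address accepts it). The class and function names, the 24-hour and 72-hour windows and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

CONFIRM_TTL = 24 * 3600   # assumed: the old address has 24 h to approve
REDEEM_HOLD = 72 * 3600   # assumed: no redemptions for 72 h after a change


@dataclass
class Account:
    number: str
    email: str
    points: int
    pending: Optional[dict] = None   # new_email, token_hash, expires
    hold_until: float = 0.0


@dataclass
class Service:
    accounts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # (to, subject, body); stands in for SMTP
    audit: list = field(default_factory=list)    # (time, account, event, detail)

    def _send(self, to, subject, body):
        self.outbox.append((to, subject, body))

    def _pending(self, acct, now):
        """Return the live pending change, dropping it once it has expired."""
        if acct.pending and now > acct.pending["expires"]:
            acct.pending = None
        return acct.pending

    def request_email_change(self, number, new_email, channel, now):
        """Record the request; the address on file stays in force."""
        acct = self.accounts[number]
        token = secrets.token_urlsafe(32)
        acct.pending = {
            "new_email": new_email,
            # Only a hash is stored, so a database read does not yield the code.
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + CONFIRM_TTL,
        }
        self.audit.append((now, number, "email_change_requested", channel))
        # The approval code goes to the OLD address only.
        self._send(acct.email, "Approve e-mail change",
                   f"A request via {channel} asks to change the address on account "
                   f"{number} to {new_email}. If you did not make it, call us. "
                   f"To approve, enter this code: {token}")
        self._send(new_email, "E-mail change pending",
                   "This address becomes active once the current address approves.")

    def confirm_email_change(self, number, token, now):
        """Apply the change only if the code mailed to the old address is presented."""
        acct = self.accounts[number]
        p = self._pending(acct, now)
        if p is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, p["token_hash"]):
            self.audit.append((now, number, "email_change_bad_code", None))
            return False
        old = acct.email
        acct.email, acct.pending = p["new_email"], None
        acct.hold_until = now + REDEEM_HOLD
        self.audit.append((now, number, "email_changed", old))
        for to in (old, acct.email):
            self._send(to, "E-mail address changed", "Redemptions are paused for 72 hours.")
        return True

    def redeem(self, number, points, now):
        """Refuse redemptions while a change is pending or the hold is running."""
        acct = self.accounts[number]
        if self._pending(acct, now) is not None or now < acct.hold_until:
            self.audit.append((now, number, "redeem_blocked", points))
            return False
        if points > acct.points:
            return False
        acct.points -= points
        self._send(acct.email, "Points redeemed", f"{points} points were redeemed.")
        return True


def demo():
    """Constructed scenario: a change requested by phone by someone other than the owner."""
    svc = Service()
    svc.accounts["12345678"] = Account("12345678", "owner@example.com", 300_000)
    svc.request_email_change("12345678", "other@example.net", "call-centre", now=0)
    blocked = svc.redeem("12345678", 300_000, now=60)                # change pending
    wrong = svc.confirm_email_change("12345678", "guess", now=120)   # no valid code
    return svc, blocked, wrong


if __name__ == "__main__":
    svc, blocked, wrong = demo()
    print(svc.accounts["12345678"].email, blocked, wrong, [m[0] for m in svc.outbox])
```

With this flow the owner hears about the request at the address already on file, and the balance cannot be spent until that address approves and the hold has run out.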
HIDDY
Sep 9, 12, 8:59 am
Would you like to explain how anyone can prevent a 'dodgy hotel or PC staff member' from getting access to their account?
Which was the point I was making....you probably can't so I would say that's the most likely reason for people's accounts being accessed.
I still don't buy the idea that some geek is sitting at a computer hacking into our PC accounts and stealing points all because the log in process is a high security risk. There would be similar stories appearing on this forum every day if it were that easy.
From what I've seen there are far more stories about mystery points appearing in our accounts than disappearing points. :D
blindman
Sep 13, 12, 3:12 am
Just how many have been "hacked" do we have any idea?
Of the few that have had problems.......I've no doubt some will have been caused through negligence by the owner of the account or by some dodgy hotel or PC staff member gaining access.
Yes it must be upsetting for those who have experienced it although if your account has indeed been hacked it shouldn't be hard to prove your innocence and have your points reinstated.
Mrs B's account has been hacked and 210,000 points redeemed for Argos vouchers 11th Sep :mad::mad::mad:
Her email address has been altered too.
I've asked her to contact IHG asap.
Will now read this thread to see what else she can do :mad::mad::mad:
Edit
Read through NOT impressed or hopeful of a resolution
Have PMd IHGCare
I don't have a FB account but may register just to post this.
nacho
Sep 13, 12, 7:12 am
Mrs B's account has been hacked and 210,000 points redeemed for Argos vouchers 11th Sep :mad::mad::mad:
Her email address has been altered too.
I've asked her to contact IHG asap.
Will now read this thread to see what else she can do :mad::mad::mad:
Edit
Read through NOT impressed or hopeful of a resolution
Have PMd IHGCare
I don't have a FB account but may register just to post this.
OMG another one! Please post it on FB - something has to be done.
blindman
Sep 13, 12, 7:23 am
OMG another one! Please post it on FB - something has to be done.
I have posted it on FB and Priority Club Connect (http://community.priorityclub.com/t5/Promotions/Points-Stolen/m-p/26627#M576)
IHG Care responded quickly to my PM ^ and has forwarded the issue to the Customer Retention Team.
My wife contacted IHG CS and they "should" ring her back later today.
I hope this starts alarm bells ringing at IHG-but I won't hold my breath. :td:
I will update as soon as I hear anything useful
LarryMcAdoo
Sep 13, 12, 7:36 am
Sorry to hear about the theft Bman!
This situation is not getting any better!
I hope you have better luck than we had!
blindman
Sep 13, 12, 7:50 am
Sorry to hear about the theft Bman!
This situation is not getting any better!
I hope you have better luck than we had!
You have a PM
uk1
Sep 13, 12, 8:36 am
Mrs B's account has been hacked and 210,000 points redeemed for Argos vouchers 11th Sep :mad::mad::mad:
Her email address has been altered too.
I've asked her to contact IHG asap.
Will now read this thread to see what else she can do :mad::mad::mad:
Edit
Read through NOT impressed or hopeful of a resolution
Have PMd IHGCare
I don't have a FB account but may register just to post this.
Sorry to hear this.
Were the Argos vouchers physical or soft vouchers and if physical where were they sent? Do they have redemption code numbers that Argos can be alerted to and tracked?
Presuming everything is as it appears to be from the latest report - then if they had taken some fairly easy and basic steps when the lax security was originally reported then this might have been avoided.
ICHG. Is anyone there? What are you doing about this? IHG lurkers ... why not find out and report back here?
This sort of basic account compromise shouldn't happen with such apparent ease. Just improve the passwords; always send an email to the last email address when an email address change is requested and introduce some other basic security and protection methods.
Does anyone yet understand exactly how the hacks are being completed ie what stages?
iamthehpt
Sep 13, 12, 8:41 am
And, IHG, when an email address on an account is changed, WHY don't you send an email to the OLD email address? Seems like a simple enough proposition. While an email address change notification might not stop all hacking of accounts, it could at least notify the rightful account owner that something is amiss.
blindman
Sep 13, 12, 8:43 am
Sorry to hear this.
Were the Argos vouchers physical or soft vouchers and if physical where were they sent?
Vouchers were EMAILED to the changed address
Do they have redemption code numbers that Argos can be alerted to and tracked?
I rang ARGOS-They were useless TBHO.
Presuming everything is as it appears to be from the latest report - then if they had taken some fairly easy and basic steps when the lax security was originally reported then this might have been avoided.
ICHG. Is anyone there? What are you doing about this?
This sort of basic account compromise shouldn't happen with such apparent ease. Just improve the passwords; always send an email to the last email address when an email address change is requested and introduce some other basic security and protection methods.
Simple fix is highlighted in red. A lot of proper accounts do this for the very same reason :mad:
CS at Argos knew sod all TBHO. She eventually found out the vouchers do have some sort of tracking.
BUT she said they would only talk to the police about the theft- which has been said before the police most likely won't be bothered.
And as we've seen in the press lately the Police can't really be trusted IMHO.
blindman
Sep 15, 12, 5:01 am
Update
As expected IHG say there is no fraud :mad::mad:
I've asked them to provide evidence that they actually looked into IP address, failed log ins etc and the e-cert numbers.
I think one of their statements can easily be challenged (not saying what).
Question
Is there any way I can (or someone in auth) get details of the hotmail email that was used to get the voucher sent to?
Name of owner
When it was setup
What emails were received?
This is NOT over by a LONG way :mad::mad:
blindman
Sep 15, 12, 7:02 am
FLYGVA and Larry you have PM's
I would appreciate a response.
Thanks
uk1
Sep 15, 12, 7:52 am
Update
As expected IHG say there is no fraud :mad::mad:
I've asked them to provide evidence that they actually looked into IP address, failed log ins etc and the e-cert numbers.
I think one of their statements can easily be challenged (not saying what).
Question
Is there any way I can (or someone in auth) get details of the hotmail email that was used to get the voucher sent to?
Name of owner
When it was setup
What emails were received?
This is NOT over by a LONG way :mad::mad:
I think you are approaching this in the wrong way because you are arguing with the wrong people and actually doing things you shouldn't be doing. This is a serious issue. Your current approach is unlikely to resolve your issue. It isn't really for you to start becoming a crime investigator and to argue with relatively low-level staff. You should stop.
Give it a day or two to calm down and then write a very unemotive email or letter to the ceo explaining what happened and explaining what you have uncovered is not only a loss to you but a potential serious reputational and business loss to ICHG. Explain that your reward for trying to explain this to his staff is to be treated disrespectfully and dismissively.
That will do it ... I can almost promise. Unless he has a full time ineffective executive complaints department. In which case there is no hope for them or for you.
You want to appear to be the epitome of reasonableness.
blindman
Sep 15, 12, 12:09 pm
I think you are approaching this in the wrong way because you are arguing with the wrong people and actually doing things you shouldn't be doing. This is a serious issue. Your current approach is unlikely to resolve your issue. It isn't really for you to start becoming a crime investigator and to argue with relatively low-level staff. You should stop.
Give it a day or two to calm down and then write a very unemotive email or letter to the ceo explaining what happened and explaining what you have uncovered is not only a loss to you but a potential serious reputational and business loss to ICHG. Explain that your reward for trying to explain this to his staff is to be treated disrespectfully and dismissively.
That will do it ... I can almost promise. Unless he has a full time ineffective executive complaints department. In which case there is no hope for them or for you.
You want to appear to be the epitome of reasonableness.
Thanks for the reply.
I understand that "arguing" with the Call centre Staff doesn't get results.
All I'm trying to do is get to a higher level to complain.
Thanks for the email address ^
I'm not "seething" mad, just exploring different avenues in which to build a counter claim to IHG lies.
I have one concrete evidence to counter one of their lies.
I nearly have another one-just waiting for a reply.
I understand how to complain in a fact only rational way.
I agree this is a serious issue because I believe this is the tip of the iceberg.
My scenario is that :
1 Some hacker has found a way of identifying IHG accounts with "high" points value (possibly just on the first page)
2 Has then "sold" the "hack" to others so they can try it-Hence attacks in UK, USA etc.
3. IHG are aware but don't care as it
A) Depletes their liability to give £1K in hotel rooms as opposed to £350 in vouchers. Which probably don't cost IHG that amount if anything.
B) It's too expensive to fix and would be an admission that they have a problem.
C) It gives the brand a bad name.
4. It will spread as other hackers buy this script and steal points as IHG web-site is seriously flawed re security.
I may be one of the first BUT I'm sure I'll not be the only one. :td:
My advice to any one with a high account balance is :
1 Book dummy rooms way in advance so your Initial points value looks small > 5000
2. Check your email address on your account EVERY day or have an App that does it for you.
3 Email PC club and TELL them you want them to setup a system that IF your email is changed YOU get an email to confirm this-Like almost every other decent web-site.
This is the achilles heel in the system
4 Change to a Better Hotel program^
[Arnie -ON]
I'll be back
[Arnie-OFF]
uk1
Sep 15, 12, 1:15 pm
ahh well ..... I tried! :)
iamthehpt
Sep 15, 12, 1:42 pm
Some hacker has found a way of identifying IHG accounts with "high" points value (possibly just on the first page)
Interesting theory. Inasmuch as all persons who have had points stolen appear to have had large account balances and we have not heard stories of smaller points thefts, I think your theory has merit. Sorry you are going through this, blindman. Please keep us advised.
LarryMcAdoo
Sep 15, 12, 2:20 pm
I have obviously been trying to figure how this has all happened.
One thing I was doing different, prior to the theft, was that I began using the Priority Club App for a Droid. Started using it a few weeks before the theft occurred.
I wonder if any of the others have just recently been using the same?
blindman
Sep 15, 12, 10:55 pm
I have obviously been trying to figure how this has all happened.
One thing I was doing different, prior to the theft, was that I began using the Priority Club App for a Droid. Started using it a few weeks before the theft occurred.
I wonder if any of the others have just recently been using the same?
Nope.
My wife has not used her account anywhere but at home or work.
Neither of us have smart phones and I work in IT so am Internet savvy re passwords\cached web-pages etc.
The only flaw I can see and I do wonder every time we get them is the promotions by IHG where you fill out a survey etc to get extra points and you input your PC details.
Also if a hacker has a bona fide PC number (Lists "bought" from unscrupulous sources) then trying to break the 4 digit pin is child's play on IHG's site as there is no lock out protection for failed attempts.
iamthehpt
Sep 16, 12, 7:06 am
My theft was different than Larry and blindman's (hotel stay rather than gift card, gmail address rather than hotmail address used on changed account email address). I do NOT have any type of mobile phone app (still use a dumb phone rather than a smart phone.) I do an occasional survey, etc.
LarryMcAdoo
Sep 19, 12, 9:10 am
And Another!!!!!!!!!!!!!!!!!!!!!!!!!
Re: Points Stolen
09-19-2012 11:02 AM
I apologize if this is a duplicate post. I have never tried to post something at this site and am not exactly sure how to complete the task.
I too had points stolen. It seems that someone changed my email and had the point value of gift cards sent to them via a new email. When I discovered this a few days after the transaction (I was trying to make more reservations) I immediately reported it and changed the pin number. I was told that I would be contacted within a week with the results of an “investigation.”
When I was contacted later in the week, I was then told that it was not fraudulent because I must have given someone my pin number! And that was how they changed the email address. Then I was told that it was my responsibility to keep someone from logging into my priority page!
Here is my take on this… and this is not rocket science.
The email was changed solely for the purpose of the transaction of redeeming points for gift cards. The account had had the same email since the registration several years ago. There is no mechanism for notification if someone changes anything on your basic information page. Points that had previously been redeemed by me were always for rooms, never cash or gift cards. The email address that the gift cards were sent to were in no way close to my email address.
It is also concerning to me that my credit card number is on my account. If they can hack into my account, they can certainly see my credit card number. As a side note, when I tried to delete the credit card information, the website would not allow that!
Kinda’ makes you wonder if the thefts are actually being done on the inside of this company and not actually “hackers”…. After all, how would the company know since there is no actual investigation into theft and hacking? And isn’t it always easy to blame the one that actually accumulated the points?
I am very upset and am to the point of taking my business to a competitor! I think that if you continue with this company and program, knowing that they will not protect your points... build up more points… then they hit you again. .. then too bad… you just donated points yet again to a thief!
FinnishFlash
Sep 19, 12, 10:12 am
Sorry to hear that, Larry. This is unbelievable. They should have implemented better security mechanisms years ago - before anything like this happened.
A real password instead of four-digit "passnumber" should be a minimum requirement. E-mail change confirmation to OLD e-mail address or a call to confirm as well.
And why is it allowed to enter wrong pin as many times as one wishes?
mikew99
Sep 19, 12, 12:02 pm
Sorry to hear that, Larry. This is unbelievable. They should have implemented better security mechanisms years ago - before anything like this happened.
A real password instead of four-digit "passnumber" should be a minimum requirement. E-mail change confirmation to OLD e-mail address or a call to confirm as well.
And why is it allowed to enter wrong pin as many times as one wishes?
It seems that once a thief has your PC number, it's only a matter of time before they guess your PIN. With no protections on the PC Web sites, someone could easily write a script to cycle through all the combinations until they reach the correct one, and there's nothing that we can do about it. :(
And to add insult to injury, IHG will just claim that we gave them our PIN. :rolleyes:
So is there nothing else we can do, except to use up our points to make our accounts look less attractive to thieves? :confused:
FinnishFlash
Sep 19, 12, 12:21 pm
It seems that once a thief has your PC number, it's only a matter of time before they guess your PIN.
They don't need to know the PC number either. E-mail address is enough.
It should be easy enough to generate a script that tries to log in with every e-mail address the program knows and try all the pin combinations (9999 of them which is very little for a computer program). Very easy to let the computer read the point amounts as well. And let the computer generate a nice list of e-mail address / pin number combinations that work, along with point balance. The only manual labor being copy&paste to log in, changing the e-mail address and ordering the gift vouchers or whatever.
Does anyone have contact details for IT security department at IHG? If they even have one. I work in the industry so it might be nice to ask some relevant questions.
blindman
Sep 19, 12, 1:38 pm
Sorry to hear that, Larry. This is unbelievable. They should have implemented better security mechanisms years ago - before anything like this happened.
A real password instead of four-digit "passnumber" should be a minimum requirement. E-mail change confirmation to OLD e-mail address or a call to confirm as well.
And why is it allowed to enter wrong pin as many times as one wishes?
Larry was reporting another post from a very quiet blog. (http://community.priorityclub.com/t5/Promotions/Points-Stolen/m-p/26709#M610) The poster was TxTravel
We all know what the issues are with the web-site, it's the attitude of ICHG that really amazes me.
We ALL need to shout at them and publicise these thefts in order to shame them into doing something.
antichef
Sep 19, 12, 5:59 pm
After having read this thread, and seen the extent of how the problem might apply, I considered that an email to the gentleman listed earlier in the thread as being CEO of IHG - if reasoned and not offensive - might be of assistance. So I sent this:
Dear Sir,
I am a long time Platinum member of the PC and have over 500k points in my account. I have recently been alerted to two security flaws with my account, and apparently with all PC accounts, and would wish you to address this matter with your IT people, as I would not wish to lose them through the flaws.
I became aware of the flaw through reading of points thefts on an Internet bulletin board. People there have speculated about how it might happen, but I have considered the documentation given to me during recent stays at ICH group hotels might contribute to the security breach - when combined with your IT flaws in the use of the PIN. You limit passwords to four digits only.
It seems that if a person tries to log in with an incorrect password PIN, that instead of locking the account after a number of incorrect tries, your system allows unlimited attempts. Consequently a thief with a genuine account number can try all 9999 numbers until the correct one is found. This can easily be automated using a simple computer program and the account cracked in minutes. Once the thief gets access, they merely change the account email to lock out the true owner then spend the points in the account - obtaining gift cards etc.
In my opinion you should consider locking the account for 24 hours after three wrong attempts and at that point send an automatic email to the account holder notifying them of the failed attempts. After three more failed attempts 24 hours later the account should be locked until the account holder gets in touch with your Customer Services dept.
Secondly, any change of email address should be notified to the old email address as well as the new one. This is a fairly normal practice with many businesses these days, and would give an opportunity to alert CS if there was a problem detected.
Returning to the points theft, the thief needs a genuine account number. Whilst a simple programme on a computer could generate a random sequence of nine numbers, I have noticed that when I stay at your properties I am regularly given a note with my name and account number written on it. If the note is thrown in the bin, then the account can be compromised. I don't need to be given my account number at any ICH property, I already know it when I make the bookings! Very few businesses print complete numbers on accounts or credit card details, I usually get either Account Ending 1234 or ****1234, but in ICH properties it is always shown in full!
I would be grateful if you would take steps to address this issue. If you wish to follow the Internet thread on this problem please visit:
http://www.flyertalk.com/forum/intercontinental-hotels-priority-club-inter-continental-ambassador/1373164-priority-club-point-theft.html
Signed
Antichef
I have received the following reply:
Dear Antichef,
Thank you for taking the time to share your views and suggestions in regards to the security measures of Priority Club Rewards accounts. The security of our member accounts and the integrity of the Priority Club Rewards program is always of the utmost importance to IHG.
The observations and suggestions you provided are extremely helpful to us in better understanding how IHG can continue to deliver a world class experience for all Priority Club Rewards members who stay at our hotel properties. As we fully understand the necessity to continuously review our procedures, we are grateful for your feedback and will incorporate your suggestions in our current internal discussions to implement enhanced security features to better protect you and all of our members.
We greatly appreciate the insight you provided and for your loyalty to our hotel company. We are committed in striving to deliver the exceptional service our members and guests have come to expect from IHG and the Priority Club Rewards.
Sincerely,
Xxxxx. Xxxxx
Executive Assistant
Executive Office
IHG
Can I suggest that others feel free to raise the issue to HQ IHG, so that they are aware of what is going on. Don't be shy about copying my format if it helps!!
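The lockout and notification rules proposed in the letter above, written out as an added example (not part of the original post and not IHG's code). The class and method names, the in-memory `outbox` and the sample account are assumptions made for illustration; the three-attempt and 24-hour figures come from the letter.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 3                  # wrong PINs allowed per stage (from the letter)
TEMP_LOCK = timedelta(hours=24)   # length of the first lock (from the letter)


@dataclass
class Account:
    number: str
    pin: str                      # kept in the clear only to keep the sketch short
    email: str
    failures: int = 0
    locked_until: Optional[datetime] = None
    had_temp_lock: bool = False   # True once the 24-hour lock has been used
    hard_locked: bool = False     # cleared only by Customer Services


class AccountGuard:
    """Hypothetical sign-in front end; `outbox` stands in for a mail sender."""

    def __init__(self):
        self.accounts = {}
        self.outbox = []          # (recipient, subject) pairs

    def add(self, account):
        self.accounts[account.number] = account

    def _mail(self, to, subject):
        self.outbox.append((to, subject))

    def login(self, number, pin, now):
        acct = self.accounts[number]
        # While locked, the PIN is not even compared, so attempts made during
        # a lock reveal nothing about whether the guess was right.
        if acct.hard_locked:
            return "locked_contact_cs"
        if acct.locked_until is not None and now < acct.locked_until:
            return "locked_24h"
        if hmac.compare_digest(pin.encode(), acct.pin.encode()):
            acct.failures = 0
            acct.had_temp_lock = False
            acct.locked_until = None
            return "ok"
        acct.failures += 1
        if acct.failures < MAX_FAILURES:
            return "wrong_pin"
        acct.failures = 0
        if acct.had_temp_lock:
            # Second run of three failures: lock until the owner calls in.
            acct.hard_locked = True
            self._mail(acct.email, "Account locked: please contact Customer Services")
            return "locked_contact_cs"
        # First run of three failures: 24-hour lock plus a notice to the owner.
        acct.had_temp_lock = True
        acct.locked_until = now + TEMP_LOCK
        self._mail(acct.email, "3 failed sign-in attempts: account locked for 24 hours")
        return "locked_24h"

    def unlock_by_customer_services(self, number):
        acct = self.accounts[number]
        acct.hard_locked = False
        acct.had_temp_lock = False
        acct.failures = 0
        acct.locked_until = None

    def change_email(self, number, new_email):
        acct = self.accounts[number]
        old_email, acct.email = acct.email, new_email
        # Notify the OLD address first, so the owner hears about a change
        # they did not make, then the new address.
        self._mail(old_email, "The e-mail address on your account was changed")
        self._mail(new_email, "This address was added to your account")
        return old_email
```

With these rules at most six wrong PINs are ever compared before the account needs Customer Services to reopen it.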
clusters78
Sep 19, 12, 6:54 pm
again it is richard.solomons at ichotelsgroup dot com
Or one of the others:
http://www.ihgplc.com/index.asp?pageid=786
And as others have said. It may help to be calm, polite, and rational. I know it's easy to say for those of us who haven't been victimized (yet). But with these things (appealing to those in charge for _help_, even if it's their subordinates who are doing something wrong) I've learnt if there is even one exclamation mark, you're probably doing it wrong. :)
It sounds like a legit problem, definitely concerning enough at least a few of us have proactively tried to contact the higher ups. Too-emotional correspondence may make it hard to achieve traction for change. :)
nacho
Sep 20, 12, 1:36 am
In my opinion you should consider locking the account for 24 hours after three wrong attempts and at that point send an automatic email to the account holder notifying them of the failed attempts. After three more failed attempts 24 hours later the account should be locked until the account holder gets in touch with your Customer Services dept.
I don't think locking the account for 24 hours is a good idea - what if I need to book anything during that time - what if PB is on?
What I think a better approach to deal with this is have 3 attempts to log in, and then the legit user can retrieve the password using security questions.
blindman
Sep 20, 12, 1:57 am
After having read this thread, and seen the extent of how the problem might apply, I considered that an email to the gentleman listed earlier in the thread as being CEO of IHG - if reasoned and not offensive - might be of assistance. So I sent this:
I have received the following reply:
Dear Antichef,
Thank you for taking the time to share your views and suggestions in regards to the security measures of Priority Club Rewards accounts. The security of our member accounts and the integrity of the Priority Club Rewards program is always of the utmost importance to IHG.
The observations and suggestions you provided are extremely helpful to us in better understanding how IHG can continue to deliver a world class experience for all Priority Club Rewards members who stay at our hotel properties. As we fully understand the necessity to continuously review our procedures, we are grateful for your feedback and will incorporate your suggestions in our current internal discussions to implement enhanced security features to better protect you and all of our members.
We greatly appreciate the insight you provided and for your loyalty to our hotel company. We are committed in striving to deliver the exceptional service our members and guests have come to expect from IHG and the Priority Club Rewards.
Sincerely,
Xxxxx. Xxxxx
Executive Assistant
Executive Office
IHG
Can I suggest that others feel free to raise the issue to HQ IHG, so that they are aware of what is going on. Don't be shy about copying my format if it helps!!
Glad to see some others are taking note of this serious issue. ^ Can I suggest we ALL do it!
However if you read the reply it is just a Generic feeble "Ok we got your mail"
I'm waiting for a response to my questions from IHG "Care" before I send an email to the CEO (with no exclamation marks)
@Antichef
How long was it before you got a reply?
@Clusters78
Did you receive a reply?
Cheers.
quitecontrary
Sep 20, 12, 3:41 am
If there is fraudulent activity in the IT department it could explain the multiple referral certificates being offered by some eBay sellers - see this thread -
http://www.flyertalk.com/forum/intercontinental-hotels-priority-club-inter-continental-ambassador/1180396-ebay-royal-ambassador-experience-beware-4.html
nacho
Sep 20, 12, 4:06 am
If there is fraudulent activity in the IT department it could explain the multiple referral certificates being offered by some eBay sellers - see this thread -
http://www.flyertalk.com/forum/intercontinental-hotels-priority-club-inter-continental-ambassador/1180396-ebay-royal-ambassador-experience-beware-4.html
Quitecontrary: I know that you are very concerned about the RA certs sale on ebay. However this thread is about PC point theft.
Why don't you go to ebay.co.uk and chat with the CS there? They might be able to ban the seller.
quitecontrary
Sep 20, 12, 5:56 am
Nacho - I've done all that! I was just pointing out that there could be a possible connection if it's an inside job.
blindman
Sep 20, 12, 7:49 am
IHG Care (Misnomer if I ever heard one)
You have a PM
I would appreciate a reply
blindman
Sep 21, 12, 12:23 am
RESULT ^
We are sending this correspondence in response to the previous communication we have received from you, where you have reported the unauthorized use of your xxx0,000 points towards the redemption of xxxxxxxxxxxxxxxxxxxxxon date, Month 2012
We would like to inform you that the points used for this transaction have been credited back to your account. However, due to this unfortunate incident, we would need to enroll a new account under your namexxxxxxxxxxxxxxx
My wife has to email them details to prove it was her account BUT it looks like this is over ^
Also
Should you want to discuss the case directly, we could give you a call.
So the question is:
Due to the poor way this was handled and the effort I had to investigate this and the stress caused
How much compensation should she ask for-OR would that be wrong??
I'm thinking either
Award points 50K?
Free Night cert for ANY hotel?
Answers on a postcard (along with your PC number and password;) )
Hopefully TxTravel + Larry read this and have had the same result.
If not then email me to see what can be done.
nacho
Sep 21, 12, 2:01 am
Blindman - I don't know how much compensation I'll ask for. Has IHG admitted that it's their fault? If so, then I'll ask for compensation.
Did you get the reply from IHG Care?
blindman
Sep 21, 12, 2:11 am
Blindman - I don't know how much compensation I'll ask for. Has IHG admitted that it's their fault? If so, then I'll ask for compensation.
Did you get the reply from IHG Care?
No and No
iamthehpt
Sep 21, 12, 7:48 am
Congrats, blindman. Your experience shows that persistence sometimes pays off. Unfortunately, I fear that PC point thefts may become more common unless PC puts some security features in place.
Ashasan2005
Sep 21, 12, 9:30 am
That's awesome blindman. I sincerely hope that they offer you something worthwhile without you having to ask for it. I can only imagine the time wasted and aggravation that this caused.
clusters78
Sep 21, 12, 11:23 am
The goal is to get them to improve their security.
To ask them to be fair to us in return, we should also try to see from their perspective:
** ring ring "Hi I had X,XXX,000 points in my account, it's stolen. Can you make me whole?"
Option A: trust this person, eat the hundreds/possibly thousands of dollars in losses as a goodwill gesture.
Option B: we have no idea if this user is trying to scam us. Like real scammers, little prevents the original owner from going in, changing the email, redeem the gift cards, and claim that they've been hacked. (Just theoretically speaking. Personally, reading the threads, I'm 100% confident that all the posters here were _NOT_ option B. Just saying: as a business owner, what kind of slippery slope are they embarking on if they regularly adopt option A? even if not scammers, what if users are just cavalier with their acct#/pin codes? A) makes good human sense, but what about business sense?)
Just my $0.02, I think
* ICH has set up a low bar on safeguarding user accounts
* that said, the fact they chose to adopt option A for blindman is commendable. Heartening to know either blindman's persistence or maybe (and hopefully there were more than just a few) the community's emails achieved this positive outcome.
* that said, at this point the focus really isn't about compensation. Let's face it: ICH can't do this for everyone. What's to prevent you and me otherwise to go into our accounts (or ask a friend so the IP is different), change email to some random hotmail/gmail acct, redeem giftcards, then call and claim we've been hacked? and that we want our points back? The answer of course is: absolutely none. And I would not ICH to consistently adopt option A as personally I like their program, and I don't want them to have to eat losses from hackers or users who may choose to abuse the system from this.
The best outcome for everyone, ICH included, is for them to address their security flaws. Not if we just get these threads on flyertalk here and there about thefts, and as long as someone got reimbursed and it's case closed.
blindman
Sep 21, 12, 11:42 am
The goal is to get them to improve their security.
To ask them to be fair to us in return, we should also try to see from their perspective:
** ring ring "Hi I had X,XXX,000 points in my account, it's stolen. Can you make me whole?"
Option A: trust this person, eat the hundreds/possibly thousands of dollars in losses as a goodwill gesture.
Option B: we have no idea if this user is trying to scam us. Like real scammers, little prevents the original owner from going in, changing the email, redeem the gift cards, and claim that they've been hacked. (Just theoretically speaking. Personally, reading the threads, I'm 100% confident that all the posters here were _NOT_ option B. Just saying: as a business owner, what kind of slippery slope are they embarking on if they regularly adopt option A? even if not scammers, what if users are just cavalier with their acct#/pin codes? A) makes good human sense, but what about business sense?)
Just my $0.02, I think
* ICH has set up a low bar on safeguarding user accounts
* that said, the fact they chose to adopt option A for blindman is commendable. Heartening to know either blindman's persistence or maybe (and hopefully there were more than just a few) the community's emails achieved this positive outcome.
* that said, at this point the focus really isn't about compensation. Let's face it: ICH can't do this for everyone. What's to prevent you and me otherwise to go into our accounts (or ask a friend so the IP is different), change email to some random hotmail/gmail acct, redeem giftcards, then call and claim we've been hacked? and that we want our points back? The answer of course is: absolutely none. And I would not ICH to consistently adopt option A as personally I like their program, and I don't want them to have to eat losses from hackers or users who may choose to abuse the system from this.
The best outcome for everyone, ICH included, is for them to address their security flaws. Not if we just get these threads on flyertalk here and there about thefts, and as long as someone got reimbursed and it's case closed.
The problem is you're missing the point: and TBHO you are way off the mark as to what has happened here.
1. IHG "security" on their web-site is very lax-and I'm sure it's easy to get around a 4 digit PIN. No lock out of account after X amounts of failed log ins is not implemented.
2. Their gift card redemption is flawed-Items should not be allowed to be emailed to a recently changed account-if your email is changed then YOU should be told (via phone, old email address, SMS) if that's what you want AND no purchases should be sent there for (say) 30 days-It's simple and good business-IF you cared for your customers :mad:
3. Anything done via Internet accounts should be easily logged and traceable. Any account changes immediately followed by strange unusual activity should be questioned.
It's not rocket science. IHG don't care TBHO.
4. Their attitude is to blame user and hope they go away. It's cheaper that way :rolleyes:
Well they picked the wrong user:
I work in IT so know a "little" bit of how things should work and what questions to counter with-They never answered them.
I also know how IT logging works-Whenever you log into ANYTHING on the web-there are traces.
Granted if you're intent on defraud-you can hide-but innocent victims don't do that
I intend to ask what steps they will take to improve security-Otherwise I'm outtha here and will publicise their failings.
BTW
Their "commendable" actions were to tell the (known) four victims that it was all their own fault with scant proof that they even investigated the traceable elements I have mentioned.
Classic!
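Points 2 and 3 of the post above (hold e-mailed items after a recent address change, question account changes followed by unusual activity), together with the "always for rooms" observation in the report pasted earlier in the thread, as an added example that is not part of any post and not IHG's code. The audit-log format, field names, account numbers, addresses and the failed sign-in threshold are assumptions; the 30-day hold is the figure suggested in the post.

```python
from datetime import datetime, timedelta

EMAIL_HOLD = timedelta(days=30)     # "(say) 30 days" from the post
FAIL_WINDOW = timedelta(hours=24)   # assumption: look-back for failed sign-ins
FAIL_THRESHOLD = 10                 # assumption: failures that count as a burst

# Constructed audit log: the line format, account numbers and addresses are
# invented for this example (documentation IP ranges, example.* domains).
_FAILED = [
    f"2012-09-11T02:14:{s:02d} acct=100000001 event=login_failed ip=203.0.113.7"
    for s in range(12)
]
SAMPLE_LOG = "\n".join([
    "2012-03-02T09:10:00 acct=100000001 event=redeem kind=room",
    "2012-06-18T20:41:12 acct=100000001 event=login_ok ip=198.51.100.20",
    "2012-06-18T20:45:00 acct=100000001 event=redeem kind=room",
    *_FAILED,
    "2012-09-11T02:14:30 acct=100000001 event=login_ok ip=203.0.113.7",
    "2012-09-11T02:15:10 acct=100000001 event=email_changed new=x@example.net",
    "2012-09-11T02:16:40 acct=100000001 event=redeem kind=gift_card delivery=email",
    "2012-09-12T08:00:05 acct=100000002 event=login_failed ip=198.51.100.44",
    "2012-09-12T08:00:19 acct=100000002 event=login_ok ip=198.51.100.44",
    "2012-09-12T08:03:00 acct=100000002 event=redeem kind=room",
])


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def review_redemption(events, redemption):
    """Return the reasons to hold one redemption for review (empty = release)."""
    acct, when = redemption["acct"], redemption["ts"]
    history = [e for e in events if e["acct"] == acct and e["ts"] < when]
    reasons = []

    # Point 2: nothing is e-mailed to an address changed in the last 30 days.
    recent_change = any(
        e["event"] == "email_changed" and when - e["ts"] < EMAIL_HOLD
        for e in history
    )
    if recent_change and redemption.get("delivery") == "email":
        reasons.append("e-mail delivery to an address changed within 30 days")

    # Point 3: a burst of failed sign-ins shortly before the redemption.
    failures = [
        e for e in history
        if e["event"] == "login_failed" and when - e["ts"] <= FAIL_WINDOW
    ]
    if len(failures) >= FAIL_THRESHOLD:
        reasons.append(f"{len(failures)} failed sign-ins in the preceding 24 hours")

    # Redemption of a kind the account has never used before.
    past_kinds = {e["kind"] for e in history if e["event"] == "redeem"}
    if past_kinds and redemption["kind"] not in past_kinds:
        reasons.append(
            f"first {redemption['kind']} redemption; history is only {sorted(past_kinds)}"
        )
    return reasons


def held_redemptions(log_text):
    """List (account, timestamp, reasons) for every redemption that should be held."""
    events = parse_log(log_text)
    held = []
    for event in events:
        if event["event"] == "redeem":
            reasons = review_redemption(events, event)
            if reasons:
                held.append((event["acct"], event["ts"], reasons))
    return held


if __name__ == "__main__":
    for acct, ts, reasons in held_redemptions(SAMPLE_LOG):
        print(acct, ts.isoformat(), reasons)
```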
PriorityClubRewards
Sep 21, 12, 1:16 pm
Hi Everyone -
I'm sorry to hear that several of you have had account security issues recently. If you sense that points have been fraudulently redeemed from your account, I encourage you to work with the Priority Club Customer Care team. IHG takes member account security very seriously, and as such I am not able to comment on or divulge information regarding any of these cases publicly. If you would like to speak with a customer care agent regarding your account, please reach out to the service center in your region: http://www.priorityclub.com/rewards/us/en/customer-care/contact-us
We have been aware of this thread for some time and due to the nature of the content have had many internal discussions regarding response and actions to be taken. Because of the recent discussions here, IHG has begun examining additional security measures to be put in place to further secure member accounts. Thank you for all of your ideas and suggestions.
-Carolyn
uk1
Sep 21, 12, 1:34 pm
Hi Everyone -
I'm sorry to hear that several of you have had account security issues recently. If you sense that points have been fraudulently redeemed from your account, I encourage you to work with the Priority Club Customer Care team. IHG takes member account security very seriously, and as such I am not able to comment on or divulge information regarding any of these cases publicly. If you would like to speak with a customer care agent regarding your account, please reach out to the service center in your region: http://www.priorityclub.com/rewards/us/en/customer-care/contact-us
We have been aware of this thread for some time and due to the nature of the content have had many internal discussions regarding response and actions to be taken. Because of the recent discussions here, IHG has begun examining additional security measures to be put in place to further secure member accounts. Thank you for all of your ideas and suggestions.
-Carolyn
Carolyn,
I think it's great that you have indicated interest in this topic, but can you provide us with something a touch more tangible please?
LarryMcAdoo provided an alert to this 7 weeks ago and there is nothing in your note to reassure that anything has been done about this at all - other than "awareness".
As a person who has a background in IT I believe fixes for this could have been managed in a day or so. For example 90% of the problem would have been cured by simply sending an email alert following an email change request.
Obviously you are a messenger - and shouldn't be shot :) - and I know you are relaying information that you are passing on in good faith - but it doesn't sound like ICHG responded with any urgency or indeed responded at all yet - so please can you explain why nothing seems to have been done at all and if it has - then what exactly?
TexasMSW
Sep 22, 12, 6:16 am
Carolyn:
IHG has not been responsive to its customers that have reported fraudulently stolen points.
Mine is a case in point. I have worked in the security industry for 20+ years. When I discovered that my points were stolen, I did the right thing and immediately reported the theft. Since that time, I have had no less than 4 conversations with your representatives, including “supervisors.” I have also sent two emails. In the last one I requested information that I needed to further an investigation I was conducting with my own security firm. Without that information, there is not a whole lot I can do. So not only does your company accuse its membership of lying and fraud themselves but when they try to recover their property or at least try to determine what happened to it, your company blames, ignores and impedes the flow of information to those that may be able to make a determination and resolve the issue.
As an example, I last spoke with your representatives earlier this week to ask for the case # and email address where the points were sent. Your representative stated “oh we no longer have that information.” To which I replied “Well I just spoke to you on Monday, you didn’t retain that information for less than a week?” I was then placed on hold. She returned some minutes later with the information.
In the “investigation” from your “fraud team”, no one ever contacted me. I can tell you in Investigations 101, that can be learned from anyone reading a dime store crime novel, talking to the victim is customarily within the first few steps of determining who, what, when, where and how.
I will state my position again. This is not a complicated security issue. But to call the loyal members of your rewards program liars is not a solution. I will not be reaching out to yet another email address in your company. If your company does not know who I am… so be it for me to further bother you.
I apologize in advance if this posting seems a bit harsh. As you may imagine, my patience has worn thin with the accusations that I am somehow responsible for your internal security issues.
TexasMSW
http://community.priorityclub.com/t5/Promotions/Points-Stolen/td-p/26151/page/7
My name on this website is TxTravel
LarryMcAdoo
Sep 23, 12, 8:44 am
Good day all.
Blindman...glad to see that your account has been made whole again!
When I began this mission, I had no hopes of getting anything resolved, but I believed that through awareness, others might not experience my pain.
I believe that the other responders on this site, pertaining to this issue have been of great help.
Ideas and resolution on fixes have been free flowing. But to be quite honest, I do not have time to run another business! PCR/ICH or whoever, does not see fit to treat its loyal customers with common decency. People that have been loyal to your brand are treated as though they are no more than cheating and stealing criminals!
I completely agree with TexasMSW...I am sick of dealing with everyone in your company! I may have been the first to bring this to light, so I went through a lot of initial run around. Hours lost on the phone speaking to folks by the name of Blue and Ice. Every time they put you on hold, after apologizing, the phone connection becomes worse. Bad enough to the point that no other recourse, is but to hang up.
I'll stop my rant and I apologize but my frustration level has reached the point of indifference.
I have not been contacted by anyone at PCR/ICH via e-mail, phone etc. I guarantee they have my information.
My account is still missing 300,000 points and I would have thought that a courtesy message from the company might have been warranted.
Guess not!
LarryMcAdoo
Sep 23, 12, 8:54 am
As a quick follow up, I decided to try one last time and send an e-mail to the link provided above by Carolyn.
I decided to cut and paste my original information. It is nothing more than the generic site for Priority Club Customer Care. The link does not direct you to a specific individual or team that might be working on this issue.
So once again into the abyss!!!!!!!!!!!!
blindman
Sep 23, 12, 9:06 am
Good day all.
Blindman...glad to see that your account has been made whole again!
Well my Wife's account is STILL not fixed as we've had no response to our answer to their email on 21st Sept. and her account is still locked out. :td:
My account is still missing 300,000 points and I would have thought that a courtesy message from the company might have been warranted.
Guess not!
I don't think IHG do "courtesy" :td::td:
I will chase this tomorrow and ask WHY my Wife's, yours, TxTravel and Braintasic have not received the missing points OR an offer of compensation for IHG's TOTAL inadequacies.
uk1
Sep 23, 12, 10:50 am
I don't mean to appear cynical but perhaps the late involvement here by IHG was intended more to stop people contacting the CEO - who if they or their staff read the threads then might conclude that their staff lurking here might have been more pro-active and helpful?
It's disappointing that there's been no response other than fatuous platitudes.
TexasMSW
Sep 23, 12, 11:01 am
Just a note to update yall.
I did receive an email this morning apologizing for the delay. Of course it included the words “We have experienced higher e-mail volume than normal.” …. I’ll bet they have!
And they have agreed to credit the account of missing points. I was a little disappointed they offered no additional points credit for time and frustration spent, let alone the insult to my integrity.
Thank yall for the help in resolving this issue and I wish you all well and happy in your travels!
TexasMSW
nacho
Sep 23, 12, 11:20 am
Great to hear that you got your points back TexasMSW. Have you asked for compensation for all the trouble they put you through?
If you don't ask, they won't give you anything.
Please post your experience on FB - a place where everyone can see what they have put you guys through!
I'm going to do it if they haven't sorted out their BRG fraud!
Btw I think the one who stole the points must know where you guys live because I believe that Blindman is UK based and he got his points stolen for Argos GC. The American members got their points stolen to redeem Amazon.com GC. Of course IHG is suspicious about this because the GC is for the companies where they live.
louie-m
Sep 23, 12, 11:27 am
I did receive an email this morning apologizing for the delay. Of course it included the words “We have experienced higher e-mail volume than normal.” …. I’ll bet they have!
I have never, ever had an email from PC that didn't have that sentence in it. It's plainly rubbish - if their email volume is consistently higher than "normal", that volume is by definition normal......
TexasMSW
Sep 23, 12, 11:31 am
I don't do any social media so I can't post it... just as effective though is that I work with and around a lot of State employees. It's great water cooler chatter.
As for compensation... I agree it would have been nice if it had been offered. But I am really not the type to ask for such things. In all reality, I stay at the same hotels over and over.. and the staff at those hotels is on first name basis with me, right down to the maids. I never have a bad experience in these hotels. Which is why this has pissed me off to have to argue with their corporate offices.
nacho
Sep 23, 12, 11:35 am
I have never, ever had an email from PC that didn't have that sentence in it. It's plainly rubbish - if their email volume is consistently higher than "normal", that volume is by definition normal......
Yes if you email them through their normal channel, try this one:
IHGCare@ihg.com
When I sent email to this address I do get a reply and I never get those BS about high volume.
ryan754
Sep 24, 12, 9:04 am
Thumbing through this does not surprise me at all! A while back I stayed at a HI in Germany on an award stay. Months later I noticed they charged my credit card some 130 Euro or so. I asked them to fix it. The hotel said they did no such thing. I sent them my bank statement, again they denied it. I went to Priority Club, and they absolutely had nothing to do or say! I sent them facts evidence that their hotel fraudulently charged me etc, and they did not care. I was past my bank's charge back timeline so I was screwed.
After several international phone calls, emails faxes etc, finally the hotel realized they screwed up and refunded me. Less my interest bank fees, and conversion charges. Priority club has no sense of taking care of their customers (Plat) whatsoever. I take my business elsewhere, and just take advantage of PB's etc. I won't give them a dime!
Barham
Sep 24, 12, 10:54 am
Of course, it's worth remembering that it's not just a points theft that is the issue since the accounts are so easy to hack, it's that anyone holding their credit card details on the PC site is going to be wide open to having that card used to purchase any number of items. Keeping a card on file is useful, but there needs to be adequate security in place. There clearly isn't.
Happy
Sep 24, 12, 5:18 pm
Thumbing through this does not surprise me at all! A while back I stayed at a HI in Germany on an award stay. Months later I noticed they charged my credit card some 130 Euro or so. I asked them to fix it. The hotel said they did no such thing. I sent them my bank statement, again they denied it. I went to Priority Club, and they absolutely had nothing to do or say! I sent them facts evidence that their hotel fraudulently charged me etc, and they did not care. I was past my bank's charge back timeline so I was screwed.
After several international phone calls, emails faxes etc, finally the hotel realized they screwed up and refunded me. Less my interest bank fees, and conversion charges. Priority club has no sense of taking care of their customers (Plat) whatsoever. I take my business elsewhere, and just take advantage of PB's etc. I won't give them a dime!
I got absolutely no help from Priority Club. IHG Guest Relations is a tiny tad better in that at least out of 3 different case numbers its reps assigned me, 1 case number eventually led to a half-baked resolution which later was aborted as it claimed the hotel confirmed it had refunded the charge to my card. I have not heard from my bank on a formal closure of this matter which normally happens if the merchant was able to refund or accept a charge back. So I honestly don't know whether the hotel has ever refunded the money. At least now I finally have an "official" response from IHG Guest Relations that the hotel claimed it did. I disputed the charge after no response / assistance from all parties concerned and Chase issued a temporary credit. And this "official" response from IHG would serve as a supporting doc should Chase come back to tell me merchant does not issue refund.
It is absolutely pathetic the way PC / IHG handle things like this. The official rep on this forum is of very little help also.
But of course, some posters on this forum would tell you to relax and wait for the resolution from the hotel / IHG. In your case, you did not take the matter into your own hand quick enough and then passed the allowed period to dispute the charge with your bank. I don't want this crap to happen to me because I would be away for over a month, and it would be close to passing the deadline to dispute by the time we return home. So I was following up with both the hotel and the PC/IHG to at least make them send me a written response to admit the wrong billing before my dispute goes expired.
htb
Sep 24, 12, 10:05 pm
But of course, some posters on this forum would tell you to relax and wait for the resolution from the hotel / IHG.
I believe most people on that forum told you to relax and let the card issuer handle it if the hotel wouldn't respond positively within a few days. I don't remember anyone advising you to sit back while the hotel/IHG do nothing.
HTB.
uk1
Sep 25, 12, 1:09 am
ICHG seem to have developed the knack of at best failing to do the right thing or at worst consistently doing the wrong thing at corporate level when dealing with issues. They also seem to miss or undervalue the fact that almost all of the posters here are loyal regular users of their product and therefore by implication happy to be so. They don't see this as being a potentially very useful almost "free" highly valuable and tappable resource.
BAEC's view of FT'ers in contrast seems to be that they have access to a bunch of people that work as an early warning system, sounding board and willing prototypers. It is really clear to me that the BAEC lurker "gets it" and really pulls the stops out if there is either a generic or individual issue. They seem to listen and act. They have in fact become almost personal friends to BAEC members by the gaining of their confidence and trust over the years. The same was also true on the BMI DC board.
On this forum ICHG seem to have produced the worst of all worlds. They have a couple of official lurkers who ICHG clearly believes places them a step up in the hotel group pecking order and have therefore increased expectations by arriving and being present, but then created a greater level of frustration and annoyance by being absent, unresponsive and ineffective.
To me this seems to expose and prove a level of collective corporate incompetence that is simply mystifying and frustrating. It is as though they are purposefully burning goodwill by extraordinary incompetence by going out of their way to demonstrate regularly their lack of care and/or respect to their most loyal of customers. How is it possible to produce such a result given the little that need be done?
Utterly perplexing.
FLYGVA
Sep 25, 12, 5:34 am
I want to thank everybody for their input and sharing their thoughts about the various aspects about "this situation" and the security concerns. I also want to thank you for sharing your thoughts and opinions in a highly professional way. ^
Given my work background, I can imagine that it is difficult for IHG and Priority Club to react in the way we would prefer they had - with various departments involved this takes some time. The bigger the company or the office is, the much more difficult it is to deal with social media. I too would have preferred a quicker reaction, but this could not always happen and we should not shoot the messengers. Personally, I think it is good that PCR finally posted in this thread (better late than never).
I also ask you to focus in this thread about the security issue and not so much about how IHG has reacted in other situations. I have no specific post in mind when I make this post, I simply want to avoid that we have many other than the security aspect covered in this thread.
Thank you
FLYGVA
co-moderator IHG Forum
uk1
Sep 25, 12, 7:12 am
I want to thank everybody for their input and sharing their thoughts about the various aspects about "this situation" and the security concerns. I also want to thank you for sharing your thoughts and opinions in a highly professional way. ^
Given my work background, I can imagine that it is difficult for IHG and Priority Club to react in the way we would prefer they had - with various departments involved this takes some time. The bigger the company or the office is, the much more difficult it is to deal with social media. I too would have preferred a quicker reaction, but this could not always happen and we should not shoot the messengers. Personally, I think it is good that PCR finally posted in this thread (better late than never).
I also ask you to focus in this thread about the security issue and not so much about how IHG has reacted in other situations. I have no specific post in mind when I make this post, I simply want to avoid that we have many other than the security aspect covered in this thread.
Thank you
FLYGVA
co-moderator IHG Forum
I take your point but don't wish to disagree with an esteemed mod but I totally disagree with the comment:
Given my work background, I can imagine that it is difficult for IHG and Priority Club to react in the way we would prefer they had - with various departments involved this takes some time.
Given my work background I conclude the opposite and that this is both a high priority and relatively easy to cure in a very short period of time.
FLYGVA
Sep 25, 12, 8:40 am
I take your point but don't wish to disagree with an esteemed mod but I totally disagree with the comment:
Given my work background I conclude the opposite and that this is both a high priority and relatively easy to cure in a very short period of time.
Well my point was, that in such cases Social Media is not on the highest points of our priority.
blindman
Sep 25, 12, 1:18 pm
Well my point was, that in such cases Social Media is not on the highest points of our priority.
Neither it seems is communication with wronged customers.
My wife has had no comms since the email at 06:00 on 21st Sept stating the points had been restored and requesting details so they can set up another account.
At present she still can't access her account and has no points:td:
Total shambles :mad:
AJLondon
Sep 25, 12, 8:03 pm
Given my work background I conclude the opposite and that this is both a high priority and relatively easy to cure in a very short period of time.
I agree. Had this been a client of mine, or the firm I work for, the reaction and response would have been massively different.
The reaction, or lack thereof, from ICHG has been quite appalling and shambolic to say the least. And I don't think any sugar coating or rationalization can change that fact.
blindman
Sep 27, 12, 1:43 pm
Guys n Galls.
I hope you do not have to go through the frustration of having mega 100,000's of points stolen and then the incompetence of an ICHG "Investigation".
My situation has been resolved as has TexasMSW BUT NOT THE OP (Not too sure about Braintastic-but will endeavour to find out)
HOWEVER
ICHG have the pompous attitude that it was not their insecurities of their web-site but MY WIFE'S fault!
They DENY there's a problem and as far as I can see are NOT willing to address the issues we have all mentioned here.
So I would be very cautious about amassing a huge amount of points and would try to keep an alert as to when the email address is changed on your account as ICHG DO NOT CARE.
Once our points are (honestly) spent I'm leaving this program.
I suggest you all do the same.
uk1
Sep 27, 12, 2:37 pm
Good to hear it's resolved but unsettling to reconcile the attitude you have encountered with the soothing reassurances we have received from the lurker.
It is either a known problem being resolved - or isn't. :confused:
Still no response to my earlier rather good natured request for more information.;)
LarryMcAdoo
Sep 27, 12, 4:40 pm
Unfortunately, my account has not been reconciled. Furthermore, I have not heard from anyone from ICH. I reposted my original threads to the links provided by the Carolyn, and no response. This was done after some had success and we were directed to go through customer care. (I would love to see their definition of "customer care").
I am glad to hear that some are seeing results, but as of today, I HAVE NOT had resolution.
I am running out of adjectives to describe this whole affair. (I have a few adjectives, but want to keep this clean)
Again, I want to thank all that have added to this discussion.
blindman
Sep 28, 12, 2:03 am
Unfortunately, my account has not been reconciled. Furthermore, I have not heard from anyone from ICH. I reposted my original threads to the links provided by the Carolyn, and no response. This was done after some had success and we were directed to go through customer care. (I would love to see their definition of "customer care").
I am glad to hear that some are seeing results, but as of today, I HAVE NOT had resolution.
I am running out of adjectives to describe this whole affair. (I have a few adjectives, but want to keep this clean)
Again, I want to thank all that have added to this discussion.
Sorry to hear you've not had any results-I've amended my post.
Did you write to the CEO?
Have you rung and quoted these three known cases?
I intend to keep pushing to get answers to questions they have ignored.
uk1
Oct 1, 12, 5:58 am
It's interesting that I have just needed a few moments ago to change an email address on my Avios account and the first thing they do is to immediately send an automated message to both the new and old email address with the warning:
Dear Customer,
We are sending you this automated email to confirm that you have created or updated your details.
To check they are correct, please log in at http://www.avios.com
Thank you
The Avios team
What is so difficult for ICHG?!:confused:
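The controls posters ask for in this thread (a lockout after repeated failed log-ins, a notice to both the old and the new address when the e-mail changes, as in the Avios message above, and a 30-day hold on e-mailed rewards after such a change) can be written as a small policy replayed over an audit trail. This is an added illustration, not code from IHG, Avios or any poster; the event format, member ids, addresses and the lockout threshold of 5 are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_LOGINS = 5                 # assumption: the thread only says "X"
REDEMPTION_HOLD = timedelta(days=30)  # the "(say) 30 days" suggested in the thread


@dataclass
class Account:
    email: str
    failed_logins: int = 0
    locked: bool = False
    email_changed_at: Optional[datetime] = None


@dataclass
class Decision:
    ts: datetime
    member: str
    action: str   # LOCKED, REJECTED, NOTIFY, HELD or ALLOWED
    detail: str


def process(events, accounts):
    """Replay time-ordered audit events and return the control decisions."""
    out = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        member, acct = ev["member"], accounts[ev["member"]]

        def decide(action, detail):
            out.append(Decision(ts, member, action, detail))

        if acct.locked:
            # A locked account accepts nothing, not even the right PIN,
            # until the owner has been verified out of band.
            decide("REJECTED", f"{ev['type']} on locked account")
        elif ev["type"] == "login_fail":
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked = True
                decide("LOCKED", f"{acct.failed_logins} consecutive failed logins")
        elif ev["type"] == "login_ok":
            acct.failed_logins = 0
        elif ev["type"] == "email_change":
            old, acct.email = acct.email, ev["new_email"]
            acct.email_changed_at = ts
            # Notify BOTH addresses: the old one is the only channel the
            # real owner still controls if the change was not theirs.
            decide("NOTIFY", old)
            decide("NOTIFY", acct.email)
        elif ev["type"] == "redeem":
            changed = acct.email_changed_at
            recent = changed is not None and ts - changed < REDEMPTION_HOLD
            if ev["delivery"] == "email" and recent:
                decide("HELD", f"e-mailed reward {ts - changed} after e-mail change")
            else:
                decide("ALLOWED", f"{ev['points']} points, delivery={ev['delivery']}")
    return out


def sample_events():
    """Constructed audit trail; member ids, addresses and times are made up."""
    guesses = [{"ts": f"2012-09-10T02:00:0{i}", "member": "M-0001",
                "type": "login_fail"} for i in range(5)]
    return guesses + [
        {"ts": "2012-09-10T02:00:05", "member": "M-0001", "type": "login_ok"},
        {"ts": "2012-09-11T09:00:00", "member": "M-0002", "type": "login_ok"},
        {"ts": "2012-09-11T09:01:00", "member": "M-0002", "type": "email_change",
         "new_email": "new@example.net"},
        {"ts": "2012-09-11T09:05:00", "member": "M-0002", "type": "redeem",
         "points": 74000, "delivery": "email"},
        {"ts": "2012-10-12T09:05:00", "member": "M-0002", "type": "redeem",
         "points": 74000, "delivery": "email"},
    ]


def run_sample():
    accounts = {"M-0001": Account("a@example.com"),
                "M-0002": Account("owner@example.com")}
    return process(sample_events(), accounts)


if __name__ == "__main__":
    for d in run_sample():
        print(d.ts.isoformat(), d.member, d.action, d.detail)
```

The redemption four minutes after the address change is held, while the same request 31 days later goes through; the first member is locked on the fifth failed log-in, so the guess that finally succeeds is rejected.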
johnslloyd
Oct 1, 12, 6:14 am
I am new to this thread and have not read all posts, but it seems to me that could it be a possibility that this is an 'inside' job by an employee of one or more ICHG hotels? When you check in to a HI or HIX the folio wallet shows the # of points available. A hotel clerk has access to your account # and the knowledge if your account is worth hacking.
blindman
Oct 1, 12, 6:39 am
Another reported theft from FaceBook
Karen Frohlich Johnson
My husband and I have been loyal PC members for years, staying around 200 nights a year. On 9/11 my account was hacked and somebody changed my email address and purchased Amazon gift cards with 148,000 points! I have talked to customer service twice and sent one email and have yet to hear anything on this. Do you know how long it has taken me to save up those points?! Today I can't even sign on to my account, it's like it doesn't exist. I'm getting concerned because I have a reservation tomorrow through the end of the week and don't know what I'm going to find out when I check in. (Last week's check-in I found out that almost 150,000 points were missing from my account.)
uk1
Oct 1, 12, 8:16 am
Well ..... I think we know where we stand.
It was August 2nd that this topic first got raised and then a long time later on 21st September we received a message from ICHG lurker Carolyn that I feel strongly was intended to stop FT'ers emailing senior people. I asked for more detail (http://www.flyertalk.com/forum/19359493-post152.html) - but if they were sincere in their respect for the issue or this forum - we would have heard something back even if it was just a holding message. Zilch.
As it happens I also made my very first complaint about a stay that I couldn't resolve with the property that I emailed in 10 days ago. An automated acknowledgement. Nothing more.
Very disappointing.
blindman
Oct 1, 12, 8:39 am
Well ..... I think we know where we stand.
but if they were sincere in their respect for the issue or this forum - we would have heard something back even if it was just a holding message. Zilch.
As it happens I also made my very first complaint about a stay that I couldn't resolve with the property that I emailed in 10 days ago. An automated acknowledgement. Nothing more.
Very disappointing.
I have emailed the CEO and contacted elliottc AT gmail.com who did respond immediately.
I'll post any updates.
blindman
Oct 1, 12, 9:28 am
2. Their gift card redemption is flawed-Items should not be allowed to be emailed to a recently changed account-if your email is changed then YOU should be told (via phone, old email address, SMS) if that's what you want AND no purchases should be sent there for (say) 30 days-It's simple and good business-IF you cared for your customers :mad:
This post (http://community.priorityclub.com/t5/Priority-Club-Rewards-Program/Why-are-there-no-more-eGift-cards-available/m-p/26851#M10115) on the very quiet PriorityClub connect is saying that the E-Certs have gone.
Anyone else confirm this?
I can only see UK gift cards.
blindman
Oct 2, 12, 9:15 am
Another reported theft from FaceBook
Karen (http://www.flyertalk.com/forum/19415571-post179.html) seems to be in luck
I am very happy to say that I have been given a new account and all my missing points have been returned. Thank you, Priority Club.
blindman
Oct 4, 12, 2:29 am
I have emailed the CEO and contacted elliottc AT gmail.com who did respond immediately.
I'll post any updates.
My email to CEO on 1st October began with
Dear sir
I apologise for writing to you directly but I feel I should bring to your attention the cover up and denial of user accounts fraud which could lead to potential serious reputational and business loss to ICHG.
and went on to briefly outline the problems finishing with
Can I ask you to put in place a thorough investigation into these incidents with all the seriousness they deserve and to address the IT security flaws in the ICHG web-site to prevent an escalation of the problem.
His answer today (4th October) was:
....thank you for bringing this to my attention. I will have it looked into immediately.
I'm not getting my hopes up just yet, but maybe something positive may come out of this.
I live in hope!
uk1
Oct 4, 12, 7:52 am
Unless you were substantially luckier than me in my contacts it will be a set of non-responses from the Executive team who heap platitudes but are short on genuine content.
My contacts so far have been substantially less than slightly acceptable.
clusters78
Oct 4, 12, 5:15 pm
Nope nothing changed.
The 74k pts for $200 Amazon card options are still there for scam artists to redeem.
This post (http://community.priorityclub.com/t5/Priority-Club-Rewards-Program/Why-are-there-no-more-eGift-cards-available/m-p/26851#M10115) on the very quiet PriorityClub connect is saying that the E-Certs have gone.
Anyone else confirm this?
I can only see UK gift cards.
blindman
Oct 5, 12, 4:12 am
Nope nothing changed.
You're not wrong ;)
ANOTHER case posted on FB
Zev Kaminetsky
Congrats, you just lost a customer that, for the past 5 years, has stayed in one of your properties over 150 nights per year. Someone called in to the Priority Club system, changed the email address on my account to theirs, and by phone, cashed in 100,000 of my points for an e-gift card to their email address. It opened my eyes. Someone can call in with just your membership number and name (easily obtained by an employee of the hotels, which is who I think it was) and book a reservation with the card on file by just telling them to use the card on file. No security at all. Luckily this guy didn't try that, or he could've gotten access to my company credit card.
The final straw was the people I have spoken to over the past 5 days at your organization. They 1st tried to tell me that the email address was never changed and was on file the whole time, then backtracked and admitted that it was changed the day the points were cashed in. Then they told me that I did it myself. Then they told me that the "Fraud" dept would call me in 48 hours, and it's been 4 days. You do the math. You lost a loyal customer (who at 1 time received a letter in the mail thanking him for being in their top 1% customers in the world) over a $200 e-gift card. Good customer service.
I have still yet to hear from the fraud dept, and I have now closed my account, and I will be taking my business elsewhere.
Ziptie
Oct 5, 12, 9:51 pm
IHG seems to be good at losing their best customers, I have also gone away from them and I am not sure if I will hit platinum this year and frankly don't care. For the last three years I stayed over 100 nights per year and this year I am up to a whopping 7. Over the years they have devalued the program and allowed anyone to become top members with as little as one stay. That was their choice and I made mine. Anytime there is an issue they try as hard as they can not to resolve it or give you verbal platitudes with zero action. Great program for people who don't stay in hotels but terrible program for people who do. wake up people, much better programs out there
htb
Oct 6, 12, 12:35 am
Great program for people who don't stay in hotels but terrible program for people who do. wake up people, much better programs out there
I'm listening. Which programs offer a similar spend/burn ratio with hotels that are similarly priced? I can justify paying around $100 per night, but not $200 in most locations...
HTB.
LarryMcAdoo
Oct 6, 12, 9:43 am
I'm listening. Which programs offer a similar spend/burn ratio with hotels that are similarly priced? I can justify paying around $100 per night, but not $200 in most locations...
HTB.
I have changed over to the Choice brand hotel. A lot more offerings, although a lot are pretty rough. I have already stayed upwards of 40 nights with this brand since I first reported my theft in the beginning of August.
It takes too long to accrue points on the Hilton program.
my 2 cents
DavisCalifJr
Oct 7, 12, 11:16 am
After reading this thread, I logged into PC to check my points balance as I normally do. I noticed there is a Feedback button on the bottom right corner of the main page. I clicked on it and filed a complaint specifying PC needs to protect our accounts better since a 4 digit code is insufficient along with notification if our email account is changed.
I highly suggest anyone reading this thread to do the same so they hear from all of us. It only takes a few seconds..
tdrag97
Oct 8, 12, 12:58 pm
Wouldn't this be a concern with other programs too that just use 4 digit passcode? I mean we would be talking about UA, Skymiles, HiltonH, etc..
LarryMcAdoo
Oct 12, 12, 8:13 am
Update...
I recieved a phone call yesterday from an executive to Richard Solomon the CEO. They called to inform me that my points have been restored and that numerous changes to their security system are being implemented.
I was quite amazed that I got the call, I have pretty much written the whole ordeal off.
He stated that due to the threads from this blog, (he actually named FlyerTalk specifically) numerous holes in their system were revealed and changes are being made. He told me that he could not go into details at this time but that numerous departments have been involved and actions are being taken.
My feelings on this are mixed. I'm glad that what was rightfully mine has been returned, but it got bloody along the way. A lot of time and energy was wasted on trying to get a response, but in the end what should have happened a lot sooner came to pass. I was not compensated for my troubles, but to be quite honest I am tired of this whole situation, so I will let it all pass.
I would like to personally thank all that have chimed in and helped wave this flag. Without the power of the masses, I believe that nothing would have been resolved.
The executive did state that he had other calls to make, so I hope others have had resolution as well.
Take care all and thanks!
blindman
Oct 12, 12, 8:21 am
Update...
I received a phone call yesterday from an executive to Richard Solomon the CEO. They called to inform me that my points have been restored and that numerous changes to their security system are being implemented.
I was quite amazed that I got the call,
Great news.
I sent you an email earlier today ;)
uk1
Oct 12, 12, 8:47 am
Update...
I received a phone call yesterday from an executive to Richard Solomon the CEO. They called to inform me that my points have been restored and that numerous changes to their security system are being implemented.
I was quite amazed that I got the call, I have pretty much written the whole ordeal off.
He stated that due to the threads from this blog, (he actually named FlyerTalk specifically) numerous holes in their system were revealed and changes are being made. He told me that he could not go into details at this time but that numerous departments have been involved and actions are being taken.
My feelings on this are mixed. Take care all and thanks!
Very good news that you have had the points reinstated and that you received a call. Shameful that the initial reaction which they continued to defend took so long to reverse. Presumably your apology carried with it a substantial points deposit by way of a genuine apology for calling you a fraudster and wasting so much of your time.
I share your mixed feelings.
If ICHG senior execs have genuinely learned something from this forum and thread that was probably to their considerable advantage then what is it exactly that prevents them from making the very minor leap of concluding that a somewhat better quality of long-term participation in the forum with an energetic, senior, cross-departmental influential lurker could prove somewhat more useful to them. Engaging with your best customers - who often seem grimly determined to be loyal despite their best efforts to dissuade you - has been something astute corporations are normally desperate to find ways of doing. This platform would almost be free to them. They should look at BA and some of the other forums who benefit from engagement.
Anyway ..... the jury is still out it seems.
So many things remain problematic for ICHG that have been issues for so long ....... how many other organisations replicate (for example) ICHG's complete inability to send out Ambassador membership packs promptly or at all? And this is as a result of people paying to join ...... Every year it is a palaver.
Why does CS often ignore emails completely or have as a standard service offering a 10 day delay to email replies and then not read complaints but send out cut and paste replies to topics that are nothing to do with your complaint or comment? Why when you conclude an issue do they promise to deposit points in your account for a misdemeanour on their part does it take weeks and not just overnight?
I am not saying they do everything wrong but ICHG seem to get too many really simple and inexpensively curable things wrong.
antichef
Oct 12, 12, 10:05 am
Something has been done, thank goodness!
I have just signed out from another IHG hotel today, having been given a card at checkin showing my points balance etc. Still a bit miffed that this still continues, but I then tried to log in to my account today with a few wrong numbers to see if there was any progress.
After three wrong attempts it takes you to a new screen that requires a pin and a CAPTCHA (http://en.wikipedia.org/wiki/CAPTCHA) human entry. If you close and try to access the account at all the CAPTCHA screen reappears.
That pleases me, and about time too ^
blindman
Oct 12, 12, 2:09 pm
Update
My wife got a phone call today-16:50 UK time.
She thinks it was from Richard Solomons from the executive Office.
He was apologetic about the fraud and loss of her points.
She gave him a hard time ^ about ICHG denying it was their fault and blaming her and the non responses from IHG"CARE"
She asked if steps had been taken to improve security-He said there had been changes that wouldn't be visible :confused: but there had been steps to improve things.
At the end of the conversation he must have been glad to hang up ;)
Conclusion
I judge a business not only by the service it provides when things go well but what responses one gets when it all goes a little awry.
ICHG have fallen well short of the mark for responding well to a situation they created through inadequate security:td:
It has taken weeks of badgering on here by all concerned ^ Plus posts on Facebook and eventually a personal email to Richard to get this resolved.
The total lack of care for allegedly "premium" customers is shocking.
I put ICHG customer service alongside RyanAir :rolleyes: Fine when all goes well, Disaster when it doesn't
Hopefully Braintatstic got his\her points back as did Zach from FB.
BTW
I noticed the "Captcha" page a couple of days ago when I purposely tried the wrong password 4 times.
I wonder if I change my email if I get a notification. :rolleyes:
antichef
Oct 12, 12, 2:54 pm
To be fair, blindman, if it was the CEO ringing up personally to apologise then I would be prepared to cut him some slack. When an organisation fouls things up it needs to get things sorted out, and this is the right level for this type of foul up.
It seems that they have acknowledged a problem, and plugged the holes. If the CEO is making personal calls to apologise to those affected, and basically these are loyal customers who were called liars by IHG in the initial stages, then it is a call where he expects to take some stick. It also says a lot that he is making the calls himself, and not giving the job to a lower functionary.
It is a strong acknowledgement that they accept you have been wronged by their actions. I am not sure what else he could have done that would satisfy me better than a personal apology in these circumstances.
htb
Oct 12, 12, 10:43 pm
To be fair, blindman, if it was the CEO ringing up personally to apologise then I would be prepared to cut him some slack.
Not really. If you "give him some slack" he will conclude that the problem wasn't so bad after all. It should be made absolutely clear to him that being insulted and accused by call center workers is unacceptable. Of course without getting personal.
HTB.
21H21J
Oct 30, 12, 5:27 am
Also seen the reCAPTCHA verification today. It's a start and hopefully will prevent automated scripts from gaining entry, but I'd still like to see 3 attempts then account locked. Also, email confirmation required for email address change.
htb
Oct 30, 12, 5:49 am
...but I'd still like to see 3 attempts then account locked. Also, email confirmation required for email address change.
That would facilitate denial of service attacks.
HTB.
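An added sketch, not IHG's code and not written by any poster, of the behaviour described above (a CAPTCHA screen after three wrong PINs that reappears when you come back) set against the "3 attempts then account locked" idea and the denial-of-service objection to it. The class, function and account names and the PIN are assumptions made up for the illustration.

```python
import hmac
from dataclasses import dataclass, field

CAPTCHA_AFTER = 3  # wrong PINs before the CAPTCHA screen, as reported in the thread


@dataclass
class LoginGuard:
    """Per-account CAPTCHA step-up with no hard lockout (hypothetical design)."""
    pins: dict                                    # account -> PIN; constructed demo data,
                                                  # a real system stores a salted hash
    failures: dict = field(default_factory=dict)  # account -> consecutive wrong PINs

    def captcha_required(self, account):
        # Keyed on the account, not the browser session, so closing the page
        # and coming back still shows the CAPTCHA screen.
        return self.failures.get(account, 0) >= CAPTCHA_AFTER

    def attempt(self, account, pin, captcha_ok=False):
        if self.captcha_required(account) and not captcha_ok:
            return "captcha_required"             # the PIN is not evaluated at all
        expected = self.pins.get(account, "")
        if expected and hmac.compare_digest(expected.encode(), pin.encode()):
            self.failures[account] = 0            # success clears the step-up
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "denied"


def pins_evaluated_for_script(guard, account):
    """Count how many of the 10,000 PINs a client that never solves the
    CAPTCHA actually gets checked against the account."""
    evaluated = 0
    for n in range(10_000):
        if guard.attempt(account, f"{n:04d}") != "captcha_required":
            evaluated += 1
    return evaluated


def demo():
    guard = LoginGuard(pins={"member-1": "7315"})  # constructed account and PIN
    checked = pins_evaluated_for_script(guard, "member-1")
    # The owner is challenged but not locked out, unlike "3 attempts then locked".
    owner = guard.attempt("member-1", "7315", captcha_ok=True)
    return checked, owner, guard.captcha_required("member-1")


if __name__ == "__main__":
    print(demo())
```

The step-up only raises the cost of each guess; a 4 digit PIN still has just 10,000 values, which is why posters in this thread also ask for longer passwords and a notice to the old address when the e-mail is changed.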
holtju2
Nov 3, 12, 9:32 pm
IHG has now initiated a CAPTCHA if you input an incorrect pin. At least this will help, in that you cannot use straight computer power to go through all the possible combinations.
Kangaroo12
Nov 10, 12, 12:49 pm
This might be a little off topic but wanted to share.
Can't log in to my account this morning. I usually email the support but stumbled upon this thread. I got so nervous. I thought my account was hacked.
Their Customer Agent told me that they have identified that I had two PC accounts so they consolidated it. But the new number was the one that was retained.
I checked the invoice from my last stay after the call. I noticed that the hotel created a new account for me. I don't know what happened, but maybe I said yes to a question I did not fully understand. The hotel is in France and I remember not really paying much attention when I talked to the front desk.
I just hope that I was informed via email that they have consolidated the accounts.
Thanks to this thread. ICHG realized their system flaws. I think they improved their system security because they were able to catch my second account. I hope everyone who lost their points will be able to sort things out.
nicolas75
Nov 11, 12, 4:30 pm
I checked the invoice from my last stay after the call. I noticed that the hotel created a new account for me. I don't know what happened.
It happened to me once in Spain, where the agent at reception created - without asking (and obviously to get a bonus) - a new account for me (the reason why my stay did not appear on my PC account).
I wrote an email to the hotel GM, with a copy to the Ambassador line, to cancel the non requested account, and got my points on my actual account.
But the next 3 stays at this hotel were not posted on my correct account, despite making the reservation online with my actual PC number, and presenting my PC card at check-in.
scubaccr
Feb 19, 13, 6:47 am
Looks like PCR is not the only company to suffer where points earned can end up as untraceable cash vouchers. See today's UK news.
Tesco Stores has just hit UK papers, difference is points can only be swapped for vouchers, although as well as using instore for food, you can use for other worthwhile things eg Alton Towers Entry Vouchers, Magazine subscriptions.
Unlike PCR, I think Tesco Customer Services are reacting far far better than IHG/PCR to customer complaints, and as well as quickly refunding affected customer points, Tesco have also referred points theft matter to the police.
darben
Mar 9, 13, 3:47 pm
See my post
http://www.flyertalk.com/forum/intercontinental-hotels-priority-club-inter-continental-ambassador/1446398-i-am-someone-elses-account.html
If anyone wants me to help them with PC let me know.