Have you had your IHG Reward Points Hacked?

Old Jun 2, 2016, 4:39 pm
  #1  
Original Poster
 
Join Date: Jun 2016
Programs: IHG
Posts: 21
Have you had your IHG Reward Points Hacked?

My IHG Rewards Club account was hacked twice, in April of this year. The two hacks were a week apart. The stolen points were used to purchase eVouchers from the online shopping catalogue. I reported the hack/theft to IHG as soon as I became aware of the fact. However I was informed that IHG would not refund the stolen points as the transactions were 'legitimate'; in other words the hacker used my email address and home address to order the eVouchers.

I checked on the purchase details and found that the only difference was that the hacker used a different phone number than mine (and the one I have listed with IHG). But so far the points have not been refunded. What I find very confusing, and perhaps more knowledgeable members can help with, is how were the hackers able to receive the eVouchers using my email address? The vouchers certainly never came to me, but presumably they were received by the hacker. How?

I suspect that such hacks are frequent given the very poor authentication process employed by IHG. Apparently any password system depending wholly on numbers (membership and pin numbers) can be hacked by a script using brute force to apply thousands of combinations. Once the 9-digit membership number is cracked, the 4-digit pin falls easily.

I would like two things to happen: 1) for IHG to add a password verification tier to membership accounts; and 2) notify members by email of any account activity. I have since joined Award Wallet to try and rectify the second issue.

I do hope I get back the missing points, but am not optimistic based on several phone calls to both IHG and the online store (Maritz).

Has any other IHG member been hacked recently?

Last edited by Cervantes; Jun 2, 2016 at 4:44 pm Reason: proofing
Cervantes is offline  
Old Jun 3, 2016, 10:06 am
  #2  
 
Join Date: Nov 2013
Location: HEL
Programs: AY, SK, TK
Posts: 7,590
Knock knock... haven't been hacked but I am a bit nervous about IHG lousy password security level. 4 digits... Not that I like very complicated requirements, I hate them, but making it 6 digits would help a bit.

Keeping points account fairly low anyway, so no big issue. Bigger issue are devaluations so better burn em than hoard em
FFlash is offline  
Old Jun 5, 2016, 3:35 pm
  #3  
 
Join Date: Jun 2016
Location: Phoenix, AZ
Programs: WN CP & A-List Preferred AA Platinum Delta Gold HHonors Diamond
Posts: 1
Cervantes, I would suspect that whoever has your IHG credentials also has access to your email account. You should change your email password immediately.

I actually just went through this with my wife last night regarding another rewards program. Her email address / password were stolen from a Linkedin breach, and someone in Russia was sending spam messages from her account. (The outgoing spam messages were in her Sent items.) They were also using that account access to reset her password on other sites where she is registered. I'm still trying to assess the damage.

If you're curious, you can look at https://haveibeenpwned.com to see if you're registered at a site that has been compromised.
RR42 is offline  
Old Jun 6, 2016, 6:20 pm
  #4  
Original Poster
 
Join Date: Jun 2016
Programs: IHG
Posts: 21
RR42
Thanks for the heads up. I checked via the site you posted, and do not appear to have been compromised.


However, I've changed my email account password (and my IHG pin) as a precaution.


I just got off the phone and a long conversation with IHG re the fraudulent transactions on my account. They are still maintaining that the transactions are 'legitimate' as the hacker used my email address. I don't know how to convince them otherwise--partly because I cannot myself figure out how the hacker obtained the purchased eVouchers by using my email address. I am thinking of going onto a hacker website to ask for advice on how this could have been done.
Cervantes is offline  
Old Jun 9, 2016, 4:05 am
  #5  
 
Join Date: Apr 2004
Programs: BA Exec Blue, IHG Spire, HHonor Gold, Accor Platinum.
Posts: 966
Originally Posted by Cervantes
RR42
Thanks for the heads up. I checked via the site you posted, and do not appear to have been compromised.


However, I've changed my email account password (and my IHG pin) as a precaution.


I just got off the phone and a long conversation with IHG re the fraudulent transactions on my account. They are still maintaining that the transactions are 'legitimate' as the hacker used my email address. I don't know how to convince them otherwise--partly because I cannot myself figure out how the hacker obtained the purchased eVouchers by using my email address. I am thinking of going onto a hacker website to ask for advice on how this could have been done.
Read post#6 and #14 in this thread


Raise the issue publicly on Facebook.

Last edited by blindman; Jun 9, 2016 at 4:12 am
blindman is offline  
Old Jun 10, 2016, 6:32 am
  #6  
 
Join Date: May 2010
Posts: 903
I'm afraid I have a bit of a criminal mind! If I were to do something like this I would set up an email account one letter off from yours and then call up the vendor and say that I made a typo in the online order and can they please send the vouchers to the correct (bogus) email account. Or perhaps change the email address first, then after the vouchers were sent change it back and hope IHG doesn't see it. Some characters look the same also depending on the typeface, i.e. I and l, or 0 and O, so IHG may not even notice on their screens.

Last edited by tom_MN; Jun 10, 2016 at 6:40 am
tom_MN is offline  
Old Jun 13, 2016, 4:32 pm
  #7  
Original Poster
 
Join Date: Jun 2016
Programs: IHG
Posts: 21
Thanks to both Blindman and Tom for the replies.
I suspect that something of what Tom describes may have taken place--although it seems an awful lot of work for $200 worth of evouchers. But then again perhaps the hackers have nothing better to do than mine online accounts for whatever they can get. I've contacted IHG and requested that they add a password to their sign-in protocol to add another layer of protection for all members. Meanwhile I'm still pursuing IHG in an effort to get the points restored. I will let members know what happens. Finally, I'm a little surprised that no one else has reported similar hacks as I'm fairly certain that this is not an isolated occurrence, particularly given the weak security.
Cervantes is offline  
Old Jun 13, 2016, 8:01 pm
  #8  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Originally Posted by Cervantes
Thanks to both Blindman and Tom for the replies.
I suspect that something of what Tom describes may have taken place--although it seems an awful lot of work for $200 worth of evouchers. But then again perhaps the hackers have nothing better to do than mine online accounts for whatever they can get. I've contacted IHG and requested that they add a password to their sign-in protocol to add another layer of protection for all members. Meanwhile I'm still pursuing IHG in an effort to get the points restored. I will let members know what happens. Finally, I'm a little surprised that no one else has reported similar hacks as I'm fairly certain that this is not an isolated occurrence, particularly given the weak security.
Why look for something harder, the easy obvious route is usually true. Email address was not changed as they had that access too.

So, the culprit 'hacked' had access to your email and simply ordered the voucher whilst simultaneously signed into your email, then obtained incoming voucher email details and deleted voucher email from inbox and trash folders before you saw it or looked for it after becoming aware.
scubaccr is offline  
Old Jun 14, 2016, 4:00 am
  #9  
Original Poster
 
Join Date: Jun 2016
Programs: IHG
Posts: 21
Well, that's a scary thought. But if what you suggest is feasible, wouldn't that mean that the hacker had to monitor my in-box continuously in order to spot the incoming voucher? That's an even more troubling scenario.


But even if the above was the case, why then would the hacker give a different phone number (to my own) on the voucher order? If everything was done via an email hack wouldn't a traceable phone number give the game away?


Nevertheless, I've now changed my email log-in as an added precaution.
Cervantes is offline  
Old Jun 14, 2016, 9:53 am
  #10  
 
Join Date: Jul 2012
Posts: 266
I had my Lowe's online account hacked not too long ago. The criminal changed one letter in my email address so that I didn't receive any knowledge about the order. Obviously, in my situation they also changed the delivery address so that the item could be delivered near them.
dontippet is offline  
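
Editor's added example, not part of any post in this thread: posts #6 and #10 both describe an order placed after the account's email was changed to an address one character off from the real one. The Python sketch below shows a check a loyalty programme could run on its own account history to hold such redemptions for review; the event fields, the 24-hour window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Glyphs that look alike in many typefaces (I/l and 0/O from the thread, plus 1).
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

def skeleton(addr):
    """Fold confusable glyphs to one form, then lowercase."""
    return addr.translate(CONFUSABLE).lower()

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:] or a[i + 1:] == b[i + 1:]

def is_lookalike(old, new):
    """A changed address that a person could mistake for the old one."""
    if old.lower() == new.lower():
        return False  # case-only change delivers to the same mailbox name
    return skeleton(old) == skeleton(new) or within_one_edit(old.lower(), new.lower())

def flag_redemptions(events, window=timedelta(hours=24)):
    """Return order ids redeemed within `window` after a look-alike email change."""
    flagged, last_swap = [], None
    for ev in sorted(events, key=lambda e: e["at"]):
        if ev["kind"] == "email_change" and is_lookalike(ev["old"], ev["new"]):
            last_swap = ev["at"]
        elif ev["kind"] == "redemption" and last_swap and ev["at"] - last_swap <= window:
            flagged.append(ev["order"])
    return flagged

# Constructed sample account history (hypothetical field names, not real data).
EVENTS = [
    {"at": datetime(2016, 4, 10, 9, 0), "kind": "email_change",
     "old": "jsmith@example.com", "new": "jsmlth@example.com"},
    {"at": datetime(2016, 4, 10, 9, 20), "kind": "redemption", "order": "A1"},
    {"at": datetime(2016, 4, 10, 10, 0), "kind": "email_change",
     "old": "jsmlth@example.com", "new": "jsmith@example.com"},
    {"at": datetime(2016, 4, 15, 12, 0), "kind": "email_change",
     "old": "jsmith@example.com", "new": "john.smith@example.org"},
    {"at": datetime(2016, 4, 15, 12, 30), "kind": "redemption", "order": "B2"},
]

if __name__ == "__main__":
    print(flag_redemptions(EVENTS))
```

The same check only helps if the notice of an email change is also sent to the old address, since a notice sent only to the new one never reaches the member.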
Old Jun 14, 2016, 6:16 pm
  #11  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Originally Posted by Cervantes
Well, that's a scary thought. But if what you suggest is feasible, wouldn't that mean that the hacker had to monitor my in-box continuously in order to spot the incoming voucher? That's an even more troubling scenario.


But even if the above was the case, why then would the hacker give a different phone number (to my own) on the voucher order? If everything was done via an email hack wouldn't a traceable phone number give the game away?


Nevertheless, I've now changed my email log-in as an added precaution.
PAYG sim cards are cheap, can not be connected to individuals, untraceable, and could even be dummy invalid number on the purchase form as long as not your real telno.
scubaccr is offline  
Old Jun 14, 2016, 6:28 pm
  #12  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Originally Posted by Cervantes
Well, that's a scary thought. But if what you suggest is feasible, wouldn't that mean that the hacker had to monitor my in-box continuously in order to spot the incoming voucher? That's an even more troubling scenario.


But even if the above was the case, why then would the hacker give a different phone number (to my own) on the voucher order? If everything was done via an email hack wouldn't a traceable phone number give the game away?


Nevertheless, I've now changed my email log-in as an added precaution.
It is worse than that once a hacker gets your email id access. All accounts associated with that same email address should be reset by you.

These days any account (Hotel, airline, facebook etc etc) under same email can be reset by asking for password or a reset link to be sent to yourself, ie your email.

Those sites where email from site gives 'forgotten' password direct in email, not as a password change link should be changed to be safe. If such password is used on other accounts (or you use same email acct password) I'd change those too asap.

For sites that send a password change link, where password is unique, that you can still logon with expected password, you are safe as 'hackers' won't have been able to know and set password back to correct password after getting access.
scubaccr is offline  
Old Jun 15, 2016, 4:11 am
  #13  
 
Join Date: Mar 2009
Programs: AGR,CO,PC,AA
Posts: 411
Yesterday I had someone hack my account. They made reservations with my points. I called and reset everything. I wake up this morning and they did it again. The 4 digit PIN is worthless. I suspect they will be doing it again until the fraud department calls me and gives me a new number.
Upstate is offline  
Old Jun 15, 2016, 4:42 am
  #14  
Original Poster
 
Join Date: Jun 2016
Programs: IHG
Posts: 21
So many people have pointed out the inadequacies of the log-in process. I wonder why IHG don't take the hint and harden the system.


Scubaccr. Thanks for the good advice.
Cervantes is offline  
Old Jun 15, 2016, 8:39 am
  #15  
 
Join Date: Apr 2008
Location: bay area, ca
Programs: AS 100K, AA Gold, IC Diamond AMB, HH Diamond
Posts: 1,839
Originally Posted by Upstate
Yesterday I had someone hack my account. They made reservations with my points. I called and reset everything. I wake up this morning and they did it again. The 4 digit PIN is worthless. I suspect they will be doing it again until the fraud department calls me and gives me a new number.
I just noticed the same thing on my account - exactly. I did a chat with them to instigate a fraud investigation. I changed my PIN, but I'm not hopeful this will help.
TheBeerHunter is offline  
