
Southwest security warning: RR account recently hacked!

Mar 30, 2015, 8:57 pm
  #1  
Original Poster
 
Join Date: Mar 2011
Location: AUS
Programs: Mileage Hoarding Anonymous
Posts: 90

Someone managed to take over my Rapid Rewards account and booked a flight + made a More Rewards redemption without my knowledge.

They didn't change my RR account password but did manage to change the email address and phone number on the account, which prevented me from getting email confirmations for the flights, redemption, etc. For what it's worth there's 0 chance my Gmail has been hacked due to password length, 2FA, and use of VPNs.

The most shocking piece of this saga is that Southwest does not have a security protocol in place that notifies the previous email address on an account when it's changed, and that is frankly a huge security hole. Another security hole is that upon logging into a SW account you can easily see someone's answers to their security questions (like passwords, they should only be changeable; never shown) and use the credit card(s) on file without typing in the 3-digit code.

I'm working with SW to get my points restored, but it sounds like they will probably not go after the perpetrator. Why, I have no idea... seems like a VERY easy case to prosecute given there was going to be a person showing up at a specific time to take a flight.

Anyway, I don't know if they discovered my password or ran a social hack by calling Southwest, but I wanted to put this datapoint out there as a warning!
jcazes is offline  
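The three controls the post above says were missing, sketched as an added example (not part of the thread and not Southwest's code): alert the old address when the email changes, hold redemptions after a contact change, and never display security answers. The `Account` record, the 72-hour hold and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

HOLD = timedelta(hours=72)  # assumed cooling-off window after a contact change


@dataclass
class Account:  # hypothetical account record
    email: str
    phone: str
    contact_changed_at: Optional[datetime] = None
    outbox: list = field(default_factory=list)  # (recipient, text); stands in for a mail service


def mask(addr: str) -> str:
    """Show only the first character of the local part."""
    local, _, domain = addr.partition("@")
    return local[:1] + "***@" + domain


def change_email(acct: Account, new_email: str, now: datetime) -> None:
    """Replace the address, alerting the OLD one so the owner learns of the change."""
    acct.outbox.append((acct.email, f"Account email changed to {mask(new_email)}. Not you? Call us."))
    acct.outbox.append((new_email, "This address was added to an account."))
    acct.email = new_email
    acct.contact_changed_at = now


def authorize_redemption(acct: Account, now: datetime, step_up_ok: bool, cvv_ok: bool) -> str:
    """Spending points or a stored card: card code required (pass cvv_ok=True when
    no card is involved), and identity re-verification required inside HOLD."""
    if not cvv_ok:
        return "deny: card security code required"
    recent = acct.contact_changed_at is not None and now - acct.contact_changed_at < HOLD
    if recent and not step_up_ok:
        return "deny: contact details changed recently, re-verify identity"
    return "allow"


def security_question_view(answers: dict) -> dict:
    """Answers are write-only: the page reports which are set, never their text."""
    return {question: ("set" if answer else "not set") for question, answer in answers.items()}
```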
Mar 30, 2015, 10:02 pm
  #2  
 
Join Date: Aug 2012
Location: LAS
Posts: 1,525
Thank you for the information. Please let us know if and when Southwest makes it good.
NextTrip is offline  
Mar 30, 2015, 10:13 pm
  #3  
 
Join Date: Mar 2011
Posts: 6,286
If Southwest makes good. There have been reports of Southwest claiming no responsibility in these cases previously. To the OP: Good luck.
ursine1 is offline  
Mar 31, 2015, 5:52 am
  #4  
 
Join Date: Jul 2013
Posts: 5,813
Do you know how your RR account was hacked? Did they scam Southwest on the phone or guess the password?
rsteinmetz70112 is offline  
Mar 31, 2015, 7:59 am
  #5  
 
Join Date: Apr 2008
Posts: 429
They did not even cancel the flights that this perpetrator booked?
pirossalma is offline  
Mar 31, 2015, 8:19 am
  #6  
FlyerTalk Evangelist
 
Join Date: Sep 2002
Location: Chicagoland, IL, USA
Programs: WN CP, Hilton Diamond
Posts: 14,192
Originally Posted by pirossalma
They did not even cancel the flights that this perpetrator booked?
If it's a RT, they should let the perp complete half of it before confronting.
toomanybooks is offline  
Mar 31, 2015, 8:35 am
  #7  
Original Poster
 
Join Date: Mar 2011
Location: AUS
Programs: Mileage Hoarding Anonymous
Posts: 90
Originally Posted by ursine1
If Southwest makes good. There have been reports of Southwest claiming no responsibility in these cases previously. To the OP: Good luck.
They refunded the miles used to book a flight. I'll have to wait 7-10 biz days for an investigation to complete for the "More Rewards" piece.

Originally Posted by rsteinmetz70112
Do you know how your RR account was hacked? Did they scam Southwest on the phone or guess the password?
No idea. Couldn't get any information from Southwest on how or when the change occurred.

Originally Posted by pirossalma
They did not even cancel the flights that this perpetrator booked?
When she asked whether or not I wanted to cancel the flights to get a refund I told them I of course want my points, but would be willing to wait if it means catching the crook. Southwest's stance is that they don't prosecute these people, so they went ahead and cancelled the flights.
jcazes is offline  
Mar 31, 2015, 9:03 am
  #8  
 
Join Date: Mar 2011
Programs: Southwest A-List Preferred and CP, Marriott Platinum, National Executive Elite
Posts: 158
Originally Posted by jcazes
When she asked whether or not I wanted to cancel the flights to get a refund I told them I of course want my points, but would be willing to wait if it means catching the crook. Southwest's stance is that they don't prosecute these people, so they went ahead and cancelled the flights.
Were you able to identify the person who did this? I would assume you could see the PNR for the reservation when you logged into your account, and maybe the person's name. If Southwest does not want to pursue it you could attempt to do so on your own.

Just because Southwest made you whole does not mean that this person did not wrong you. My guess is that you are not the only one this crook has done this to, and that local law enforcement may be interested in identifying information (and possibly information about where he/she will be at a certain time) even if Southwest is not.

Edit: Now that I think about it, given the high security surrounding air travel at a federal level, there may be a federal law enforcement agency interested in this information. I am not up to speed on all federal air travel regulations, but it would not surprise me if this sort of activity were considered a federal crime.
mek17 is offline  
Mar 31, 2015, 9:33 am
  #9  
 
Join Date: Jul 2013
Posts: 5,813
Originally Posted by mek17
Edit: Now that I think about it, given the high security surrounding air travel at a federal level, there may be a federal law enforcement agency interested in this information. I am not up to speed on all federal air travel regulations, but it would not surprise me if this sort of activity were considered a federal crime.
While Airlines like to talk about "Ticket Fraud" there isn't any compelling reason for the feds to want to pursue small time criminals over a few dollars, unless the person is flying on a false ID. I doubt they'd be interested.

Looking at the various statutes many things the airlines would take issue with are probably not a violation of federal law, including flying on someone else's ticket, unless you identified yourself as that person to TSA. Stealing someone's frequent flyer miles is far below that.
rsteinmetz70112 is offline  
Mar 31, 2015, 9:41 am
  #10  
 
Join Date: Jul 2013
Posts: 5,813
Originally Posted by mek17
Were you able to identify the person who did this? I would assume you could see the PNR for the reservation when you logged into your account, and maybe the person's name. If Southwest does not want to pursue it you could attempt to do so on your own.
Does Southwest show tickets purchased for someone else with your points in your RR account? Can you cancel those tickets yourself? I never checked.

I do know that under Airtran's old system they did show up in your A+ Rewards Account and you could access the reservation. On Southwest.com in your redemption history you can see the PNR redemption but no other information, so if you don't have a name you're outa luck.
rsteinmetz70112 is offline  
Mar 31, 2015, 10:02 am
  #11  
Original Poster
 
Join Date: Mar 2011
Location: AUS
Programs: Mileage Hoarding Anonymous
Posts: 90
Originally Posted by rsteinmetz70112
Does Southwest show tickets purchased for someone else with your points in your RR account? Can you cancel those tickets yourself? I never checked.

I do know that under Airtran's old system they did show up in your A+ Rewards Account and you could access the reservation. On Southwest.com in your redemption history you can see the PNR redemption but no other information, so if you don't have a name you're outa luck.
Nope -- in my details I can see a confirmation # but no passenger information. Could not get Southwest to give me that information over the phone, either.

Originally Posted by mek17
Were you able to identify the person who did this? I would assume you could see the PNR for the reservation when you logged into your account, and maybe the person's name. If Southwest does not want to pursue it you could attempt to do so on your own.

Just because Southwest made you whole does not mean that this person did not wrong you. My guess is that you are not the only one this crook has done this to, and that local law enforcement may be interested in identifying information (and possibly information about where he/she will be at a certain time) even if Southwest is not.

Edit: Now that I think about it, given the high security surrounding air travel at a federal level, there may be a federal law enforcement agency interested in this information. I am not up to speed on all federal air travel regulations, but it would not surprise me if this sort of activity were considered a federal crime.
In digging through my email I DID find a cryptic email for a confirmation for the "More rewards" award, which shows that they booked (and already redeemed) a car rental with my points. I say cryptic because the original email was clipped and didn't contain any information until I expanded it (so I originally ignored it). There's a name and address tied to this, so I have a lead!

I emailed this to my local FBI office, though like others are speculating I doubt this will lead to anything. We'll see!
jcazes is offline  
Mar 31, 2015, 1:33 pm
  #12  
 
Join Date: Dec 2000
Location: Dallas, TX, AA 3MM EXP, WN
Posts: 1,808
Is it just me or is this thread title misleading? Assumes wrong on part of WN. We don't know this. It could be OP using same password on other accounts, phishing etc. Thread suggests someone hacked into this one account. If it was a hack wouldn't there be multiple instances? How was the OP lucky enough to be the only one? Not saying OP has issues, but the title is very misleading.
MrMan is offline  
Mar 31, 2015, 1:33 pm
  #13  
 
Join Date: Apr 2013
Location: Lehigh Valley, Pennsylvania
Programs: Milege+, SkyMiles, AAdvantage, HHonors Diamond, Marriott Gold
Posts: 1,685
Just checked to see my account wasn't hacked. I find it extraordinary that a major airline would not prosecute someone stealing from both them and their customers. I don't care what their reason is.... It's inexcusable.
eajusa is offline  
Mar 31, 2015, 1:47 pm
  #14  
Original Poster
 
Join Date: Mar 2011
Location: AUS
Programs: Mileage Hoarding Anonymous
Posts: 90
Originally Posted by MrMan
Is it just me or is this thread title misleading? Assumes wrong on part of WN. We don't know this. It could be OP using same password on other accounts, phishing etc. Thread suggests someone hacked into this one account. If it was a hack wouldn't there be multiple instances? How was the OP lucky enough to be the only one? Not saying OP has issues, but the title is very misleading.
It's clear you didn't read the thread or understand what a hack is because I already answered all of your questions. Hacking does not necessarily mean a breach of servers. It can be account specific, and it can be a physical hack or a social hack (i.e. perpetrator stealing my password somehow or calling Southwest and pretending to be me).

The problem is Southwest has several security issues I outlined above that led to this, and is the reason I created this thread.
jcazes is offline  
Mar 31, 2015, 2:39 pm
  #15  
 
Join Date: Feb 2004
Location: USA
Programs: AC SE100K, F9 100k, NK Gold, UA *S, Hyatt Glob, Bonvoy Titanium
Posts: 5,195
I am curious if you are A List Preferred, if you used the free wifi, and if you changed your password in the last few months.

As I understand it, the A List Preferred authentication page had two issues, one was that it sent passwords in plain text (visible to any network sniffer that happened to be running on the same flight), and second it allowed an unlimited # of attempts without locking out the account.
expert7700 is offline  
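The missing attempt limit mentioned in the post above, as an added example (not part of the thread and not any airline's code): a per-account gate that locks after repeated failures. The policy of 5 failures in 15 minutes, the `LoginGate` class and the credential store layout are assumptions; the plain-text transport issue is a separate fix (TLS on the login page) and is not modelled here.

```python
import hashlib
import hmac
from collections import defaultdict, deque

MAX_FAILURES, WINDOW, LOCKOUT = 5, 900, 900  # assumed policy, times in seconds


def make_verifier(store):
    """store maps account -> (salt, PBKDF2 digest); constructed layout for this example."""
    def verify(account, password):
        salt, digest = store.get(account, (b"\0" * 16, b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison
    return verify


class LoginGate:
    def __init__(self, verifier):
        self.verifier = verifier
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def attempt(self, account, password, now):
        # The lock is checked before the password, so a correct guess made
        # while locked is indistinguishable from a wrong one.
        if now < self.locked_until.get(account, 0):
            return "locked"
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                # forget failures older than the window
        if self.verifier(account, password):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT
            recent.clear()
        return "fail"
```

A hard lock lets anyone lock a known account number out on purpose, so deployments often pair it with per-source rate limits or a challenge step.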