Last edit by: WineCountryUA
This thread is to follow reports of MP accounts that actually have been hacked / improperly accessed. If you have missing miles and believe you have been hacked, contact [email protected]
In Suspended MP Accounts / Third Party Vendor "Security Breach?" - Dec 2014 there is discussion of a security breach of a 3rd party that UA seems to believe may lead to inappropriate access to UA accounts via the username method of logging into united.com. Let's follow the breach and log-in changes in the above thread.
A separate(?) "access denied" issue is covered in Consolidated " Is united.com or parts of it Down?" thread
UA Account Hacked / Reports of Fraudulent Award Travel Redemption
#1
Original Poster
Join Date: Nov 2011
Location: YUL
Programs: UA 1K, MR Bonvoy Bonzaiiiii, National EE
Posts: 622
UA Account Hacked / Reports of Fraudulent Award Travel Redemption
Hey all. Just had a post-Xmas surprise in that someone hacked my account and did the following:
- Purchased 3x revenue tickets, for 3 separate people, using my corporate card saved in my account for a total of ~$5k.
- Used GPUs/RPUs to upgrade said tickets.
- Used half my miles in my account for an award flight and charged the taxes and fees to my CC.
- Booked a hotel with the other half of my miles, taking me down to just a few thousand total.
I got through to a fraud rep in Manila and she started the process of refunding everything. So far I have only gotten a refund on the CC for one of the flights and the miles for the award flight.
What really bothers me about this is that all it takes for someone to go into your account and do this is your MP# and your 4 digit PIN. The rep indicated there's no way at the moment to have the login more secure, but she hinted they are working on something this year that will allow it to be password-protected instead of just the PIN.
Either way, it's really shoddy that someone can access your account, create new travelers, drain all your miles, and charge up thousands on your CC with just a 4 digit PIN and no login captcha or the like to prevent brute force attacks. Sites like Amazon do this properly in that if you go to add a new shipping address, you have to confirm the full 16-digit CC # before you can charge a stored CC and ship it to that address.
Anyone else have this happen to them or know of any way to make their accounts more secure to prevent this?
#2
Join Date: Feb 2007
Programs: United 1K, Delta PM, Hilton Diamond, Starwood Gold, National Exec. Elite
Posts: 1,406
I don't use a 4 digit pin, I use a password, for my MP account.
Go to united, login, go to My Mileageplus, scroll down. The Profile section at the bottom has a place to "set password".
I also only have 1 credit card attached to my account; it's a $0 gift card, and I type in my credit card number when I purchase.
#3
Original Poster
Join Date: Nov 2011
Location: YUL
Programs: UA 1K, MR Bonvoy Bonzaiiiii, National EE
Posts: 622
I don't use a 4 digit pin, I use a password, for my MP account.
Go to united, login, go to My Mileageplus, scroll down. The Profile section at the bottom has a place to "set password".
I also only have 1 credit card attached to my account; it's a $0 gift card, and I type in my credit card number when I purchase.
#5
Join Date: Dec 2013
Location: San Francisco Bay Area
Programs: United - GS
Posts: 6
Captchas are like the TSA... security theatre, not effective against someone who is determined to get through. It's far more likely that a username and password/PIN was compromised by malicious software on a computer used to access the site than by password guessing. Public computers (think hotel business center) and public wifi hotspots are far more likely places to lose control of your account.
I'll second the notion above... Security is in your hands: use a strong password on your account to protect it (and not a password you use on some other account), then avoid public computers and public wifi when you're accessing any account of value.
#6
Original Poster
Join Date: Nov 2011
Location: YUL
Programs: UA 1K, MR Bonvoy Bonzaiiiii, National EE
Posts: 622
Yup
I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.
Last edited by iluv2fly; Jan 6, 2014 at 2:39 pm Reason: merge
#8
Join Date: Apr 2006
Location: SFO
Programs: UA Premier Platinum (and falling fast)
Posts: 566
- Purchased 3x revenue tickets, for 3 separate people, using my corporate card saved in my account for a total of ~$5k.
- Used GPUs/RPUs to upgrade said tickets.
- Used half my miles in my account for an award flight and charged the taxes and fees to my CC.
- Booked a hotel with the other half of my miles, taking me down to just a few thousand total.
.....unless the perps realize that they didn't get away with it / their reservations have been cancelled and don't even attempt to fly. UA should almost just leave them intact and trap them at the airport.
#9
Join Date: Aug 2011
Programs: UA 1K
Posts: 8,634
#10
Join Date: Oct 2004
Location: Anywhere but home
Programs: UA 1K/MM, DL GM/MM, HH Dia, PC Plat, MR Gold, ALL Sil,
Posts: 4,552
Sorry to hear of the hacking, brp1264.
Yup, just changed my password but can still access my account with the 4-digit PIN.
#12
formerly sahiljain22
Join Date: Apr 2011
Location: BOS;NYC;YVR;YYZ;DEL;BOM
Programs: Amex Plat; HH Diamond; SPG Plat; Hyatt Diamond; United 1K; National EE; HSBC Premier
Posts: 532
#13
Suspended
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 50,262
1. Do not use a 4-digit PIN, stick to a passphrase (UA can accommodate up to 20 characters).
2. Do not ever store CC information with online accounts (not just UA).
3. Call the CC issuer and have a new card # issued. The bad guys have your 3-digit code and can use the card for other stuff too.
This is almost certainly a commercial operation in which some suckers were sold ultra-cheap F/C tickets. Yes, they will now show up at some departure airport and their tickets won't be valid, but that is between them and the crooks who hacked your account.
There are a number of things which UA and others could do to make access more secure, but that would make customers crazy and they would complain. For instance, logging in could require that you enter a code texted or phoned to you. It could require you to answer security questions each time.
#14
Join Date: Dec 2013
Location: San Francisco Bay Area
Programs: United - GS
Posts: 6
United.com doesn't show the full card number, and doesn't show the CVV (3 or 4 digit security code). In fact, they aren't even allowed to store the security code on their servers. There's no reason to go through the hassle of getting a new card when there is next to zero chance these criminals could retrieve the whole card number.
Last edited by iluv2fly; Jan 6, 2014 at 2:39 pm Reason: merge