Another step HHonors could take to prevent points from being stolen is to require email validation of any redemptions besides stays (since those can be easily fixed and aren't what hackers go for anyways).
User tries to redeem points for merchandise -> email confirmation goes to account on file -> redemption is only completed after the confirmation is completed.
Obviously, this also requires putting a temporary hold on non-stay redemptions of accounts that change email addresses and notifying the original email address if the address is changed.
Originally Posted by
BearX220
Yes, the 2FA theorists forget that if people won't adopt a new protocol voluntarily, it will fail, regardless of its technological brilliance. (See Windows 8.) And as the people behind HHonors.com have been unable to make the "Remember Me" button work since 1998, I share your lack of faith that they can possibly succeed here anyway.
I'm hoping for this:
https://www.grc.com/sqrl/sqrl.htm