FlyerTalk Forums - View Single Post - Consolidated "CAPTCHA for logging in?" thread
Old Oct 12, 2014, 11:01 am
  #57  
Baze
FlyerTalk Evangelist
 
Join Date: Jul 1999
Location: Ewa Beach, Hawaii
Posts: 10,909
Originally Posted by txflyer77
Another step HHonors could take to prevent points from being stolen is to require email validation of any redemptions besides stays (since those can be easily fixed and aren't what hackers go for anyways).

User tries to redeem points for merchandise -> email confirmation goes to account on file -> redemption is only completed after the confirmation is completed.

Obviously, this also requires putting a temporary hold on non-stay redemptions of accounts that change email addresses and notifying the original email address if the address is changed.



I'm hoping for this: https://www.grc.com/sqrl/sqrl.htm
What is to stop the hacker from changing the email address to some free non-traceable one once hacked in? Get the confirmation email, confirm the spend, then change it to some random email address. They need to make it so no profile info can change without confirmation from the current email/sms# on file, and if it doesn't exist anymore, you call in and they ask identifying questions before they will make any changes.
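The controls discussed in the quoted post and the reply above, as an added sketch that is not part of the thread and not code from HHonors: confirmation always goes to the address currently on file, an address change itself needs that confirmation, the old address is notified, and non-stay redemptions are held afterwards. The `Account` class, the function names, the in-memory `outbox` and the 7-day hold are assumptions made for illustration.

```python
import secrets

HOLD_SECONDS = 7 * 24 * 3600  # assumed hold length; the thread gives no figure

class Account:
    def __init__(self, email, points):
        self.email, self.points = email, points
        self.email_changed_at = None   # time of last confirmed address change
        self.pending = {}              # token -> (action, payload)
        self.outbox = []               # (recipient, text): stand-in for real mail

def _on_hold(acct, now):
    changed = acct.email_changed_at
    return changed is not None and now - changed < HOLD_SECONDS

def _challenge(acct, action, payload):
    # The token always goes to the address on file when the request is made.
    token = secrets.token_urlsafe(16)
    acct.pending[token] = (action, payload)
    acct.outbox.append((acct.email, f"confirm {action}: {token}"))
    return token  # returned only so the demo can play the mailbox owner

def request_email_change(acct, new_email):
    return _challenge(acct, "email_change", new_email)

def request_redemption(acct, points, kind, now):
    if kind == "stay":                 # stays are exempt in the quoted proposal
        acct.points -= points
        return None
    if _on_hold(acct, now):
        raise PermissionError("non-stay redemptions held after email change")
    return _challenge(acct, "redeem", points)

def confirm(acct, token, now):
    action, payload = acct.pending.pop(token)   # KeyError on unknown token
    if action == "email_change":
        old, acct.email, acct.email_changed_at = acct.email, payload, now
        acct.outbox.append((old, f"address on file changed to {payload}"))
    elif _on_hold(acct, now):
        raise PermissionError("non-stay redemptions held after email change")
    else:
        acct.points -= payload
    return action
```
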