FlyerTalk Forums - View Single Post - Loyalty programmes hacked - could Aeroplan be next?
Old Mar 31, 2015 | 6:15 am
  #1  
Geoflying
 
Join Date: Sep 2014
Programs: AC SEMM
Posts: 1,379
Loyalty programmes hacked - could Aeroplan be next?

Recent news reports indicate that loyalty programmes have been a target of hackers "stealing" miles to redeem for goods and services.

This article describes techniques that would seem to be easy to apply to the Aeroplan site as well as BA and others that have been attacked.

In addition to weak controls to block brute force attacks, many of these systems do not enforce good password policies as well, making it that much easier for attackers to get into these accounts.

Not only do customers re-use passwords, but companies continue to reject CAPTCHAs, two-factor authentication, session timeouts after failed login attempts and other controls against these sorts of attacks.

Until Aeroplan improves their security on their website, I am certainly going to improve my approach to password security there by making it longer and harder to be defeated by a brute force attack, although Aeroplan makes this hard by these restrictions:

1. Make it 6 to 10 characters long
2. Use only numbers or letters in any combination (avoid special characters or accents)

There is a long thread about the BAEC situation at http://www.flyertalk.com/forum/briti...ex-gratia.html