FlyerTalk Forums - View Single Post - HELP: Someone hacked my AS account - 255K miles gone! Is AS under attack?
Thread: HELP: Someone hacked my AS account - 255K miles gone! Is AS under attack?
View Single Post
Old Jan 3, 2025 | 1:45 pm
  #6  
notquiteaff
FlyerTalk Evangelist
Community Builder
Community Influencer
Active Streak: 30 Days
All eyes on you!
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS Plat, AA EP, Bonvoy Plat, Hilton Dia, Hyatt Glob, IHG Plat, ...
Posts: 21,428
Originally Posted by sbedelman
That's no guarantee of security. It’s a good idea of course but someone can hack your computer as the result of a security flaw that you aren't even aware, hack Alaska or any number of other entry points.
Sure, but the OP makes it sound like AS security is at fault here. Most individual account hacks, I suspect, are due to lax security measures by the individual account holder. Hacking an individual’s computer to then somehow access their loyalty program is likely so much more effort than just buying a email/password list from some previous hack and just looking for people who still (in 2024) reuse passwords.

985X's suggestion is an excellent one. If a redemption looks suspicious require the account holder to validate it. At a minimum all redemptions should be acknowledged with an email and text to the account holder asking to confirm the order or say it wasn't them (just like credit card companies do for charges that don't appear legit). It also seems like a good idea to limit close in redemptions to the account holder, those already listed or put the request on a pending status until the account holder confirms their identity.
Sure, they could do that. Instead they just blocked all awards at the 72 hrs window, probably because that was a single IF statement in their PDP-11 code while what you are describing is a much more significant effort.

Whenever I make an AS reservation, I receive an email confirmation. The OP probably did, too, but either didn’t notice it in the flood of emails or their email account was changed in AS.com and the flood of emails was designed to make that harder to discover.


There are lots of ways to handle this that aren't difficult nor unduly inconvenient for a user. They could even make the higher level of security opt in. That way if someone didn't and their account was hacked it would be on them.
Strong, unique passwords aren’t difficult or unduly inconvenient for a user either. I don’t disagree that companies like Alaska should do more, but I can control my risk to a large degree here, and so I will of course do that.
notquiteaff is offline  
Reply