My Mileage Plan Account Was Hacked

Old Jul 23, 2023, 9:43 am
  #16  
 
Join Date: Dec 2008
Programs: ba exec silver
Posts: 551
Originally Posted by notquiteaff
Did you use a strong and unique (across all online accounts you have) password?

Do you use a password manager?

The passenger who flew the stolen flight might not have been the hacker; the hacker could have sold that flight to a 3rd party.
Yes to a strong password.

But that's the point... They can track down where they bought it from at least... Follow the trail.
firehawk is offline  
Old Jul 23, 2023, 11:10 am
  #17  
 
Join Date: May 2008
Location: "the world is my country"
Programs: Alaska 100K (aka OWS)
Posts: 814
There's something bad going on with AS IT. I've been trying to book mileage tickets for a few days and get a blank screen (on Chrome, but not Safari) or "prove you're not a bot, hold this button" about 10 times before it will let me proceed. Is it possible they've been under some hacking attack?
QT31415 is offline  
Old Jul 23, 2023, 11:57 am
  #18  
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: Florida
Posts: 29,832
AS IT is poor. It has been MONTHS that we cannot go directly to Account Activity at all.

The site would bring up a screen with 2 circles that kept circulating, but eventually timed out, and a log in screen popped up even though we are logged in.

The only occasional workaround is to click on one of the options like credit or wallet (wallet does not always work), then it would bring up the more familiar screen with menu sidebar - Only from the menu side bar we could get to Account Activity screen. It definitely was not that way back in Feb when we made some award bookings including cancellation and rebooking. The Account Activity screen was normal, came up once you made the option on home screen... Sometime in June when I did eReward redemption and wanted to check whether the miles posted, I found the Account Activity screen did not come up, kept timing out then asked me to log in again...

This glitch apparently has been going on for several months. It did the same thing on Firefox, Chrome and Edge on desktop. Safari on iPad does not always have such issues. I just checked, the glitch remains there.

I believe the redirect link was broken ever since they did some updates to the site - I notice the Trip screen is completely different from last year. It is no longer the plain text style but with those colorful images on the Trips screen - though this is just a front cover because once you get into each trip details, it is the same old same old.

All these cosmetic "updates" actually made important function BROKEN, and not get fixed for months on end. It probably remains broken until next "enhancement".
QT31415 and anteater like this.

Last edited by Happy; Jul 23, 2023 at 6:19 pm
Happy is offline  
Old Jul 23, 2023, 12:30 pm
  #19  
FlyerTalk Evangelist
 
Join Date: Jul 2003
Posts: 23,268
Originally Posted by firehawk
Yes to a strong password.

But that's the point... They can track down where they bought it from at least... Follow the trail.
Strong password won't really matter if they got into your email account. They can just request a password reset (which only requires knowledge of your birthdate on AS website once they are in your email) and away they go.
xliioper is online now  
Old Jul 23, 2023, 12:42 pm
  #20  
 
Join Date: Nov 2016
Location: On a plane or a beach
Programs: Yes
Posts: 3,217
Originally Posted by QT31415
There's something bad going on with AS IT. I've been trying to book mileage tickets for a few days and get a blank screen (on Chrome, but not Safari) or "prove you're not a bot, hold this button" about 10 times before it will let me proceed. Is it possible they've been under some hacking attack?
Just two datapoints: I booked two award tickets (one 7/23 and one 7/24) using Firefox and experienced no issues.

Perhaps when Customer Care opens on Monday you can report the issue.
anteater is offline  
Old Jul 23, 2023, 12:44 pm
  #21  
 
Join Date: Nov 2016
Location: On a plane or a beach
Programs: Yes
Posts: 3,217
Originally Posted by Happy
All these cosmetic "updates" actually made important function BROKEN, and not get fixed for months on end. It probably remains broken until next "enhancement".
This also succinctly describes the new AS search / booking engine UI. 🤙🏻🥃
sea_jeff and QT31415 like this.
anteater is offline  
Old Jul 23, 2023, 2:19 pm
  #22  
 
Join Date: May 2008
Location: "the world is my country"
Programs: Alaska 100K (aka OWS)
Posts: 814
Originally Posted by anteater
Just two datapoints: I booked two award tickets (one 7/23 and one 7/24) using Firefox and experienced no issues.

Perhaps when Customer Care opens on Monday you can report the issue.
Will do. I'm able to book the ticket, it just takes about a dozen tries and then the booking isn't accessible on the app or the website. Shades of BA.
QT31415 is offline  
Old Jul 23, 2023, 6:55 pm
  #23  
 
Join Date: Dec 2008
Programs: ba exec silver
Posts: 551
I know AS IT were in a big hiring spree last year and early this year... and they have been terrible. CLEARLY.
Regardless, there should be some comp for us passengers who have an account with them... it's their responsibility for patching/security - not us consumers.
firehawk is offline  
Old Jul 23, 2023, 8:16 pm
  #24  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA ExPlat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 17,124
Originally Posted by firehawk
Regardless, there should be some comp for us passengers who have an account with them... it's their responsibility for patching/security - not us consumers.
Can you prove that it was due to a security issue with AS site vs. something you are responsible for? If it was an exploit of their system, I would think we might hear more reports about it. I personally think it's fair enough if they make you whole by refunding the purchase.
notquiteaff is offline  
Old Jul 23, 2023, 8:32 pm
  #25  
 
Join Date: Dec 2008
Programs: ba exec silver
Posts: 551
Excellent point. Pretty sure it was not on my end. I also work in the IT sector. Doesn't mean it couldn't have been from my end but it's a high percentage that it was not on my end. 😊
QT31415 likes this.
firehawk is offline  
Old Jul 29, 2023, 4:16 pm
  #26  
FlyerTalk Evangelist
 
Join Date: Jan 2005
Location: home = LAX
Posts: 25,954
Originally Posted by firehawk
Excellent point. Pretty sure it was not on my end. I also work in the IT sector. Doesn't mean it couldn't have been from my end but it's a high percentage that it was not on my end. 😊
Did you perhaps leave a boarding pass anywhere? A boarding pass might contain enough info for someone to request an account change. The airline asks "what was your last flight" and the person can answer easily.

The misspelling on email address was probably the fake email address that someone else had set up. They knew your email address but couldn't access it, so they set up a very similar one and asked the airline to "correct" it.
notquiteaff likes this.
sdsearch is offline  
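A service-side check for the email "correction" scenario described in the post above, added here as an example and not part of the original thread: a requested address that is only a typo away from the one on file is held unless the request was confirmed from the current mailbox. The function names, the return labels, the two-edit threshold and the sample addresses are all assumptions made for illustration.

```python
MAX_LOOKALIKE_EDITS = 2  # assumed threshold; tune against real change requests


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "exmaple" for "example".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def split_address(addr: str):
    """Lower-case the address and split it into (local part, domain)."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def review_email_change(current: str, requested: str,
                        confirmed_from_current_mailbox: bool) -> str:
    """Decide how to treat a request to replace the email on file."""
    cur_local, cur_domain = split_address(current)
    new_local, new_domain = split_address(requested)
    edits = (osa_distance(cur_local, new_local)
             + osa_distance(cur_domain, new_domain))
    if edits == 0:
        return "no-change"
    if confirmed_from_current_mailbox:
        return "allow"  # requester controls the mailbox already on file
    if edits <= MAX_LOOKALIKE_EDITS:
        return "hold-lookalike"  # near-identical address, unproven requester
    return "step-up"  # unrelated address: require stronger identity proof


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the thread.
    on_file = "jane.traveler@example.com"
    for new in ("jane.travler@example.com", "someone.else@example.org"):
        print(new, "->", review_email_change(on_file, new, False))
```
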
Old Jul 29, 2023, 10:12 pm
  #27  
 
Join Date: May 2005
Location: SEA
Programs: AS; Hyatt Globalist; Hilton Gold; NEXUS
Posts: 987
2fa via TOTP (those numerical keys that reset every 30 seconds) or a Yubikey-like hardware token is a must nowadays and I am happy to jump through the hoops of setting it up for the accounts that offer it. SMS 2fa is better than nothing I suppose, but is highly susceptible to attacks like SIM swapping.

It is unfortunate that 2fa adoption hasn't seemed to catch on with certain industries. Banks and airlines, both of which deal with large financial transactions, don't seem to see the value in it (yet).
Boraxo likes this.
sullim4 is offline  
Old Jul 30, 2023, 12:57 am
  #28  
 
Join Date: Sep 2002
Programs: The opinions expressed here are mine alone and do not necessarily reflect the airlines I worked for.
Posts: 1,899
When I worked at the airlines the most common scam after someone got hacked is the fraudster sells a last minute booking to an unsuspecting purchaser at a steep discount. By the time it gets uncovered the pax already flew the trip. Same thing with stolen credit cards (almost always a last minute purchase for those) but those usually got caught and were flagged to show the credit card used to an agent before boarding passes could be issued. It was often a family that was clueless they'd been duped and their only option was to buy (another, but a real) ticket at full fare.
John26 is offline  
Old Aug 20, 2023, 4:55 am
  #29  
 
Join Date: Jul 2006
Location: East Coast
Programs: All major Airlines, Hotel Chains, Credit Cards and Car Rentals
Posts: 1,263
Account hacked, miles used, flight currently being flown on QR

I just got an alert from Award Wallet about my balance in AS that didn't seem right. So, upon logging in to my account, I am seeing that 100K miles have been used for award reservation for 2x passengers who are currently en route on QR. I am calling AS and am presently on hold to speak to an agent. I am wondering if anyone has any advice. Please let me know. Thanks.
jeelele is offline  
Old Aug 20, 2023, 8:13 am
  #30  
 
Join Date: Mar 2007
Posts: 5,027
More airlines and hotels need to implement 2fac.
olouie is offline  

