My Mileage Plan Account Was Hacked

Old Aug 20, 2023, 8:45 pm
  #31  
 
Join Date: Nov 2001
Location: Portland, Oregon
Programs: Hilton Platinum, Alaska MVP Gold
Posts: 2,363
What was the resolution?

Originally Posted by jeelele
I just got an alert from Award Wallet about my balance in AS that didn't seem right. So, upon logging in to my account, I am seeing that 100K miles have been used for an award reservation for 2x passengers who are currently en route on QR. I am calling AS and am presently on hold to speak to an agent. I am wondering if anyone has any advice. Please let me know. Thanks.
WebTraveler is offline  
Old Aug 21, 2023, 12:44 am
  #32  
 
Join Date: Jul 2006
Location: East Coast
Programs: All major Airlines, Hotel Chains, Credit Cards and Car Rentals
Posts: 1,263
Originally Posted by WebTraveler
What was the resolution?
They have replaced the miles. That was a quick resolution from Alaska.

This experience makes me wonder why the loyalty programs are so slow in implementing additional security measures such as 2FAC, etc. It must be taking a toll on their resources to deal with hacks, which I am suspecting must be happening at a pretty good volume.
jeelele is offline  
Old Aug 21, 2023, 8:14 am
  #33  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA ExPlat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,986
Originally Posted by jeelele
They have replaced the miles. That was a quick resolution from Alaska.

This experience makes me wonder why the loyalty programs are so slow in implementing additional security measures such as 2FAC, etc. It must be taking a toll on their resources to deal with hacks, which I am suspecting must be happening at a pretty good volume.
Maybe because they have sooooo many account holders (and many neither tech savvy nor super frequent users) that it would be expensive to staff the support for dealing with those people who lock themselves out of their account if 2FA was required.

I’d still like to see it as an option, though.
notquiteaff is online now  
Old Aug 21, 2023, 8:17 am
  #34  
 
Join Date: Jan 2002
Location: North Oregon Coast
Programs: AS, AA, BA, HH Gold, Marriott Gold, National EE
Posts: 354
Originally Posted by jeelele
They have replaced the miles. That was a quick resolution from Alaska.

This experience makes me wonder why the loyalty programs are so slow in implementing additional security measures such as 2FAC, etc. It must be taking a toll on their resources to deal with hacks, which I am suspecting must be happening at a pretty good volume.
Hard to say. My guess (retired IT guy) is that they have decided it's cheaper to occasionally restore someone's miles after being hacked than invest in all the tech upgrades and system redesign required to implement a more secure and robust 2FA protocol.
Kacee likes this.
ziggy29 is offline  
Old Aug 21, 2023, 9:21 am
  #35  
A FlyerTalk Posting Legend
 
Join Date: Apr 2013
Location: PHX
Programs: AS 75K; UA 1MM; Hyatt Globalist; Marriott LTP; Hilton Diamond (Aspire)
Posts: 56,631
Originally Posted by ziggy29
Hard to say. My guess (retired IT guy) is that they have decided it's cheaper to occasionally restore someone's miles after being hacked than invest in all the tech upgrades and system redesign required to implement a more secure and robust 2FA protocol.
Yeah, they're just not that motivated because the exposure is pretty low compared to a bank or brokerage firm, for example.

Some FFPs now do use 2FA, AC, AF, and SQ being a few that immediately come to mind.
Boraxo and anteater like this.
Kacee is offline  
Old Aug 21, 2023, 10:59 am
  #36  
 
Join Date: Jun 2005
Location: SAN
Programs: AS MVP Gold, Marriott Plat, ICH Plat, HH Gold
Posts: 4,387
I assume there was a short time in between the OP's account being hacked, and then the award ticket booking, and the actual flight? Alaska could add some additional check in case of awards being booked for someone else than the account owner within a short time frame. And also have text message verification for any change made to the account to make it very difficult to circumvent such a check.

BTW: which credit card was used for the booking? If not the OP's card in the account, that should make it easy for Alaska or law enforcement to trace who did this. Though AS should already have the name and passport details of the travellers.

Actually thinking about it, just sending a text message in case miles are used (and make it only possible to change the phone number by confirming via text message) would allow early detection.
frankvb is offline  
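The check proposed in the post above, sketched as an added example that is not part of any poster's message and not Alaska's code: hold an award booking when the account owner is not among the passengers and either the contact details changed shortly before or the flight departs soon after booking. The event fields, account ids, names and both time windows are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed thresholds; the thread only says "a short time frame".
CHANGE_WINDOW = timedelta(hours=72)     # contact change -> booking
DEPARTURE_WINDOW = timedelta(hours=48)  # booking -> departure

# Constructed sample events; field names and values are hypothetical.
OWNERS = {"A1": "PAT OWNER", "A2": "LEE OWNER", "A3": "SAM OWNER", "A4": "KIM OWNER"}
EVENTS = [
    {"ts": "2023-08-01T09:00", "acct": "A1", "type": "award_booking",
     "passengers": ["PAT OWNER"], "departs": "2023-09-15T07:00"},
    {"ts": "2023-08-18T02:10", "acct": "A2", "type": "contact_change", "field": "email"},
    {"ts": "2023-08-18T02:12", "acct": "A2", "type": "contact_change", "field": "phone"},
    {"ts": "2023-08-18T03:05", "acct": "A2", "type": "award_booking",
     "passengers": ["X TRAVELER", "Y TRAVELER"], "departs": "2023-08-19T01:30"},
    {"ts": "2023-08-20T10:00", "acct": "A3", "type": "award_booking",
     "passengers": ["SAM OWNER", "KID OWNER"], "departs": "2023-08-21T08:00"},
    {"ts": "2023-08-21T12:00", "acct": "A4", "type": "award_booking",
     "passengers": ["PARENT OWNER"], "departs": "2023-12-20T08:00"},
]

def flag_award_bookings(events, owners):
    """Return [(acct, reasons)] for award bookings to hold for owner confirmation."""
    last_change = {}  # acct -> time of the most recent email/phone change
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "contact_change":
            last_change[ev["acct"]] = ts
            continue
        if ev["type"] != "award_booking":
            continue
        if owners[ev["acct"]] in ev["passengers"]:
            continue  # owner is travelling: not the pattern described
        reasons = []
        changed = last_change.get(ev["acct"])
        if changed is not None and ts - changed <= CHANGE_WINDOW:
            reasons.append("contact_changed_recently")
        if datetime.fromisoformat(ev["departs"]) - ts <= DEPARTURE_WINDOW:
            reasons.append("departs_soon")
        if reasons:  # a non-owner booking alone (gift to family) is not flagged
            alerts.append((ev["acct"], reasons))
    return alerts
```

A confirmation for a held booking would go to the contact details on file before the change, so that rewriting the phone number or email first does not silence the alert.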
Old Aug 21, 2023, 11:07 am
  #37  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA ExPlat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,986
Originally Posted by frankvb
Actually thinking about it, just sending a text message in case miles are used (and make it only possible to change the phone number by confirming via text message) would allow early detection.
Why implement a bunch of security bandaids in the application layer when you could instead implement a more robust security infrastructure?
notquiteaff is online now  
Old Aug 21, 2023, 1:27 pm
  #38  
 
Join Date: Jun 2005
Location: SAN
Programs: AS MVP Gold, Marriott Plat, ICH Plat, HH Gold
Posts: 4,387
Originally Posted by notquiteaff
Why implement a bunch of security bandaids in the application layer when you could instead implement a more robust security infrastructure?
Because it costs more and is not something that can be quickly implemented? Of course I'm not saying they shouldn't also work on implementing proper 2FA.
frankvb is offline  
Old Aug 21, 2023, 1:50 pm
  #39  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA ExPlat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,986
Originally Posted by frankvb
Because it costs more and is not something that can be quickly implemented? Of course I'm not saying they shouldn't also work on implementing proper 2FA.
Quickly? 2FA and account hacks aren’t exactly a new thing.

The other not new thing? AS IT limitations

PS: whether it costs more to do it right isn’t something any of us can probably assess.
notquiteaff is online now  
Old Aug 22, 2023, 1:17 pm
  #40  
 
Join Date: Jul 2006
Location: East Coast
Programs: All major Airlines, Hotel Chains, Credit Cards and Car Rentals
Posts: 1,263
Well, if a program like LifeMiles can add 2FA, as a non-IT individual, I have to question why AS can't implement it.
notquiteaff likes this.
jeelele is offline  
Old Oct 9, 2023, 2:09 am
  #41  
 
Join Date: Oct 2023
Posts: 1
I noticed my account was hacked as of June or July... I was logged out and it wouldn't let me log in, so I tried to change PW and no go. Tried calling customer support 2 times and asked them to verify and help me change pw and told them I believe my account was compromised and they said they didn't think that was what happened smh. I still had issues. I called a 3rd time and finally they gave me a temporary pw to get into the account. I skimmed through the settings and noticed there was a different email. I also noticed they changed the last digit of my phone # so I couldn't verify with the number on file. After a little more time looking into all the stuff on my account, they listed themselves under "companion"; their full info was there. And there's an option to use another email and phone number for contact purposes. So I made sure I changed all my info back to normal, and copied the thief's info and then deleted all of it. I'm going to report this person to the authorities. Luckily I don't think I lost anything... they also added another mileage program on there to funnel miles to, but like I said, I wiped their info out. You would think AA would know what happened but they were lost.
KDuce2011 is offline  
Old Dec 19, 2023, 12:09 pm
  #42  
 
Join Date: Apr 2016
Posts: 95
I found my account was hacked when I tried to log on. I was informed by the agent that the phone number was changed to an international number, as well as the email. It's very interesting that I did not receive any notification or alert when the info got changed. Even though I did not receive any alert when the new number and email were updated. Apparently AS's security system is under-performing. Luckily there are less than 10,000 miles left in the account as I just redeemed around 400K during the summer. In a word, pls double check your account once in a while to make sure it's fully secured, especially when you have lots of miles in the account.
hickson is offline  
Old Dec 21, 2023, 9:16 am
  #43  
FlyerTalk Evangelist
 
Join Date: Dec 2002
Location: Danville, CA, USA;
Programs: UA 1MM, WN CP, Marriott LT Plat, Hilton Gold, IC Plat
Posts: 15,775
This is a good reminder I need to implement unique pw for all my FF air & hotel accounts. Reuse = bad.

Also heads up: last year someone tried to redeem my Amex points for an iPhone. Apparently they can hack your account by using “pay with points” on Amazon. Thankfully Amex fraud caught the transaction.
Boraxo is offline  
Old Dec 21, 2023, 3:35 pm
  #44  
 
Join Date: May 2005
Location: SEA
Programs: AS; Hyatt Globalist; Hilton Gold; NEXUS
Posts: 981
Interestingly, Hyatt recently introduced passkey/FIDO2 support and I've associated my Yubikeys to it. It was pretty painless.

I suppose it is a pipe dream to have Alaska's IT implement this, but it still would be nice.
sullim4 is offline  
Old Dec 21, 2023, 11:38 pm
  #45  
 
Join Date: Oct 2003
Location: Seattle
Programs: AS MVP100K, Hilton Diamond, IHG Gold
Posts: 3,215
I was hacked Dec. 15. It sounded like a mileage broker sold a bunch of people fake tickets and they’re out money now. They made a bunch of bookings. I used a password that was leaked by Spotify. I was lucky to catch the fraud within 6 hours as I was checking my credit card statement and saw all these AS charges.

Now my account has a PIN on it.
NWplatinum is offline  