300,000 miles stolen from my Avios BA account
#31
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Today by chance I looked at my BA Executive account and was shocked to see that about 300,000 Avios points had disappeared.
I noticed that the points had been taken out last week for a stay at a hotel in Hungary.
I notified BA who are now investigating. My account will be blocked.
Has this ever happened to others? I find it pretty scary. Fortunately it was only one week ago. I only check my account about twice a year.
But if your electronic devices are compromised, kiss goodbye to the effectiveness of even strong password use habits. Two vector authentication is harder to undermine but then the companies have to deal with more customer complaints and inquiries when account access is problematic even for the legitimate account user.
Increased frequency of password changes does provide some increased account security.
Last edited by GUWonder; Jan 18, 2017 at 2:42 am
#32
Fontaine d'honneur du Flyertalk
Join Date: Jul 2001
Location: Morbihan, France
Programs: Reine des Muccis de Pucci; Foreign Elitist (according to others)
Posts: 19,180
I'd feel that I had been personally violated if that happened to me - I do feel sorry for you.
Increasing password change is all very well - but you are the one that has to remember them. The bank in France decided that I had to change and that was all well and good - my PC remembers them for me (that's probably not safe either - but ultimately what is 100% safe). I, of course, was so used to the old one that after three attempts on another PC, I was locked out. I was most vexed when I realised what I had done.
My passwords are 12 - 15 long and have everything but symbols. I look daily and at the Bank Statements.
Anyhow, that is irrelevant, more to the point what are BA doing about this? Has something been booked and used?
#33
FlyerTalk Evangelist
Join Date: Feb 2009
Location: From ORK, live LCY
Programs: BA Silver, EI Silver, HH Gold, BW Gold, ABP, Seigneur des Horaires des Mucci
Posts: 14,217
#34
Join Date: Oct 2011
Posts: 273
Changing your password 2 weeks later will stop them coming back, but normally your account will be cleaned out.
If you're going to make an effort, go for a password manager and a secure, unique password for each site you use (as well as 2 factor where available).
#35
Join Date: Jul 2009
Posts: 561
There's a good blog post about this at https://www.ftc.gov/news-events/blog...ssword-changes
#36
A FlyerTalk Posting Legend
Join Date: Aug 2006
Location: Argentina
Posts: 40,211
The industry is beginning to disagree with that point of view - essentially where you have mandatory password changes people tend to use simpler passwords and then alter them in a very predictable way after each reset. In the end it's felt that any security benefit gained from having changing passwords is offset by the simplicity / predictability of passwords used.
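The pattern described in the post above, as an added example that is not part of the original thread: a change-password check that flags a new password derived from the old one by a predictable tweak. The function names, the edit threshold and the sample passwords are assumptions constructed for illustration.

```python
import re


def _skeleton(pw: str) -> str:
    """Lower-case the password and strip leading/trailing digits and symbols."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """Return True when `new` is a trivial variation of `old`.

    Assumption: this runs in the change-password flow, where the user has just
    typed the current password, because stored hashes cannot be compared.
    """
    if old.lower() == new.lower():
        return True                      # only the letter case changed
    so, sn = _skeleton(old), _skeleton(new)
    if so and so == sn:
        return True                      # same word, different number/symbol affix
    # Small in-place substitutions such as o -> 0 or an extra character.
    return _edit_distance(old.lower(), new.lower()) <= max_edits


# Constructed sample pairs (old, new); none come from the thread.
SAMPLES = [
    ("Summer2016!", "Summer2017!"),
    ("Holiday1", "Holiday2"),
    ("password", "passw0rd"),
    ("Summer2016!", "k7Rw-pq2vLx9Zt"),
]

if __name__ == "__main__":
    for old, new in SAMPLES:
        verdict = "reject" if is_predictable_rotation(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```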
#37
Moderator: GLBT travelers, India-based Airlines and India; FlyerTalk Evangelist
Join Date: Jan 2004
Location: Asia
Programs: Yes!
Posts: 15,512
#38
Join Date: Oct 2010
Location: Alameda, CA, US
Programs: BAEC Gold (GGL/CCR), HHonors Diamond
Posts: 1,346
I am using a program (1Password in my case), which will generate passwords. These passwords are stored in an encrypted vault with a master password. This vault is synced to a cloud location (like Dropbox) and I have that program on two PCs, my phone and tablet, all set up to sync from the cloud location. On phone and tablet the vault can be unlocked with fingerprints, which makes it quick.
These passwords are not guessable and no password is used twice. Have to change password in a browser? Right click the password field and select generate password.
#39
Join Date: Dec 2016
Location: West of Heathrow
Programs: BA Exec Silver, IHG Platinum
Posts: 40
#40
Join Date: Jul 2009
Posts: 561
#41
Join Date: Nov 2006
Programs: Seniors Bus Pass
Posts: 5,531
I am using a program (1Password in my case), which will generate passwords. These passwords are stored in an encrypted vault with a master password. This vault is synced to a cloud location (like Dropbox) and I have that program on two PCs, my phone and tablet, all set up to sync from the cloud location. On phone and tablet the vault can be unlocked with fingerprints, which makes it quick.
These passwords are not guessable and no password is used twice. Have to change password in a browser? Right click the password field and select generate password.
http://www.flyertalk.com/forum/trave...passwords.html
#42
Join Date: Nov 2006
Programs: Seniors Bus Pass
Posts: 5,531
If there has been no change on the OP's account details to change anything, e.g. email notification, is it possible that this is not a hack but a human error? Otherwise the auto-notification email would have alerted the OP.
Could a person make a telephone booking with BA and the person making it mistype the BAEC number? Or some similar error so that the booking really was for somebody else and the wrong BAEC number has been used - it only requires a single digit error?
No doubt the OP may find out in due course.
#43
Join Date: Jan 2014
Location: Aberdeen
Programs: BA Rust
Posts: 140
They've even got an app for your phone which if you've got a fingerprint reader is a doddle to use - you just enter your password or fingerprint and it'll fill in your login details into any app or the web browser. I think you need a Premium account to get the phone app but it's only $1 a month. You'll get a month free premium if you sign up through this link - https://lastpass.com/f?15566042
Since using this I've moved all passwords that I can to 15-20 character alphanumeric with symbols so pretty much as secure as you can get.
#45
Join Date: Dec 2016
Posts: 355
I'm not sure we can accuse the Russians yet. A Google search of Trump and Hungary did produce a link...
http://www.usmagazine.com/celebrity-...l-room-w461160
but I'm not for one second suggesting something went on. I think the Hungary-Trump-Russia-Avios connection is probably a big coincidence, unless he pays for his stays with Avios...