
300,000 miles stolen from my Avios BA account

Old Jan 18, 2017, 10:48 am
  #46  
FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: London
Programs: Mucci. Nothing else matters.
Posts: 38,642
Originally Posted by nei1c
When you sign up it'll retrieve all of your passwords stored in your web browser ...
Ought not that number to be zero?

Or are you saying that web browsers will store your passwords in the cache or somewhere else even though you have switched off password storage (which I always thought was one of the most basic security steps there was)?
Globaliser is offline  
Old Jan 18, 2017, 11:59 am
  #47  
 
Join Date: Jan 2014
Location: Aberdeen
Programs: BA Rust
Posts: 140
Originally Posted by Globaliser
Ought not that number to be zero?

Or are you saying that web browsers will store your passwords in the cache or somewhere else even though you have switched off password storage (which I always thought was one of the most basic security steps there was)?
That number ought to be zero but I'd hazard a guess that for most people it isn't.

I've just checked mine again and found a few that Microsoft Edge had kindly stored for me - turning it off through Internet Options in Control Panel doesn't affect Edge, which has its own settings.
nei1c is offline  
Old Jan 18, 2017, 3:52 pm
  #48  
 
Join Date: Jun 2011
Location: UK
Programs: BAEC, HHH (Diamond), Le Club (Platinum), Hertz (Gold), Priority Club,
Posts: 101
I noticed that the points had been taken out last week for a stay at a hotel in Hungary.
All hotels insist on a credit card being produced at check-in. If the stay has already taken place then would the hotel give you the name of the person who checked in? If the stay has not yet taken place then ask the hotel to call the police when the thief checks in.
Airclues is offline  
Old Jan 19, 2017, 3:59 pm
  #49  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,103
Originally Posted by Airclues
All hotels insist on a credit card being produced at check-in.
That varies. On award nights or on otherwise direct billed nights, I've checked into a fair number of hotels in Europe where I've shown no bank card and no ID at check-in.

Originally Posted by markle
The industry is beginning to disagree with that point of view - essentially where you have mandatory password changes people tend to use simpler passwords and then alter them in a very predictable way after each reset. In the end it's felt that any security benefit gained from having changing passwords is offset by the simplicity / predictability of passwords used.

There's a good blog post about this at https://www.ftc.gov/news-events/blog...ssword-changes
I'd read that many months ago and there is indeed something to that. But when companies both require more complex passwords during a company-required password change and restrict use of a prior password or part of a prior password from being re-used, the increased frequency of password changes does help increase account security unless bad password creation/retention habits are allowed and/or being used (as is very often happening).

Originally Posted by Washington DC
The trouble you have is that hackers aren't learning your passwords then hanging around before using the points - as soon as they guess or discover, then they're redeeming for items that can be used quickly (gift vouchers, immediate travel).

Changing your password 2 weeks later will stop them coming back, but normally your account will be cleaned out.

If you're going to make an effort, go for a password manager and a secure, unique password for each site you use (as well as 2 factor where available).
Some of the raids on compromised airline program accounts involve redeeming high value awards upon the thieves finding the "right customer". And other raids on compromised accounts involve immediate redemptions to do as indicated above.
GUWonder is offline  
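
An added illustration, not part of any post in this thread and not any airline's or vendor's code: a password-change check of the kind discussed in post #49, rejecting a new password that is the old one with a predictable alteration or that reuses part of it. The function names, the substitution table and the five-character threshold are assumptions made for the example; the old password is available in plaintext only because a change form asks the user to type it.

```python
import re
from difflib import SequenceMatcher

# Constructed table of common character swaps (an assumption, not exhaustive).
LEET = str.maketrans("@4$5013!7", "aassoieit")


def skeleton(pw):
    """Reduce a password to the base users tend to keep across forced resets."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())  # drop trailing counters, years, punctuation
    core = re.sub(r"^[\d\W_]+", "", core)        # and leading ones
    return core.translate(LEET)                  # undo simple character swaps


def longest_shared_run(a, b):
    """Length of the longest substring common to a and b."""
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    return matcher.find_longest_match(0, len(a), 0, len(b)).size


def check_new_password(old, new, min_shared=5):
    """Return a rejection reason if `new` is a predictable variant of `old`, else None."""
    if new == old:
        return "identical to the previous password"
    base_old, base_new = skeleton(old), skeleton(new)
    # Very short bases are ignored so random passwords do not collide by accident.
    if len(base_old) >= 4 and base_old == base_new:
        return "same base word with only the case, affix or a character swap changed"
    full_old = old.lower().translate(LEET)
    full_new = new.lower().translate(LEET)
    if longest_shared_run(full_old, full_new) >= min_shared:
        return "reuses part of the previous password"
    return None


if __name__ == "__main__":
    # Constructed sample pairs (old, new); none are real credentials.
    samples = [
        ("Summer2016!", "Summer2017!"),
        ("P@ssw0rd1", "Password2!"),
        ("Avios#Holiday9", "H0liday-Miles"),
        ("Summer2016!", "kV7#tq2Lw9!xRb"),
    ]
    for old, new in samples:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```
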
Old Jan 20, 2017, 2:28 am
  #50  
FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: London
Programs: Mucci. Nothing else matters.
Posts: 38,642
Originally Posted by GUWonder
I'd read that many months ago and there is indeed something to that. But when companies both require more complex passwords during a company-required password change and restrict use of a prior password or part of a prior password from being re-used, the increased frequency of password changes does help increase account security unless bad password creation/retention habits are allowed and/or being used (as is very often happening).
From looking at colleagues who've been faced with such requirements, I suspect that a common bad habit is that increasingly-complex passwords simply get written down on paper and kept near the machine in question. But it's not difficult to understand why people do that, or to sympathise with those reasons. From an ivory tower, one can easily say "That's a bad habit. Don't do it." But in the real world, users genuinely find some of these requirements difficult. A security approach that doesn't take into account the real needs and the real limitations of the real people who are using the system is surely itself flawed.
Globaliser is offline  
Old Jan 20, 2017, 2:51 am
  #51  
Fontaine d'honneur du Flyertalk
 
Join Date: Jul 2001
Location: Morbihan, France
Programs: Reine des Muccis de Pucci; Foreign Elitist (according to others)
Posts: 19,086
Originally Posted by Bretteee
LOL well at least sounds East Europeanish to me. Some Hungarian chain hotel in some resort town I never heard of. It seems they use miles for hotel stays a lot; not for air travel.

The hotel only charges $47 a night. 300,000 miles must have bought them quite a few rooms or they spent a long time there. They must have invited the whole family; aunts, uncles, cousins, grandmas, grandpas.
Which Hungarian hotel chains accept Avios?
PUCCI GALORE is offline  
Old Jan 20, 2017, 3:58 am
  #52  
 
Join Date: Apr 2015
Location: Oxford
Programs: Skyteam Elite+, VS Red, HHonours Diamond, Accor Plat
Posts: 629
Originally Posted by Globaliser
I suspect that a common bad habit is that increasingly-complex passwords simply get written down on paper and kept near the machine in question.
It's a matter of assessing what you consider to be the threat to the system to decide if this is as bad an idea as it might initially sound.

If the main threat actor is:
  • a cyber criminal then the written-down complex password works perfectly.
  • a physical thief or an insider threat then you are in a bit of trouble.
  • state sponsored hackers or hacktivists then you probably have to have a really good think about your life choices!

My retired father has a password book that sits on his desk at home and has yet to have any on line account breached.
stuart_f is offline  
Old Jan 21, 2017, 11:29 am
  #53  
FlyerTalk Evangelist
 
Join Date: Feb 2009
Location: From ORK, live LCY
Programs: BA Silver, EI Silver, HH Gold, BW Gold, ABP, Seigneur des Horaires des Mucci
Posts: 14,177
Originally Posted by Airclues
All hotels insist on a credit card being produced at check-in.
That's a sweeping, and incorrect, generalization. Plenty of hotels will accept a debit card, many will accept a cash deposit, some will use the card that the stay was booked with, and quite a few will not require any at all if the guest says they do not require room-charging privileges.
Originally Posted by Airclues
If the stay has already taken place then would the hotel give you the name of the person who checked in?
Not if they want to comply with data protection legislation, which is substantially the same throughout the EU.
Originally Posted by Airclues
If the stay has not yet taken place then ask the hotel to call the police when the thief checks in.
May potentially work, may not.
stifle is offline  
Old Mar 23, 2017, 8:56 pm
  #54  
 
Join Date: Jun 2010
Location: USA
Programs: SA Air, Air Canada, KLM, BA, Lufthansa, United, AA, Hawaiian, Air New Zealand, Qantas, Virgin Atlantic
Posts: 777
Lastpass help

I signed up with Lastpass, and started adding sensitive accounts, but somehow I thought it would generate new and difficult passwords, but it didn't. It just has my passwords. What am I doing wrong?

I'm in kind of a quandary since I had to send a dead, but brand new, Dell computer back and it has all this info on it.

I just deleted all of the sites that I had added to Lastpass and will start with a clean slate tomorrow.

If you use Lastpass and have the time, please explain it like you are teaching a 5 year old because clearly I am not doing something right.

Thank you so very much if you can help.
Jeannietx is offline  
Old Mar 24, 2017, 2:54 am
  #55  
 
Join Date: Feb 2001
Location: London
Programs: AA EXP, SPG Plt
Posts: 2,607
We are way off topic, but with LastPass you need to change your existing passwords to newer, stronger ones. Here's how you generate stronger ones: https://helpdesk.lastpass.com/generating-a-password/

When moving a PC it's quite easy. Sign into LastPass from the new PC and make sure it's synced. Then just uninstall it from the old PC.
BobbySteel is offline  
Old Mar 24, 2017, 3:25 am
  #56  
 
Join Date: Apr 2016
Programs: SK Gold, BA Gold
Posts: 180
Originally Posted by Jeannietx
I signed up with Lastpass, and started adding sensitive accounts, but somehow I thought it would generate new and difficult passwords, but it didn't. It just has my passwords. What am I doing wrong?
I don't use LastPass any more, but I used to. I think you may have misunderstood what a password manager does for you.

Its most basic function is, as you've discovered, simply storing your passwords. The idea is that you should be using a strong, random password for each site, but since there's no way you're going to be able to remember them all, you need somewhere to write them down. In that regard, LastPass is just a more secure version of that Post-it note you stick on your screen.

LastPass does a few other things to make your life easier though. If it already has your login information for a site you are visiting, it will offer to fill the login form for you so there's no manual copying and pasting.

It can also generate strong passwords for you. This is useful both when you first sign up on a website as well as when you're filling the "change password" form (where you have to type your old password and then your new one twice). LastPass will usually notice that you've added or changed a password and offer to store/replace it for you. This works pretty well, use it.

It sounds like you were expecting LastPass to change your passwords for you. It's very tricky for a computer to do that because the process is different for each website, however I distinctly remember LastPass doing that for me once or twice to my amazement. I'm not quite sure where that action was buried, it may have been part of the "security audit".

But in any case, you'll have to go through your list and change most of your passwords by hand. It's not that bad though: let LastPass open the web page and log you in, then find the "change password" page, let LastPass fill in your old password for you, use its password generator to generate and fill in a new one. Then submit the form and LastPass should ask you if you'd like it to update the login data for that site in its database, to which you say yes.
waffle is offline  