
"exceeded maximum number of login attempts....blocked access"

Old May 4, 2015, 12:27 pm
  #1  
A FlyerTalk Posting Legend
Original Poster
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,409
"exceeded maximum number of login attempts....blocked access"

Has anyone else experienced an attempt to hack their DL FF account recently? Apparently someone was busy while I was on a DL flight last night.

It sounds like the person knew the account number, or more specifically knew that my number was a valid account number, but fortunately they were unable to guess my password before the account was locked. DL IT told me the exact time and was able to state that there had been no transactions. In addition, I was told that the attempts were through delta.dumb.

I called, did the password reset, and checked for myself that there was no activity or mischief.

I also checked my other major air and hotel accounts just to be sure and didn't see any evidence of anyone but me being in there.

Is this a one-off situation, perhaps targeted at me or my account individually, or has anyone else seen the same thing?

I printed a boarding pass at my hotel yesterday morning but was careful to logout. I also never leave boarding passes behind or around in full view, including of hotel maids, although I was in a situation yesterday where a couple people I vaguely know could have seen the number for about a minute, in addition of course to TSA employees, PreCheck security line dragons, and DL airport staff. The guy sitting next to me on the flight could also have seen my boarding pass for a minute or so as I was getting settled, but I didn't notice him using delta.dumb in the middle of the flight.
MSPeconomist is offline  
Old May 4, 2015, 12:47 pm
  #2  
 
Join Date: Jun 2013
Location: YTO/DEL/BOM/GAU
Programs: A few airlines, hotel programs and car rentals
Posts: 1,238
I believe only the last 4 digits of your FF number (along with your DL/ST status) are printed on your paper BPs, right? Are you sure you did not leave your DM card out in the open?

Also, if I have to print a BP, I always save it as a pdf on my personal computer, transfer it to a thumb-drive (I always carry one), and then take the print out directly from the drive. A little tedious, but very secure. I try not to use a public computer to access the account!

I would suggest using the app, as I think it is more secure.

On another note, I have to log in and check my account!
AvidFlyer1990 is offline  
Old May 4, 2015, 12:57 pm
  #3  
 
Join Date: Dec 2008
Location: NYC, BOS, ORD
Programs: AA EXP, DL PM
Posts: 843
I had this happen this morning - it locked me out twice / had to reset my password twice. It took on the 3rd try. Didn't think to look at account (or other FQTV programs) for suspicious activity initially but I just did and all looks fine...
SFTNYC is offline  
Old May 4, 2015, 12:58 pm
  #4  
A FlyerTalk Posting Legend
Original Poster
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,409
Originally Posted by AvidFlyer1990
I believe only the last 4 digits of your FF number (along with your DL/ST status) are printed on your paper BPs, right? Are you sure you did not leave your DM card out in the open?

Also, if I have to print a BP, I always save it as a pdf on my personal computer, transfer it to a thumb-drive (I always carry one), and then take the print out directly from the drive. A little tedious, but very secure. I try not to use a public computer to access the account!

I would suggest using the app, as I think it is more secure.

On another note, I have to log in and check my account!
You're right about the boarding pass, although the complete FF number does appear under passenger information on the itinerary. I usually print one to make sure that the printer works before proceeding to do OLCI.

I have my DL FF number memorized so I almost never pull out the card, although I do carry it with me. Similarly, I enter SCs using my boarding pass and photo ID, without showing a card.

I try to avoid carrying a laptop when I travel if I can avoid it, plus I'm not sure that all hotel computers/printers have the capacity to take a thumb drive. Some of these beasts are ancient.

Finally, I have no choice but to print boarding passes as I'm required to submit them for reimbursement.

If someone knows the PNR and name, they can access the itinerary, right? And that has the FF number, so I believe that would be a way to access the account from seeing a boarding pass.

If it wasn't the boarding pass, I have no idea how someone could have seen any of my account information recently. I'm very careful.
MSPeconomist is offline  
Old May 4, 2015, 12:59 pm
  #5  
FlyerTalk Evangelist
 
Join Date: Jun 2006
Location: LAX/BOS/HKG/AMS/SFO...hmm, I need a life.
Programs: United1K, AA ExPlAAt, DL MM/Gold, Hilton Diamond, Avis First
Posts: 13,316
Originally Posted by MSPeconomist
Has anyone else experienced an attempt to hack their DL FF account recently? Apparently someone was busy while I was on a DL flight last night.

It sounds like the person knew the account number, or more specifically knew that my number was a valid account number, but fortunately they were unable to guess my password before the account was locked. DL IT told me the exact time and was able to state that there had been no transactions. In addition, I was told that the attempts were through delta.dumb.

I called, did the password reset, and checked for myself that there was no activity or mischief.

I also checked my other major air and hotel accounts just to be sure and didn't see any evidence of anyone but me being in there.

Is this a one-off situation, perhaps targeted at me or my account individually, or has anyone else seen the same thing?

I printed a boarding pass at my hotel yesterday morning but was careful to logout. I also never leave boarding passes behind or around in full view, including of hotel maids, although I was in a situation yesterday where a couple people I vaguely know could have seen the number for about a minute, in addition of course to TSA employees, PreCheck security line dragons, and DL airport staff. The guy sitting next to me on the flight could also have seen my boarding pass for a minute or so as I was getting settled, but I didn't notice him using delta.dumb in the middle of the flight.
Had it happen once a long time ago. DL Web support deduced that the person entered the wrong account number (off by 1) and then proceeded to attempt to log in and was blocked after several attempts. I would guess it was something like that vs something nefarious.
avidflyer is offline  
Old May 4, 2015, 1:00 pm
  #6  
FlyerTalk Evangelist
 
Join Date: Apr 2009
Location: Bye Delta
Programs: AA EXP, HH Diamond, IHG Plat, Hyatt Plat, Marriott Plat, Nat'l Exec Elite, Avis Presidents Club
Posts: 16,273
It's impossible to really say. It could be targeted at you, either from the hotel computer, boarding pass, or similar (though many boarding pass formats now mask all but the last few digits of the SM #). Or it could be someone simply brute forcing with the knowledge that account numbers are all ten digits. If I were trying to brute force accounts, I would be taking a list of 3-5 common, easy passwords and trying them against random numbers and hoping to get lucky. Or it could just be someone who typo'd their own SM # and it happened to be yours instead.

Suggestion: Do not log in to your account on hotel computers, use your name and reservation number to check in. Much lower impact if anybody happens to be snooping, and less than 24 hours later the information becomes useless.
javabytes is offline  
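Added example, not part of any post in this thread: a sketch of how a login service could tell apart the three explanations raised above (a mistyped account number, one account being guessed repeatedly, or a few passwords tried across many numbers) from its failed-login records. The event layout, the source addresses, the account numbers and both thresholds are constructed assumptions, and "one digit apart" is used as a stand-in for the typo case.

```python
from collections import defaultdict

# Constructed sample of login events: (source, account_number, succeeded).
EVENTS = (
    [("198.51.100.7", "1234567890", False)] * 4      # one account, locked out
    + [("198.51.100.7", "1234567891", True)]         # same source, own number
    + [("203.0.113.9", f"200000000{i}", False) for i in range(5) for _ in range(2)]
    + [("192.0.2.44", "3141592653", False)] * 6      # one account, no success
)

def one_digit_apart(a, b):
    """True when two account numbers differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def classify_sources(events, spray_accounts=4, max_tries=3):
    """Label each source by the shape of its failed logins.

    spray_accounts and max_tries are illustrative thresholds, not values
    taken from any real lockout policy.
    """
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for source, account, ok in events:
        if ok:
            successes[source].add(account)
        else:
            failures[source][account] += 1

    labels = {}
    for source, per_account in failures.items():
        # Many accounts, only a few tries each: stays under per-account lockout.
        if len(per_account) >= spray_accounts and max(per_account.values()) <= max_tries:
            labels[source] = "password-spray"
        # Failures on a number next to one this source legitimately uses.
        elif any(one_digit_apart(f, s) for f in per_account for s in successes[source]):
            labels[source] = "likely-typo"
        else:
            labels[source] = "repeated-guessing"
    return labels

if __name__ == "__main__":
    for source, label in classify_sources(EVENTS).items():
        print(source, label)
```

A per-account lockout counter alone only catches the last two patterns; the first needs counting across accounts per source, as done here.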
Old May 4, 2015, 1:03 pm
  #7  
A FlyerTalk Posting Legend
Original Poster
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,409
Originally Posted by avidflyer
Had it happen once a long time ago. DL Web support deduced that the person entered the wrong account number (off by 1) and then proceeded to attempt to log in and was blocked after several attempts. I would guess it was something like that vs something nefarious.
Thanks. That's reassuring, but now I'm rethinking about whether it's wise to even open an account on one's own machine in public, where someone might be watching your screen or your keystrokes. The app on the phone stays logged in so that one can keep checking seat maps and upgrade lists there rather than through the main delta.dumb website.
MSPeconomist is offline  
Old May 4, 2015, 1:08 pm
  #8  
A FlyerTalk Posting Legend
Original Poster
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,409
Originally Posted by javabytes
It's impossible to really say. It could be targeted at you, either from the hotel computer, boarding pass, or similar (though many boarding pass formats now mask all but the last few digits of the SM #). Or it could be someone simply brute forcing with the knowledge that account numbers are all ten digits. If I were trying to brute force accounts, I would be taking a list of 3-5 common, easy passwords and trying them against random numbers and hoping to get lucky. Or it could just be someone who typo'd their own SM # and it happened to be yours instead.

Suggestion: Do not log in to your account on hotel computers, use your name and reservation number to check in. Much lower impact if anybody happens to be snooping, and less than 24 hours later the information becomes useless.
I just did this exercise. Without logging in, I used my PNR and name to pull up the itinerary. My full DL FF number appears near the end.

I find it easier to use the FF number when I'm doing OLCI as I have that memorized. Sometimes I haven't even planned to do this when I do, but I notice that a hotel lounge computer isn't being used or I'm passing through the lobby and the Linked@Sheraton area reminds me that I can do OLCI now.
MSPeconomist is offline  
Old May 4, 2015, 1:11 pm
  #9  
 
Join Date: Jun 2013
Location: YTO/DEL/BOM/GAU
Programs: A few airlines, hotel programs and car rentals
Posts: 1,238
Originally Posted by MSPeconomist
You're right about the boarding pass, although the complete FF number does appear under passenger information on the itinerary. I usually print one to make sure that the printer works before proceeding to do OLCI.

I have my DL FF number memorized so I almost never pull out the card, although I do carry it with me. Similarly, I enter SCs using my boarding pass and photo ID, without showing a card.

I try to avoid carrying a laptop when I travel if I can avoid it, plus I'm not sure that all hotel computers/printers have the capacity to take a thumb drive. Some of these beasts are ancient.

Finally, I have no choice but to print boarding passes as I'm required to submit them for reimbursement.

If someone knows the PNR and name, they can access the itinerary, right? And that has the FF number, so I believe that would be a way to access the account from seeing a boarding pass.

If it wasn't the boarding pass, I have no idea how someone could have seen any of my account information recently. I'm very careful.
You are correct, the full name, and the complete FF # appears when you take a printout of your complete itinerary (one of the reasons I avoid taking a printout, except when I am on an international itinerary).

If someone knows your full first and last name, and your PNR, they can access your itinerary (thereby giving them access to your FF#). If possible, you can submit the receipts (they have the ticket number, not the PNR, so if someone gets their hands on it, and isn't too savvy, they might not be able to access it). I suggest doing so, along with your BPs!
AvidFlyer1990 is offline  
Old May 4, 2015, 1:23 pm
  #10  
 
Join Date: Jul 2008
Programs: DL GM, Marriot Platinum, Hilton Diamond, Avis First
Posts: 102
Originally Posted by MSPeconomist
whether it's wise to even open an account on one's own machine in public, where someone might be watching your screen or your keystrokes.
This ^ - For anything! Bank/email/facebook etc....
FlyerBrit is offline  
Old May 4, 2015, 1:24 pm
  #11  
 
Join Date: Feb 2010
Posts: 1,857
Originally Posted by MSPeconomist
Thanks. That's reassuring, but now I'm rethinking about whether it's wise to even open an account on one's own machine in public, where someone might be watching your screen or your keystrokes. The app on the phone stays logged in so that one can keep checking seat maps and upgrade lists there rather than through the main delta.dumb website.
The truly nefarious don't watch, they sniff. And it's pretty easy these days to have a keystroke logger installed without the typist even knowing.
Nugget_Oz is offline  
Old May 4, 2015, 1:58 pm
  #12  
A FlyerTalk Posting Legend
Original Poster
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,409
I totally avoid online banking and online looking at credit card statements, plus I don't often buy stuff on the Internet, never eBay, Craigslist, etc. I don't want my bank account numbers to ever be used on my computer because I sometimes must take it to Russia and China. [My employer doesn't provide a scrubbed loaner.] If I must make an online purchase, I try to do it on my desktop which is hardwired to the internet.
MSPeconomist is offline  
Old May 4, 2015, 2:22 pm
  #13  
 
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,363
Originally Posted by MSPeconomist
I totally avoid online banking and online looking at credit card statements, plus I don't often buy stuff on the Internet, never eBay, Craigslist, etc. I don't want my bank account numbers to ever be used on my computer because I sometimes must take it to Russia and China. [My employer doesn't provide a scrubbed loaner.] If I must make an online purchase, I try to do it on my desktop which is hardwired to the internet.
Being hardwired is no safety net. The most important thing is to ensure your device is clean, and your passwords are sound. Physical control of the device, and proper hygiene is what matters most.

I do strongly agree that accounts have variable security needs. My dl.com account is only mid level for me (out of high, mid, low). But I have about 180K SMs in it and I suspect you likely have at least 10x that amount.

Also, the email account you use as the primary contact on your secure accounts should itself be secure. This is the biggest window into many accounts.
exwannabe is offline  
Old May 4, 2015, 2:26 pm
  #14  
TTT
FlyerTalk Evangelist
 
Join Date: Nov 2004
Location: 45° North
Programs: DL DM MM, HH Diamond
Posts: 10,196
Your full FF number also prints on gate printed boarding passes (seat changes, upgrades, etc). You will want to be careful with those too.
TTT is offline  
Old May 4, 2015, 2:39 pm
  #15  
 
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,363
Originally Posted by TTT
Your full FF number also prints on gate printed boarding passes (seat changes, upgrades, etc). You will want to be careful with those too.
I thought that DL had eliminated the ability for the FF number to be used in a non human transaction?

Still can be an issue if somebody calls in to hack it, but that is rare.
exwannabe is offline  

