
SkyMiles Points Fraud: Will My Points Be Recovered?

Old Sep 16, 2017, 11:34 pm
  #1  
Original Poster
 
Join Date: Sep 2017
Posts: 1
SkyMiles Points Fraud: Will My Points Be Recovered?

Just started booking a flight to go home for a funeral and when I went to my account, 50,000 SkyMiles were missing and used in the market place (practically draining my SkyMiles).

I've already pursued and completed the initial steps (i.e. Obviously reporting it, cancelled my Amex, changed all username password info associated to this, etc.) but I had to leave a message for the revenue fraud dept (? Or whatever it was called..) and now my mind is racing: what if I can't recover those points? What if whatever investigation process they have is limited/not extensive, also resulting in my loss and a "welp. You were smart to react by canceling your card and changing your login info for everything. Sorry this happened to you. Better start flying again soon to start gaining those points back."

At the end of the day, I'm out whatever money I'm going to have to pay out of pocket to attend the funeral which sucks but of course will have to be done, but has anyone ever had a similar situation to this? What was the process like and did you recover your points?

The worst part: when I immediately re-checked my app, there was some bogus email address in place of my own. I'm incredibly uncomfortable with this and feel vulnerable. How could this have happened? I'm intensely careful with all personal/financial information and have worked extremely hard for 10+ years to establish the credit/rewards that I have.

Any insight on the following would be immensely appreciated:
1.) Will my SkyMiles points be returned?

2.) How could this breach of security have happened so I know how to avoid it?

Thank you.
-K
Knilsen07 is offline  
Old Sep 17, 2017, 6:46 am
  #2  
 
Join Date: Sep 2016
Programs: DL PM, Marriott, IHG
Posts: 193
Possible ways that it happened

There are many ways it could have happened. The more likely ones:

- You use the same password on multiple web sites and at least one of them had account information stolen. The person was able to deduce your password from that set of data (i.e. weak or no encryption on passwords)

- You have a weak password and they were able to guess it. They either had your Skymiles (do you have a brag tag) or username (you use the same username on multiple accounts)

- They called Delta and conned them into getting access to your account

- Your computer is infected with malware that steals credentials

The way to protect yourself is to strengthen your security posture.

- Use strong passwords

- Use a password manager

- Bin your online accounts into 3 tiers.

Tier 1) Important- Each has a unique username and unique passwords. Recommend using an email address that is unique.

Tier 2) Useful- Reusing usernames is permissible. Unique passwords are a good idea, but not required. You can use your regular email address.

Tier 3) Throw away- Use a separate email from your normal address to register. The username should only be reused within this Tier.

Last edited by No_Name; Sep 17, 2017 at 6:51 am
No_Name is offline  
Old Sep 17, 2017, 6:50 am
  #3  
FlyerTalk Evangelist
 
Join Date: Apr 2009
Location: Bye Delta
Programs: AA EXP, HH Diamond, IHG Plat, Hyatt Plat, Marriott Plat, Nat'l Exec Elite, Avis Presidents Club
Posts: 16,273
The usual outcome is that your miles are restored, though the process tends to take some time while the theft is investigated.
javabytes is offline  
Old Sep 17, 2017, 9:04 am
  #4  
 
Join Date: Dec 2009
Location: ATL
Programs: Delta Skymiles
Posts: 355
Sorry for your situation and I hope it works out. Thanks for the post, as I had always thought of DL as a lower tier security level (thinking "what, is someone going to book a flight for me?") and had not, for some reason, thought that SMs could be stolen. I took the opportunity to increase the complexity of my PW.
CrazyEddie is offline  
Old Sep 17, 2017, 9:55 am
  #5  
 
Join Date: Jan 2011
Location: DTW
Programs: DL DM, National EE, Hertz PC, IHG PL, Bonvoy Amb
Posts: 1,342
What does your Amex have to do with this? Was that compromised as well?
Anyway, you'll get your miles back.
MarkCron is online now  
Old Sep 17, 2017, 12:44 pm
  #6  
 
Join Date: Jun 2004
Location: ATL
Programs: Delta PlM, 1M
Posts: 6,363
No Name, good advice and I would like to add 2 points.

Third party computers (hotel lobbies, internet shops, ...) can never be secure. Any use of such while accessing a high value account puts it at risk.

[Note, using your own computer over a public WIFI is fine. The WIFI never really provides security. Must be secure leaving your device.]

And the email account issue is huge. It is very easy to perform a "social hack" (calling the company and claiming you lost your password) if you have some info and the email associated with the account.

Virtually nobody is going to set up a bunch of email accounts. But having at least 3 (high security, normal, throw away) really helps.
exwannabe is offline  
Old Sep 17, 2017, 2:02 pm
  #7  
 
Join Date: Nov 2016
Posts: 13
Originally Posted by CrazyEddie
Sorry for your situation and I hope it works out. Thanks for the post, as I had always thought of DL as a lower tier security level (thinking "what, is someone going to book a flight for me?") and had not, for some reason, thought that SMs could be stolen. I took the opportunity to increase the complexity of my PW.
Complexity alone is essentially worthless. You need to ensure that you have long passwords before you worry about complexity. The length is what increases the entropy, or the difficulty of guessing all of the possibilities. If you want to understand more, you can get a quick explanation here: passwordstrengthcalculator DOT com. The calculations are probably outdated in terms of current processing power, but the math behind it is still accurate. You can also watch Lorrie Faith Cranor's TED Talk called "What’s wrong with your pa$$w0rd?"

You need to use a password manager for all of your accounts so that you never have to remember them, which allows you to use unique passwords that are the maximum length possible. You can use diceware to generate long passphrases that are easy to remember for the master password to your password manager. The password manager encrypts all of your passwords end-to-end so they can be stored safely in your phone and/or computer, as well as synced to the cloud. The cloud storage never sees the cleartext passwords.

Your password manager and each individual account should also use multi/two-factor authentication. Even if someone steals your password, they still need something else (e.g., your phone) in order to access your account. Unfortunately, Delta still doesn't offer this basic feature that provides you with exponentially better account security.

Once you're using a password manager, you can easily lie when answering security questions because you no longer have to remember your answers. Most security questions are easy to hack because that information can be gathered online. Use a random phrase generator to create your answers and then store them in the password manager.

Always use a VPN when connected to the Internet, not just when you're using WiFi. VPN services are cheap and most allow for multiple devices per account.

Treat your boarding passes like credit cards. They have a lot of unencrypted personal information encoded in them. Try using a barcode scanner app and see for yourself. Don't throw them in the trash; shred them at home.

One last useful tip regarding travel security, never post anything about your current or future whereabouts on social media. No one needs to have a minute by minute account of your life. If you must share your travels, wait until you're home to recap everything. You're only telling everyone that your home is likely unprotected for however long you'll be gone.
NegativeGhostrider is offline  
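The length-versus-complexity arithmetic from the post above, as an added example that is not part of the thread. It assumes every character or word is picked uniformly at random (human-chosen passwords score far lower); the guess rate and the short demo word list are constructed for illustration.

```python
import math
import secrets

def random_password_bits(length, alphabet_size):
    """Entropy in bits of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def passphrase_bits(n_words, wordlist_size=7776):
    """Entropy of n random words; 7776 = 6**5 is the size of a five-dice Diceware list."""
    return n_words * math.log2(wordlist_size)

def length_needed(target_bits, alphabet_size):
    """Shortest random password over this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a 2**bits search space."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def diceware_passphrase(wordlist, n_words):
    """Pick words with a CSPRNG; the strength comes from the random choice, not the words."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# Constructed demo list (8 words = 3 bits per word). A real Diceware list has 7776.
DEMO_WORDS = ["anchor", "bristle", "cobalt", "dune", "ember", "fjord", "gravel", "hollow"]

# Assumed attacker speed against a fast, unsalted hash (illustrative figure only).
ASSUMED_GUESSES_PER_SECOND = 1e10

def compare():
    """Return (label, bits, years to exhaust) for three ways of choosing a secret."""
    cases = [
        ("8 chars, 94 printable symbols", random_password_bits(8, 94)),
        ("16 chars, lowercase only", random_password_bits(16, 26)),
        ("6 Diceware words", passphrase_bits(6)),
    ]
    return [(label, bits, years_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND))
            for label, bits in cases]

if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:32s} {bits:6.2f} bits  {years:14.2f} years to exhaust")
    print("80 bits needs", length_needed(80, 94), "mixed-symbol chars or",
          length_needed(80, 26), "lowercase chars")
    print("demo passphrase:", diceware_passphrase(DEMO_WORDS, 6))
```

The short "complex" password falls in days at the assumed rate, while the longer lowercase-only password and the six-word passphrase hold out for well over a hundred thousand years.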
Old Sep 17, 2017, 3:21 pm
  #8  
 
Join Date: Dec 2009
Location: ATL
Programs: Delta Skymiles
Posts: 355
Originally Posted by NegativeGhostrider
Complexity alone is essentially worthless.
I had not thought about that, but in this case I made my PW longer as well as more complex.

Originally Posted by NegativeGhostrider
You need to use a password manager for all of your accounts so that you never have to remember them, which allows you to use unique passwords that are the maximum length possible. You can use diceware to generate long passphrases that are easy to remember for the master password to your password manager. The password manager encrypts all of your passwords end-to-end so they can be stored safely in your phone and/or computer, as well as synced to the cloud. The cloud storage never sees the cleartext passwords.
I have thought about this before and worried about the security of the PW manager. Is that a valid concern?

Originally Posted by NegativeGhostrider
Your password manager and each individual account should also use multi/two-factor authentication. Even if someone steals your password, they still need something else (e.g., your phone) in order to access your account. Unfortunately, Delta still doesn't offer this basic feature that provides you with exponentially better account security.
I, for one, am not as concerned about DL and would probably be irritated to have to authenticate each time I log in with DL. Yes, I am now aware that my SMs are at risk, but it's not as material (to me) as my financial accounts and some other things that are more important.

Originally Posted by NegativeGhostrider
Treat your boarding passes like credit cards. They have a lot of unencrypted personal information encoded in them. Try using a barcode scanner app and see for yourself. Don't throw them in the trash; shred them at home.
This was news to me - thanks!

Again, this is way off topic but I appreciate the info. I still think that there are some accounts that are of little concern to me (my WSJ.com account for example), but I'm overdue to look over all of my stuff to reconsider.
CrazyEddie is offline  
Old Sep 17, 2017, 5:11 pm
  #9  
Moderator: Hyatt; FlyerTalk Evangelist
 
Join Date: Jun 2015
Location: WAS
Programs: :rolleyes:, DL DM, Mlife Plat, Caesars Diam, Marriott Tit, UA Gold, Hyatt Glob, invol FT beta tester
Posts: 18,931
Originally Posted by NegativeGhostrider
Once you're using a password manager, you can easily lie when answering security questions because you no longer have to remember your answers. Most security questions are easy to hack because that information can be gathered online. Use a random phrase generator to create your answers and then store them in the password manager.
This. All my "security" questions, where they are free form and not selected from a drop-down, are nonsense strings generated by a password manager.

The ones that have choices restricted to a drop-down, I don't have to answer truthfully because the pw manager remembers for me (I keep track in the "notes" field)

The rest of the advice I didn't quote is also on point.

Originally Posted by CrazyEddie
I have thought about this before and worried about the security of the PW manager. Is that a valid concern?
I would say yes, but still less of a concern overall compared with not using one.
Zorak is offline  
Old Sep 17, 2017, 5:21 pm
  #10  
FlyerTalk Evangelist
 
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others
Posts: 12,159
Delta should be able to audit your account and determine how the points were taken and the email address changed. The owner of the bogus email address's domain can also provide some information, if they're willing to not be the criminal's accomplice.
sethb is offline  
Old Sep 17, 2017, 7:44 pm
  #11  
 
Join Date: Nov 2016
Posts: 13
Originally Posted by CrazyEddie
I have thought about this before and worried about the security of the PW manager. Is that a valid concern?
Your concern is valid, but properly using a well developed password manager provides you with significantly better security than trying to rely on your mere human abilities.

We are terrible at memorization, which leads to weak passwords and password reuse. Weak passwords can be cracked almost instantly. If you're reusing a weak password on multiple accounts, hacking into them is trivial because the first thing I am going to try is your weak password that I already cracked.

When passwords are generated, a one-way hash algorithm is applied in order to scramble the password for storage in the user database. Passwords can not be reverse engineered from the hash, but nothing stops hackers from computing all of the possible hash values. Once you find a hash that matches one in the database, you now know what the password was that generated the hash.

However, hackers are lazy and only have so many resources (time and money) available to devote to cracking your password. It is easier for them to focus on all of the weak passwords, steal what they can from those accounts, and then move on to the next database. If you are using long and unique passwords, they will "never" be able to find the matching hash because it would take lifetimes upon lifetimes of guessing. Therefore, the use of a password manager is your only hope of truly protecting your accounts.

Again, using a long diceware generated master passphrase for your password manager makes that extremely difficult to crack. Second, using two factor authentication means that someone would not only have to crack the passphrase, but also steal the device you're using to generate authentication codes that are only valid for a few seconds. Google Authenticator is one of the best options. Codes delivered via text message or email are less desirable because they can be intercepted quite easily, but they are better than nothing.

Lastly, if your password manager is open source software with a highly active development history, you can trust that the community of users, developers, and security researchers are constantly probing the software for vulnerabilities. It also ensures that the software is designed to do what it is said to do and that no one has built in back doors or jeopardized the encryption being used.

The bottom line is:

1. Pick an open source password manager with an active development community.
2. Utilize a long passphrase for your master password to the password manager.
3. Import all of your old account credentials into the password manager and then generate new passwords for each account and delete any old saved passwords from your browser and devices.
4. Enable two factor authentication for your password manager and every account that already offers it. Unfortunately, you'll be disappointed in how few companies take your security seriously.
NegativeGhostrider is offline  
Old Sep 17, 2017, 9:08 pm
  #12  
 
Join Date: Dec 2009
Location: ATL
Programs: Delta Skymiles
Posts: 355
Originally Posted by NegativeGhostrider
The bottom line is:
1. Pick an open source password manager with an active development community.
2. Utilize a long passphrase for your master password to the password manager.
3. Import all of your old account credentials into the password manager and then generate new passwords for each account and delete any old saved passwords from your browser and devices.
4. Enable two factor authentication for your password manager and every account that already offers it. Unfortunately, you'll be disappointed in how few companies take your security seriously.
Thanks again. I've already spent a few hours on this process, including prioritizing the many places I need to change PWs. Any recommendations on #1 - especially one that I can use to change the passwords automatically, as opposed to manually for each?
CrazyEddie is offline  
Old Sep 17, 2017, 10:12 pm
  #13  
 
Join Date: Nov 2016
Posts: 13
PC Mag has a decent comparison of password managers, but you need to review them and select what suits your needs the best. What works best for others might not work best for you.

That said, you will typically see LastPass and Dashlane as the most commonly recommended options.
NegativeGhostrider is offline  
Old Sep 17, 2017, 10:37 pm
  #14  
 
Join Date: May 2002
Location: Portland, OR
Programs: DL MM Plat, PC&HH Gold
Posts: 2,602
Delta.dumb needs to adopt 2-factor authentication.
doglover is offline  
Old Sep 18, 2017, 7:00 am
  #15  
 
Join Date: Dec 2009
Location: ATL
Programs: Delta Skymiles
Posts: 355
Originally Posted by NegativeGhostrider
PC Mag has a decent comparison of password managers, but you need to review them and select what suits your needs the best. What works best for others might not work best for you.

That said, you will typically see LastPass and Dashlane as the most commonly recommended options.
After posting my last request, I realized that might be asking a bit too much, especially for you to endorse a PW manager on a public forum in response to a request from someone you don't know. Thanks for the PCMag reference (although I looked at it and found it somewhat confusing, at least when compared to a few other recent reviews). That said, I had downloaded and am testing LastPass. Is it open-source?
CrazyEddie is offline  

