
Skymiles account hacked, points drained


Old Oct 20, 18, 11:42 am
  #46  
 
Join Date: Sep 2009
Location: HNL
Programs: DL DM, BW DE (lifetime), HH DE, Marriott PE (lifetime GE), National Emerald Executive
Posts: 6,192
Originally Posted by spamkiller View Post
A password manager does have to decrypt the password to fill the form.
Exactly! This by the very nature of it is a major risk factor for password managers: they do not log you into a site directly, they have to decrypt your password first and then enter it in plain text. The moment there is a mechanism for decryption, as I was explaining earlier, there is a heavier risk of a backdoor, or your password to unlock the password manager being exposed. All it takes is for a keylogger to log your password into the password manager and they have access to ALL your passwords, not just the one site you were logging into (unless the password manager also requires a physical hardware key or such... potentially 2FA, but only if configured and set securely, as too often it's not). As I said, it is for lazy people who like to feel good, while all too often needlessly endangering their security and doing quite the opposite of what they imagine they are doing in their infinite wisdom.

That being said, there are, of course, different grades of password managers. All have some major core risks, but some have a lot more risk factors than others.

The best password manager? Still your mind.
RealHJ is offline  
Old Oct 20, 18, 12:34 pm
  #47  
 
Join Date: Oct 2017
Location: BNA
Programs: DL GM, HH Diamond
Posts: 458
Originally Posted by RealHJ View Post
The best password manager? Still your mind.
Agreed, if you do it correctly. Although I would argue most people have less net risk using a password manager versus typical weak passwords.
defrosted is offline  
Old Oct 20, 18, 12:41 pm
  #48  
pvn
Suspended
 
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
Originally Posted by RealHJ View Post
I don't think you know what you are talking about. You must be using weak random character passwords, vs. phrase and such passwords that are exponentially more difficult to crack, yet easy to remember even for those with a weak memory (while for anyone with normal to above memory, memorizing several passwords is no problem, since most attach a meaning even to a seemingly random keys password - I think you must be missing the commonly employed tactics of memorization).
You're almost certainly massively overestimating the security of xkcd-style passphrases.

Since I'm using a password manager and not trying to remember them, I don't need to use "weak" random character passwords (there's no limit on how long I can make them since I don't have to remember them and there's zero chance I'll reuse them).

xkcd-style passwords are certainly better than "password" and maybe even better than eight random characters.

I have a pretty decent memory but there's no way I can remember 200 different four-word phrases, especially considering a high percentage of those are sites I might only visit once a year (but have a very high cost if they're compromised).
pvn is offline  
Old Oct 20, 18, 12:44 pm
  #49  
pvn
Suspended
 
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
Originally Posted by spamkiller View Post
Really? How do you know the security of the password manager? How do you know there is no backdoor to it? https://thehackernews.com/2017/02/pa...ager-apps.html

A password manager does have to decrypt the password to fill the form.
It's certainly possible that the password manager is compromised but the likelihood my particular info is breached is small (I use KeePassX, which is offline and open source). For someone to get my passwords they'd have to both get access to my physical devices and be able to decrypt the database.

That's EXTREMELY unlikely unless I'm targeted by state-level organizations, which is definitely not the threat model I'm worried about (if it comes to that, I've already got a lot more things to worry about).
pvn is offline  
Old Oct 20, 18, 12:48 pm
  #50  
pvn
Suspended
 
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
Originally Posted by RealHJ View Post
All it takes is for a keylogger to log your password into the password manager and they have access to ALL your passwords, not just the one site you were logging into
If you get hit by a key logger then your passwords in your head that you actually use are compromised too. And if you're using an offline manager then the attacker still doesn't have access to your database.

I mean it's not like these keyloggers only work once and then self-destruct.

If you're using a password manager, you're also immune to physical keyloggers.
pvn is offline  
Old Oct 20, 18, 1:48 pm
  #51  
 
Join Date: Sep 2009
Location: HNL
Programs: DL DM, BW DE (lifetime), HH DE, Marriott PE (lifetime GE), National Emerald Executive
Posts: 6,192
Originally Posted by pvn View Post
If you get hit by a key logger then your passwords in your head that you actually use are compromised too. And if you're using an offline manager then the attacker still doesn't have access to your database.

I mean it's not like these keyloggers only work once and then self-destruct.

If you're using a password manager, you're also immune to physical keyloggers.
You're right, yes, that an off-line password manager, esp. with 2FA and individual encryption of each password (with unique keys), is a pretty solid way to go.

Many, however, use online password managers with dubious security measures.
RealHJ is offline  
Old Oct 20, 18, 1:53 pm
  #52  
 
Join Date: Dec 2012
Location: MSP
Programs: DL Diamond, Marriott Life Plat, HHonors DM
Posts: 96
I am so sorry this happened to you (along with the other issues I read about further on). I am sorry that I cannot help in any way, but I wanted to thank you for posting, because it made me go in and change my password on Delta.com (I have almost 2 million miles accumulated). I had not changed it since 2014 and it was a common one I used back in the day and probably still have active on other websites. While that doesn't help you, once again, thank you for posting.
MinnTee is offline  
Old Oct 20, 18, 10:26 pm
  #53  
 
Join Date: Sep 2016
Location: HSV
Programs: Bellevue Lifetime Premiere Mega Elite Supreme
Posts: 1,232
Originally Posted by slidergirl View Post
I only have 2 devices that I use. I use the 2-step authorization when possible. I don't have a password manager. I've gone in and changed passwords to frequently used accounts that are used for purchasing or services.
Yet... someone was still able to gain access and steal your Skymiles.

Perhaps someone you are familiar with gained access to your computer? Have you run a proper system check for any malware or keylogger?

Regardless, I hope you’re able to get Delta to redeposit your lost miles.

Also, as is wont to be on the internet, your thread has taken a bit of a detour.
TheHorta is offline  
Old Oct 20, 18, 11:31 pm
  #54  
 
Join Date: Apr 2012
Programs: Delta DM/MM, Marriott Gold
Posts: 456
Originally Posted by pvn View Post
If you get hit by a key logger then your passwords in your head that you actually use are compromised too. And if you're using an offline manager then the attacker still doesn't have access to your database.

I mean it's not like these keyloggers only work once and then self-destruct.

If you're using a password manager, you're also immune to physical keyloggers.
No, you are wrong. If a key logger is being used, it will log the login to the key logger. A key logger does not intercept web traffic, but it hooks into the keyboard input. Probably using SetWindowsHookEx(WH_KEYBOARD_LL,...); They would do this in a small program that gets called as a startup or set it up as a service. Actually, I'd set up a second service that will handle sending the data, and a 3rd to make sure that the other programs and services were not messed with. This is mostly off the top of my head since I never had to write a full keylogger, just something to monitor the Windows and Alt keys for a terminal server client which uses a high speed proprietary protocol.

But as an added layer of security, I use unique e-mail addresses for everything.
spamkiller is offline  
Old Oct 21, 18, 12:20 am
  #55  
Original Poster
 
Join Date: Jul 2008
Location: Exactly where I want to be
Programs: IHG Gold,SPG Gold, HH Gold, Marriott Gold, Hyatt Discoverist, Delta Kettle, AMEX Plat, DL AMEX Plat
Posts: 1,391
Originally Posted by TheHorta View Post
Yet... someone was still able to gain access and steal your Skymiles.

Perhaps someone you are familiar with gained access to your computer? Have you run a proper system check for any malware or keylogger?

Regardless, I hope you’re able to get Delta to redeposit your lost miles.

Also, as is wont to be on the internet, your thread has taken a bit of a detour.
I am the only one with access to my MacBook and iPhone. Advantage of living alone. I have a malware program that runs frequently on a schedule, once a week. Yet, I was one of quite a few who had miles drained that day. And, as I've had a little more time to look for crumbs (I used to be a network software engineer that tested software), I've kind of been led to some things that I will investigate further for the non-Delta issues. No one gets out cleanly...

Last edited by slidergirl; Oct 21, 18 at 6:52 pm
slidergirl is offline  
Old Oct 21, 18, 5:22 am
  #56  
pvn
Suspended
 
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
Originally Posted by spamkiller View Post
No, you are wrong. If a key logger is being used, it will log the login to the key logger. A key logger does not intercept web traffic, but it hooks into the keyboard input. Probably using SetWindowsHookEx(WH_KEYBOARD_LL,...);
I guess you should re-read my post, since my claim of a password manager giving immunity against keyloggers was specifically qualified to physical keyloggers.
pvn is offline  
Old Oct 27, 18, 11:17 am
  #57  
Original Poster
 
Join Date: Jul 2008
Location: Exactly where I want to be
Programs: IHG Gold,SPG Gold, HH Gold, Marriott Gold, Hyatt Discoverist, Delta Kettle, AMEX Plat, DL AMEX Plat
Posts: 1,391
An update: This is getting silly. Yes, it's not millions of miles, but they are MY miles and I want them back and access to my account.

Since I had received ZERO responses from Delta, I decided to call again. Once again, the phone program did not recognize my FF#, so shot me to a random agent. I went through the whole thing again and said that I had not received any responses yet. The agent looked at my account and said "well it is locked for a security issue." I said "yes I reported this 3 weeks ago." She can't see any documentation that anything was being investigated. She then said "you need to send us a copy of your Driver's License for us to proceed." Why the Hell did someone tell me this earlier??? So, she points me to the "contact us" page to send another email. It won't let me enter my FF# because it is "unknown". She can't understand why, since she can see it and the account. So she says to send it without the number, put the number as the first line of the comment, and attach a photo of my DL. I do that. THEN, she says it will take 3-4 weeks to get this resolved. I said it's already been 3 weeks - she says the clock starts again and it will be 3-4 weeks before I know IF I GET MY ACCOUNT BACK.

I've got flights out on Nov.1 - I'm just waiting to get "dinged" at the gate and taken away for being a fraud.... Maybe if I were a Diamond MMer, this would have been fixed quickly. But, this is really poor service for a lowly SM member...
slidergirl is offline  
Old Oct 27, 18, 2:35 pm
  #58  
 
Join Date: Sep 2016
Location: HSV
Programs: Bellevue Lifetime Premiere Mega Elite Supreme
Posts: 1,232
Bees. Honey. Vinegar.

If you can strike a rapport with an agent, they will often take a personal interest in your dilemma. If you’re caustic, they won’t do more than the bare minimum to help and will be counting the seconds until they hang up.

If you get an agent at the end of a long shift, or if they feel like you’re not worth going the extra mile for, those weeks will turn into months.

Remember, from their perspective, one which is not altogether unmerited, your problem is self-inflicted by your inability to keep your login information secure — regardless of how you feel about it.
TheHorta is offline  
Old Oct 27, 18, 4:00 pm
  #59  
 
Join Date: Aug 2018
Location: SEA
Programs: DL DM
Posts: 129
Originally Posted by slidergirl View Post
An update: This is getting silly. Yes, it's not millions of miles, but they are MY miles and I want them back and access to my account.

Since I had received ZERO responses from Delta, I decided to call again. Once again, the phone program did not recognize my FF#, so shot me to a random agent. I went through the whole thing again and said that I had not received any responses yet. The agent looked at my account and said "well it is locked for a security issue." I said "yes I reported this 3 weeks ago." She can't see any documentation that anything was being investigated. She then said "you need to send us a copy of your Driver's License for us to proceed." Why the Hell did someone tell me this earlier??? So, she points me to the "contact us" page to send another email. It won't let me enter my FF# because it is "unknown". She can't understand why, since she can see it and the account. So she says to send it without the number, put the number as the first line of the comment, and attach a photo of my DL. I do that. THEN, she says it will take 3-4 weeks to get this resolved. I said it's already been 3 weeks - she says the clock starts again and it will be 3-4 weeks before I know IF I GET MY ACCOUNT BACK.

I've got flights out on Nov.1 - I'm just waiting to get "dinged" at the gate and taken away for being a fraud.... Maybe if I were a Diamond MMer, this would have been fixed quickly. But, this is really poor service for a lowly SM member...
On your upcoming flight do you perhaps have access to a lounge? Here's what I would try. Write out everything that's happened with dates in short bullet points. Whoever you talk to, be it an agent on the phone or in person, be very precise and polite - forget your frustration for a moment. If you have access to a lounge, pay the fee to enter and see a customer service rep in person. Maybe by speaking to someone in person they can offer you better assistance.

By the sound of it your account seems to be in a lockdown status from access due to the compromise and drainage of miles. They seem to be taking caution to make sure that when they reactivate it they do so to the rightful owner.
pulpfiction78 is offline  
Old Oct 27, 18, 4:08 pm
  #60  
 
Join Date: Aug 2018
Location: SEA
Programs: DL DM
Posts: 129
A quick edit to say that I regret trying to stoke the fire on the security discussion. I will leave my original quote, below, but also say that let's try to focus on the original issue. None of us here know how the account got compromised so it's hard to offer advice in that sense. In hindsight, a plausible cause of Delta compromises could just be a successful phishing attack. They are very sophisticated these days. Happy weekend, everyone!


By the way, there is a lot of silly advice on password security here (I'm looking at you, who claims remembering 30 different passwords is a laughably easy feat). Most compromises happen from a shared password. Focus more on using unique passwords for each service and when available use 2 factor authentication. In terms of how you store your passwords use a password manager, or even allow Google to do it (if you do, make certain you use 2 factor authentication on Google itself). If you somehow get compromised with doing that there's probably not a lot you could have done to prevent it in the first place.

Last edited by pulpfiction78; Oct 27, 18 at 4:39 pm Reason: Regret
pulpfiction78 is offline  