Skymiles account hacked, points drained
#46
Join Date: Sep 2009
Location: HNL
Programs: DL PM/1MM, BW DE (lifetime), HH DE, Marriott PE (lifetime), National Emerald Executive
Posts: 7,204
That being said, there are, of course, different grades of password managers. All have some major core risks, but some have a lot more risk factors than others.
The best password manager? Still your mind.
#47
Join Date: Oct 2017
Location: BNA
Programs: DL GM, HH Diamond
Posts: 1,027
#48
Suspended
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
I don't think you know what you are talking about. You must be using weak random character passwords, vs. phrase and such passwords that are exponentially more difficult to crack, yet easy to remember even for those with a weak memory (while for anyone with normal to above memory, memorizing several passwords is no problem, since most attach a meaning even to a seemingly random keys password - I think you must be missing the commonly employed tactics of memorization).
Since I'm using a password manager and not trying to remember them, I don't need to use "weak" random character passwords (there's no limit on how long I can make them since I don't have to remember them and there's zero chance I'll reuse them).
xkcd-style passwords are certainly better than "password" and maybe even better than eight random characters.
I have a pretty decent memory but there's no way I can remember 200 different four-word phrases, especially considering a high percentage of those are sites I might only visit once a year (but have a very high cost if they're compromised).
#49
Suspended
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
Really? How do you know the security of the password manager? How do you know there is no backdoor to it? https://thehackernews.com/2017/02/pa...ager-apps.html
A password manager does have to decrypt the password to fill the form.
A password manager does have to decrypt the password to fill the form.
That's EXTREMELY unlikely unless I'm targeted by state-level organizations, which is definitely not the threat model I'm worried about (if it comes to that, I've already got a lot more things to worry about).
#50
Suspended
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
I mean it's not like these keyloggers only work once and then self-destruct.
If you're using a password manager, you're also immune to physical keyloggers.
#51
Join Date: Sep 2009
Location: HNL
Programs: DL PM/1MM, BW DE (lifetime), HH DE, Marriott PE (lifetime), National Emerald Executive
Posts: 7,204
If you get hit by a key logger then your passwords in your head that you actually use are compromised too. And if you're using an offline manager then the attacker still doesn't have access to your database.
I mean it's not like these keyloggers only work once and then self-destruct.
If you're using a password manager, you're also immune to physical keyloggers.
I mean it's not like these keyloggers only work once and then self-destruct.
If you're using a password manager, you're also immune to physical keyloggers.
Many, however, use online password managers with dubious security measures.
#52
Join Date: Dec 2012
Location: MSP
Programs: DL Platinum, Marriott Life Plat, HHonors DM
Posts: 116
I am so sorry this happened to you (along with the other issues I read about further on). I am sorry that I cannot help in any way, but I wanted to thank you for posting, because it made me go in and change my password on Delta.com (I have almost 2 million miles accumulated). I had not changed it since 2014 and it was a common one I used back in the day and probably still have active on other websites. While that doesn't help you, once again, thank you for posting.
#53
Join Date: Sep 2016
Location: HSV
Programs: Bellevue Lifetime Premiere Mega Elite Supreme
Posts: 1,509
Perhaps someone you are familiar with gained access to your computer? Have you run a proper system check for any malware or keylogger?
Regardless, I hope you’re able to get Delta to redeposit your lost miles.
Also, as is wont to be on the internet, your thread has taken a bit of a detour.
#54
Join Date: Apr 2012
Location: California
Programs: DeltaSilver/MM, Marriott Platinum
Posts: 494
If you get hit by a key logger then your passwords in your head that you actually use are compromised too. And if you're using an offline manager then the attacker still doesn't have access to your database.
I mean it's not like these keyloggers only work once and then self-destruct.
If you're using a password manager, you're also immune to physical keyloggers.
I mean it's not like these keyloggers only work once and then self-destruct.
If you're using a password manager, you're also immune to physical keyloggers.
But as an added layer of security, I use unique e-mail addresses for everything.
#55
Original Poster
Join Date: Jul 2008
Location: Exactly where I want to be
Programs: IHG Gold,SPG Gold, HH Gold, Marriott Gold, Hyatt Discoverist, Delta Kettle, AMEX Plat, DL AMEX Plat
Posts: 1,434
Yet... someone was still able to gain access and steal your Skymiles.
Perhaps someone you are familiar with gained access to your computer? Have you run a proper system check for any malware or keylogger?
Regardless, I hope you’re able to get Delta to redeposit your lost miles.
Also, as is wont to be on the internet, your thread has taken a bit of a detour.
Last edited by slidergirl; Oct 21, 2018 at 6:52 pm
#56
Suspended
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
I guess you should re-read my post, since my claim of a password manager giving immunity against keyloggers was specifically qualified to physical keyloggers.
#57
Original Poster
Join Date: Jul 2008
Location: Exactly where I want to be
Programs: IHG Gold,SPG Gold, HH Gold, Marriott Gold, Hyatt Discoverist, Delta Kettle, AMEX Plat, DL AMEX Plat
Posts: 1,434
An update: This is getting silly. Yes, it's not millions of miles, but there are MY miles and I want them back and access to my account.
Since I had received ZERO responses from Delta, I decided to call again. Once again, the phone program did not recognize my FF#, so shot me to an random agent. I went through the whole thing again and said that I had not received any responses yet. The agent looked at my account and said "well it is locked for a security issue." I said "yes I reported this 3 weeks ago." She can't see any documentation that anything was being investigated. She then said "you need to send us a copy of your Drivers License for us to proceed." Why the Hell did someone tell me this earlier??? So, she points me to the "contact us" page to send another email. It won't let me enter my FF# because it is "unknown". She can't understand why, since she can see it and the account. So she says to send it without the number, put the number as the first line of the comment, and attach a photo of my DL. I do that. THEN, she says it will take 3-4 weeks to get this resolved. I said it's already been 3 weeks - she says the clock starts again and it will be 3-4 weeks before I know IF I GET MY ACCOUNT BACK.
I've got flights out on Nov.1 - I'm just waiting to get "dinged" at the gate and taken away for being a fraud.... Maybe if I were a Diamond MMer, this would have been fixed quickly. But, this is really poor service for a lowly SM member...
Since I had received ZERO responses from Delta, I decided to call again. Once again, the phone program did not recognize my FF#, so shot me to an random agent. I went through the whole thing again and said that I had not received any responses yet. The agent looked at my account and said "well it is locked for a security issue." I said "yes I reported this 3 weeks ago." She can't see any documentation that anything was being investigated. She then said "you need to send us a copy of your Drivers License for us to proceed." Why the Hell did someone tell me this earlier??? So, she points me to the "contact us" page to send another email. It won't let me enter my FF# because it is "unknown". She can't understand why, since she can see it and the account. So she says to send it without the number, put the number as the first line of the comment, and attach a photo of my DL. I do that. THEN, she says it will take 3-4 weeks to get this resolved. I said it's already been 3 weeks - she says the clock starts again and it will be 3-4 weeks before I know IF I GET MY ACCOUNT BACK.
I've got flights out on Nov.1 - I'm just waiting to get "dinged" at the gate and taken away for being a fraud.... Maybe if I were a Diamond MMer, this would have been fixed quickly. But, this is really poor service for a lowly SM member...
#58
Join Date: Sep 2016
Location: HSV
Programs: Bellevue Lifetime Premiere Mega Elite Supreme
Posts: 1,509
Bees. Honey. Vinegar.
If you can strike a rapport with an agent, they will often take a personal interest in your dilemma. If you’re caustic, they won’t do more than the bare minimum to help and will be counting the seconds until they hang up.
If you get an agent at the end of a long shift, or if they feel like you’re not worth going the extra mile for, those weeks will turn into months.
Remember, from their perspective, one which is not altogether unmerited, your problem is self-inflicted by your inability to keep your login information secure — regardless of how you feel about it.
If you can strike a rapport with an agent, they will often take a personal interest in your dilemma. If you’re caustic, they won’t do more than the bare minimum to help and will be counting the seconds until they hang up.
If you get an agent at the end of a long shift, or if they feel like you’re not worth going the extra mile for, those weeks will turn into months.
Remember, from their perspective, one which is not altogether unmerited, your problem is self-inflicted by your inability to keep your login information secure — regardless of how you feel about it.
#59
Join Date: Aug 2018
Location: SEA
Programs: DL DM
Posts: 292
An update: This is getting silly. Yes, it's not millions of miles, but there are MY miles and I want them back and access to my account.
Since I had received ZERO responses from Delta, I decided to call again. Once again, the phone program did not recognize my FF#, so shot me to an random agent. I went through the whole thing again and said that I had not received any responses yet. The agent looked at my account and said "well it is locked for a security issue." I said "yes I reported this 3 weeks ago." She can't see any documentation that anything was being investigated. She then said "you need to send us a copy of your Drivers License for us to proceed." Why the Hell did someone tell me this earlier??? So, she points me to the "contact us" page to send another email. It won't let me enter my FF# because it is "unknown". She can't understand why, since she can see it and the account. So she says to send it without the number, put the number as the first line of the comment, and attach a photo of my DL. I do that. THEN, she says it will take 3-4 weeks to get this resolved. I said it's already been 3 weeks - she says the clock starts again and it will be 3-4 weeks before I know IF I GET MY ACCOUNT BACK.
I've got flights out on Nov.1 - I'm just waiting to get "dinged" at the gate and taken away for being a fraud.... Maybe if I were a Diamond MMer, this would have been fixed quickly. But, this is really poor service for a lowly SM member...
Since I had received ZERO responses from Delta, I decided to call again. Once again, the phone program did not recognize my FF#, so shot me to an random agent. I went through the whole thing again and said that I had not received any responses yet. The agent looked at my account and said "well it is locked for a security issue." I said "yes I reported this 3 weeks ago." She can't see any documentation that anything was being investigated. She then said "you need to send us a copy of your Drivers License for us to proceed." Why the Hell did someone tell me this earlier??? So, she points me to the "contact us" page to send another email. It won't let me enter my FF# because it is "unknown". She can't understand why, since she can see it and the account. So she says to send it without the number, put the number as the first line of the comment, and attach a photo of my DL. I do that. THEN, she says it will take 3-4 weeks to get this resolved. I said it's already been 3 weeks - she says the clock starts again and it will be 3-4 weeks before I know IF I GET MY ACCOUNT BACK.
I've got flights out on Nov.1 - I'm just waiting to get "dinged" at the gate and taken away for being a fraud.... Maybe if I were a Diamond MMer, this would have been fixed quickly. But, this is really poor service for a lowly SM member...
By the sound of it your account seems to be in a lockdown status from access due to the compromise and drainage of miles. They seem to be taking caution to make sure that when they reactivate it they do so to the rightful owner.
#60
Join Date: Aug 2018
Location: SEA
Programs: DL DM
Posts: 292
A quick edit to say that I regret trying to stoke the fire on the security discussion. I will leave my original quote, below, but also say that let's try to focus on the original issue. None of us here know how the account got compromised so it's hard to offer advice in that sense. In hindsight, a plausible cause of Delta compromises could just be a successful phishing attack. They are very sophisticated these days. Happy weekend, everyone!
By the way, there is a lot of silly advice on password security here (I'm looking at you, who claims remembering 30 different passwords is a laughably easy feat). Most compromises happen from a shared password. Focus more on using unique passwords for each service and when available use 2 factor authentication. In terms of how you store your passwords use a password manager, or even allow Google to do it (if you do, make certain you use 2 factor authentication on Google itself). If you somehow get compromised with doing that there's probably not a lot you could have done to prevent it in the first place.
By the way, there is a lot of silly advice on password security here (I'm looking at you, who claims remembering 30 different passwords is a laughably easy feat). Most compromises happen from a shared password. Focus more on using unique passwords for each service and when available use 2 factor authentication. In terms of how you store your passwords use a password manager, or even allow Google to do it (if you do, make certain you use 2 factor authentication on Google itself). If you somehow get compromised with doing that there's probably not a lot you could have done to prevent it in the first place.
Last edited by pulpfiction78; Oct 27, 2018 at 4:39 pm Reason: Regret