Skymiles account hacked, points drained

Old Oct 27, 2018, 4:37 pm
  #61  
 
Join Date: Jul 2006
Location: Earth (non-US)
Programs: NW Gold->CO->UA->DL PM
Posts: 1,338
Originally Posted by LBJ
There are many ways accounts can be compromised without any fault due to Delta. There's no point in speculating without knowing the details.
Sure. And I think DL does an OK job.

But might I mention how many times I've called up the Elite line, to find that I've been authenticated as someone else? Wide gaping security hole.
kthomas is offline  
Old Oct 27, 2018, 4:46 pm
  #62  
 
Join Date: Jul 2006
Location: Earth (non-US)
Programs: NW Gold->CO->UA->DL PM
Posts: 1,338
Originally Posted by pvn
It's certainly possible that the password manager is compromised but the likelihood my particular info is breached is small (I use KeePassX which is offline and open source). For someone to get my passwords they'd have to both get access to my physical devices and be able to decrypt the database.

That's EXTREMELY unlikely unless I'm targeted by state-level organizations, which is definitely not the threat model I'm worried about (if it comes to that, I've already got a lot more things to worry about).
256-bit keys? I wouldn't be so confident :P
kthomas is offline  
Old Oct 27, 2018, 6:55 pm
  #63  
pvn
Suspended
 
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
Originally Posted by kthomas
256-bit keys? I wouldn't be so confident :P
I'm not very worried about my password file being swiped. Physical access is like the least efficient compromise method and is pretty much only used by highly-funded agents who are targeting a specific individual for a specific purpose.
pvn is offline  
Old Oct 27, 2018, 7:31 pm
  #64  
 
Join Date: Jul 2004
Location: SNA
Programs: AA EXP, UA 1K (until it expires then never again), *wood Plat, Marriott Gold
Posts: 9,239
Originally Posted by RealHJ
+1

A password manager is for lazy people and anyone with even a little bit of security consciousness would stay away from those like the plague. That is like giving all your personal details away to some random stranger (almost). Unfathomable why people actually use those things (or allow browsers to store passwords, etc.). Just use your head; it's not that hard.
This is the dumbest thing I’ve read on the whole of the Internet in a long time. You clearly have no clue what you're talking about and no one should take your advice.
cliburn, kthomas, kenn0223 and 4 others like this.
ryan182 is offline  
Old Oct 27, 2018, 7:33 pm
  #65  
 
Join Date: Sep 2016
Location: HSV
Programs: Bellevue Lifetime Premiere Mega Elite Supreme
Posts: 1,509
It’s refreshing to see a forum thread on the internet not deviate and become pedantic.
kthomas likes this.
TheHorta is offline  
Old Oct 28, 2018, 12:28 am
  #66  
 
Join Date: Sep 2009
Location: HNL
Programs: DL PM/1MM, BW DE (lifetime), HH DE, Marriott PE (lifetime), National Emerald Executive
Posts: 7,205
Originally Posted by pvn
I'm not very worried about my password file being swiped. Physical access is like the least efficient compromise method and is pretty much only used by highly-funded agents who are targeting a specific individual for a specific purpose.
Physically stored indeed, that is a good way to go.

What is just plain careless (to say the least) is saving it in browser or even worse having it stored externally with no control where it is, how it is secured, etc. at some place like Google. That is just like asking to be compromised, and anyone advocating that either has an ulterior motive or otherwise is just spreading ignorance and misinforming others.

US, as always, is backwards from rest of the world. In other countries one can use a smart card reader and one's gov't issued smart ID card to, among other things, authenticate access both via physical media (smart card) and password and optionally additional 2FA, and use that either for direct access where supported (like to vote, for example) and for various online site access. Not foolproof, but a smart card can't be duplicated like a magnetic stripe, so unless the smart card is stolen and login credentials and 2FA both obtained by a third party (3 things have to happen then), it's a pretty safe - and easy, ubiquitous - way to do secure online access, from filing taxes, through voting, and through to various site access.

But anyhow, this is too much OT here..
RealHJ is offline  
Old Jan 23, 2019, 2:45 pm
  #67  
 
Join Date: Sep 2012
Location: Dayton, OH/CVG
Programs: DA Diamond(1 MM), Marriott Bonvoy Ambassador/Charter Ambassador, Hyatt Glob, Hertz Presidents Circle
Posts: 882
Hey there, just wanted to give a quick warning: my account was hacked earlier this week for approx 130,000 miles. I noticed it when I just logged in and my mileage total was way off. Skymiles marketplace people were very helpful and said all will be restored, but couldn't hurt to check your accounts. I, of course, changed my password immediately. Not sure if that will help or not, but I did anyway.
Ryno1234 is offline  
Old Jan 23, 2019, 8:51 pm
  #68  
nrr
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: jfk area
Programs: AA platinum; 2MM AA, Delta Diamond, Hilton Diamond
Posts: 10,291
Originally Posted by Ryno1234
Hey there, just wanted to give a quick warning: my account was hacked earlier this week for approx 130,000 miles. I noticed it when I just logged in and my mileage total was way off. Skymiles marketplace people were very helpful and said all will be restored, but couldn't hurt to check your accounts. I, of course, changed my password immediately. Not sure if that will help or not, but I did anyway.
Several possibilities: (1) your PC, iPad, iPhone was hacked--working on a non-secure connection(?), (2) "through the back door" www.delta.com was hacked.
[A while back BA's database was hacked...]
nrr is offline  
Old Jan 23, 2019, 9:15 pm
  #69  
FlyerTalk Evangelist
 
Join Date: Jul 2003
Posts: 23,051
Originally Posted by nrr
Several possibilities: (1) your PC, iPad, iPhone was hacked--working on a non-secure connection(?), (2) "through the back door" www.delta.com was hacked.
[A while back BA's database was hacked...]
Highly unlikely this was the result of a hack of DL systems. Much more likely due to a device OP has used or is currently using has been compromised. People should really take these cases more seriously rather than simply assuming a password change will solve the problem. If a device you are currently using has been compromised, that's not going to address the underlying issue.
xliioper is offline  
Old Jan 23, 2019, 10:22 pm
  #70  
 
Join Date: Dec 2016
Location: CA
Posts: 304
Originally Posted by RealHJ
Physically stored indeed, that is a good way to go.

What is just plain careless (to say the least) is saving it in browser or even worse having it stored externally with no control where it is, how it is secured, etc. at some place like Google. That is just like asking to be compromised, and anyone advocating that either has an ulterior motive or otherwise is just spreading ignorance and misinforming others.

US, as always, is backwards from rest of the world. In other countries one can use a smart card reader and one's gov't issued smart ID card to, among other things, authenticate access both via physical media (smart card) and password and optionally additional 2FA, and use that either for direct access where supported (like to vote, for example) and for various online site access. Not foolproof, but a smart card can't be duplicated like a magnetic stripe, so unless the smart card is stolen and login credentials and 2FA both obtained by a third party (3 things have to happen then), it's a pretty safe - and easy, ubiquitous - way to do secure online access, from filing taxes, through voting, and through to various site access.

But anyhow, this is too much OT here..
You really don't know what you're talking about. But thanks for confirming that by posting.
caburrito is offline  
Old Jan 24, 2019, 3:28 am
  #71  
 
Join Date: Sep 2012
Location: Dayton, OH/CVG
Programs: DA Diamond(1 MM), Marriott Bonvoy Ambassador/Charter Ambassador, Hyatt Glob, Hertz Presidents Circle
Posts: 882
Originally Posted by LBJ
Highly unlikely this was the result of a hack of DL systems. Much more likely due to a device OP has used or is currently using has been compromised. People should really take these cases more seriously rather than simply assuming a password change will solve the problem. If a device you are currently using has been compromised, that's not going to address the underlying issue.
OK, looking for some advice here. What can I do other than change my password? It appears no other account that I use the same devices for has been compromised.
Ryno1234 is offline  
Old Jan 24, 2019, 5:27 am
  #72  
 
Join Date: Sep 2016
Programs: DL PM, Marriott, IHG
Posts: 193
Originally Posted by RealHJ
Not foolproof, but a smart card can't be duplicated like a magnetic stripe, so unless the smart card is stolen and login credentials and 2FA both obtained by a third party (3 things have to happen then), it's a pretty safe - and easy, ubiquitous - way to do secure online access,..
Defeating smartcards is not particularly difficult. The most common method is malware on the device that watches for smart card usage and initiates connections when the card is unlocked. Given the number of zero-click exploits and the number of unpatched devices, this is not difficult to execute.

An externally generated OTP is arguably more secure because the malicious actor can only compromise the same site you authenticated with (albeit in a narrow time window). When you use a smart card, they can compromise any site that accepts your smart card as an authentication mechanism.

And, FWIW, the US government does use smart cards internally. There is no national ID card in the US, so there is no simple process to issue smart cards. Under the current infrastructure it would need to be implemented by the states. Perhaps they may offer smart cards with login.gov, but I would rather have an OTP mechanism rather than a smart card.
caburrito likes this.
No_Name is offline  
Old Jan 24, 2019, 8:30 am
  #73  
pvn
Suspended
 
Join Date: Nov 2010
Location: MEM
Programs: Starbucks Green Card
Posts: 5,431
Originally Posted by nrr
Several possibilities: (1) your PC, iPad, iPhone was hacked--working on a non-secure connection(?), (2) "through the back door" www.delta.com was hacked.
[A while back BA's database was hacked...]
3) the password was compromised by some other method (likely through reuse of a password used on a site that was hacked)
pvn is offline  

