Delta FF acct hacked, miles stolen & more
#32
Join Date: Nov 2006
Location: SLC & NYC
Programs: Diamond Medallion, Delta Million Miler, Hyatt Globalist
Posts: 674
This brings up an interesting note about Delta. I have two factor authentication on almost everything these days (even three factor on a couple like brokerage) and would love to put it on my Delta account. But it's not yet offered. I really wish they would include that option.
#33
Join Date: Aug 2013
Location: San Marcos, CA
Programs: DL - DM MM / UA - PP / LH - SEN / Marriott - AMB-LTT / Avis - PC
Posts: 342
Sorry, but I DO think Delta has culpability here. They don't even offer two form authentication. And yet, they are storing credit card, passport, Trusted Traveler numbers and more. A blatant example is getting a BP at the airport from a kiosk; all one needs to know is the Delta frequent flyer number to access today's travel information. Their system should have immediately sent an email to the OP, and maybe it did and the email account was also hacked. In any case, their systems need to be stronger in today's internet crime spree age.
#34
Join Date: Dec 2003
Location: NYC
Posts: 6,433
Security questions are usually terrible security if you answer them correctly, because of the chance the answers can be researched or just guessed. However, you are free to make up whatever answers you want, including strings of random characters.
#35
Join Date: Jan 2008
Location: NYC, MSY
Programs: DL DM, 1.5MM, NEXUS, Sky Club Lifetime, Admirals Club Lifetime, LowValueCustomer everywhere
Posts: 6,447
#36
Join Date: Dec 2004
Location: LHR / BHX / MAN / ATL
Programs: DL DM 2MM - IHG Diamond
Posts: 4,053
But the "what is your mother's maiden name" or "what high school did you graduate from" questions are useless.
#37
Join Date: Dec 2014
Posts: 1,880
Two Factor Authentication can use email via a one-time password; it falls under the "something you have" category. You can debate the wisdom of using email as the second factor since it makes your account vulnerable if your email is hacked, but the same applies to Two Factor Authentication via text message. This is why 2FA via text message is not recommended for high profile people; it's too easy to gain unauthorized access to someone's phone number via social engineering.
#38
Join Date: Mar 2013
Location: Minnesota
Posts: 367
Can't say I'm at all surprised to hear this sentiment from someone called "FlyBitcoin".
Generally, on-prem storage is a much larger security risk than cloud-based storage. Cloud service providers are not immune from security vulnerabilities, but they follow best practices: ensure software is up-to-date, employ robust firewalls, have constant monitoring, adhere to rigorous security policies, and have strong physical and personnel controls.
That said, I still don't think it's overall safer to do so. Even with that every-minute pull, there's still a lag where someone who's trying to get in can still get those emails if they're watching the account and trying to get in. It also removes convenience, and it makes someone much more vulnerable to a virus/malware attack on their PC. While not security-related, there's also the real concern of non-existent or failed backups, which can cause the loss of data if the only storage of those emails (or other data) is on your computer.
Considering the vast majority of the attacks on cloud accounts can be thwarted with decent 2FA, it seems much better to simply use 2FA with a secure password than FlyBitcoin's scheme of offloading emails onto a personal computer that almost certainly won't have as robust of physical/software security as Microsoft's or Google's server farms.
#39
Join Date: Dec 2009
Location: RDU
Programs: DL DM+(segs)/MM, UA Ag, Hilton DM, Marriott Ti (life Pt), TSA Opt-out Platinum
Posts: 3,227
Sorry OP, but DL didn't do anything wrong here, although they could have handled the aftermath better. Your gripe is with whatever site/service leaked your login/password info and the criminals who used that info.
This. Anyone who uses the same password on more than one website is just asking to be hacked. Download Lastpass (free) and use randomly generated passwords.
**Disclaimer: this message is directed at everyone and not just the OP**
This is further proof to why you shouldn't store sensitive info online (i.e. passport #s , DL #s , CC #s ) and you should use a different password for every account. I need more info from the OP, but I wouldn't be surprised if his/her email address and password combo had been leaked online from a different breach and the hacker just used those credentials to login to the DL account.
In light of the Equifax breach, my recommendation to anyone is to put a freeze on all 4 credit bureaus unless you specifically need someone to pull your credit. Depending on where you live, the costs vary for this. Thankfully in NC the credit agencies are required to lock/unlock for free.
#40
Moderator: Hyatt; FlyerTalk Evangelist
Join Date: Jun 2015
Location: WAS
Programs: :rolleyes:, DL DM, Mlife Plat, Caesars Diam, Marriott Tit, UA Gold, Hyatt Glob, invol FT beta tester
Posts: 18,931
This brings up an interesting note about Delta. I have two factor authentication on almost everything these days (even three factor on a couple like brokerage) and would love to put it on my Delta account. But it's not yet offered. I really wish they would include that option.
What they might have had in mind is that a lot of accounts can be reset if you have access to someone's email though, or that it can sometimes be used as a 2nd factor as rucksack mentioned.
It's also worth noting that, depending on how tin-foil-y you want to be, using your phone number/SMS as a 2nd factor is a bad idea because it is apparently surprisingly easy to social engineer or otherwise hack your way into getting a cell phone company to swap service for someone else's phone number onto a device controlled by an attacker. Thus, wherever possible I use a physical hardware token such as a YubiKey as my 2nd factor, else a code generator app, and only SMS as a last resort if nothing else is supported by the site.
#41
Join Date: Nov 2006
Location: SLC & NYC
Programs: Diamond Medallion, Delta Million Miler, Hyatt Globalist
Posts: 674
[QUOTE=Zorak;31220455]Do they actually require all 3 factors to login? Or is it 2-factor but you can use one of a few alternatives as the second factor, which is still just 2-factor?[/QUOTE]
Actual 3 factor. Password, physical card with PIN and 6 digit code from dongle that changes every minute. Good times...
I would personally prefer if they added something like Google Authenticator as a 2nd factor option. Not a fan of email, as email servers can lag and it's not nearly as safe.
#42
Join Date: Feb 2007
Location: SJC, SFO
Programs: Delta DM, IHG Spire, Hertz PC, H.com Gold^3, lowly something on others...
Posts: 1,260
**Disclaimer: this message is directed at everyone and not just the OP**
This is further proof to why you shouldn't store sensitive info online (i.e. passport #s , DL #s , CC #s ) and you should use a different password for every account. I need more info from the OP, but I wouldn't be surprised if his/her email address and password combo had been leaked online from a different breach and the hacker just used those credentials to login to the DL account.
For the OP, I would recommend putting a fraud alert (different from a freeze) on your credit report. You should assume whoever hacked your account has all the info you stored on there.
By the way, have you tried to type a 30 character randomly generated password using your phone touch keyboard?
They need to enable multi-factor authentication, period...
#43
Moderator: Hyatt; FlyerTalk Evangelist
Join Date: Jun 2015
Location: WAS
Programs: :rolleyes:, DL DM, Mlife Plat, Caesars Diam, Marriott Tit, UA Gold, Hyatt Glob, invol FT beta tester
Posts: 18,931
#44
Join Date: Apr 2019
Location: DEN
Programs: DL DM
Posts: 583
#45
Join Date: Dec 2011
Programs: HHonors Diamond, Delta Platinum, Marriott Gold
Posts: 155
check rules in your email
This happened to me a few months ago with Delta, Hilton, and Amazon simultaneously. Check your email accounts for rules/filters. The bad guys had gotten into my email and had set up rules so anything with certain keywords (like the word password, change, etc.) would go directly to my trash so I would never see them unless I looked but they knew where they were.
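The check this post recommends, written out as an added example (not from the poster or any mail provider): audit a mailbox's filter rules for ones that hide password/reset/change notifications or forward mail outside the owner's domain. The rule format, keyword list and sample rules are assumptions constructed for the example.

```python
"""Audit mailbox filter rules for the hiding pattern described in the post."""
from dataclasses import dataclass

# Words that typically appear in reset / security notifications (assumption)
SENSITIVE_TERMS = ("password", "reset", "change", "verify", "security", "sign in")
# Actions that keep a message out of the inbox the owner actually reads
HIDING_ACTIONS = {"delete", "trash", "archive", "mark_read", "skip_inbox"}


@dataclass
class MailRule:
    """Simplified rule: substrings matched on subject/body plus actions taken."""
    name: str
    match: tuple          # substrings the rule matches against subject/body
    actions: tuple        # e.g. ("delete",), ("forward:someone@mail.test",)


def audit_rule(rule: MailRule, own_domain: str) -> list:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    sensitive = [m for m in rule.match if any(t in m.lower() for t in SENSITIVE_TERMS)]
    hiding = sorted(a for a in rule.actions if a in HIDING_ACTIONS)
    if sensitive and hiding:
        findings.append(f"hides mail matching {sensitive} via {hiding}")
    # Forwarding outside the owner's own domain is a classic persistence trick
    targets = [a.split(":", 1)[1] for a in rule.actions if a.startswith("forward:")]
    external = [t for t in targets if not t.lower().endswith("@" + own_domain.lower())]
    if external:
        findings.append(f"forwards to external address {external}")
    return findings


def audit_rules(rules, own_domain: str) -> dict:
    """Map rule name -> findings for every rule that raises at least one finding."""
    report = {}
    for rule in rules:
        found = audit_rule(rule, own_domain)
        if found:
            report[rule.name] = found
    return report


# Constructed sample rules (not from any real mailbox)
SAMPLE_RULES = (
    MailRule("newsletters", ("unsubscribe",), ("archive",)),
    MailRule("cleanup", ("your password", "account change"), ("mark_read", "trash")),
    MailRule("backup copy", ("itinerary",), ("forward:attacker-box@mail.test",)),
    MailRule("receipts", ("receipt",), ("forward:me@example.com",)),
)

if __name__ == "__main__":
    for name, why in audit_rules(SAMPLE_RULES, "example.com").items():
        print(f"[!] {name}: {'; '.join(why)}")
```

Run it against rules exported from your own account; any rule that lands in the report is one to delete and then re-check your recovery addresses and forwarding settings.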