Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > Delta Air Lines | SkyMiles
Delta FF acct hacked, miles stolen & more

Old Jun 20, 2019, 11:39 am
  #46  
 
Join Date: May 2011
Location: NYC
Programs: DL PM. 1MM
Posts: 2,045
Originally Posted by Orange County Commuter
Sounds like the problem may be in Outlook not Delta. If so there's not much Delta can do.

They do have an alert about passwords and another to protect your data on their website.
There is a lot Delta can and should do. At a minimum, Delta needs two-factor authentication to change a password or any crucial information in the account, or when logging in from an unknown device. This is very common now for email, banking, etc. Delta should exercise the same precautions.
strickerj and OWLCAR like this.
mridley2 is offline  
Old Jun 23, 2019, 11:55 am
  #47  
Original Poster
 
Join Date: Jun 2017
Programs: Delta, IHG, Hilton, Hyatt,
Posts: 7
I can't really say much more, except to clarify that this is what she said to me while we were together on the phone trying to straighten out the details on my account.

I asked her HOW this had happened, and she said she didn't know, but that it looked like the hackers were getting in via Outlook. She then went into a very long story about one incident that was NOT via the internet, but was a phone scam and she was able to prevent it. After the story, she said that the hackers were getting much more sophisticated and were "getting really good at it". I pressed her, but she would not give me any particulars.

Sorry to not be able to provide details about HOW they are hacking via Outlook, because she wouldn't say more. But I can tell you that I immediately changed my passwords on all my MS accounts.
OWLCAR is offline  
Old Jun 23, 2019, 12:21 pm
  #48  
Original Poster
 
Join Date: Jun 2017
Programs: Delta, IHG, Hilton, Hyatt,
Posts: 7
Just to clarify a few things-

I change my passwords frequently. I use complicated passwords and do not use the same password on any two sites.

I don't answer "security questions" with the actual answer. For example: to "name of elementary school" I would use something like "banana nut bread recipe"

I didn't wait 10 days because I'm dumb... I waited 10 days while calling or tweeting every day, and did not KNOW what had happened until I could finally get into my account. All I knew was that there was a security alert on my account and I couldn't access it, nor could I get anyone from Delta to tell me what was wrong except that they "suspected" that there had been unusual activity on my account. When pressed, they said it looked like my FF miles had been used. NO amount of work on my part helped to speed up the process or find out the scope of the problem.

As soon as I found out what had happened, I put a fraud alert on my accounts, and it took me about 4 hours to lock down or change everything required. It wasn't fun, but it got done.

I DO think the issue is, at least in part, with Delta. No matter HOW the accounts are getting hacked, if they know they are being hacked with more frequency, they can and should deal with it. Two factor identification is not difficult to set up, for example.

Last... I wrote this as a precautionary message. I hope it alerted a few people to check their accounts. And I appreciate the suggestions on making accounts more secure. I will look into anything I am not already doing. Thank you.

It certainly seemed to have given a few techno-geeks (who love to tell others about how stupid they are) a good time. Geesh...
gooselee and strickerj like this.
OWLCAR is offline  
Old Jun 23, 2019, 12:33 pm
  #50  
FlyerTalk Evangelist
 
Join Date: Jul 2003
Posts: 23,062
I very much doubt the agent was actually technical enough to actually understand how it happened. While understanding social engineering compromises is generally straightforward for most people, something involving compromises in the systems themselves will generally require a good technical background. Someone technical probably just mentioned something about Outlook to them and that was probably about as far as it got. "Outlook" could very well mean outlook.com, not Outlook the program. Or maybe it was just an email based hack and as far as the agent is concerned email and "Outlook" are the same thing. At any rate, I very much doubt it is something that DL could somehow actually trivially "fix".
Loren Pechtel and OWLCAR like this.

Last edited by xliioper; Jun 24, 2019 at 5:53 am
xliioper is online now  
Old Jun 24, 2019, 12:19 am
  #51  
 
Join Date: Apr 2010
Location: PNS
Programs: DL FO, UA, AA
Posts: 700
I actually just scrolled down to the bottom of this thread as it is the same old same old.. Use 2FA and ALSO an authentication app. This is happening everywhere and not just the airlines. Use a password manager like Lastpass or something similar and store at least a 20 character password with special characters or whatever the site allows you to use as the max. This .... happens and I deal with it everyday for my job. NEVER EVER EVER use the same password for multiple sites. </Rant>
sdadept likes this.
AeRoSpaceman is offline  
Old Jun 24, 2019, 8:58 am
  #52  
nrr
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: jfk area
Programs: AA platinum; 2MM AA, Delta Diamond, Hilton Diamond
Posts: 10,291
Gmail uses 2 factor verification IF you turn it on.
Text messaging, voice mail are normally the extra verification(s). They also send you via email 10 special (one time use only) extra codes for the 2nd form of verification.
nrr is offline  
Old Jul 9, 2019, 6:12 am
  #53  
 
Join Date: Aug 2012
Posts: 3
Standard advice:

* Use a password manager, and have it generate strong random unique passwords.
* Use 2FA whenever available. Complain when it isn't. Not providing 2FA when the account has significant economic value is negligence IMHO.
* Physical token or App 2FA > SMS 2FA > Email 2FA.
* Lock your cellphone account to prevent unauthorized porting of your phone number. This is crucial.
* Strong PIN on all devices (I use a long alpha password on my devices that have fingerprint unlock, I have to enter it once every couple of days)
* PIN on 2FA app if available (Authy lets you do this, Google Authenticator does not)

It's all about defense in depth. Do all of the above and your risk is basically limited to account provider errors or bad guys tying you to a chair and ripping off fingernails until you give up your passwords.
Robert Woodhead is offline  
Old Jul 9, 2019, 6:23 am
  #54  
haa
 
Join Date: Mar 2008
Location: HEL
Programs: No more status, free agent now
Posts: 163
Originally Posted by wlau
By the way, have you try to type a 30 character randomly generated password using your phone touch keyboard?
Quick hint for easy-to-type but secure random passwords: use 4-5 random words, for example something like "hope flatworm oft flesh hid" (example just generated by 1Password, which I use). It contains enough randomness to be very secure, but is quick and easy to type error-free even on mobile keyboards.

To help with password rules, you can e.g. uppercase one of the words (to get capital letters) and add a special character and a number, so the above would become e.g. "hope flatworm OFT flesh hid/8". Try typing that on your mobile to see how easy it is (but don't use the example for anything ;–)

Most password managers have an option to generate "word-style" passwords, so look into that setting on yours. Or you can use a dictionary and randomly open pages and point to words (newspaper or book is worse, as they use mostly common words).
haa is offline  
Old Jul 9, 2019, 7:38 am
  #55  
 
Join Date: Apr 2017
Location: Chicagoland
Programs: Hyatt Gold, Marriott Silver Elite
Posts: 6
An IT guy I work with said to use passwords that are made up of the first letters of song verses that you can easily sing in your head, like: Dttsiaohosotfwglatw2019 = Dashing through the snow, in a one horse open sleigh, o'er the fields we go, laughing all the way. We all know hundreds of songs by heart...easy enough to choose different lyrics for different accounts and store them in a Password keeper.
Zobieee is offline  
Old Jul 9, 2019, 8:19 am
  #56  
 
Join Date: Dec 2011
Programs: DL DM PM
Posts: 2,034
Originally Posted by Robert Woodhead
Standard advice:

* Use a password manager, and have it generate strong random unique passwords.
* Use 2FA whenever available. Complain when it isn't. Not providing 2FA when the account has significant economic value is negligence IMHO.
* Physical token or App 2FA > SMS 2FA > Email 2FA.
* Lock your cellphone account to prevent unauthorized porting of your phone number. This is crucial.
* Strong PIN on all devices (I use a long alpha password on my devices that have fingerprint unlock, I have to enter it once every couple of days)
* PIN on 2FA app if available (Authy lets you do this, Google Authenticator does not)

It's all about defense in depth. Do all of the above and your risk is basically limited to account provider errors or bad guys tying you to a chair and ripping off fingernails until you give up your passwords.
What do you mean by locking your cellphone account?
NotHamSarnie is offline  
Old Jul 9, 2019, 8:52 am
  #57  
Moderator: Hyatt; FlyerTalk Evangelist
 
Join Date: Jun 2015
Location: WAS
Programs: :rolleyes:, DL DM, Mlife Plat, Caesars Diam, Marriott Tit, UA Gold, Hyatt Glob, invol FT beta tester
Posts: 18,932
Originally Posted by NotHamSarnie
What do you mean by locking your cellphone account?
Some (all?) cellphone providers have a security mechanism such as a PIN that will be required, among other things, if someone tries to port your number into another carrier (which could legitimately happen if you were switching from one to another, for example).

It makes it harder for someone to e.g. use social engineering on a cell phone customer service rep to convince them to switch your cell service away from your phone onto a phone they control.

Using SMS for security codes is better than nothing at all, but other more secure methods exist.
Zorak is offline  
Old Jul 9, 2019, 9:54 am
  #58  
 
Join Date: May 2007
Location: Seattle area
Programs: Peasant at large
Posts: 595
Originally Posted by Robert Woodhead
Standard advice:

* Use a password manager, and have it generate strong random unique passwords.
* Use 2FA whenever available. Complain when it isn't. Not providing 2FA when the account has significant economic value is negligence IMHO.
* Physical token or App 2FA > SMS 2FA > Email 2FA.
* Lock your cellphone account to prevent unauthorized porting of your phone number. This is crucial.
* Strong PIN on all devices (I use a long alpha password on my devices that have fingerprint unlock, I have to enter it once every couple of days)
* PIN on 2FA app if available (Authy lets you do this, Google Authenticator does not)

It's all about defense in depth. Do all of the above and your risk is basically limited to account provider errors or bad guys tying you to a chair and ripping off fingernails until you give up your passwords.
This is sound advice, I'll add a few more points
  • don't follow the recommendation about putting everything on your desktop. I've audited Microsoft Azure and Amazon AWS security practices, facilities and some of their software/services. They are a world ahead of the dozen or so global banks and insurance companies I've worked with in the past (as a consultant), way better than several city and federal agencies including the ones that you'd think grok security. The ones that do security right, from my experience, are a few of the hedge fund companies and one major DoD contractor (we had a really long chat at a conference). I cannot remember the last time I found a home/personal computer regardless of type/OS that I thought was well managed from a security perspective (machines owned by security professionals I work with not-withstanding).
  • password in general is a really poor security mechanism but better options like U2F devices aren't going mainstream anytime soon so working with what we have, long passwords are way harder to brute force than highly complex short passwords
  • taking the first, second, last letter of well known phrases is a well known practice and there are tools and dictionaries designed specifically for this
  • most importantly: layers of security really matter. For all the flaws of some 2FA/MFA implementations and phone/email based 1-time passwords/tokens, they add a layer that the attacker needs to figure out and compromise. A response that isn't actual words or names to challenge/response setup (as suggested above) is another helpful layer
  • always report incidents, always. Not just to the party involved but consider law enforcement, depending on the nature and impact of the incident
crunchie is offline  
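haa's post above recommends word-style passphrases and crunchie's post makes the related point that long passwords are far harder to brute-force than short "complex" ones. The following is an added example (not code from the thread or from 1Password or any other manager) that puts numbers on both: it generates a passphrase with a CSPRNG, applies the "uppercase one word, add a symbol and digit" decoration with the choices randomised so they add entropy rather than a predictable pattern, and compares the entropy of 5 words from a 7776-word list against 8 and 30 characters drawn from the 95 printable ASCII characters. The word list embedded here is constructed and deliberately tiny; `DICEWARE_SIZE`, `SYMBOLS` and the 1e10 guesses/second attack rate are assumptions, and all function names are hypothetical.

```python
"""Word-style passphrases and what they buy you in entropy.

Added example, not from the thread. The embedded word list is constructed for
the demo; real generators use lists of thousands of words (the classic
Diceware list has 6**5 = 7776). Attack rate and symbol set are assumptions."""
import math
import secrets

# Constructed mini word list for the demo only.
WORDS = """
anchor basil cobalt delta ember fjord gravel harbor ingot juniper kettle
lantern marble nickel orbit pewter quartz rudder saddle timber umber
velvet walnut yarrow zephyr acorn bramble cinder dune elm fennel glade
""".split()

DICEWARE_SIZE = 7776     # entries in the standard Diceware list
PRINTABLE_ASCII = 95     # alphabet of a "complex" character password
SYMBOLS = "!#$%&*+-/=?@^_~"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Fewest words from a `list_size` list that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(words, count: int = 5, sep: str = " ") -> str:
    """Pick `count` words with the CSPRNG (`secrets`), never `random`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def decorate(phrase: str, sep: str = " "):
    """Meet 'uppercase + symbol + digit' rules as the post suggests, choosing the
    word, symbol and digit at random so the decoration adds entropy instead of a
    fixed pattern. Returns (decorated phrase, extra bits gained)."""
    parts = phrase.split(sep)
    parts[secrets.randbelow(len(parts))] = parts[secrets.randbelow(len(parts))].upper() if False else parts[0]
    idx = secrets.randbelow(len(parts))
    parts = phrase.split(sep)
    parts[idx] = parts[idx].upper()
    suffix = secrets.choice(SYMBOLS) + str(secrets.randbelow(10))
    extra = math.log2(len(parts)) + math.log2(len(SYMBOLS)) + math.log2(10)
    return sep.join(parts) + suffix, extra


def years_to_brute_force(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the secret at half the keyspace, for an assumed
    offline guessing rate (a slow KDF on the server side lowers the rate a lot)."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def compare() -> dict:
    """Length beats complexity: 5 Diceware words out-score an 8-char ASCII password."""
    return {
        "5 words, 7776-word list": round(entropy_bits(DICEWARE_SIZE, 5), 1),
        "8 chars, 95-char set": round(entropy_bits(PRINTABLE_ASCII, 8), 1),
        "30 chars, 95-char set": round(entropy_bits(PRINTABLE_ASCII, 30), 1),
        "words for 80 bits": words_needed(DICEWARE_SIZE, 80),
    }


if __name__ == "__main__":
    p = passphrase(WORDS)
    print(p, "->", decorate(p))
    for label, value in compare().items():
        print(f"{label}: {value}")
    print("years at 1e10 guesses/s, 5 Diceware words:",
          round(years_to_brute_force(entropy_bits(DICEWARE_SIZE, 5)), 1))
```

Note that the entropy figures only hold if the words are chosen uniformly by a random generator; a phrase you compose yourself, or the first-letters-of-a-lyric method, draws from a much smaller and more predictable space, which is the reason crunchie's post says there are dictionaries built for it.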
Old Jul 9, 2019, 10:14 am
  #59  
 
Join Date: Mar 2015
Programs: UA 1K
Posts: 294
Sorry that the OP had to go through all this. Never a pleasant experience. But at least his miles were redeposited.

Originally Posted by Robert Woodhead
* Lock your cellphone account to prevent unauthorized porting of your phone number. This is crucial.
SIM-swap fraud is a fast growing vector of threat. T-mobile allowed someone to issue a new SIM card to them on my number. Once they had my phone number, they hacked into my email accounts using the 2FA that sent PINs to phone numbers. They then went into one of my financial accounts. This account used 2FA to recover password: PIN to the phone number & email to my email account. Both of which the thief now controlled. They then reset my password and siphoned off all the money in the account. Worth 10s of thousands of dollars.

T-mobile takes absolutely no responsibility for it. They claim I walked into one of their stores 3000 miles away and showed an employee my ID. They refuse to furnish proof of this (e.g., surveillance video at this store) due to "employee privacy" concerns. Never recovered the money. I could sue T-mobile. But lawyers are busy dealing with cases of people who lost millions this way, and my case just wasn't financially big enough for them to spend their time on.

Moral of the story: the weakest link is often your phone. SMS-based 2FA is extremely weak and it's criminal for companies to use this. I'm a cybersecurity professional. So I know.
thebakaronis is offline  
Old Jul 9, 2019, 10:32 am
  #60  
FlyerTalk Evangelist
 
Join Date: Jun 2005
Posts: 38,410
Originally Posted by richarddd
Security questions are usually terrible security if you answer them correctly, because of the chance the answers can be researched or just guessed. However, you are free to make up whatever answers you want, including strings of random characters.
Unfortunately, you're not always allowed to. I have seen sites that specifically defeat this by making you pick from a list, I've seen sites that will reject a correct answer because it's too short (hey, asking for a color and rejecting 3-letter answers, I'm looking at you!) and rejecting duplicate answers.

Originally Posted by SuperG1955
How do you figure that? 2FA doesn't use email.
It can. If it uses SMS that opens the alternative of a sim-swap attack. Secure 2FA works with a device or an authenticator app on your phone.
Loren Pechtel is offline  