Consolidated "Hilton Honors Account Hacked" thread
After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.
In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login. This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries. SCARY. An email to Hilton's Privacy Department ([email protected]) has gone unanswered. |
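Added example, not part of the original post and not Hilton's code: a minimal sketch of the control the post says is missing, a per-account failed-attempt limit on a 4-digit PIN login, plus the arithmetic for how far a temporary lockout stretches the 10,000-value PIN space. The class name, the 5-failure and 15-minute policy values, and the sample account and PIN are assumptions made for illustration.

```python
import hmac
import time

PIN_SPACE = 10_000          # 4-digit PIN: 0000 through 9999
MAX_FAILURES = 5            # assumed policy value, not taken from the thread
LOCKOUT_SECONDS = 15 * 60   # assumed policy value, not taken from the thread


class PinThrottle:
    """Per-account failure counter with a temporary lockout (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # account id -> (consecutive failures, locked_until)

    def attempt(self, account, supplied_pin, stored_pin):
        # stored_pin stands in for whatever verifier the site keeps; a real
        # system would compare against a salted hash, not the PIN itself.
        now = self._clock()
        failures, locked_until = self._state.get(account, (0, 0.0))
        if now < locked_until:
            return "locked"      # reject without evaluating the PIN at all
        if hmac.compare_digest(supplied_pin.encode(), stored_pin.encode()):
            self._state.pop(account, None)   # success resets the counter
            return "ok"
        failures += 1
        if failures >= MAX_FAILURES:
            self._state[account] = (0, now + LOCKOUT_SECONDS)
        else:
            self._state[account] = (failures, locked_until)
        return "denied"


def worst_case_days(max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
    """Days needed to cover every PIN when each batch of failures costs one lockout."""
    batches = -(-PIN_SPACE // max_failures)   # ceiling division
    return batches * lockout_seconds / 86_400


if __name__ == "__main__":
    print(f"Full PIN space under this policy: {worst_case_days():.1f} days")
```

With these assumed values the whole PIN space is still covered in about three weeks, which is why a short PIN needs a permanent lock or a second factor on top of throttling, or has to be retired as a login credential altogether.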
Hilton should be shamed into changing their approach to account security!! I will certainly send an email to their privacy department - in fact, every person with a HHonors account might want to do the same.
Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information. Thank you anative for starting this thread. |
+1 to emailing. I sent my email off this morning. I have to think that they don't get too great a volume of emails so if we can make a high percentage of those emails about this issue over the next week, they will take notice. It can't be that difficult to change the login procedure. Hell, I'd be even happier if they required both a password AND a PIN.
|
Ooops, misread "PIN" for "password"
|
FYI: It is also possible to log in with username and 4-digit PIN.
|
Originally Posted by GoingGal
(Post 22722824)
...Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information..
I wrestle with this because I'm not crazy about handing my card over to be swiped every single time I check in either. As it is now they just use the one in my profile and I don't even take my card out of my wallet. I'm not sure where the greater danger lies. |
I also know, based on my call, that Hilton is not even encrypting the passwords being used when you set up a Username and Password combination. The rep that I spoke with was able to see my password on his screen.
This goes against the PCI standards that are supposed to be used for sites that collect and store credit card data. https://www.pcisecuritystandards.org...PCI_DSS_v3.pdf |
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.
I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional. |
Originally Posted by bamboola
(Post 22732298)
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.
I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional. |
Originally Posted by sdsearch
(Post 22732496)
Can't you change it to another card, though? Including changing it to a card that isn't valid (say, a used-up gift card?) but has a still-valid expiration date (for now)?
|
Originally Posted by bamboola
(Post 22732546)
I can add a card, but the old one still cannot be deleted.
|
Originally Posted by bamboola
(Post 22732298)
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.
I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional. |
Originally Posted by anative
(Post 22722174)
This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.
Originally Posted by anative
(Post 22730019)
I also know, based on my call, that Hilton is not even encrypting the passwords being used when you set up a Username and Password combination. The rep that I spoke with was able to see my password on his screen.
|
Originally Posted by GoingGal
(Post 22734418)
In order to delete the credit card info: Go to My Profile and select Personal Information. One of the items of Personal Information is Payment Methods and this is where the credit card info resides. All you need to do is click the box to the right of the word Delete in order to delete the CC info from your account. This works like a charm. Good luck.
|
Originally Posted by cjd
(Post 22735011)
This is what bamboola and I have tried to do, but the "delete" function won't work.
|