
Hilton Honors Website Security - Accounts hacked Oct 2014

Old Jan 13, 15, 8:12 pm
  #136  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,071
Originally Posted by JohnMacWW View Post
It just occurred to me (as I was logging in) that Hilton has a huge vulnerability in its security of HH account access and security by the way most Hilton family hotels have Gold and Diamond members enter their HH Account # and PIN (and room number) in order to get the free WIFI promised to G/D members.

This has to mean that the HH access information for its highest-using members is either being stored by all the local ISPs or is being passed back and forth by local ISPs to/from some master Hilton database.

Moreover, there are not even any CAPTCHA protections or anything. In fact there are not even any mechanisms for stopping access attempts after a certain number of tries. I know this because after I changed my HH PIN I forgot and tried about 15 times to log into the WIFI account a few months ago before I realized I was entering my old PIN and not my new PIN.

There are all sorts of ways this is a vulnerability that needs to be fixed.
If a wifi signin page ever asks for HH Number AND PIN, do not continue. Hotels can not validate your HH PIN so would not ask. Any signup screen asking will be a rogue hotspot masquerading as hotel wifi in an attempt to steal your account! I would not even be happy entering my HH MemberNumber.

Normal wifi signin is Surname+room_number, or a voucher code
scubaccr is offline  
Old Jan 13, 15, 8:22 pm
  #137  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Originally Posted by scubaccr View Post
If a wifi signin page ever asks for HH Number AND PIN, do not continue. Hotels can not validate your HH PIN so would not ask. Any signup screen asking will be a rogue hotspot masquerading as hotel wifi in an attempt to steal your account! I would not even be happy entering my HH MemberNumber.

Normal wifi signin is Surname+room_number, or a voucher code
I disagree, almost all Hilton chain hotels in the US are now requiring you to enter your HH#, PIN and room number in order to claim free Gold or Diamond WIFI. It is not a rogue hotspot, it is the way Hilton is doing business now.
JohnMacWW is offline  
Old Jan 13, 15, 9:02 pm
  #138  
FlyerTalk Evangelist
 
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy Titanium, Hyatt Explorist, others
Posts: 11,697
Originally Posted by scubaccr View Post
If a wifi signin page ever asks for HH Number AND PIN, do not continue. Hotels can not validate your HH PIN so would not ask. Any signup screen asking will be a rogue hotspot masquerading as hotel wifi in an attempt to steal your account! I would not even be happy entering my HH MemberNumber.

Normal wifi signin is Surname+room_number, or a voucher code
Anybody good enough to set up a rogue hotspot and hijack a wired connection doesn't actually need to steal information retail from me.
sethb is offline  
Old Jan 15, 15, 10:16 am
  #139  
 
Join Date: Nov 2013
Posts: 130
The funniest part about the whole "PINs are not secure" discussion is that this is probably just the most glaringly obvious problem. Think about it this way: they have demonstrated they do not value security over convenience. Fine. Let's also consider that the PIN you enter is checked against a database. How do you think that database is secured by an IT department such as this one? Do you have confidence they properly salt and hash (=scramble) your personal information or would you guess that it's all right there and if someone happened to find the database file it would be trivial to read it?

The Hilton website is a lot scarier than you might already think.
pandablood is offline  
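Two of the complaints in this thread (no limit on repeated WiFi PIN attempts in post #136, and the question in post #139 of whether stored PINs are salted and hashed) are exactly the two controls a verifying service is expected to have. The example below is added here to illustrate those controls; it is not Hilton's code, nor anything posted in this thread. The class name `PinStore`, the PBKDF2 iteration count, the attempt limit and the lockout window are all assumptions chosen for the demonstration, and the member number and PIN are constructed test values.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this demonstration (not values from any real system).
PBKDF2_ITERATIONS = 100_000   # work factor for the salted hash
MAX_ATTEMPTS = 5              # failed tries before the account is locked
LOCKOUT_SECONDS = 900         # lockout window: 15 minutes


class PinStore:
    """Hypothetical central PIN verifier: stores only salted PBKDF2 digests
    and enforces a per-account failed-attempt lockout.  A third party (such
    as a hotel's WiFi portal) would call verify() and never see the digest."""

    def __init__(self):
        # member_number -> {"salt", "digest", "failures", "locked_until"}
        self._records = {}

    @staticmethod
    def _digest(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, member_number: str, pin: str) -> None:
        salt = os.urandom(16)  # fresh random salt per member
        self._records[member_number] = {
            "salt": salt,
            "digest": self._digest(pin, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def verify(self, member_number: str, pin: str, now: float = None) -> str:
        """Returns "ok", "denied" or "locked".  `now` is injectable for testing."""
        now = time.time() if now is None else now
        rec = self._records.get(member_number)
        if rec is None:
            # Do equivalent work for unknown accounts so response time does
            # not reveal which member numbers exist.
            self._digest(pin, b"\x00" * 16)
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        candidate = self._digest(pin, rec["salt"])
        # Constant-time comparison of the digests.
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            return "locked"
        return "denied"


def demo_sequence():
    """Walks through the lockout behaviour with constructed values and
    returns the list of verify() results in order."""
    store = PinStore()
    store.enroll("CONSTRUCTED-MEMBER-1", "4321")  # constructed test values
    t = 1_000_000.0
    results = [store.verify("CONSTRUCTED-MEMBER-1", "4321", now=t)]   # correct PIN
    for _ in range(MAX_ATTEMPTS):                                     # repeated wrong PINs
        results.append(store.verify("CONSTRUCTED-MEMBER-1", "0000", now=t))
    results.append(store.verify("CONSTRUCTED-MEMBER-1", "4321", now=t + 1))  # right PIN, still locked
    results.append(store.verify("CONSTRUCTED-MEMBER-1", "4321",
                                now=t + LOCKOUT_SECONDS + 1))         # lockout expired
    return results


if __name__ == "__main__":
    print(demo_sequence())
```

The design point this shows, relative to the thread's argument, is that the PIN itself should be checked in one place and only ever compared as a salted digest; anything else that needs to "know" the member is authenticated should receive a yes/no answer (or a short-lived token) rather than the PIN, and the verifier should stop answering after a handful of failures.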
Old Jan 15, 15, 2:35 pm
  #140  
 
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 228
> Do you have confidence they properly salt and hash

No. None. Non. Nyet.
gqZJzU4vusf0Z2,$d7 is offline  
Old Jan 15, 15, 4:23 pm
  #141  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Originally Posted by pandablood View Post
.....

The Hilton website is a lot scarier than you might already think.
Okay except I am not even talking about the Hilton website, I am talking about individual hotel websites for their wifi system.

If all of those individual hotel wifi websites are taking in everyone's HH account number and PIN and doing something with it to verify that it's the correct PIN for that HH#, then we go from being scary to being horrifying.
JohnMacWW is offline  
Old Jan 17, 15, 4:40 pm
  #142  
 
Join Date: Dec 2005
Location: Göteborg Sweden
Programs: SPG GOLD / BA GOLD/Club Carlson Gold/AMEX Plat.
Posts: 1,041
Originally Posted by UVU Wolverine View Post
Just a heads up to everyone, my account was hacked.

I received an award reservation confirmation email for the Hilton in Rotterdam costing 80,000 points, of which I of course did not make a reservation for. The funnier part was the confirmation was not in my name.

When I called Hilton, they seemed to straighten everything out over the phone. I received another e-mail from guest assistance asking if there was anything else they can help with, but the e-mail was addressed to whomever made the false reservation. Hilton even confirmed that I had called in to make the reservation, but for someone else. The credit card to be held for incidentals was also not one of my own. I just found it interesting that they addressed the e-mail to the fictitious person rather than me even though it was my account number.

Luckily, the confirmation e-mail was sent to me, and I read it within minutes because the reservation was for the same night I received the e-mail.

Just a word of warning for everyone to keep an eye out on your accounts. I have to have a new HHonors account created with everything (points, gold status, etc) rolled over to the new account so hopefully it won't be a huge headache. So far though, Hilton has been pretty easy to work with in the matter.
I just checked my account and guess what.. Yup.. The same thing. 80,000 for a hotel in MCO. I live in Sweden. They had my name and account #. They changed the email address to a yopmail. These emails are for a one-time-only deal. They changed my address to an intersection. They used a different cc#, thank God.
Called Hilton and they had to start a case file.. Let's see what happens. I lost GOLD as well... At least I'm a patient man.
Flyiboy is offline  
Old Jan 17, 15, 5:05 pm
  #143  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Originally Posted by Flyiboy View Post
I just checked my account and guess what.. Yup.. The same thing. 80,000 for a hotel in MCO. I live in Sweden. They had my name and account #. They changed the email address to a yopmail. These emails are for a one-time-only deal. They changed my address to an intersection. They used a different cc#, thank God.
Called Hilton and they had to start a case file.. Let's see what happens. I lost GOLD as well... At least I'm a patient man.
Hilton's silence on this is annoying me a lot. So far I think everyone has been made whole. If there is anyone out there frustrated with Hilton's resolution I would like to hear about it.
But, even with the Captcha tech they have added for log ins, there are still other issues. Like my point about how they allow all hotels to acquire HH# and PINs and compare them for WIFI access. Sure, maybe so far they make everything better when somebody hacks, but it is a hassle that can be fixed. But everyone seems so accepting about this. You would think every Hilton Honors member on FT would be commenting and mad about this.
JohnMacWW is offline  
Old Jan 17, 15, 5:14 pm
  #144  
 
Join Date: Dec 2005
Location: Göteborg Sweden
Programs: SPG GOLD / BA GOLD/Club Carlson Gold/AMEX Plat.
Posts: 1,041
What concerns me is when I asked the rep if this happens a lot.. She hesitated and stated.. It happens more than you know.. Perhaps I should now reconsider my stay at the Conrad in Hong Kong..
Flyiboy is offline  
Old Jan 18, 15, 9:40 am
  #145  
 
Join Date: Feb 2013
Programs: Hilton Diamond
Posts: 2,921
Just a comment on ways people can get your account info. This morning under my door at the Doubletree Ocean Point Miami Beach North was not only a copy of my bill, but also for another Diamond staying a floor lower, a Mr. Augusto S and while his address is not on the bill, his Diamond number is.
Miesque is offline  
Old Jan 18, 15, 10:29 am
  #146  
 
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 228
> It is not a rogue hotspot, it is the way Hilton is doing business now.

Correct.

The fact that Hilton WiFi login even asks for all the info required to seize control of an account ... is simply nuts. Somebody does not understand OPSEC.

Whoever Hilton is paying for I/T security advice does not understand the fundamentals of their job. They should be name'd, shame'd and fire'd. But I do not wish to be unreasonable. I am willing to compromise: They should be fired. The REDACTED BY MOD amateurs.

Last edited by squeakr; Jan 18, 15 at 8:57 pm Reason: semi profanity
gqZJzU4vusf0Z2,$d7 is offline  
Old Jan 18, 15, 4:19 pm
  #147  
 
Join Date: Dec 2010
Location: Sacramento, CA
Programs: UA 1K; Hilton: Diamond;Kimpton: ?? ; Omni: Black; Avis: First; Hertz: Five Star
Posts: 656
Hello, hello?
Conrad Hilton are you there?
There appear to be some significant breaches of your ability to preserve the privacy of your customers' most important data.
Are you there? Are you going to respond?
JohnMacWW is offline  
Old Jan 18, 15, 8:18 pm
  #148  
 
Join Date: Jan 2011
Location: LAX
Programs: Delta Silver, Marriott Gold, HH Diamond, Ex-UA Gold, Ex-AA Gold , Ex-SPG Gold, Peon everywhere else
Posts: 577
I got hacked today for the tune of 225,000 points. Initially I had gotten an email (around 11:30am) saying my address had changed. So I went online and checked and sure enough, there was an address from Singapore on my account (I live in SoCal). I suspected something wrong, so I immediately changed it back to my address, changed my password and called customer service. Their response was that maybe someone had mistakenly given my account number while requesting an address change and since my point total was unchanged, I figured that was probably the case. As a precaution I asked the rep to annotate in my account that any future acct changes or point redemptions should prompt a DOB and PIN request. Then at around 4:30 pm I get another email from HHonors with an order confirmation. It was the redemption of 225,000 points for the two $200 GC's. Called customer service again to report it and was given a case number. Does anyone know if Hilton returns the points and if so, how long will it take?
eknock007 is offline  
Old Jan 19, 15, 9:19 am
  #149  
FlyerTalk Evangelist
 
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy Titanium, Hyatt Explorist, others
Posts: 11,697
Originally Posted by eknock007 View Post
I got hacked today for the tune of 225,000 points. Initially I had gotten an email (around 11:30am) saying my address had changed. So I went online and checked and sure enough, there was an address from Singapore on my account (I live in SoCal). I suspected something wrong, so I immediately changed it back to my address, changed my password and called customer service. Their response was that maybe someone had mistakenly given my account number while requesting an address change and since my point total was unchanged, I figured that was probably the case. As a precaution I asked the rep to annotate in my account that any future acct changes or point redemptions should prompt a DOB and PIN request. Then at around 4:30 pm I get another email from HHonors with an order confirmation. It was the redemption of 225,000 points for the two $200 GC's. Called customer service again to report it and was given a case number. Does anyone know if Hilton returns the points and if so, how long will it take?
Based on what we've seen here, Hilton likely will return the points. I don't know how long it takes; that varies.
sethb is offline  
Old Jan 19, 15, 10:02 pm
  #150  
 
Join Date: Jan 2011
Location: LAX
Programs: Delta Silver, Marriott Gold, HH Diamond, Ex-UA Gold, Ex-AA Gold , Ex-SPG Gold, Peon everywhere else
Posts: 577
Originally Posted by eknock007 View Post
I got hacked today for the tune of 225,000 points. Initially I had gotten an email (around 11:30am) saying my address had changed. So I went online and checked and sure enough, there was an address from Singapore on my account (I live in SoCal). I suspected something wrong, so I immediately changed it back to my address, changed my password and called customer service. Their response was that maybe someone had mistakenly given my account number while requesting an address change and since my point total was unchanged, I figured that was probably the case. As a precaution I asked the rep to annotate in my account that any future acct changes or point redemptions should prompt a DOB and PIN request. Then at around 4:30 pm I get another email from HHonors with an order confirmation. It was the redemption of 225,000 points for the two $200 GC's. Called customer service again to report it and was given a case number. Does anyone know if Hilton returns the points and if so, how long will it take?
UPDATE: I got an email today from HHonors Loss Prevention informing me that my points had been restored. They cancelled my old account number and created a new one for me. Apparently they were able to cancel the GC order in time. Good to see that Hilton is on top of this when people end up becoming a victim.
eknock007 is offline  