FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
Hilton | Hilton Honors
Hilton Honors Website Security - Accounts hacked Oct 2014 (https://www.flyertalk.com/forum/hilton-hilton-honors/1570071-hilton-honors-website-security-accounts-hacked-oct-2014-a.html)

anative Apr 17, 14 8:13 pm

Hilton Honors Website Security - Accounts hacked Oct 2014
 
After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.

In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login.

This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.

SCARY.

An email to Hilton's Privacy Department ([email protected]) has gone unanswered.

GoingGal Apr 17, 14 11:35 pm

Hilton should be shamed into changing their approach to account security!! I will certainly send an email to their privacy department - in fact, every person with a HHonors account might want to do the same.

Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information.

Thank you anative for starting this thread.

ericgdukie44 Apr 18, 14 10:27 am

+1 to emailing. I sent my email off this morning. I have to think that they don't get too great a volume of emails so if we can make a high percentage of those emails about this issue over the next week, they will take notice. It can't be that difficult to change the log in procedure. Hell, I'd be even happier if they required both a password AND a pin.

clarence5ybr Apr 18, 14 10:30 am

Ooops, misread "PIN" for "password"

IntFF Apr 18, 14 11:02 am

FYI: Also possible to login with username and 4-digit PIN.

Westcoaster Apr 18, 14 2:09 pm


Originally Posted by GoingGal (Post 22722824)
...Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information.

Good point.

I wrestle with this because I'm not crazy about handing my card over to be swiped every single time I check in either. As it is now they just use the one in my profile and I don't even take my card out of my wallet. I'm not sure where the greater danger lies.

anative Apr 19, 14 5:39 pm

I also know based on my call that Hilton is not even encrypting the passwords being used when you setup a Username and Password combination. The rep that I spoke with was able to see my password on his screen.

This goes against the PCI standards that are supposed to be used for sites that collect and store credit card data.

https://www.pcisecuritystandards.org...PCI_DSS_v3.pdf

bamboola Apr 20, 14 10:35 am

I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.

sdsearch Apr 20, 14 11:28 am


Originally Posted by bamboola (Post 22732298)
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.

Can't you change it to another card, though? Including changing it to a card that isn't valid (say, a used-up gift card?) but has a still-valid expiration date (for now)?

bamboola Apr 20, 14 11:42 am


Originally Posted by sdsearch (Post 22732496)
Can't you change it to another card, though? Including changing it to a card that isn't valid (say, a used-up gift card?) but has a still-valid expiration date (for now)?

I can add a card, but the old one still cannot be deleted.

cjd Apr 20, 14 12:21 pm


Originally Posted by bamboola (Post 22732546)
I can add a card, but the old one still cannot be deleted.

I managed to delete an active AMEX card and leave an inactive Visa card on file. I tried to delete this inactive card, but as mentioned above, the site would not let me. Doesn't really matter as the Visa card account has been closed due to some fraudulent activity some months ago (not related to Hilton.)

GoingGal Apr 20, 14 9:56 pm


Originally Posted by bamboola (Post 22732298)
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.

In order to delete the credit card info: Go to My Profile and select Personal Information. One of the items of Personal Information is Payment Methods and this is where the credit card info resides. All you need to do is click the box to the right of the word Delete in order to delete the CC info from your account. This works like a charm. Good luck.

OverThereTooMuch Apr 20, 14 10:18 pm


Originally Posted by anative (Post 22722174)
This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.

Did the "website person" tell you how many attempts in a certain period of time you get before they block the account?


Originally Posted by anative (Post 22730019)
I also know based on my call that Hilton is not even encrypting the passwords being used when you setup a Username and Password combination. The rep that I spoke with was able to see my password on his screen.

That doesn't mean they aren't encrypting the passwords.
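An added example, not from this thread and not Hilton's code: a hypothetical server-side guard for the number+PIN login discussed above. It shows the two defensive points the exchange raises, a failed-attempt lockout (so a 4-digit PIN cannot simply be tried 9999 times) and salted-hash storage of the PIN (so no stored value can be read back on a rep's screen). MAX_FAILURES, LOCK_SECONDS, the class and function names, and the sample account are all assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5          # assumed policy: lock the account after 5 bad guesses
LOCK_SECONDS = 15 * 60    # assumed policy: keep it locked for 15 minutes


def hash_secret(secret: str, salt: bytes = None):
    """Return (salt, digest). Only the salted PBKDF2 digest is stored, never the PIN."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return salt, digest


class Account:
    def __init__(self, honors_number: str, pin: str):
        self.honors_number = honors_number
        self.salt, self.pin_hash = hash_secret(pin)  # the clear-text PIN is not kept
        self.failures = 0
        self.locked_until = 0.0


class LoginGuard:
    """Hypothetical login throttle keyed on the Honors number (constructed example)."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable clock so lockout expiry can be tested
        self.accounts = {}

    def register(self, honors_number: str, pin: str):
        self.accounts[honors_number] = Account(honors_number, pin)

    def attempt(self, honors_number: str, pin: str) -> str:
        acct = self.accounts.get(honors_number)
        now = self.clock()
        if acct is None:
            return "denied"           # same reply as a wrong PIN; a real system throttles these too
        if now < acct.locked_until:
            return "locked"           # even the correct PIN is refused while locked
        _, candidate = hash_secret(pin, acct.salt)
        if hmac.compare_digest(candidate, acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCK_SECONDS
            return "locked"
        return "denied"
```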

cjd Apr 21, 14 2:10 am


Originally Posted by GoingGal (Post 22734418)
In order to delete the credit card info: Go to My Profile and select Personal Information. One of the items of Personal Information is Payment Methods and this is where the credit card info resides. All you need to do is click the box to the right of the word Delete in order to delete the CC info from your account. This works like a charm. Good luck.

This is what bamboola and I have tried to do, but the "delete" function won't work.

bamboola Apr 21, 14 8:02 am


Originally Posted by cjd (Post 22735011)
This is what bamboola and I have tried to do, but the "delete" function won't work.

Here's a work-around that I tried last night. I set the expiration date to April 2014 and got an error message. I then set the expiration date to May 2014 and managed to delete one of the two credit cards. I presume that after May 2014, I will be able to delete the other credit card.

