Hilton Honors Website Security - Accounts hacked Oct 2014

Old Apr 17, 14, 8:13 pm
  #1  
Original Poster
 
Join Date: Dec 2000
Location: Orlando, FL, USA (MCO)
Programs: Hilton-Diamond, Virgin-Gold, BA-Silver
Posts: 21
After the recent Heartbleed website vulnerability was announced I went through and made sure that I am using strong unique passwords on all of my web logins.

In the case of Hilton Honors that meant setting up a username and password instead of the Honors # and PIN I was using. The problem is that even after creating a Username and Password there is no way to turn off logging in with the Honors # and PIN. I thought I must be missing something so I called the Diamond Desk and was transferred to a Website person who confirmed that there is not currently a way to turn off the Honors # and PIN login.

This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.

SCARY.

An email to Hilton's Privacy Department ([email protected]) has gone unanswered.
anative is offline  
Old Apr 17, 14, 11:35 pm
  #2  
 
Join Date: Apr 2006
Programs: Hilton Diamond, Marriott Lifetime Titanium
Posts: 122
Hilton should be shamed into changing their approach to account security!! I will certainly send an email to their privacy department - in fact, every person with a HHonors account might want to do the same.

Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information.

Thank you anative for starting this thread.
GoingGal is offline  
Old Apr 18, 14, 10:27 am
  #3  
 
Join Date: Apr 2014
Location: DFW/LAX
Programs: HH Diamond, AA EXP
Posts: 534
+1 to emailing. I sent my email off this morning. I have to think that they don't get too great a volume of emails, so if we can make a high percentage of those emails about this issue over the next week, they will take notice. It can't be that difficult to change the login procedure. Hell, I'd be even happier if they required both a password AND a PIN.
ericgdukie44 is offline  
Old Apr 18, 14, 10:30 am
  #4  
 
Join Date: Apr 2003
Location: Right here
Posts: 2,931
Oops, misread "PIN" for "password".
clarence5ybr is offline  
Old Apr 18, 14, 11:02 am
  #5  
 
Join Date: Jun 2001
Location: CA & Europe
Programs: AA Life-Plat 5MM, HH Diamond, IHG Plat, UA, BA
Posts: 650
FYI: Also possible to login with username and 4-digit PIN.
IntFF is offline  
Old Apr 18, 14, 2:09 pm
  #6  
 
Join Date: Oct 2000
Location: Seattle WA, USA
Programs: Hilton Diamond, Marriott Titan, AS MVPG&AL, others no status
Posts: 3,409
Originally Posted by GoingGal
...Note of warning - if you have a credit card number included in your HHonors account I strongly encourage you to remove it immediately. A web site that is this insecure isn't the best place to store credit card information.
Good point.

I wrestle with this because I'm not crazy about handing my card over to be swiped every single time I check in either. As it is now they just use the one in my profile and I don't even take my card out of my wallet. I'm not sure where the greater danger lies.
Westcoaster is offline  
Old Apr 19, 14, 5:39 pm
  #7  
Original Poster
 
Join Date: Dec 2000
Location: Orlando, FL, USA (MCO)
Programs: Hilton-Diamond, Virgin-Gold, BA-Silver
Posts: 21
I also know based on my call that Hilton is not even encrypting the passwords being used when you set up a Username and Password combination. The rep that I spoke with was able to see my password on his screen.

This goes against the PCI standards that are supposed to be used for sites that collect and store credit card data.

https://www.pcisecuritystandards.org...PCI_DSS_v3.pdf
anative is offline  
Old Apr 20, 14, 10:35 am
  #8  
 
Join Date: Aug 2001
Posts: 1,177
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.
bamboola is offline  
Old Apr 20, 14, 11:28 am
  #9  
FlyerTalk Evangelist
 
Join Date: Jan 2005
Location: home = LAX
Posts: 24,157
Originally Posted by bamboola
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.
Can't you change it to another card, though? Including changing it to a card that isn't valid (say, a used-up gift card?) but has a still-valid expiration date (for now)?
sdsearch is offline  
Old Apr 20, 14, 11:42 am
  #10  
 
Join Date: Aug 2001
Posts: 1,177
Originally Posted by sdsearch
Can't you change it to another card, though? Including changing it to a card that isn't valid (say, a used-up gift card?) but has a still-valid expiration date (for now)?
I can add a card, but the old one still cannot be deleted.
bamboola is offline  
Old Apr 20, 14, 12:21 pm
  #11  
cjd
 
Join Date: Jun 2002
Location: Newcastle, UK
Posts: 2,274
Originally Posted by bamboola
I can add a card, but the old one still cannot be deleted.
I managed to delete an active AMEX card and leave an inactive Visa card on file. I tried to delete this inactive card, but as mentioned above, the site would not let me. Doesn't really matter as the Visa card account has been closed due to some fraudulent activity some months ago (not related to Hilton).
cjd is offline  
Old Apr 20, 14, 9:56 pm
  #12  
 
Join Date: Apr 2006
Programs: Hilton Diamond, Marriott Lifetime Titanium
Posts: 122
Originally Posted by bamboola
I logged into my account and clicked on the Delete button next to my credit card. Nothing happened.

I called the Diamond Desk and the rep told me that, once the credit card info is in the profile, it cannot be deleted. She said the Delete button has never been functional.
In order to delete the credit card info: Go to My Profile and select Personal Information. One of the items of Personal Information is Payment Methods, and this is where the credit card info resides. All you need to do is click the box to the right of the word Delete in order to delete the CC info from your account. This works like a charm. Good luck.
GoingGal is offline  
Old Apr 20, 14, 10:18 pm
  #13  
 
Join Date: Apr 2007
Location: SEA
Programs: AS MVP, Hhonors Gold, National Executive, Identity Gold, MLife Gold
Posts: 2,684
Originally Posted by anative
This means that anyone with your Honors # (which is on every receipt half tucked under your room door) could hack into your account in just 9999 tries.
Did the "website person" tell you how many attempts in a certain period of time you get before they block the account?

Originally Posted by anative
I also know based on my call that Hilton is not even encrypting the passwords being used when you setup a Username and Password combination. The rep that I spoke with was able to see my password on his screen.
That doesn't mean they aren't encrypting the passwords.
OverThereTooMuch is offline  
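The 4-digit PIN arithmetic in the original post and the lockout question in post #13, as an added illustration that is not part of the thread: a per-account failed-attempt counter with a lockout window, plus the upper bound on guesses such a policy still permits per day. The PIN store, the PBKDF2 hashing and the 5-attempt / 15-minute policy are assumptions chosen for the example, not Hilton's actual configuration.

```python
"""Defensive sketch: why a 4-digit PIN login needs an attempt limit.

Added example for the FlyerTalk discussion above; the account store, the
hashing and the lockout numbers are assumptions, not Hilton's real system.
"""
import hashlib
import hmac
import os
import time

PIN_SPACE = 10 ** 4        # 0000..9999: the entire 4-digit PIN keyspace
MAX_FAILURES = 5           # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 900      # assumed policy: 15-minute lockout window


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store only a salted, stretched hash so support staff cannot read the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinGuard:
    def __init__(self, now=time.monotonic):
        self.now = now          # injectable clock so the lockout can be tested
        self.accounts = {}      # honors number -> salt, hash, failures, locked_until

    def enroll(self, honors_no: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[honors_no] = {"salt": salt, "hash": hash_pin(pin, salt),
                                    "failures": 0, "locked_until": 0.0}

    def attempt(self, honors_no: str, pin: str) -> str:
        acct = self.accounts.get(honors_no)
        if acct is None:
            return "denied"     # same answer as a wrong PIN: don't reveal valid numbers
        if self.now() < acct["locked_until"]:
            return "locked"     # even the correct PIN is refused while locked
        if hmac.compare_digest(hash_pin(pin, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"] = 0
            acct["locked_until"] = self.now() + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def guesses_per_day(max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS) -> int:
    # Upper bound on PIN guesses the policy permits in 24 hours. Compare with
    # PIN_SPACE: lockout only slows exhaustion of a 4-digit PIN, so a stronger
    # credential (or disabling PIN login) is still needed, as the thread argues.
    return (86_400 // lockout) * max_failures
```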
Old Apr 21, 14, 2:10 am
  #14  
cjd
 
Join Date: Jun 2002
Location: Newcastle, UK
Posts: 2,274
Originally Posted by GoingGal
In order to delete the credit card info: Go to My Profile and selected Personal Information. One of the items of Personal Information is Payment Methods and this is where the credit card info resides. All you need to do is click the box to the right of the word Delete in order to delete the CC info from your account. This works like a charm. Good luck.
This is what bamboola and I have tried to do, but the "delete" function won't work.
cjd is offline  
Old Apr 21, 14, 8:02 am
  #15  
 
Join Date: Aug 2001
Posts: 1,177
Originally Posted by cjd
This is what bamboola and I have tried to do, but the "delete" function won't work.
Here's a work-around that I tried last night. I set the expiration date to April 2014 and got an error message. I then set the expiration date to May 2014 and managed to delete one of the two credit cards. I presume that after May 2014, I will be able to delete the other credit card.
bamboola is offline  