
Consolidated "CAPTCHA for logging in?" thread

Old Oct 22, 2014, 4:27 pm
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: davie355
HHonors Sign In (if the link has disappeared)

https://secure3.hilton.com/en/hh/customer/login/index.htm
Old Oct 16, 2014, 2:12 pm
  #76  
In Memoriam
 
Join Date: Jul 2001
Posts: 35,555
Originally Posted by HHonorsRepresentative
Hi there,

Thanks for your question! At this point, CAPTCHA is a long-term solution and has been implemented as an extra security measure for the safety of our members. I am collecting your feedback each day and passing along to my team so they are looped in on the user experience.

Thanks,
Erin
Erin:

I appreciate you are the messenger, but this is one of the dumbest ideas I have ever seen. I use Wells Fargo, Chase, Citibank and American Express websites on a routine basis and they chose not to take the easy way out with CAPTCHA; they chose to actually address the core of the problem.
underpressure is offline  
Old Oct 16, 2014, 2:44 pm
  #77  
 
Join Date: Dec 2012
Location: Venice, Florida
Programs: Hilton Diamond
Posts: 2,607
I called diamond desk yesterday almost in tears because the captcha had changed from a hotel room number to 2 words I couldn't read or hear--I asked why they couldn't stick with the hotel room number and that as someone who worked with hearing and visually impaired people, this was ridiculous.
Today I logged in and just got the hotel room number. I hope it stays like that!!!
nlkm9 is offline  
Old Oct 16, 2014, 8:56 pm
  #78  
 
Join Date: Dec 2012
Location: Philadelphia
Programs: HH Diamond, IHG Plat, SPG & Marriott Gold, CC Silver
Posts: 541
Originally Posted by HHonorsRepresentative
Hi there,

Thanks for your question! At this point, CAPTCHA is a long-term solution and has been implemented as an extra security measure for the safety of our members. I am collecting your feedback each day and passing along to my team so they are looped in on the user experience.

Thanks,
Erin
If you're collecting feedback, you should share that this is really annoying for the end user, amateurish, and an obvious indicator that your IT staff need to go to a higher level seminar on security protocols. A lengthy alpha-numeric password would be far more secure and VASTLY less obnoxious.
PHLisa is offline  
Old Oct 17, 2014, 1:47 am
  #79  
 
Join Date: Apr 2005
Location: Sydney, Australia (from time to time)
Programs: QF-LTS & P, SQ-TPPS, IC-RA, HH-D, *wood G, Others
Posts: 1,729
Hilton seem to be at the bleeding edge of stupid over-the-top security, and IMHO Captcha is a painful roadblock.

The other issue with a lot of sites generally now, including Hilton is the short time to expiry from non-use. I again understand why, but sometimes we have to "line up the ducks" with airline, hotel and people reservations and can't be done so quickly!
infoworks is offline  
Old Oct 17, 2014, 4:59 am
  #80  
Hilton Contributor Badge
 
Join Date: Jan 2012
Programs: HH Diamond
Posts: 695
What I find amazing is that even RYANAIR (!!!) has abandoned the use of Captchas... whereas Hilton introduces them. Makes sense.
treppenlaeufer is offline  
Old Oct 17, 2014, 6:20 am
  #81  
FlyerTalk Evangelist
 
Join Date: Jul 2005
Location: Seat 2A
Programs: AA EXP LT GLD 1MM, BA GLD, NH/UA*G, Hyatt Dia, Marr Tit LT PLT, IHG Spire,HH Dia, MGM NOIR,Hertz PC
Posts: 10,571
This is driving me nuts. My device doesn't display the captcha properly for whatever reason and I can't access my account $&*#^@#
skywalkerLAX is offline  
Old Oct 19, 2014, 10:05 am
  #82  
Moderator Hilton Honors, Travel News, West, The Suggestion Box, Smoking Lounge & DiningBuzz
 
Join Date: Jun 2000
Programs: Honors Diamond, Hertz Presidents Circle, National Exec Elite
Posts: 36,027
Could someone wiser to the ways of internet security than I am comment on why Hilton presumably thinks that this is a security enhancement -- IF the problem they are seeking to alleviate is purloined passwords/pins?

I don't know a lot about such things, but it would seem to me that IF that's the presenting problem, a captcha doesn't do anything to ameliorate/address the issue, but just gives a potential thief another layer.

Or is there something else that is the presumed problem that Hilton is responding to where a captcha makes sense as an answer?

Not so much interested in rants about Hilton's IT (I've joined those often enough myself) but informed speculation about a) what the actual problem is they are seeking to solve, and b) whether it does so or not.
cblaisd is offline  
Old Oct 19, 2014, 10:22 am
  #83  
FlyerTalk Evangelist
 
Join Date: Jun 2004
Location: MSP
Programs: DL PM, MM, NR; HH Diamond, Bonvoy LT Gold, Hyatt Explorist, IHG Diamond, others
Posts: 12,159
If the information is stolen, captcha doesn't do much. But if there's a bulk attack (e.g. feed the PIN 4321 to 1,000,000 different accounts, and expect to succeed with at least 100 of them) captcha will stop it or at least slow it down greatly.
sethb is offline  
Old Oct 19, 2014, 5:29 pm
  #84  
 
Join Date: Nov 2012
Location: SFO
Posts: 1,746
+1 to captcha being an extremely annoying "fix". Get rid of the pins, use real passwords, and stop with this industry definitely-not-standard nonsense.
djibouti is offline  
Old Oct 20, 2014, 2:06 am
  #85  
FlyerTalk Evangelist
Four Seasons Contributor BadgeMandarin Oriental Contributor Badge
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
I haven't seen this answered in this thread yet (sorry if I missed it), but why can't Hilton just use the same security that all the other hotel sites use? Or airlines? Or a million other sites that have security that works? What is their excuse for not taking the very simple action of copying successful sites?
stimpy is offline  
Old Oct 20, 2014, 8:54 am
  #86  
 
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,361
Originally Posted by stimpy
I haven't seen this answered in this thread yet (sorry if I missed it), but why can't Hilton just use the same security that all the other hotel sites use? Or airlines? Or a million other sites that have security that works? What is their excuse for not taking the very simple action of copying successful sites?
(Not defending Hilton)

I don't think the travel industry is the place to look for best practices here. How many people had Air China reservations booked with United miles cancelled by hackers? IHG has all sorts of hacked accounts.

Even security in the financial industry is pathetic. How many banks rely on wish-it-was-two-factor security questions (US Bank) or short PINs instead of passwords (Capital One 360)? Vanguard used to have laughable password policies but those have fortunately changed.

Honestly, I feel more secure about my Amazon and Netflix accounts than anything else. At least Amazon (Web Services) and Google allow true two-factor authentication.
txflyer77 is offline  
Old Oct 20, 2014, 10:10 am
  #87  
FlyerTalk Evangelist
Four Seasons Contributor BadgeMandarin Oriental Contributor Badge
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
Originally Posted by txflyer77
(Not defending Hilton)

I don't think the travel industry is the place to look for best practices here. How many people had Air China reservations booked with United miles cancelled by hackers? IHG has all sorts of hacked accounts.

Even security in the financial industry is pathetic. How many banks rely on wish-it-was-two-factor security questions (US Bank) or short PINs instead of passwords (Capital One 360)? Vanguard used to have laughable password policies but those have fortunately changed.

Honestly, I feel more secure about my Amazon and Netflix accounts than anything else. At least Amazon (Web Services) and Google allow true two-factor authentication.
Maybe you are referring to hacks other than ones that brute force the login? I have accounts on every major hotel chain and most all of the major airlines (none in China though!) and have never experienced an attack or even heard of anything serious that I could have prevented with a stronger password. Ditto for banks, credit cards, and dozens of other sites.
stimpy is offline  
Old Oct 20, 2014, 11:08 am
  #88  
 
Join Date: Feb 2003
Location: New York City
Programs: BA Gold Guest List; HH Diamond; Hyatt Diamond; SPG Gold
Posts: 2,833
The putative purpose of a Captcha is to verify that it's a human being on the other end; i.e. to limit the rate at which an advanced attacker can attempt his attack through automation.

If an attacker already has (through some means) the password for a given account, it serves no purpose. The attacker can just log in and do the Captcha like you or me.

Captcha does nothing to defend against attack vectors like phishing. The purpose is just to stop/slow down brute force/dictionary attacks. The same could be achieved by:
  • locking the account after several incorrect login attempts, with an email sent with an unlock link
  • use of a one-off Captcha when a given (username, IP address) pair logs in for the first time, or the first time per day (e.g.)
  • removal of account number / PINs for login, instead requiring email address plus a higher-security password selection rule

... but all of those would - while being much more user-friendly - require more engineering effort than simply adding an additional Captcha verification callback to the existing login page.
NickW is offline  
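
Added example, not part of any post in this thread and not Hilton's code: a minimal Python sketch of the first two alternatives listed in post #88 (account lockout, one-off Captcha per new (username, IP) pair), replayed against the bulk pattern described in post #83. The class name, the threshold of 5, the account names and the IP addresses are all assumptions made for illustration.

```python
from collections import defaultdict

LOCK_AFTER = 5  # assumed threshold; the post says only "several"

class LoginGuard:
    """Hypothetical login policy: account lockout plus first-time-pair Captcha."""

    def __init__(self):
        self.failures = defaultdict(int)  # consecutive failures per account
        self.locked = set()               # accounts awaiting an emailed unlock link
        self.known_pairs = set()          # (user, ip) pairs that have logged in before

    def challenge(self, user, ip):
        """What the login form demands before the credential is checked."""
        if user in self.locked:
            return "locked"
        return "none" if (user, ip) in self.known_pairs else "captcha"

    def record(self, user, ip, success):
        """Update state after a credential check (Captcha assumed passed)."""
        if success:
            self.failures[user] = 0
            self.known_pairs.add((user, ip))
        else:
            self.failures[user] += 1
            if self.failures[user] >= LOCK_AFTER:
                self.locked.add(user)

def replay(events):
    """Run (user, ip, success) events through a fresh guard; return it and the challenges issued."""
    guard, seen = LoginGuard(), []
    for user, ip, success in events:
        decision = guard.challenge(user, ip)
        seen.append(decision)
        if decision != "locked":
            guard.record(user, ip, success)
    return guard, seen

# Constructed sample traffic (documentation IP ranges, made-up account names).
MEMBER = [("alice", "198.51.100.7", True)] * 3      # returning member, same IP
BULK = [(f"acct{n}", "203.0.113.9", False) for n in range(1000)]  # one guess per account
TARGETED = [("bob", "203.0.113.9", False)] * 7      # repeated guesses at one account

if __name__ == "__main__":
    for name, events in (("member", MEMBER), ("bulk", BULK), ("targeted", TARGETED)):
        guard, seen = replay(events)
        print(name, {c: seen.count(c) for c in set(seen)}, "locked:", len(guard.locked))
```

The bulk run locks no accounts, because each account sees only one failure, yet every attempt is challenged since the pair is new; the returning member is challenged once.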
Old Oct 20, 2014, 11:11 am
  #89  
 
Join Date: Mar 2001
Location: New York / Hawaii
Programs: UA Global Services, HH Diamond
Posts: 5,178
Originally Posted by Zeeb
Are people really that upset about a slight inconvenience that vastly increases their account security?
Yes because there's little security improvement ...and it makes it nearly impossible to log-in and use the account online to view/make reservations or check on account activity.

At least the numbers are up instead of the scribbled unreadable text.
Weatherboy is offline  
Old Oct 20, 2014, 11:44 am
  #90  
 
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,361
Originally Posted by stimpy
Maybe you are referring to hacks other than ones that brute force the login? I have accounts on every major hotel chain and most all of the major airlines (none in China though!) and have never experienced an attack or even heard of anything serious that I could have prevented with a stronger password. Ditto for banks, credit cards, and dozens of other sites.
http://www.flyertalk.com/forum/unite...ed-hacked.html
txflyer77 is offline  

