New Hilton website
#31
Join Date: Apr 2005
Posts: 522
Security Issues with New Site
On a regular basis I monitor my miles and points accounts to confirm accurate activity being recorded, and most importantly, to confirm that it is still my email address/phone/physical address listed in my profile page.
[To those unaware of why this is important, hackers who get into your account will change your contact info prior to setting up points transfers or booking awards for themselves - most commonly they'll change your email address. See the current threads about HH points stolen for Amazon purchases for recent experiences with this.]
But on the new site it's impossible to check your personal data. You're first given a page that shows your email address with only its last letter and the email domain, and there's an "Edit" button. But when you select "Edit" you're shown another page which also does not display your full contact info, but rather it's as I described above. So there seems to be no way to confirm that the email address that HH has associated with your account is actually yours. The only option I see is to re-enter your email as if it's a true update to your account.
Am I missing something? Is there a way to confirm that HH has your accurate email address on their new website?
Last edited by JBD; Apr 12, 2019 at 2:11 pm Reason: typos
#32
Join Date: Feb 2014
Programs: Amex Plat, Hilton Diamond, SPG Gold, Carlson Gold, CM Presidential / *A Gold, Hertz 5*
Posts: 1,648
Hopefully you see that it is in fact more secure than them displaying all your info
If you are very concerned about security, then buy your own domain and use a different email address for everything
#33
Join Date: Apr 2005
Posts: 522
Marriott's site similarly doesn't show the personal data unless you click on Edit, but when you do, you then see what's stored in there. I'd bet that's what the HH programmers were going for.
But perhaps the programmers thought as you seem to, that prohibiting the customer from verifying their data is an enhancement. If so, I stand by my opinion that this is unwise as it gives hackers even more cover.
I've pm'd Lauren about this, asking her to please pass my concern along to the appropriate department. The new site is so buggy, I'm hoping that this does get ironed out.
#34
Join Date: Apr 2018
Posts: 18
Just bookmark this link to the old world, it seems to work for me:
https://secure3.hilton.com/en/hh/cus...ogin/index.htm
and thereafter as a hotlink to your list of bookings:
https://secure3.hilton.com/en/hh/cus...servations.htm
They'll sort themselves out eventually.......
#35
Join Date: Feb 2014
Programs: Amex Plat, Hilton Diamond, SPG Gold, Carlson Gold, CM Presidential / *A Gold, Hertz 5*
Posts: 1,648
So yea, them hiding some/most of an email address can enhance security, much like HH (and most other sites) hide some/most of your CC details on file too
True
#36
Join Date: Apr 2005
Posts: 522
...Hacker gains access to a HH account, due to a data breach, using a HH number and password. Hacker does not have the email address associated to that account. Hacker goes to the preferences/profile page and finds the email address attached to that account. Hacker then goes and tries to log into said email account using the same password, and it works due to [insert large percentage here] of people use the same password for everything. Once they log in, they can see all the emails that the person gets and can see which programs that person is part of. Hacker now has access to pretty much every one of them...
It is this fraudulent activity that can be harnessed when you check your account data on a regular basis. And the HH's new website makes this self-verification impossible.
What you describe is not a concern of mine since I have different, and complex passwords for every account I access online. Because I learned to do that on FT
#37
Join Date: Feb 2014
Programs: Amex Plat, Hilton Diamond, SPG Gold, Carlson Gold, CM Presidential / *A Gold, Hertz 5*
Posts: 1,648
What I've read here and on other FT forums over the years, is not what you described above, but rather reports that a hacker got into someone's account, changed their email address on file, then booked a room or transferred to Amazon, or what have you, and the confirmation email didn't come to them, it went instead to the new email address.
It is this fraudulent activity that can be harnessed when you check your account data on a regular basis. And the HH's new website makes this self-verification impossible.
You will rightly have issue with the second sentence
Good work, you are halfway there
#38
Join Date: Aug 2000
Location: Newton Centre, MA, USA
Programs: DL 2MM Gold, AA Plat Pro; Hilton Lifetime Diamond, Bonvoy Lifetime Titanium (via SPG), IHG Plat
Posts: 2,192
For the record, I was able to get the old webpage back by clearing all my cookies that had "hilton" in them.
Last edited by stc; Apr 13, 2019 at 8:26 pm Reason: spelling
#39
Join Date: Dec 2014
Location: Haze gray and underway
Programs: UA 1K 2MM, HH Diamond, Marriott 'clink clink' Titanium
Posts: 1,784
reCAPTCHA is also screwy; some images are so blurred as to be useless.
#40
Join Date: Oct 2016
Programs: DL Gold, AA Plat, Hilton Diamond
Posts: 253
I still can't get over how stretched the image is. Some junior programmer just found an image and dragged it to make it fit the screen. That poor woman looks like her face is being reflected in a fun house mirror.
#41
Join Date: Mar 2003
Location: Los Angeles, CA
Programs: UA 1K 1MMer & LT UC (when flying UA); Hyatt Credit Cardist; HHonors Diamond; Marriott Gold via UA 1K
Posts: 6,956
for the new website challenged: https://secure3.hilton.com/en/hh/cus...ogin/index.htm
#42
Join Date: May 2016
Posts: 40
Just use the HHonors page instead:
https://hiltonhonors3.hilton.com/en/index.html
#43
FlyerTalk Evangelist
Join Date: Aug 2001
Location: SF CA USA. I love large faceless corporations. And they cherish me in return (sometimes). ;)
Programs: UA Premier Gold/disappointed 1MM, HH Gold, IHG Plat, MB Gold, BW Diam Sel
Posts: 17,575
Still insanely buggy
Just use the HHonors page instead:
https://hiltonhonors3.hilton.com/en/index.html
#44
Join Date: Aug 2000
Location: Newton Centre, MA, USA
Programs: DL 2MM Gold, AA Plat Pro; Hilton Lifetime Diamond, Bonvoy Lifetime Titanium (via SPG), IHG Plat
Posts: 2,192
Hilton IT seems to be taking lessons from Marriott.
#45
FlyerTalk Evangelist
Join Date: Oct 2011
Location: ATL
Programs: DL Scattered Smothered Covered Medallion, Some hotel & car stuff, Kroger Plus Card
Posts: 10,745
I'm just now noticing the new page. Went in to check points on a stay, and nothing shows up for any of my past stays (and certainly no way to expand to see the usual details of base+bonus+promo points). Is this happening to anyone else?
I can still see everything in the Android app; just not sure if there's a new place to find this info on the actual website.