FlyerTalk Forums > Miles&Points > Hotels and Places to Stay > Hilton | Hilton Honors
HHonors Points Stolen Through Amazon.com

Old Aug 9, 2019, 6:11 pm
  #136  
 
Join Date: Oct 2000
Location: Seattle WA, USA
Programs: Hilton Diamond, Marriott LT Plat, AS Lounge
Posts: 3,478
Originally Posted by smithrh
Update - called the Diamond Desk to make a reservation today and they did use 2FA while on the call, and it was very quick.
Thanks for the data point. It's encouraging. I did an award reservation yesterday online and it did not trigger the 2FA. So maybe, at least for now, it's only for use when we call in.
Westcoaster is offline  
Old Aug 15, 2019, 2:05 pm
  #137  
 
Join Date: Jun 2017
Programs: DL: DM UA: 1K
Posts: 27
Finally, my points were returned today. It took 17 days after the report. The e-mail from Hilton recommended me to set up 2FA. I didn't see that option in my profile in the past, but that option appeared today.
kazuyuki330 is offline  
Old Aug 19, 2019, 2:05 pm
  #138  
DFB
 
Join Date: Aug 2019
Posts: 1
Hilton Honors points stolen

Originally Posted by pinion
Apparently the points stealing schemes are still going on. I received 2 emails yesterday from Hilton saying that my HHonors points had been redeemed through Amazon.com. I immediately logged into my Hilton account and I've gone from approx 268,000 down to 1000, so around 267,000 were stolen. No idea how this could have happened. Email stated to call Amazon if there is a problem with the transaction or if I was not the one who placed an order. It doesn't make sense that they say they cannot track down a transaction using my Hilton number as there has to be some kind of record of the points transfer from Hilton. I don't know if there are other sources I can contact to get this situation taken care of.

Called Amazon and was told that they have no record of the transaction taking place and there is no purchase using points in my history. They basically said there is nothing they can do except talk with Hilton to see if "this is a valid transaction" and that they would get back to me in a week or so. No guarantees that they will be able to find anything. Sounds like they are trying to blame Hilton.

Called Hilton to report the fraud. Hilton stated that they could see 2 separate transactions in my account. One for 114,500 and one for 134,000 (I know the math doesn't add up; who knows). Hilton said they would have to talk to Amazon "to determine if the points transfer was valid" and they would contact me "if there was anything they could do". Sounds like they are trying to blame Amazon. No guarantees that they will find anything.

I am a long time Hilton Honors member and Hilton credit cardholder. Very loyal to the brand as they have always treated me well during my stays. I've been a Prime member for many years as well. I'm not sure if this is an Amazon.com problem or a Hilton security problem. All passwords have been changed for both accounts and credit card. As a precaution, I removed all payment sources from both accounts as well.

Any advice is greatly appreciated. This really puts a burden on my travel expenses as I was using them to pay for stays while travelling for my business.
Same happened to me. Obviously somebody hacked into Hilton’s systems. My personal and credit card information exposed. I had to warn Hilton instead of them warning me. And then I had to follow up for two months as they refused to look into my case. The fraud department is useless. I still have problems with my points even though most of them were added back. And btw, no compensation for this tremendous breach of trust from Hilton...
DFB is offline  
Old Aug 19, 2019, 3:19 pm
  #139  
 
Join Date: Jun 2012
Location: Michigan
Programs: DL PM
Posts: 855
Regarding the dual factor authentication sub-topic of this thread, I signed up for DFA a while back and have not been prompted to use it any time I've logged into my account. But, yesterday I called to book a night with an AMEX weekend certificate and needed the DFA for the redemption. It was awkward because the SMS didn't send right away so the agent went on hold a couple times and came back and asked me if I received it. Took a few minutes but the code did finally come through.

It seems kind of pointless to use the DFA when you call in for a redemption since they verify your e-mail address and phone number when you call in regardless, but at least it seems like it may be triggered for a points redemption even if it is not triggered when you log in. I haven't tested this with an online points redemption yet, though.
mudpuppy is offline  
Old Aug 19, 2019, 10:40 pm
  #140  
FlyerTalk Evangelist
 
Join Date: Jan 2005
Location: home = LAX
Posts: 25,933
Question is DFA online only for non-hotel redemptions?

Someone posted in another thread the other day that some time back (a year or two ago?) Hilton advised them to set up something like dual-factor authentication (DFA) that would kick in if a redemption other than for a hotel was tried.

When looking at recent posts, I see people saying things like they tried it for an online hotel redemption and it didn't kick in. Well, did anyone who set up DFA try it for a non-hotel redemption of any kind?

Hackers are less likely to book a hotel in your name, more likely to try to redeem for gift cards, store purchases, and stuff like that. So it'd be useful and yet convenient IMHO if DFA didn't apply to hotel redemptions but did apply to other kinds of redemptions that hackers prefer. But is that how it works?
sdsearch is offline  
Old Aug 20, 2019, 11:43 am
  #141  
 
Join Date: Aug 2002
Location: NYC
Posts: 335
That would be fine, except right now there's nothing keeping someone from deactivating 2FA on your Hilton account without you being notified.

For example, I just:

1) logged into my Hilton account
- was not asked for 2FA to log in

2) went to the profile page and deactivated 2FA
- was not asked for 2FA to deactivate it
- was not notified by text or email that 2FA had been deactivated.
MoodyB likes this.
Petdog is offline  
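The two posts above (sdsearch asking whether 2FA should gate non-hotel redemptions, Petdog showing that 2FA can be switched off with no code and no notification) describe a step-up authentication policy. The following is an added example of such a policy, not Hilton's code and not code from any poster. It assumes a TOTP enrolment (RFC 6238, implemented from the standard library), that a plain logged-in session is enough to book a hotel night, and that partner redemptions, linking a partner account and disabling 2FA all require a fresh code while 2FA is enrolled. The action names, the `Account` class and the notification strings are all assumptions for the example.

```python
"""Step-up authentication for sensitive loyalty-account actions.

Added example, not Hilton's code. Assumed policy: a plain logged-in session is
enough to book a hotel night, but anything that moves value off the account or
weakens its protection (partner redemption, linking a partner account, turning
2FA off) needs a fresh TOTP code, and the member is notified either way.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # TOTP time step (RFC 6238 default)
WINDOW = 1                 # accept one step of clock skew either side
SENSITIVE_ACTIONS = {"disable_2fa", "link_partner", "redeem_partner"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP for the time step containing `now` (Unix seconds)."""
    return hotp(secret, now // STEP_SECONDS)


class StepUpRequired(Exception):
    """Raised when a sensitive action is attempted without a valid fresh code."""


class Account:
    def __init__(self, member_id: str):
        self.member_id = member_id
        self.totp_secret = None      # None means 2FA is not enrolled
        self.linked_partners = set()
        self.notifications = []      # what would be emailed/SMSed to the member
        self.audit = []

    def enroll_2fa(self, secret: bytes) -> None:
        self.totp_secret = secret
        self._notify("2FA enabled")

    def _notify(self, text: str) -> None:
        self.notifications.append(text)

    def _verify_totp(self, code, now: int) -> bool:
        if self.totp_secret is None or not code:
            return False
        base = now // STEP_SECONDS
        # constant-time compare; scan the skew window so a slightly slow SMS/app still works
        return any(
            hmac.compare_digest(hotp(self.totp_secret, base + skew), code)
            for skew in range(-WINDOW, WINDOW + 1)
        )

    def perform(self, action: str, now: int, code=None, **kw) -> bool:
        """Run `action` at time `now`; sensitive actions need `code` while 2FA is on."""
        if action in SENSITIVE_ACTIONS and self.totp_secret is not None:
            if not self._verify_totp(code, now):
                self.audit.append((action, "denied"))
                self._notify(f"Blocked attempt: {action} without a valid 2FA code")
                raise StepUpRequired(action)
        if action == "book_hotel":
            pass                                  # low-risk: session is enough
        elif action == "redeem_partner":
            self._notify(f"{kw['points']} points redeemed to {kw['partner_id']}")
        elif action == "link_partner":
            self.linked_partners.add(kw["partner_id"])
            self._notify(f"Partner account {kw['partner_id']} linked")
        elif action == "disable_2fa":
            self.totp_secret = None
            self._notify("2FA disabled")          # tell the member even when it was them
        else:
            raise ValueError(f"unknown action {action!r}")
        self.audit.append((action, "ok"))
        return True

    def try_perform(self, action: str, now: int, code=None, **kw) -> bool:
        """Same as perform(), but returns False instead of raising on a step-up failure."""
        try:
            return self.perform(action, now, code, **kw)
        except StepUpRequired:
            return False


if __name__ == "__main__":
    acct = Account("1234567890")
    acct.enroll_2fa(b"12345678901234567890")       # RFC 6238 test secret
    print(acct.try_perform("disable_2fa", 59))                  # False: no code
    print(acct.try_perform("disable_2fa", 59, code="287082"))   # True: valid code
    print(acct.notifications)
```

The point of the design is the last branch: turning 2FA off is itself a sensitive action, so it needs the very factor it is about to remove, and the notification fires whether or not the request succeeded. The secret and time value in the demo are the RFC 6238 test vector, so the expected code can be checked against the RFC.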
Old Aug 21, 2019, 4:46 pm
  #142  
 
Join Date: May 2007
Location: Seattle area
Programs: Peasant at large
Posts: 595
Originally Posted by smithrh
Update - called the Diamond Desk to make a reservation today and they did use 2FA while on the call, and it was very quick.
Was it triggered by the agent after the conversation had started or did it trigger before being connected to the agent? If it's the former, it sounds like it's a human initiated action since I called the regular desk for a reservation last week and 2FA was not triggered. That makes 2FA largely useless in the most common attack vector: online account breach. Also, triggering for a room reservation seems pretty low down the list of risky events.

Maybe this is one of Hilton's lifetime experiences thingy. Exchange a few hundred thousand HH points for a security theater + reality show starring 2FA and YOU!!!
crunchie is offline  
Old Aug 27, 2019, 9:35 am
  #143  
 
Join Date: Aug 2019
Location: Philadelphia, PA
Programs: Hilton Diamond. AA Platinum.
Posts: 3
Just experienced this for the first time this past Sunday. I had 300,000 stolen from my Honors account. I spoke with the Diamond Desk Sunday morning and they assured me I would have a new account with the points reinstated within 5 days. I have a few questions for those who have experienced this:

- Did anyone receive an influx of unrelated spam emails at the same time they receive an email from Hilton stating that the points had been redeemed at Amazon? I did, and I'm thinking this was done in hopes that the Hilton email would go unnoticed.
- Did you get a new HHonors number/account altogether, or were the points reinstated to your existing account?
- Does anyone have an Aspire card? If so, were you able to simply call AmEx and have your new HHonors number applied to your AmEx account?
- At the moment, I'm 2 nights shy of the 50 night milestone bonus - can anyone confirm that if they did get a new HHonors account that this information is transferred as well?

Thanks for any help/feedback.
Gundy1990 is offline  
Old Aug 27, 2019, 12:10 pm
  #144  
 
Join Date: Jul 2017
Location: Ohio
Programs: Hilton Diamond, Marriott Titanium, Hyatt Globalist, American Platinum, Southwest A-list
Posts: 98
Originally Posted by Gundy1990
Just experienced this for the first time this past Sunday. I had 300,000 stolen from my Honors account. I spoke with the Diamond Desk Sunday morning and they assured me I would have a new account with the points reinstated within 5 days. I have a few questions for those who have experienced this:

- Did anyone receive an influx of unrelated spam emails at the same time they receive an email from Hilton stating that the points had been redeemed at Amazon? I did, and I'm thinking this was done in hopes that the Hilton email would go unnoticed.
- Did you get a new HHonors number/account altogether, or were the points reinstated to your existing account?
- Does anyone have an Aspire card? If so, were you able to simply call AmEx and have your new HHonors number applied to your AmEx account?
- At the moment, I'm 2 nights shy of the 50 night milestone bonus - can anyone confirm that if they did get a new HHonors account that this information is transferred as well?

Thanks for any help/feedback.
These are very good questions and I would like to add one more to the mix. For anyone who received a new Honors account after a fraud issue, was the entirety of lifetime base points/nights/stays transferred to the new account? This is important to anyone seeking lifetime Diamond status. I can imagine how frustrating it would be to have earned 990 lifetime nights when fraud strikes, only to embark on a new battle with Hilton using a new account number that hasn’t imported all the data from the previous account!
Hotel Points Guy is offline  
Old Aug 27, 2019, 12:25 pm
  #145  
 
Join Date: Aug 2019
Location: Philadelphia, PA
Programs: Hilton Diamond. AA Platinum.
Posts: 3
Originally Posted by Hotel Points Guy


These are very good questions and I would like to add one more to the mix. For anyone who received a new Honors account after a fraud issue, was the entirety of lifetime base points/nights/stays transferred to the new account? This is important to anyone seeking lifetime Diamond status. I can imagine how frustrating it would be to have earned 990 lifetime nights when fraud strikes, only to embark on a new battle with Hilton using a new account number that hasn’t imported all the data from the previous account!
Thank you. This is one that I didn't even consider that I will be sure to inquire to the Diamond desk about after I get things sorted out with 'HH Fraud Protection'. Generally speaking, my experiences with the Diamond Desk and Hilton customer service are generally positive. The frustrating thing about this is there's no way to communicate with Fraud Protection via a phone call. This is a time where it would really be refreshing to talk to someone and ask questions to better protect myself in the future. That being said, as others have suggested, I don't believe this to be the fault of the consumer for not changing their password frequently enough.

Thanks for sharing. This is another good point that I will inquire to the Diamond Desk about after sorting things out with Fraud Protection. My experiences with the Diamond Desk and Hilton customer service have generally been positive. It's a shame there isn't a way to communicate with HH Fraud Protection via phone because now would really be a good time to speak with someone to ask questions to better protect myself in the future and try to figure out how this is happening.

Last edited by Canarsie; Aug 28, 2019 at 10:50 am Reason: Consolidation.
Gundy1990 is offline  
Old Aug 27, 2019, 3:52 pm
  #146  
 
Join Date: Feb 2017
Programs: LT Marriott Titanium, Hyatt Globalist, Hilton Diamond, IHG Plat, Hertz Prez Circle, United Platinum
Posts: 767
Originally Posted by sbiddle
There isn't a lot Hilton can do if people are being compromised (and it's clear at least some of the attacks are a direct result of this) because they're stupid enough to use the same password across multiple websites or services on the Internet.
Originally Posted by sbiddle
It's basic security - you NEED to be using strong, unique passwords across EVERY website and service you visit. If you use the same password it's not a case of IF you'll be hacked, but WHEN.
Have unique strong passwords and a password manager and the Internet would be a much safer place for everybody. If you use the same password across multiple sites and your password(s) are currently on haveibeenpwned your chances of being compromised are significantly escalated.


I don't have a single password, but I've got ~30 different password protected accounts. Many of them share the same username and password or a variant. Many are accessed daily; some are accessed very sporadically. It would be nice to have a simple life where one only has a few password protected accounts so that you can use unique usernames and UNIQUE STRONG passwords on each of them. Most of us don't have such a simple life.
I haven't been hacked ... yet. I will continue to do this until I get hacked.
Note that most accounts don't allow you to change the username.

And I'd say that the problem isn't people using the same password, it's not having 2FA on accounts. The problem isn't the end user, it's the company that doesn't secure their customer accounts.

Originally Posted by Janepod
My points were stolen on July 19, at which time I was told I'd have them back in 24-48 hours. I then received an email saying 7-10 business days. Today I called to check up on what's going on (still no points!) and was told it would take about 30 days because the FBI and Interpol are working the case and cannot reinstate the points until their investigation of "all the relevant IP addresses" is complete. So thorough! Interpol, even! Maybe they will get James Bond and Jack Reacher on the case!
It's good to hear that they're pursuing some of these cases.

Last edited by Canarsie; Aug 28, 2019 at 10:51 am Reason: Consolidation.
itsallgood is offline  
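sbiddle's quoted advice above mentions checking whether a password is already on haveibeenpwned. The following is an added example of how such a check can be done without the password itself ever leaving the client; it is not code from either poster and not HIBP's own client. It implements the k-anonymity scheme the Pwned Passwords range API uses (only the first five hex digits of SHA-1(password) are sent, the server answers with every known suffix under that prefix, and matching happens locally). The range data, the breach count and the `fake_fetch_range` stand-in are constructed for the example; a live check would fetch `https://api.pwnedpasswords.com/range/<prefix>` instead.

```python
"""Check a password against a breach corpus without sending the password.

Added example, not HIBP's client and not code from the thread. Only the 5-char
SHA-1 prefix is sent; the suffix match is done on the client. FAKE_RANGES is
constructed sample data standing in for the HTTP response.
"""
import hashlib

PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix sent to the server, suffix kept on the client)."""
    h = sha1_hex(password)
    return h[:PREFIX_LEN], h[PREFIX_LEN:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (the range API's format) into {suffix: count}."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed range data. SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so its prefix is 5BAA6 and its suffix is the middle line below. Counts are made up.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "2D1A6D9E1B9D0C5F7C4E9B2A1F0E3D4C5B6:12",
    ])
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call; unknown prefixes return an empty range."""
    return FAKE_RANGES.get(prefix, "")


def is_acceptable(password: str, fetch_range=fake_fetch_range, min_len: int = 12) -> bool:
    """Policy for a new password: long enough and absent from the breach corpus."""
    return len(password) >= min_len and breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2019"):
        print(pw, "->", split_hash(pw)[0], "sent;", breach_count(pw, fake_fetch_range), "hits")
```

To run this against the real service, replace `fake_fetch_range` with a function that GETs the range URL for the prefix and returns the response body; the rest of the logic is unchanged, and the server still only ever sees the five-character prefix.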
Old Aug 29, 2019, 9:54 am
  #147  
 
Join Date: Aug 2019
Location: Philadelphia, PA
Programs: Hilton Diamond. AA Platinum.
Posts: 3
Originally Posted by Gundy1990
- Did anyone receive an influx of unrelated spam emails at the same time they receive an email from Hilton stating that the points had been redeemed at Amazon? I did, and I'm thinking this was done in hopes that the Hilton email would go unnoticed.
- Did you get a new HHonors number/account altogether, or were the points reinstated to your existing account?
- Does anyone have an Aspire card? If so, were you able to simply call AmEx and have your new HHonors number applied to your AmEx account?
- At the moment, I'm 2 nights shy of the 50 night milestone bonus - can anyone confirm that if they did get a new HHonors account that this information is transferred as well?
Hi, all. I just wanted to check back in and provide a follow-up for anyone who's interested. I woke up with an email from HHFraudProtection that was sent at 2:02 AM EST. The email states that my 300K points would be reimbursed to my account within 24-48 hours, however, the points were already reinstated when I checked my account. The email said "Please be assured this activity does not have any bearing on the integrity of our systems". This clearly doesn't seem to be the case though, considering this is an ongoing issue faced by many Honors members. So to sum things up, I reached out to the Diamond Desk on Sunday, 8/25 and had my points back first thing on Thursday, 8/29. My experience was mostly positive with the exception that Fraud Protection had 0 interest in giving me any insight on how this is happening. I will now answer my own questions from my previous post quoted above.

- This is still unclear. I'm still getting a lot of spam emails - far more than ever before, however, I have them filtered in my gmail account so it isn't too much of a disturbance.
- I did not receive a new HHonors number. I'm not sure what to think of this since it seems others who faced the same issue were given a new one. I'm happy I didn't because I didn't want to lose my stay history and I'm not sure that getting a new account would have taken any further measures to stop the hacks. Previously, I had a password unique to my Hilton account and I created a new password unique to only my Hilton account. I have 2 factor authentication activated like before, however, I don't think this feature works properly. It's my understanding that I'm supposed to receive a verification text upon logging in, but I still don't.
- My HHonors number is once again linked to my AmEx account.
- Since my HHonors account did not change, neither did my total stays/nights count.

I'll continue to post in this thread should I encounter any new experiences.
Gundy1990 is offline  
Old Sep 9, 2019, 12:49 am
  #148  
 
Join Date: Sep 2019
Programs: Hilton Honors
Posts: 1
Add me to the list of Hilton Honors members having their points stolen. I've read the thread and it went exactly as stated. Email linking account to Amazon and subsequent emails with transaction notifications. I've contacted Hilton and had my account suspended. I'll be waiting to hear from the fraud team and hopefully the just over 104,000 points will be reinstated.

I found this forum through a google search so thanks to everyone for your discussion of the issue.
SportsMan17 is offline  
Old Sep 17, 2019, 9:33 am
  #149  
 
Join Date: May 2011
Location: CMH
Programs: w/+1: AS MVPG; IHG/Marriott Plat; Hilton/BW Diamond; Hertz Prez; SG Silver
Posts: 1,188
2FA Compatible with AW?

I assume enabling 2FA will not hamper Award Wallet updates.
rxgeek is offline  
Old Nov 6, 2019, 11:04 am
  #150  
 
Join Date: Dec 2018
Location: PHX
Programs: Delta DM, Marriott Lifetime Titanium, HHonors Diamond
Posts: 1,336
This HHonors/Amazon hack is still going on and Hilton has not done anything to fix this very vulnerable IT threat.
There are tons of hacks of companies (Starwood for one) and huge databases of emails and passwords from those hacks out there that anyone can access or purchase and begin hacking away at other commonly used accounts that have an easy gain.
Hilton uses a username, not just the HHonors member number for logins, which is a flaw. Most people share usernames across platforms or use the beginning of their email address before the "@". So a database with emails addresses/logins and passwords is a very fertile area. Even better if the data is from another hotel site. And I would bet this way, and not keyloggers and theft from hotel wi-fi is the way 99% of the people on this forum are getting HHonors points hacked.

Hacking a Hilton Honors account has the most to gain because you can quickly link the points to burner Amazon account, buy a gift card and cash out in seconds. No trail to catch them compared to hacking a bank account since there has to be another account to receive the money.

Moreover, aware of this vulnerability, I linked my HHonors to my Amazon back in April so that it could not get linked to a burner Amazon account in such a manner. However, I found out today that one can link a single HHonors account to THREE different Amazon accounts. So if your one Amazon prime account is already linked for safety, even if you have no intention of using the points, it doesn't even help. Nobody has to delete that in order to spend HHonors points at another Amazon account.

It says a lot about our corporate culture where hacks of $200 - $1000 of points are simple "write-offs" to them. As we move toward fewer online merchants and fewer hotel chains out there, these organizations get so big and so bloated that they find it cheaper to just write this stuff off instead of prevent it. And every write-off just funds the hackers to grow in numbers and sophistication. You think that kid who gets a successful hit from a password database and wins a $200 gift card from Amazon is going to retire from hacking after that one successful attempt?

If you have any HHonors points, change your HHonors password to something you have not used on any other website in the last 6 months.

And Hilton either needs to end the Amazon partnership or limit the linking to only ONE Amazon account.
Hilton also needs to add a clickable email confirmation link when a new Amazon account has been linked or a currently linked account is removed.
sdsearch likes this.
FlyBitcoin is offline  
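The post above describes the attack as credential stuffing from leaked email/password lists followed by a fast cash-out: link a burner partner account, redeem, done. The following is an added example of detection logic for exactly that sequence; it is not Hilton's code and not code from the poster. It assumes a login/activity log in the key=value form shown in `LOG` (constructed sample lines; the IPs are documentation ranges and the usernames are made up). Rule 1 flags a source IP that tries many distinct usernames in one window with a low success rate; rule 2 flags an account whose successful login came from such an IP and was followed, within a short gap, by linking a partner account and redeeming to it. The thresholds are assumptions to tune per environment.

```python
"""Spot credential-stuffing logins and the link-then-redeem pattern behind them.

Added example, not Hilton's detection logic. LOG is constructed sample data in
an assumed key=value format. Rule 1: many distinct usernames from one IP in a
window with few successes. Rule 2: a success from such an IP followed shortly
by partner_link and a redeem to that partner.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2019-11-05T03:10:01Z ip=203.0.113.7 user=alice event=login result=FAIL
2019-11-05T03:10:02Z ip=203.0.113.7 user=bob event=login result=FAIL
2019-11-05T03:10:03Z ip=203.0.113.7 user=carol event=login result=FAIL
2019-11-05T03:10:04Z ip=203.0.113.7 user=dave event=login result=FAIL
2019-11-05T03:10:05Z ip=203.0.113.7 user=erin event=login result=OK
2019-11-05T03:10:06Z ip=203.0.113.7 user=frank event=login result=FAIL
2019-11-05T03:12:30Z ip=203.0.113.7 user=erin event=partner_link partner=amazon
2019-11-05T03:13:10Z ip=203.0.113.7 user=erin event=redeem partner=amazon points=134000
2019-11-05T08:00:00Z ip=198.51.100.4 user=gina event=login result=OK
2019-11-05T08:01:00Z ip=198.51.100.4 user=gina event=redeem partner=hotel points=40000
2019-11-05T09:00:00Z ip=198.51.100.9 user=hank event=login result=FAIL
2019-11-05T09:00:30Z ip=198.51.100.9 user=hank event=login result=OK
"""

EPOCH = datetime(1970, 1, 1)


def parse_log(text: str) -> list:
    """One dict per line: 'ts' as a datetime plus every key=value token."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *tokens = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for tok in tokens:
            key, _, val = tok.partition("=")
            rec[key] = val
        events.append(rec)
    return events


def find_stuffing_ips(events, window=timedelta(minutes=10), min_users=5, max_success=0.2) -> set:
    """Rule 1: per (ip, time bucket), many distinct usernames and a low success rate."""
    buckets = defaultdict(lambda: {"users": set(), "total": 0, "ok": 0})
    for e in events:
        if e.get("event") != "login":
            continue
        bucket = int((e["ts"] - EPOCH).total_seconds() // window.total_seconds())
        b = buckets[(e["ip"], bucket)]
        b["users"].add(e["user"])
        b["total"] += 1
        b["ok"] += e.get("result") == "OK"
    flagged = set()
    for (ip, _), b in buckets.items():
        if len(b["users"]) >= min_users and b["ok"] / b["total"] <= max_success:
            flagged.add(ip)
    return flagged


def find_takeover_redemptions(events, stuffing_ips, gap=timedelta(minutes=30)) -> list:
    """Rule 2: success from a flagged IP, then partner_link and a redeem to that partner within `gap`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, login in enumerate(evs):
            if not (login.get("event") == "login" and login.get("result") == "OK"
                    and login["ip"] in stuffing_ips):
                continue
            later = [x for x in evs[i + 1:] if x["ts"] - login["ts"] <= gap]
            linked = {x.get("partner") for x in later if x.get("event") == "partner_link"}
            for x in later:
                if x.get("event") == "redeem" and x.get("partner") in linked:
                    hits.append((user, login["ip"], x["partner"], int(x["points"])))
    return hits


def analyse(text: str = LOG):
    """Run both rules over a log and return (flagged IPs, takeover hits)."""
    events = parse_log(text)
    ips = find_stuffing_ips(events)
    return ips, find_takeover_redemptions(events, ips)


if __name__ == "__main__":
    flagged_ips, takeovers = analyse()
    print("stuffing IPs:", sorted(flagged_ips))
    for user, ip, partner, points in takeovers:
        print(f"likely takeover: {user} from {ip} redeemed {points} points to {partner}")
```

On the sample log only 203.0.113.7 trips rule 1 (six usernames, one success inside a ten-minute bucket), and erin's login from it is the only one followed by a link and a redeem to the same partner; gina's hotel redemption from a clean IP and hank's single retry are left alone. Rule 2 is where the post's suggested controls would bite: a confirmation email on `partner_link` or a one-partner limit would give the member a chance to stop the sequence before the `redeem` line ever appears.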