HHonors Points Stolen Through Amazon.com
#121
And another thing. I needed to type six digits into six boxes, one at a time. Compare this to the procedure at Chase: Chase sends a code, I copy and paste it, and I'm done. No mistyping a number, no fuss. It's as if Hilton went out of the way to be user-hostile—although that seems to be the philosophy of its revamped web site.
#122
Join Date: Aug 2002
Location: NYC
Posts: 335
Good question. This 2FA isn't behaving like the 2FA systems used by my financial institutions, email, etc. I keep going back to the wording I quoted before:
"Choose how you'd like to receive verification codes, and we'll send you one whenever we need to confirm your identity...."
They haven't told us their criteria for using the code. It would be nice to hear from someone who has been asked for the code to verify that it does indeed get triggered by something.
"Choose how you'd like to receive verification codes, and we'll send you one whenever we need to confirm your identity...."
They haven't told us their criteria for using the code. It would be nice to hear from someone who has been asked for the code to verify that it does indeed get triggered by something.
- 4 internet service providers
- 3 devices (with cleaned browser caches)
- 2 foreign countries via VPN (Netherlands and Hong Kong)
#123
Join Date: Feb 2006
Posts: 1,065
1. Login to your account
2. Under MY PROFILE, you should see PERSONAL INFORMATION. Click it
3. You should see ENHANCED SECURITY and the ability to add 2 Factor Authentication
Good Luck.
#125
Join Date: Feb 2006
Posts: 1,065
#126
Join Date: May 2007
Location: Seattle area
Programs: Peasant at large
Posts: 595
Couldn't find anything on hilton.com on what triggers 2FA. Not all implementations, including some banks', trigger 2FA at login. They trigger on specific events/actions deemed impactful. Has anyone with Hilton 2FA enabled tried to change/add/remove email/phone/address, use points (redeem for stay or transfer), change password, etc...? If none of those trigger 2FA then it's just for show and someone with media contacts should report them.
#127
Join Date: Aug 2002
Location: NYC
Posts: 335
Email add/switch primary/remove: 2FA not triggered
Password change: 2FA not triggered
#128
Join Date: Sep 2006
Posts: 376
Checked again today - last time I looked I wasn't offered 2FA - saw it today and it was offered, enrolled.
As a side note, I would tend to think that changing BOTH your username and your password SHOULD offer a bit more protection - as it appears point stealing is still underway.
As a side note, I would tend to think that changing BOTH your username and your password SHOULD offer a bit more protection - as it appears point stealing is still underway.
#129
Join Date: Aug 2008
Location: MCO
Programs: DL-DM/1MM, HILTON-DIA, .HYATT-DIA/GLOB , IHG-PLT,HERTZ 5*, NATIONAL ES
Posts: 8,691
I am assured they will replace the points, but it sounds like a nightmare to push them to do so.. Hoping my luck is a little better......
I miss this community as I was always in the know when I traveled thanks to you all.
#130
Join Date: Aug 2008
Location: MCO
Programs: DL-DM/1MM, HILTON-DIA, .HYATT-DIA/GLOB , IHG-PLT,HERTZ 5*, NATIONAL ES
Posts: 8,691
Basically what happened was that I was having some issues logging in, and was not receiving the email for a password reset. I reached out via chat on the Hilton site and was eventually able to change the email account so that I could receive the link on my work email. Once I logged in I quickly noticed the points were missing, but there was not activity showing where they had gone, so I inquired with support. They informed me that the points were used for Amazon purchases. I find it odd that they can be used and not show in the activity of the account... I used to watch the account much closer, but I am off the road most of the time since I started a business.
I am assured they will replace the points, but it sounds like a nightmare to push them to do so.. Hoping my luck is a little better......
I miss this community as I was always in the know when I traveled thanks to you all.
I am assured they will replace the points, but it sounds like a nightmare to push them to do so.. Hoping my luck is a little better......
I miss this community as I was always in the know when I traveled thanks to you all.
Just to update, As I was typing my reply here, I received an email stating that the fraud department had verified my case and returned the points to the account. I am very much relieved and hope this does not happen to anyone else...
I appreciate the quick resolution from Hilton. It means a lot.
#131
Join Date: Oct 2000
Location: Seattle WA, USA
Programs: Hilton Diamond, Marriott LT Plat, AS Lounge
Posts: 3,478
Couldn't find anything on hilton.com on what triggers 2FA. Not all implementations, including some banks', trigger 2FA at login. They trigger on specific events/actions deemed impactful. Has anyone with Hilton 2FA enabled tried to change/add/remove email/phone/address, use points (redeem for stay or transfer), change password, etc...? If none of those trigger 2FA then it's just for show and someone with media contacts should report them.
#132
Join Date: Sep 2006
Posts: 376
#133
Join Date: Oct 2001
Location: SJC
Programs: AA 2MM PLT, HH Gold, Marriott Silver
Posts: 612
FYI, it's still happening - lost (temporarily, I hope) over 500k points overnight with the usual emails, used for an Amazon redemption. I've contacted customer support, changed my password and enabled 2FA but it sounds like the latter isn't actually being used for anything.