Priority Club Point Theft

Old Aug 15, 2012, 12:15 pm
  #61  
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: Florida
Posts: 29,740
Originally Posted by fozziedoggie
This guy seems pretty reputable: http://www.elliott.org/
I was thinking about that. The OP should at least contact this guy and see if with his connections, whether he could find a solution and EXPOSE the lack of security control of a Major Hotel Chain's website.

Only when media is involved, bad publicity is generated, then there might be some hope for IHG/PC to improve its very poor IT system.
Happy is offline  
Old Aug 15, 2012, 1:39 pm
  #62  
Suspended
 
Join Date: Jan 2003
Posts: 8,720
Even better would be the folks on Boarding.com who blog on USA Today's website, such as Loyalty Traveler, et al.

This issue directly affects the P/C membership and as such should be exposed and discussed so that others do not fall victim, as well. @:-)
NJUPINTHEAIR is offline  
Old Aug 15, 2012, 2:58 pm
  #63  
 
Join Date: Dec 2007
Location: DFW
Programs: AA Lifetime Platinum, Hyatt Plat Hilton Gold, SPG Gold, Club Carl Gold, IHG Plat
Posts: 1,002
Originally Posted by umustbjokim
My ex used to (probably still does) log in and check his key accounts on a daily basis. First I thought he was a little OCD (probably still is) but then I started doing the same - and eventually realized the value. Does not stop identity theft - but I can spend fifteen minutes a day and hopefully address any issues before things go too far.
I run a weekly check on all my accounts through award wallet. This is how I learned that an unauthorized award stay had been booked with my account.
iamthehpt is offline  
Old Aug 15, 2012, 10:33 pm
  #64  
 
Join Date: May 2005
Location: Near Lichfield, UK
Programs: BMI DC Gold, BA Gold, LH SEN, Priority Club Platinum, Nectar purple
Posts: 949
Originally Posted by nacho
If you want an effect, post your experience at PC's Facebook page - when you do that everyone can see your post.
This is a good idea - making the problem more public might get them to sit up and take notice.
Doug_1970 is offline  
Old Aug 16, 2012, 12:09 pm
  #65  
 
Join Date: Oct 2010
Location: The Wee County
Programs: IHG Platinum
Posts: 144
What a dreadful situation and pretty poor service and response from PC. Please do not give up on this. These thieves need to be caught.

Why not ask if anyone has an email address of someone high up in ICHG and fire off an email. I am sure then you will get a response.

Good luck
c2lass is offline  
Old Aug 17, 2012, 10:18 am
  #66  
Original Poster
 
Join Date: Aug 2012
Posts: 15
One last Post.

I believe I know now, how the theft could have been pulled off. It may scare you how simple this could be.

I have quite a few points left after the 300K was taken. Now that PCR has determined that no fraud has taken place, they opened a new account for me and transferred the remaining balance. Once this transfer had taken place, I needed to create a new pin. That's when it dawned on me how easily someone could take over your account.

To create a new pin, you need 4 things.

1. First Name
2. Last Name
3. Account Number
4. Zip Code

All of these items are displayed for the world to see, in a 2 inch square on your check-in ticket and check-out receipt!

The points balance is proudly displayed on your room key packet. When someone sees a balance of 700K, how hard would it be to get the information needed? Check-in tickets are left in plain sight on the desk and check-out slips are slid under our room door. Sometimes not completely under the door and halfway in the hall.

Once you have created a new pin, your profile account can be accessed and e-mail changed. Now I have no access to my account and the thief has my points to do with what they will.

At one point credit card numbers were displayed on your receipt until thieves figured out how easy the pickings were.

I wonder if those first few individuals that were ripped off, experienced my same frustration!

Good Luck!
LarryMcAdoo is offline  
Old Aug 17, 2012, 10:36 am
  #67  
uk1
Suspended
 
Join Date: Jan 2004
Location: UK
Posts: 11,969
LarryMcAdoo,

It sounds like anyone wandering around a hotel could reap quite a harvest.

Sorry to hear that even with lots of support and the intervention of the ICHG lurkers your issue doesn't sound like it has been resolved fairly or sensibly. Sadly, this also indicates that they probably plan to make no improvements to account security even though it would be simple. I presume so, because if they did it would infer it was previously inadequate and the honourable thing would be to reimburse you ... and then make some changes.

Out of interest, have you brought your latest theory to their attention so that they can reconsider their stance? If so what did they say?
uk1 is offline  
Old Aug 17, 2012, 3:35 pm
  #68  
Suspended
 
Join Date: Jan 2003
Posts: 8,720
If so, a pain, but likely to keep points housed in a reward reservation far in the future to cancel. That way, you leave precious few points not tied up in your account. If you receive an e-mail(s) that certain of your award reservation(s) has(ve) been cancelled and you did not do it, then that is the canary in the coal mine that something is going on with your account not of your making. Then, you must act fast!
NJUPINTHEAIR is offline  
Old Aug 17, 2012, 4:38 pm
  #69  
FlyerTalk Evangelist
 
Join Date: Aug 2007
Location: PARIS (France)
Programs: AF/KLM Club 2000 | InterContinental Diamond RA |AMEX Plat | Visa Infinite |Hertz President's Circle
Posts: 10,947
Originally Posted by LarryMcAdoo

I believe I know now, how the theft could have been pulled off. It may scare you how simple this could be.

To create a new pin, you need 4 things.

1. First Name
2. Last Name
3. Account Number
4. Zip Code

All of these items are displayed for the world to see, in a 2 inch square on your check-in ticket and check-out receipt!

nicolas75 is offline  
Old Aug 17, 2012, 4:38 pm
  #70  
 
Join Date: Sep 2009
Location: Quebec City, Quebec, Canada
Programs: ACE50k,HHSilver, BW Diamond, Marriott Gold, National EE, Accor, IHG, SPG, Choice, Hertz#1Gold
Posts: 77
I think the comment about writing to Christopher Elliott is a really good idea. He has a lot of contacts and a blog read by a lot of people... Check it out and maybe email him your story... I'll send his twitter page a link here...
Dolphin2 is offline  
Old Aug 18, 2012, 12:03 am
  #71  
 
Join Date: Dec 2004
Location: UK
Programs: Bonvoy Gold, AA Plat, Volare Premier, VS Silver, National Emerald Elite, Hertz President Circle
Posts: 2,526
ICH really need to come up with an explanation for this and take remedial action. They can't just say it was done online and wash their hands of it. I would understand if their records showed it's been done from the same IP the OP uses but this does not appear to be the case.

Last edited by wobbly wings; Aug 18, 2012 at 1:31 pm
wobbly wings is offline  
Old Aug 18, 2012, 12:59 am
  #72  
 
Join Date: Aug 2012
Posts: 11
Priority Club Point Theft

Might be worthwhile pointing out their poor security to some IT publications such as The Register.
knoxvillain is offline  
Old Aug 18, 2012, 1:34 am
  #73  
uk1
Suspended
 
Join Date: Jan 2004
Location: UK
Posts: 11,969
LarryMcAdoo

I was trying to replicate what you say with my own account but I've looked at the web-site but I'm unable to locate where you can change the email address from

1. First Name
2. Last Name
3. Account Number
4. Zip Code

It seems to ask for your last email address. Can you post a link please?
uk1 is offline  
Old Aug 18, 2012, 3:03 am
  #74  
FlyerTalk Evangelist
 
Join Date: Jul 2004
Location: UK
Programs: Mucci, BA LTG + GGL, SPG LTP, HHonors Diamond, IHG Spire Ambassador
Posts: 12,695
I too looked at the PIN reset option. To me the weak link would be the service centre comment. It says if you don't have an e-mail address you can call them to 'source your PIN' and set an e-mail. I suspect armed with the above info one could call up and say they had changed e-mails, forgotten their PIN but "it's obviously me as I remember my last balance from my last check-in at hotel X [where they saw the above info] on xx/xx" and fool an agent.

http://www.wired.com/gadgetlab/2012/...n-hacking/all/ shows just how easy it is to fool call centres - and that's ones you'd assume are halfway decent, not even ICHG's

This does seem really poor on ICHG's part and shockingly easy to exploit. They should do something about this - some of the ideas mentioned in this thread to protect online logins are good. And presumably extra checks if anyone calls up would be wise too - like asking for more recent/detailed stay histories to 'prove' it's you. The chances of some scumbag ripping off my info at a hotel are probably good...the chances of said scumbag being able to recite my last 3 stays, or "where were you staying on yy/yy and zz/zz dates" are probably slim?
G-BOAC is offline  
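
Added example, not part of any post in this thread and not IHG's code: a sketch of a reset flow in which the four printed fields from post #66 only locate the account, and the extra checks post #74 asks for are modeled as a token sent to the e-mail on file, a warning to the old address on any e-mail change, and a redemption hold. All names, the 15-minute token lifetime and the 72-hour hold are assumptions.

```python
import hashlib, hmac, secrets

# The four fields post #66 says are printed on check-in tickets and receipts.
PRINTED = ("first_name", "last_name", "account_number", "zip_code")
TOKEN_TTL = 15 * 60       # assumed lifetime of a reset token, in seconds
HOLD = 72 * 3600          # assumed redemption hold after an e-mail change

def _digest(value):
    # Stand-in for a slow password hash (constructed example only).
    return hashlib.sha256(value.encode()).digest()

class Account:
    def __init__(self, email, **printed):
        self.printed = {f: printed[f].strip().lower() for f in PRINTED}
        self.email, self.pin, self.token = email, None, None
        self.token_expiry = self.hold_until = 0
        self.outbox = []  # (recipient, text) pairs standing in for real mail

def request_reset(acct, claimed, now):
    """Printed fields only locate the account; the secret goes to the e-mail on file."""
    match = all(hmac.compare_digest(str(claimed.get(f, "")).strip().lower().encode(),
                                    acct.printed[f].encode()) for f in PRINTED)
    if match:
        token = secrets.token_urlsafe(16)
        acct.token, acct.token_expiry = _digest(token), now + TOKEN_TTL
        acct.outbox.append((acct.email, token))
    return "If the details match, a reset link has been sent."  # same reply either way

def complete_reset(acct, token, new_pin, now):
    ok = (acct.token is not None and now <= acct.token_expiry
          and hmac.compare_digest(_digest(token), acct.token))
    if ok:
        acct.pin, acct.token = _digest(new_pin), None  # token is single use
    return ok

def change_email(acct, pin, new_email, now):
    if acct.pin is None or not hmac.compare_digest(_digest(pin), acct.pin):
        return False
    # Warn the old address before switching, then freeze redemptions for HOLD.
    acct.outbox.append((acct.email, "E-mail on this account changed to " + new_email))
    acct.email, acct.hold_until = new_email, now + HOLD
    return True

def can_redeem(acct, now):
    return now >= acct.hold_until
```
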
Old Aug 18, 2012, 7:18 am
  #75  
 
Join Date: Nov 2006
Programs: Seniors Bus Pass
Posts: 5,528
I stayed at a HI recently where on check-in they gave me a document that offered me ways of spending my points. It more or less went,

"Welcome Mr Antichef, we see that in your Priority Club account 12345678 you have 567,890 points .... Have you thought of spending them on A, B, C etc?"

I asked the front desk to shred it. I pointed out to the duty manager that such a document if just thrown into the bin in the room would allow almost anybody getting it to access my account by ringing up and making a redemption booking.

As Larry has pointed out these are often on the key card wallet too.
antichef is offline  

