Account hacked, points spent
#46
Join Date: Feb 2009
Location: Netherlands
Programs: SQ S, IHG Diamond/Amb, Accor S
Posts: 703
Apart from the four-digit PIN code, which should be changed to a decent password, I don't understand why there is no verification process for changing the email address. It should be fairly simple: an e-mail is sent to the current email address and the change will only be effective after a confirmation. On the rare occasion that the current email address cannot be used anymore, the member will need to call the service desk, but in my opinion that's an acceptable burden for increased security and less risk of points being stolen.
#47
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Or set up an IHG internal flag... so that if an account's associated email address is changed, the account's points balance cannot be redeemed/spent in any way (reward nights/money vouchers/goods) for, say, 10 days.
10 days is not too much of an inconvenience to the account holder but allows the account holder to notice and alert IHG in time before points are hijacked.
Most IHGers with a high enough balance to be worth hacking/stealing will mostly try to book at least 1 night a week or check a previous stay weekly, find they can no longer log in or reset password, and alert IHG. And those with a high balance value in the 100k's might well check weekly even if not actively using their account temporarily.
#48
Join Date: May 2004
Location: SIN (LEJ once a year)
Programs: SQ, LH, BA, IHG Diamond AMB, HH Gold, SLH Indulged, Accor Gold, Hyatt Discoverist
Posts: 7,739
Make that checking daily these days as part of the morning routine. One can't rely on IHG to offer adequate means to secure our hard-earned points.
#49
Join Date: Aug 2005
Programs: UA*G(1K), PC Diamond Amb, Marriott Titanium, Accor Platinum
Posts: 4,671
HTB.
#50
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Yes, an email may give the acct holder timely enough notice to get back to IHG within 24 hours to stop goods, but with email $$$ vouchers to a false address often being the theft, it is still too late.
Much better to stop points leaving the account in the first place.
#51
Join Date: Feb 2009
Location: Netherlands
Programs: SQ S, IHG Diamond/Amb, Accor S
Posts: 703
Agreed. And that's why a change of email address should only become effective after a confirmation by clicking on a link that is sent to the "old" email address. That's a very common approach even on sites where there is much less $$ value at stake. And quite easy to achieve.
#52
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,072
Agreed. And that's why a change of email address should only become effective after a confirmation by clicking on a link that is sent to the "old" email address. That's a very common approach even on sites where there is much less $$ value at stake. And quite easy to achieve.
An example would be a change of jobs: you change to the new email only after you start the new job, so the old job's email account is closed to you.
Another would be an email account linked to the home's ISP: when you change provider you lose the first provider's associated @xxxx.com account and the new ISP's email account is at @yyyy.com. Again, one only changes the account's email after the switch.
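The safeguards proposed in posts #46, #47, #51 and #52, combined into one sketch (an added example, not part of the thread and not IHG's code): an email change is staged and confirmed from the old address, a verified service-desk override covers a lost mailbox, and either path starts the 10-day redemption hold. All function and field names, the 24-hour link lifetime and the `identity_verified` flag are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

TOKEN_TTL = 86400              # assumption: confirmation link valid for 24 hours
REDEMPTION_HOLD = 10 * 86400   # the 10-day spending freeze proposed in the thread

@dataclass
class Account:
    email: str
    points: int
    pending_email: str = ""
    pending_hash: bytes = b""   # only a hash of the token is stored
    pending_expiry: float = 0.0
    hold_until: float = 0.0

def _digest(token):
    return hashlib.sha256(token.encode()).digest()

def request_email_change(acct, new_email, now):
    """Stage the change; the token goes to the CURRENT address, not the new one."""
    token = secrets.token_urlsafe(32)
    acct.pending_email, acct.pending_hash = new_email, _digest(token)
    acct.pending_expiry = now + TOKEN_TTL
    return acct.email, token   # (recipient, token) for the mailer

def _apply(acct, now):
    acct.email, acct.pending_email, acct.pending_hash = acct.pending_email, "", b""
    acct.hold_until = now + REDEMPTION_HOLD   # freeze spending after any change

def confirm_email_change(acct, token, now):
    """Link clicked from the old mailbox: apply only if the token is valid and fresh."""
    live = bool(acct.pending_hash) and now <= acct.pending_expiry
    if not live or not hmac.compare_digest(acct.pending_hash, _digest(token)):
        return False
    _apply(acct, now)
    return True

def service_desk_override(acct, identity_verified, now):
    """Fallback when the old mailbox is gone (job or ISP change)."""
    if not identity_verified or not acct.pending_email:
        return False
    _apply(acct, now)
    return True

def redeem(acct, points, now):
    if now < acct.hold_until or points > acct.points:   # hold active or short balance
        return False
    acct.points -= points
    return True
```

Until one of the two confirmation paths succeeds, the account keeps its old address, so a login thief who only submits the change form gains nothing.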
#53
Join Date: May 2010
Location: Australia
Programs: SQ & QF
Posts: 1,302
#54
Join Date: Nov 2006
Location: HNL / TPE
Programs: 1K, SPG Gold, HH Gold
Posts: 375
Got an email from the hotel in Singapore asking for my flight details about a stay on 9/16/16...what? That's what alerted me about my account breach. I signed into my acct, cancelled the reservation, called IHG CS and was supposedly connected to fraud dept. when I asked but phone was cut off while he was checking. Did research and found out about these hacks. I called the hotel and there was a CC listed on the reservation that can't be mine since I did not have one on file with my IHG acct. That should be the way for the fraud dept. to investigate further right - check the CC used to book the hotel. I got my points back but will monitor.
#55
Company Representative - InterContinental Hotels
Join Date: May 2011
Location: Salt Lake City Utah
Programs: IHG Rewards Club
Posts: 166
Dear sjl,
Thank you for your comments. Please contact the IHG Rewards Club department directly as they are in the best position to assist. You may call them at 1-888-211-9874 (US and Canada) or send an email to [email protected]. For other regions, please click on https://www.ihg.com/hotels/us/en/cus...are/contact-us.
Sincerely,
Joel A
Case Manager
IHGService
#56
Join Date: Sep 2014
Programs: IHG Platinum
Posts: 629
Dear turner32,
Safety and Security at IHG are our first and foremost concern. IHG has a number of behind the scenes security processes to protect our guests while considering guest's requests for ease of use of their IHG Rewards Club Accounts. If you have concerns about any unauthorized access to your accounts, please contact the IHG Rewards Club Service Center at the contact details on the back of your IHG Rewards Club Card.
Sincerely,
Karen C.
Case Manager
IHGCare
I thought adding my birthdate after the first occurrence would help....NOPE, it happened again.
In both cases calls to IHG were a waste of time and effort....
No wonder accounts are getting hacked left and right!
#57
Original Member
Join Date: May 1998
Location: NYC
Programs: AA 2MM, Bonvoy LTT, Hilton Diamond
Posts: 14,638
Wow. I thought Hyatt IT were staffed with second tier amateurs due to their frequent website "maintenance" in the middle of the day on weekdays.
Seems like IHG is not much better in staffing technology with competent personnel.
If a hacker gets a copy of the user/PIN database, cracking each PIN would take less than a second.
#58
Join Date: Aug 2005
Programs: UA*G(1K), PC Diamond Amb, Marriott Titanium, Accor Platinum
Posts: 4,671
Wow. I thought Hyatt IT were staffed with second tier amateurs due to their frequent website "maintenance" in the middle of the day on weekdays.
Seems like IHG is not much better in staffing technology with competent personnel.
If a hacker gets a copy of the user/PIN database, cracking each PIN would take less than a second.
HTB.
#60
Join Date: Sep 2009
Location: IAH
Programs: UA 1K, 1MM; IHG Spire; HH Diamond; Marriott Gold (UA); National Executive Elite
Posts: 669
I got hacked in the last few days. I didn't have any points left in my account, so no real harm done AFAICT.
I only found out when I tried to log in and failed. It turns out that my account was registered to a new email address.
But I guess the IT deficiency that still uses 4-digit PIN is the same one that prevents IHG from sending a confirmatory email to my old e-address.
Edit: and what is to stop the hackers from just doing it again tomorrow?!
Last edited by Motorskills; Nov 14, 2016 at 6:44 pm