Account hacked, points spent
#196
Join Date: Aug 2017
Posts: 1,610
Same with Hilton, Marriott etc.
If the hackers try to cancel any dummy booking (they likely won't) I will immediately get an email
#197
Join Date: Jul 2015
Location: LGB
Programs: AA Platinum Pro, Marriott Platinum, Hyatt Discoverist
Posts: 241
At minimum, one would think IHG would take a middle-ground approach and require people to change their password away from the current PIN as they log in. That would get IHG's most regular customers switched over in relatively short order, while leaving occasional users, who assuredly have much lower points balances, on average, on the old PIN.
#198
Join Date: Feb 2005
Location: Marin County, California
Programs: Amex Centurion
Posts: 412
You still do not understand that the account with minimum balance is targeted too. Your information is available for sale on the dark web.
So let us say, the alleged IHG employee had to firstly be an IT expert to steal information from its system; then the said employee had to be a web engineer to set up online shops to sell those points; and the said employee had to be a master con artist to make sure his/her online trail is clean after such a transaction; not to mention ample free time for such extra activities.
The hack is real. There are several patterns I have outlined in previous posts:
1, There are two groups of people: the hackers who sell your information on the dark web; and the fraudsters who bought your information and then sell your points for profit;
2, Fraudsters log in to your account to be able to spend your points;
3, The scale of the problem is well beyond the capabilities of any hotel employee.
Look, with your membership number and account balance, a simple human being could not pull the trigger. Without sophisticated hacking skills, the best one can do is to guess your PIN number. And the IHG website does lock you out from action if you guess wrong. If the IHG employee has the skills of a junior hacker, he/she would not work for IHG for minimum wage.
Get real.
I never said the IHG employee does the actual hacking (necessarily). Maybe yes maybe not. You seem to think that all 25,000+ of them are "simple human beings" without the intelligence, experience or time to have the ability to create and run a program to attempt 9999 possibilities for a password crack.
The IHG employees DO have the ability to identify:
- Accounts with lots of points (high value accounts)
- Account Numbers of those "high value accounts"
So, even going with what you said, all 25,000+ IHG employees are incapable of this type of hack, it would take them literally minutes to put high value account information on the dark web or maybe even easier to an associate or friend they might know who is "smarter" than them.
#199
Suspended
Join Date: Sep 2017
Programs: M&S, Radisson
Posts: 758
The attacker will clearly change the email before spending the points so the user doesn't get emails on account activity. He will most likely attempt to change it right back after cleaning the account (so the user continues to receive other emails from IHG such as promotional emails).
#200
Suspended
Join Date: Oct 2017
Location: Miami, Florida
Programs: AA ExPlat, Hyatt Globalist, IHG Spire, Hilton Gold
Posts: 4,009
Wait, on top of the lousy 4-digit PIN, if the email address associated with an IHG account is changed, no "your email address was updated (or changed)" message goes out to the old address?
#201
Join Date: Dec 2016
Location: WAW
Programs: A3(*G), Marriott Platinum, Hilton Diamond, IHG Diamond Ambassador
Posts: 2,534
#202
Join Date: Dec 2016
Location: WAW
Programs: A3(*G), Marriott Platinum, Hilton Diamond, IHG Diamond Ambassador
Posts: 2,534
That's the beauty of it (see the post immediately above yours). At least IHG are consistent in their wholesale incompetence and negligence.
#203
Join Date: Feb 2012
Programs: Priority Club
Posts: 110
Publicity ???
In the UK we have a consumer rights TV programme called Watchdog. If anyone with accounts hacked lives in the UK or a country that has a similar TV programme, maybe they would be interested. Cyber crime is big news, and it would have mileage as a story. The downside is the publicity - we'll all suddenly be vulnerable to account hacking once it goes on TV !!
Any thoughts ?
UKD
#204
Join Date: Oct 2010
Location: San Diego, Ca
Programs: AA 2MM LT PLT; AS MVP Gold75k; HHonors Diamond; IHG PLT
Posts: 3,502
Not attempting to defend the indefensible, but IHG has been struggling to upgrade its reservation system for a couple of years now, appears 2018 will be yet another bumpy year http://hotelmarketing.com/index.php/...ollout_to_2019 http://hotelnewsnow.com/Articles/256...hanges-company
#205
Join Date: Jul 2015
Location: LGB
Programs: AA Platinum Pro, Marriott Platinum, Hyatt Discoverist
Posts: 241
In the UK we have a consumer rights TV programme called Watchdog. If anyone with accounts hacked lives in the UK or a country that has a similar TV programme, maybe they would be interested. Cyber crime is big news, and it would have mileage as a story. The downside is the publicity - we'll all suddenly be vulnerable to account hacking once it goes on TV !!
Any thoughts ?
UKD
#206
Join Date: Nov 2009
Posts: 37
Guess it was just a matter of time, but I had my account hacked for 60,000 points for a 2-night stay in Thailand. I found out before the reservation happened because they opted me out of text messages, which prompted an opt-out text. The rep was very nice and reversed the points immediately and had me change my email and PIN. But now I'm concerned about the extra info the hacker has (membership # - it wasn't changed, name, address, birthday, phone, cell phone, old email address that I use for other things, credit card last four digits + expiration date). Any ideas for security measures I can take at this point?
Just out of curiosity -- is the person who bought from the hacker likely to show up at the hotel?
#207
Join Date: May 2002
Programs: WN F9 HA UA AA IHG HH MR
Posts: 3,305
Difficult to say who will show up and claim the room. The hotel where my stolen points were used: Mark Hopkins San Francisco, didn't bother to verify identification upon check in since the room was actually booked in my name. When IHG restored the points, the hotel generated a bill with my name and address on it for the stolen room.
#208
Join Date: Nov 2009
Posts: 37
Difficult to say who will show up and claim the room. The hotel where my stolen points were used: Mark Hopkins San Francisco, didn't bother to verify identification upon check in since the room was actually booked in my name. When IHG restored the points, the hotel generated a bill with my name and address on it for the stolen room.
#209
Suspended
Join Date: Jul 2007
Posts: 4,477
I think maybe fake ID is used in this case, or people with the same name. Hackers and fraudsters are getting clever. They would try to match the name of the victim and the buyer.
#210
Suspended
Join Date: Jul 2007
Posts: 4,477
You should get real.
I never said the IHG employee does the actual hacking (necessarily). Maybe yes maybe not. You seem to think that all 25,000+ of them are "simple human beings" without the intelligence, experience or time to have the ability to create and run a program to attempt 9999 possibilities for a password crack.
The IHG employees DO have the ability to identify:
- Accounts with lots of points (high value accounts)
- Account Numbers of those "high value accounts"
So, even going with what you said, all 25,000+ IHG employees are incapable of this type of hack, it would take them literally minutes to put high value account information on the dark web or maybe even easier to an associate or friend they might know who is "smarter" than them.