Account hacked, points spent
#256
Join Date: Sep 2008
Posts: 7,875
So I called in to ask for what's going on, since it has been more than 2 weeks and I never got any communication. They said they are still waiting on the redemption department to restore the points.
I asked to speak to someone who can actually do something, got a supervisor, and she is creating a new number to move my points over to.
#257
Join Date: Nov 2015
Location: Indiana
Programs: IHG Spire- Marriott-Hilton Diamond sort of- Choice Diamond
Posts: 114
So I called in to ask for what's going on, since it has been more than 2 weeks and I never got any communication. They said they are still waiting on the redemption department to restore the points.
I asked to speak to someone who can actually do something, got a supervisor, and she is creating a new number to move my points over to.
#258
Join Date: Jun 2004
Location: San Diego
Programs: IHG Spire Amb, HH Diamond, DL Diamond and 1MM
Posts: 3,610
IHG restored my stolen 9,000 points from about two weeks ago. No explanation, and the only change is a different pin for my existing account. My account is insecure as always.
#259
Join Date: Sep 2008
Posts: 7,875
I wonder if there is a threshold of how many points before they do more (mine was a bit more than 9k)
#260
Join Date: Dec 2007
Location: Brussels, London, Geneva, ....
Programs: Priority Club Gold, Eurostar Carte Blanche, formerly BA Gold, formerly KLM silver
Posts: 245
My account was hacked a few weeks ago. I called immediately after getting the email about the details on the account being changed.
After a couple of weeks I'd heard nothing so I called up. The points had been restored but I needed to create a new account with a new email address. That went mostly OK although the automatically generated PIN number I was sent didn't work and I had to request a new one.
It wasn't a particularly bad experience but continuing to use these PIN numbers is insane.
#261
Join Date: Jan 2014
Location: The Indo Jungle
Programs: AA EXP, IHG Spire
Posts: 1,319
Update: Got all 271,000 points back yesterday.
#263
Join Date: Apr 2004
Programs: AA Plat/2MM, DL Silver, UA Silver (via Marr), Marr LTT, HH Gold (via cc), Hyatt Disc
Posts: 1,039
Had 77k points fraudulently redeemed from my account. Got the "your account has been changed" email. Called to report the fraudulent activity. Rep said they would look into it and, if appropriate, restore my points in 5-7 days. I did have to change the email associated with the account and reset the pin. Pain to have to do this; at least I very infrequently stay at IHG properties so not a major immediate disruption, but pia nonetheless.
#264
Join Date: May 2006
Location: MSN
Programs: DL, AA, UA
Posts: 294
Add me to this club. Saw the email address and PIN change notification emails about an hour after they were sent and called right away. The CSR said they were busy with fraud calls all morning already. My 98K points had already been drained and used on Amazon from a UK email. I set up a new email and they called back today to link it with my account and email out the new PIN. Points have already been restored. I appreciate how quickly they restored my account but it's troubling that they haven't moved to a more secure system.
#265
Suspended
Join Date: Jul 2007
Posts: 4,477
That is because [it seems] IHG still believes (or has evidence) that the fraudsters have access to your email account first before the IHG PIN. That is why they are emphasising on asking people to change their email address first.
#266
Join Date: Dec 2016
Location: WAW
Programs: A3(*G), Marriott Platinum, Hilton Diamond, IHG Diamond Ambassador
Posts: 2,534
There really is no justifiable rationale for maintaining a 4-digit PIN. All the supposed justifications I've seen are as absurd as the excuse given above. Any attempts to make this policy sound reasonable are as foolish and pointless as debating how many angels can dance on the head of a pin.
#267
Suspended
Join Date: Jul 2007
Posts: 4,477
That is like saying there are some burglars that know your home address so don't bother putting a lock on the door.
There really is no justifiable rationale for maintaining a 4-digit PIN. All the supposed justifications I've seen are as absurd as the excuse given above. Any attempts to make this policy sound reasonable are as foolish and pointless as debating how many angels can dance on the head of a pin.
If the fraudster has control of your email, they can submit forgot PIN any time and change your PIN without your knowledge. In that case, even if your PIN is 128 characters long with 80 kinds of £$% special characters, it all does not matter. Because the system will only respond by sending a new password to your registered email address.
With the current system, if the fraudster got the PIN wrong, the system will lock them out after a few attempts. There are protocols in IHG's outdated IT system that prevent random guessing of the PIN. If there are some changes in your account settings, IHG will email you. Whether it is a 6-character-long password or 8 characters, it all does not matter if the fraudster has access to your registered email address.
Of course, a 4-digit PIN is not as secure as a 6- or 8-character password. No one can deny that. But there is no material difference if the fraudsters gained access to your prime email address. I hope you can understand this scenario.
#268
Join Date: Dec 2016
Location: WAW
Programs: A3(*G), Marriott Platinum, Hilton Diamond, IHG Diamond Ambassador
Posts: 2,534
You are missing the point. Let me try to explain.
If the fraudster has control of your email, they can submit forgot PIN any time and change your PIN without your knowledge. In that case, even if your PIN is 128 characters long with 80 kinds of £$% special characters, it all does not matter. Because the system will only respond by sending a new password to your registered email address.
With the current system, if the fraudster got the PIN wrong, the system will lock them out after a few attempts. There are protocols in IHG's outdated IT system that prevent random guessing of the PIN. If there are some changes in your account settings, IHG will email you. Whether it is a 6-character-long password or 8 characters, it all does not matter if the fraudster has access to your registered email address.
Of course, a 4-digit PIN is not as secure as a 6- or 8-character password. No one can deny that. But there is no material difference if the fraudsters gained access to your prime email address. I hope you can understand this scenario.
And a password reset link should be sent to the original email address so unless the hacker has taken over control of your email account then it's not a problem. If someone has hacked into your email account then you're royally screwed in any case.
The problem you describe can also be fixed with 2FA.
Last edited by yurtripper; Mar 1, 2018 at 7:32 am
#269
Join Date: Apr 2004
Programs: AA Plat/2MM, DL Silver, UA Silver (via Marr), Marr LTT, HH Gold (via cc), Hyatt Disc
Posts: 1,039
Points were reinstated this morning, just 24 hours after I notified them of the fraudulent redemption. Seems like that part of the equation is working faster; now if they could do something to stop the hacking.
#270
Suspended
Join Date: Jul 2007
Posts: 4,477
And a password reset link should be sent to the original email address so unless the hacker has taken over control of your email account then it's not a problem. If someone has hacked into your email account then you're royally screwed in any case.
The problem you describe can also be fixed with 2FA.
That is because [it seems] IHG still believes (or has evidence) that the fraudsters have access to your email account first before the IHG PIN. That is why they are emphasising on asking people to change their email address first.
There are questions IHG needs to answer in this saga. But if IHG believes that a 4-digit PIN is not the cause of the problem, then we should concentrate on the issue of why the hack happened.