
Account hacked, points spent

Old Feb 15, 2018, 7:16 pm
  #256  
 
Join Date: Sep 2008
Posts: 7,875
So I called in to ask what's going on, since it has been more than 2 weeks and I never got any communication. They said they are still waiting on the redemption department to restore the points.
I asked to speak to someone who can actually do something, got a supervisor, and she is creating a new number to move my points over to.
s0ssos is offline  
Old Feb 15, 2018, 8:18 pm
  #257  
 
Join Date: Nov 2015
Location: Indiana
Programs: IHG Spire- Marriott-Hilton Diamond sort of- Choice Diamond
Posts: 114
Originally Posted by s0ssos
So I called in to ask what's going on, since it has been more than 2 weeks and I never got any communication. They said they are still waiting on the redemption department to restore the points.
I asked to speak to someone who can actually do something, got a supervisor, and she is creating a new number to move my points over to.
I'm so glad you're getting everything straightened out. Did they give any hint at better security coming?
peripateticlife is offline  
Old Feb 15, 2018, 8:22 pm
  #258  
 
Join Date: Jun 2004
Location: San Diego
Programs: IHG Spire Amb, HH Diamond, DL Diamond and 1MM
Posts: 3,610
IHG restored my stolen 9,000 points from about two weeks ago. No explanation, and the only change is a different pin for my existing account. My account is insecure as always
Bowgie is offline  
Old Feb 15, 2018, 8:43 pm
  #259  
 
Join Date: Sep 2008
Posts: 7,875
Originally Posted by peripateticlife
I'm so glad you're getting everything straightened out. Did they give any hint at better security coming?
I think they noted lots of fraud reports, but no mention of anything else (though she did say personally she would change the email address on my account)

Originally Posted by Bowgie
IHG restored my stolen 9,000 points from about two weeks ago. No explanation, and the only change is a different pin for my existing account. My account is insecure as always
I wonder if there is a threshold of how many points before they do more (mine was a bit more than 9k)
s0ssos is offline  
Old Feb 16, 2018, 5:36 am
  #260  
 
Join Date: Dec 2007
Location: Brussels, London, Geneva, ....
Programs: Priority Club Gold, Eurostar Carte Blanche, formerly BA Gold, formerly KLM silver
Posts: 245
My account was hacked a few weeks ago. I called immediately after getting the email about the details on the account being changed.
After a couple of weeks I'd heard nothing so I called up. The points had been restored but I needed to create a new account with a new email address. That went mostly OK although the automatically generated PIN number I was sent didn't work and I had to request a new one.
It wasn't a particularly bad experience but continuing to use these PIN numbers is insane.
traveller42 is offline  
Old Feb 21, 2018, 1:45 am
  #261  
 
Join Date: Jan 2014
Location: The Indo Jungle
Programs: AA EXP, IHG Spire
Posts: 1,319
Originally Posted by DeepUnderground
271,000 points disappeared. Is there a number to call? I am surprised this thread doesn't have a wiki.

Edit: Got through and they've started an investigation. They have changed my address to the UK and redeemed for gift cards.
Update: Got all 271,000 points back yesterday.
DeepUnderground is offline  
Old Feb 21, 2018, 1:54 am
  #262  
 
Join Date: Aug 2013
Location: DXB
Programs: EK, AA, DL, UA, SPG, HGP, Amex
Posts: 1,208
I subscribe to this thread via email and the frequency of emails is steadily increasing...
extramileage is offline  
Old Feb 28, 2018, 8:22 am
  #263  
 
Join Date: Apr 2004
Programs: AA Plat/2MM, DL Silver, UA Silver (via Marr), Marr LTT, HH Gold (via cc), Hyatt Disc
Posts: 1,039
Had 77k points fraudulently redeemed from my account. Got the "your account has been changed" email. Called to report the fraudulent activity. Rep said they would look into it and, if appropriate, restore my points in 5-7 days. I did have to change the email associated with the account and reset the PIN. Pain to have to do this; at least I very infrequently stay at IHG properties so not a major immediate disruption, but pia nonetheless.
bosman is offline  
Old Feb 28, 2018, 10:58 am
  #264  
 
Join Date: May 2006
Location: MSN
Programs: DL, AA, UA
Posts: 294
Add me to this club. Saw the email address and PIN change notification emails about an hour after they were sent and called right away. The CSR said they were busy with fraud calls all morning already. My 98K points had already been drained and used on Amazon from a UK email. I set up a new email and they called back today to link it with my account and email out the new PIN. Points have already been restored. I appreciate how quickly they restored my account but it's troubling that they haven't moved to a more secure system.
mpattdu is offline  
Old Feb 28, 2018, 4:04 pm
  #265  
Suspended
 
Join Date: Jul 2007
Posts: 4,477
Originally Posted by mpattdu
I appreciate how quickly they restored my account but it's troubling that they haven't moved to a more secure system.
That is because [it seems] IHG still believes (or has evidence) that the fraudsters have access to your email account first before the IHG PIN. That is why they are emphasising asking people to change their email address first.
FlyerTalker688786 is offline  
Old Mar 1, 2018, 7:03 am
  #266  
 
Join Date: Dec 2016
Location: WAW
Programs: A3(*G), Marriott Platinum, Hilton Diamond, IHG Diamond Ambassador
Posts: 2,534
Originally Posted by chongcao
That is because [it seems] IHG still believes (or has evidence) that the fraudsters have access to your email account first before the IHG PIN. That is why they are emphasising asking people to change their email address first.
That is like saying there are some burglars that know your home address so don't bother putting a lock on the door.

There really is no justifiable rationale for maintaining a 4-digit PIN. All the supposed justifications I've seen are as absurd as the excuse given above. Any attempts to make this policy sound reasonable are as foolish and pointless as debating how many angels can dance on the head of a pin.
yurtripper is offline  
Old Mar 1, 2018, 7:16 am
  #267  
Suspended
 
Join Date: Jul 2007
Posts: 4,477
Originally Posted by yurtripper
That is like saying there are some burglars that know your home address so don't bother putting a lock on the door.

There really is no justifiable rationale for maintaining a 4-digit PIN. All the supposed justifications I've seen are as absurd as the excuse given above. Any attempts to make this policy sound reasonable are as foolish and pointless as debating how many angels can dance on the head of a pin.
You are missing the point. Let me try to explain.

If the fraudster has control of your email, they can submit forgot PIN any time and change your PIN without your knowledge. In that case, even if your PIN is 128 characters long with 80 kinds of £$% special characters, it all does not matter. Because the system will only respond by sending a new password to your registered email address.

With the current system, if the fraudster got the PIN wrong, the system will lock them out after a few attempts. There are protocols in IHG's outdated IT system that prevent random guessing of the PIN. If there are some changes in your account setting, IHG will email you. Whether it is a 6-character password or 8 characters, it all does not matter if the fraudster has access to your registered email address.

Of course, a 4-digit PIN is not as secure as a 6- or 8-character password. No one can deny that. But there is no material difference if the fraudsters gained access to your prime email address. I hope you can understand this scenario.
FlyerTalker688786 is offline  
Old Mar 1, 2018, 7:25 am
  #268  
 
Join Date: Dec 2016
Location: WAW
Programs: A3(*G), Marriott Platinum, Hilton Diamond, IHG Diamond Ambassador
Posts: 2,534
Originally Posted by chongcao
You are missing the point. Let me try to explain.

If the fraudster has control of your email, they can submit forgot PIN any time and change your PIN without your knowledge. In that case, even if your PIN is 128 characters long with 80 kinds of £$% special characters, it all does not matter. Because the system will only respond by sending a new password to your registered email address.

With the current system, if the fraudster got the PIN wrong, the system will lock them out after a few attempts. There are protocols in IHG's outdated IT system that prevent random guessing of the PIN. If there are some changes in your account setting, IHG will email you. Whether it is a 6-character password or 8 characters, it all does not matter if the fraudster has access to your registered email address.

Of course, a 4-digit PIN is not as secure as a 6- or 8-character password. No one can deny that. But there is no material difference if the fraudsters gained access to your prime email address. I hope you can understand this scenario.
None of that justifies having a massively insecure 4-digit PIN. Even if they know my entire DNA sequence, along with my email address and whatever other confidential information you can think of, it does not justify persisting with a password mechanism that is essentially useless.

And a password reset link should be sent to the original email address so unless the hacker has taken over control of your email account then it's not a problem. If someone has hacked into your email account then you're royally screwed in any case.

The problem you describe can also be fixed with 2FA.

Last edited by yurtripper; Mar 1, 2018 at 7:32 am
yurtripper is offline  
Old Mar 1, 2018, 9:26 am
  #269  
 
Join Date: Apr 2004
Programs: AA Plat/2MM, DL Silver, UA Silver (via Marr), Marr LTT, HH Gold (via cc), Hyatt Disc
Posts: 1,039
Points were reinstated this morning, just 24 hours after I notified them of the fraudulent redemption. Seems like that part of the equation is working faster; now if they could do something to stop the hacking.
bosman is offline  
Old Mar 1, 2018, 12:46 pm
  #270  
Suspended
 
Join Date: Jul 2007
Posts: 4,477
Originally Posted by yurtripper
And a password reset link should be sent to the original email address so unless the hacker has taken over control of your email account then it's not a problem. If someone has hacked into your email account then you're royally screwed in any case.

The problem you describe can also be fixed with 2FA.
Since you finally understand the real problem I was talking about, now go back to the first paragraph. Once your email is hacked, tell me how a 4-digit PIN or 8-character password would make any difference? Then again, you must understand that I am not disputing: 1) a 4-digit PIN is inadequate; and 2) IHG should make online security better. What I am trying to say is my original post:

That is because [it seems] IHG still believes (or has evidence) that the fraudsters have access to your email account first before the IHG PIN. That is why they are emphasising asking people to change their email address first.


There are questions IHG needs to answer in this saga. But if IHG believes that the 4-digit PIN is not the cause of the problem, then we should concentrate on the issue of why the hack happened.
FlyerTalker688786 is offline  
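
The exchange in posts #267 to #270 turns on two claims: an email-only reset makes the length of the PIN or password irrelevant once the mailbox is compromised, and a second factor closes that gap. The sketch below is an added example, not part of any post and not IHG's system; the `Account` record, function names, lockout threshold and secret are all hypothetical, and the TOTP routine follows RFC 6238.

```python
import hashlib, hmac, secrets, struct, time

MAX_OTP_FAILURES = 5  # assumed lockout threshold for wrong one-time codes

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1 variant)."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:  # hypothetical in-memory account record
    def __init__(self, credential, totp_secret=None):
        self.credential = credential    # PIN or password, any length
        self.totp_secret = totp_secret  # None = no second factor enrolled
        self.reset_hash = None          # SHA-256 of the outstanding reset token
        self.otp_failures = 0

def request_reset(acct) -> str:
    """Issue a single-use token; the caller emails it to the registered address."""
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).digest()
    return token

def complete_reset(acct, token, new_credential, otp=None, now=None) -> bool:
    now = time.time() if now is None else now
    presented = hashlib.sha256(token.encode()).digest()
    if acct.reset_hash is None or not hmac.compare_digest(presented, acct.reset_hash):
        return False
    if acct.totp_secret is not None:  # mailbox access alone is not enough
        if acct.otp_failures >= MAX_OTP_FAILURES:
            return False
        # accept the previous, current and next 30 s window for clock drift
        valid = [totp(acct.totp_secret, now + d * 30).encode() for d in (-1, 0, 1)]
        if otp is None or not any(hmac.compare_digest(otp.encode(), v) for v in valid):
            acct.otp_failures += 1
            return False
    acct.credential, acct.reset_hash, acct.otp_failures = new_credential, None, 0
    return True

def demo(now: float = 1_519_900_000.0):
    """Constructed scenario: a party holding only the mailbox completes a reset."""
    secret = b"constructed-demo-secret"  # constructed sample value
    accounts = [("pin", Account("1234")), ("long", Account("x" * 128)),
                ("2fa", Account("1234", totp_secret=secret))]
    results = {name: complete_reset(a, request_reset(a), "replaced", now=now)
               for name, a in accounts}
    owner = accounts[2][1]  # the legitimate owner also has the enrolled device
    results["owner"] = complete_reset(owner, request_reset(owner), "new",
                                      otp=totp(secret, now), now=now)
    return results
```

`demo()` shows the 4-digit PIN and the 128-character password failing identically when the reset depends on email alone, while the account with an enrolled second factor rejects the same reset.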

