Account hacked, points spent

Old Jun 10, 15, 7:22 am
  #1  
Original Poster
 
Join Date: Aug 2009
Location: UK
Programs: IHG
Posts: 1,221
Account hacked, points spent

I just had an email from IHG thanking me for updating my profile, saying if it wasn't me, then I needed to contact them.
So I logged in and my email and contact number had been changed. I changed them back and amended the login PIN. However, upon logging in, I found that most of my points had gone.
Just spoken to AMB services, who promptly cancelled the "Redemption order event 1" as it was described in Account Activity, and it seems that "someone" had ordered Amazon vouchers on my account.
Luckily, the operator was able to cancel the transaction, as it had only just been processed, but I imagine it would have been a much bigger ordeal had I left it longer to call them. So, be careful!
turner32 is offline  
Old Jun 10, 15, 10:31 am
  #2  
 
Join Date: Jul 2007
Location: E
Programs: MSC (Miles Slut Club); Cunard- Diamond 300+; Princess- Elite 200+; RCCL- D Plus; QF LTG; CA P
Posts: 4,371
Hi, could you provide more info?

1. Is the email from IHG about updating your information genuine?
2. Have you logged in to IHG in public computers recently?
3. Have you told anyone of your IHG membership number?

I think it is easy for hackers to hack into your IHG account due to the weak password protection. But thank you for the thread! I will certainly watch out every hour again.
chongcao is offline  
Old Jun 10, 15, 11:04 am
  #3  
 
Join Date: Jan 2007
Location: Somewhere in Europe
Posts: 3,036
Yes, thanks for letting us know.

A timely reminder to change our PINs I suppose.

I do wish IHG would change to passwords or at the very least longer PINs.
chrism20 is offline  
Old Jun 10, 15, 1:51 pm
  #4  
Original Poster
 
Join Date: Aug 2009
Location: UK
Programs: IHG
Posts: 1,221
Originally Posted by chongcao View Post
Hi, could you provide more info?

1. Is the email from IHG about updating your information genuine?
2. Have you logged in to IHG in public computers recently?
3. Have you told anyone of your IHG membership number?

I think it is easy for hackers to hack into your IHG account due to the weak password protection. But thank you for the thread! I will certainly watch out every hour again.
The email from IHG was genuine, it's automatically generated if any details are amended on the account.
I don't use public computers, nor have I disclosed my account number, so it's a bit of a mystery..
turner32 is offline  
Old Jun 11, 15, 4:30 am
  #5  
 
Join Date: May 2004
Location: SIN (LEJ once a year)
Programs: A3*S, LH, SQ, BA, IHG Spire AMB, HH Gold, Marriot Silver
Posts: 5,043
Hope all works out well. I really think IHG should introduce real passwords for accounts or at least extend the PIN concept to 6-digits.
preahkaew likes this.
demue is offline  
Old Jun 11, 15, 9:29 am
  #6  
 
Join Date: Jan 2010
Location: NYC
Programs: IHG, RC, HH, AA, QF, UA, Aeroplan
Posts: 2,436
Originally Posted by turner32 View Post
The email from IHG was genuine, it's automatically generated if any details are amended on the account.
I don't use public computers, nor have I disclosed my account number, so it's a bit of a mystery..
With four digit PINs, and millions of account numbers, I can't imagine it would be a difficult job for even simple hackers. Maybe the solution would be an additional layer, like other sites, say answering a question the member has elected, mother's maiden name or other.
preahkaew likes this.
Tim O'Brien is offline  
Old Jun 11, 15, 10:23 am
  #7  
 
Join Date: Feb 2010
Location: YYZ / FRA
Programs: IHG RA; Avis First
Posts: 1,406
The stupid pin is ridiculous! If they want to continue with that maybe at least have Alpha-Numeric! Increases the security a bit!
preahkaew likes this.
BRAISKI is offline  
Old Jun 11, 15, 11:43 am
  #8  
htb
 
Join Date: Aug 2005
Programs: LH M&M (was: SEN), UA*G(1K), PC Spire Amb, Marriott Gold (by virtue of UA*G), Accor Gold
Posts: 4,588
Originally Posted by Tim O'Brien View Post
With four digit PINs, and millions of account numbers, I can't imagine it would be a difficult job for even simple hackers. Maybe the solution would be an additional layer, like other sites, say answering a question the member has elected, mother's maiden name or other.
Anyone with a bot net can easily bypass any security measures IHG could take. Just try each arbitrary account number with two or three different pins, maybe hours apart. Every 10000 tries you get a hit.

It's a bit like finding a cash card and trying out three arbitrary PIN numbers at the next cash machine. Chances to win are better than playing the lottery. Plus the bank will claim that you must have written the PIN number on the back of your card because it would otherwise be impossible for the thief to have known the number...

HTB.
htb is offline  
Old Jun 11, 15, 1:47 pm
  #9  
 
Join Date: Sep 2012
Location: Amsterdam, Asia, UK
Programs: IHG RA (Spire), HH Diamond, MR Platinum, SQ Gold, KLM Gold, BAEC Gold
Posts: 5,034
Originally Posted by turner32 View Post
The email from IHG was genuine, it's automatically generated if any details are amended on the account.
I don't use public computers, nor have I disclosed my account number, so it's a bit of a mystery..
Although an improvement over Summer 2013, when points thefts first occurred and IHG were so unhelpful, this extra email notification won't prevent points thefts BUT could be used by IHG to deny replacement by saying it is the member's fault for not viewing their emails every day/every few hours.

Don't we only get 3 attempts at the PIN now before a 30 minute wait is implemented? So on that basis maybe the thief knew your PIN/member number somehow.

Previously no notification went to the existing email account when it was changed by a hacker/thief, so it could be days or weeks before the holder finds they cannot log in and reports an issue and the theft is known.

However, even with IHG now correctly notifying the existing email address of a change to the email address, UNLESS the member uses automatic email notification to e.g. mobile/BlackBerry, the thief can still get the emailed Amazon-type money voucher in 1-2 days and use it etc. before the member sees the email and contacts IHG.
scubaccr is offline  
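Added example, not part of any post in this thread: detection logic showing why the 3-attempt, 30 minute per-account lockout mentioned above does not register guesses spread thinly over many accounts, while a site-wide count of distinct failing accounts does. The log format, account names, addresses and the two `SPRAY_*` thresholds are assumptions made for the example, not IHG's.

```python
from collections import defaultdict, deque

LOCKOUT_FAILS, LOCKOUT_WINDOW = 3, 30 * 60  # from the thread: 3 tries, 30 minute wait
SPRAY_WINDOW = 60 * 60   # assumed look-back for the site-wide check
SPRAY_ACCOUNTS = 50      # assumed alert threshold: distinct failing accounts

def constructed_events():
    """Constructed log: (epoch_seconds, account, source_ip, success)."""
    ev = [(rnd * 3 * 3600 + i * 10, f"acct{i:04d}", f"198.51.100.{i}", False)
          for rnd in range(2) for i in range(200)]  # 2 failures per account, 3 h apart
    ev += [(t, "member-typo", "203.0.113.7", False) for t in (600, 660, 720)]
    return sorted(ev)

def per_account_lockouts(events):
    """Accounts that reach 3 failures inside 30 minutes (the per-account control)."""
    recent, locked = defaultdict(deque), set()
    for ts, account, _ip, ok in events:
        if ok:
            recent[account].clear()
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] >= LOCKOUT_WINDOW:
            q.popleft()
        if len(q) >= LOCKOUT_FAILS:
            locked.add(account)
    return locked

def spray_alerts(events):
    """Times at which failures in the last hour span too many distinct accounts."""
    window, counts, alerts = deque(), defaultdict(int), []
    for ts, account, _ip, ok in events:
        if ok:
            continue
        window.append((ts, account))
        counts[account] += 1
        while ts - window[0][0] >= SPRAY_WINDOW:
            _, old = window.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        # Source IP is ignored on purpose: every event here has a different one.
        if len(counts) >= SPRAY_ACCOUNTS and (not alerts or ts - alerts[-1] >= SPRAY_WINDOW):
            alerts.append(ts)
    return alerts

if __name__ == "__main__":
    events = constructed_events()
    print("locked by per-account rule:", per_account_lockouts(events))
    print("site-wide alerts at:", spray_alerts(events))
```

On the constructed log, the only account the per-account rule locks is the genuine member who mistyped three times; the 200 accounts probed twice each never reach the threshold, but both rounds trip the site-wide alert.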
Old Jun 11, 15, 2:18 pm
  #10  
A FlyerTalk Posting Legend
 
Join Date: Jan 2002
Posts: 40,169
Originally Posted by BRAISKI View Post
The stupid pin is ridiculous! If they want to continue with that maybe at least have Alpha-Numeric! Increases the security a bit!
It wouldn't be a PIN then
Dave Noble is offline  
Old Jun 12, 15, 2:54 pm
  #11  
 
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,428
Originally Posted by htb View Post
Anyone with a bot net can easily bypass any security measures IHG could take. Just try each arbitrary account number with two or three different pins, maybe hours apart. Every 10000 tries you get a hit.
You can do MUCH better. More than 25% of PINs are 10 combinations. 1234 is used by more than 10% of people. http://www.huffingtonpost.com/2013/0...n_3696560.html

If you see your PIN listed in the above article, you should consider something different.

Last edited by iflyjetz; Jun 13, 15 at 2:08 am
iflyjetz is offline  
Old Jun 12, 15, 9:52 pm
  #12  
 
Join Date: Nov 2009
Programs: US Air, Hilton, Priority Club, AA, UA
Posts: 32
New pins

Hilton changed from the 1234 pin to the Alphanum pin; IHG can too.
TomRI is offline  
Old Jun 15, 15, 3:40 am
  #13  
Original Poster
 
Join Date: Aug 2009
Location: UK
Programs: IHG
Posts: 1,221
To update, they closed my account without informing me. Will have to speak to someone..
turner32 is offline  
Old Jun 15, 15, 8:23 am
  #14  
Company Representative - InterContinental Hotels
 
Join Date: May 2011
Location: Salt Lake City Utah
Programs: IHG Rewards Club
Posts: 166
Dear turner32,

Safety and Security at IHG are our first and foremost concern. IHG has a number of behind the scenes security processes to protect our guests while considering guest's requests for ease of use of their IHG Rewards Club Accounts. If you have concerns about any unauthorized access to your accounts, please contact the IHG Rewards Club Service Center at the contact details on the back of your IHG Rewards Club Card.

Sincerely,

Karen C.
Case Manager
IHGCare
IHG Service is offline  
Old Jun 15, 15, 9:32 am
  #15  
Original Poster
 
Join Date: Aug 2009
Location: UK
Programs: IHG
Posts: 1,221
Originally Posted by IHG Care View Post
Dear turner32,

Safety and Security at IHG are our first and foremost concern. IHG has a number of behind the scenes security processes to protect our guests while considering guest's requests for ease of use of their IHG Rewards Club Accounts. If you have concerns about any unauthorized access to your accounts, please contact the IHG Rewards Club Service Center at the contact details on the back of your IHG Rewards Club Card.

Sincerely,

Karen C.
Case Manager
IHGCare



Thanks for your comments, Karen. I've contacted Ambassador services who informed me that my account was closed 4 days ago, due to unauthorized activity that took place. Unfortunately, no-one bothered to inform me of this, and now my account cannot be released for a couple of days at least.
turner32 is offline  
