What can we do about IHG storing our PINs in clear?

Old Dec 20, 2018, 6:53 am
  #1  
Original Poster
 
Join Date: Feb 2008
Programs: Flying Blue Platinum / Marriott Gold / Hilton Gold / IHG Platinum ... A former AA Platinum
Posts: 106
What can we do about IHG storing our PINs in clear?

I had to reset my PIN for ihg.com and I realized the "lost your pin" feature that emails you to recover access, is actually sending you your current PIN.
This means (for the non-techies) that IHG stores the PINs in clear. This means, crucially, that anyone with access to the database inside IHG (engineers, maintenance, possibly contractors even) has access to what I'm going to guess are often 'special dates' for given users -- since folks often use PINs that are meaningful 4-digit combos, that get reused in other circumstances.

THIS IS TERRIBLE for security. Especially since your IHG account is filled with personal info.
I suspect they are also exposed if anyone wants to launch some GDPR investigation into them, since they are not taking proper steps to protect the personal information of their customers.

I saw that there were folks on Twitter calling them out on this (twitter.com/FeMaven/status/1034141054621175810) but they don't seem to care ...

Does anyone have good relationships with the IHG folks to try and talk some sense into them and do the right thing to shore up their security standards?
gaukuser
Old Dec 20, 2018, 9:24 am
  #2  
FlyerTalk Evangelist
 
Join Date: Dec 2003
Location: MAN and LON
Programs: Mucci, BAEC LT Gold, HH Dia, MR LT Plat, IHG Diamond Amb, Amex Plat
Posts: 13,773
I think all the hotel chains have some real problems here. I work for a company that delivers frictionless strong customer authentication for use cases like this and that is exactly what the loyalty schemes need to put in place, especially post GDPR.
Land-of-Miles
Old Dec 20, 2018, 10:19 pm
  #3  
Join Date: Jul 2009
Programs: Hilton Gold, Club Carlson Gold, IHG Platinum
Posts: 112
The 4-digit numerical PIN is absolutely ridiculous. So 1990's level of security when most websites today are now requiring passwords with upper case, lower case, number, special character. My IHG account got hacked last year and got drained of 160,000 points. I knew something was up immediately because I received an email that my email had been changed. I was also not able to log into my account. Called IHG and they informed me that my email, my address, and my PIN had been changed and my account had been drained with the purchase of gift cards. IHG was nice enough and reset my account to my previous contact information and a new PIN. They also restored my points. No compensation for the inconvenience. The silver lining is that later I got 16,000 points added to my account as a 10% rebate on the 160,000 points that were redeemed by the hackers.
alben
Old Dec 21, 2018, 6:17 am
  #4  
 
Join Date: Dec 2017
Posts: 1,107
Originally Posted by gaukuser
I had to reset my PIN for ihg.com and I realized the "lost your pin" feature that emails you to recover access, is actually sending you your current PIN.
This means (for the non-techies) that IHG stores the PINs in clear. This means, crucially, that anyone with access to the database inside IHG (engineers, maintenance, possibly contractors even) has access to what I'm going to guess are often 'special dates' for given users -- since folks often use PINs that are meaningful 4-digit combos, that get reused in other circumstances.
(bolding mine)

Actually, it doesn’t mean that they are stored “in the clear.” They very well could be, and it’s obvious even to Ray Charles and Stevie Wonder that a 4-digit code like this is weak AF.

However it still doesn’t mean it is stored plaintext in their DB. It could very well be an encrypt/decrypt sequence.

The short is that this is a known issue, and has been for a very long time. Hoping for change is like wishing in one hand and... well, you know the rest. Let us know which hand fills up first.
thunderlounge
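The distinction raised in #1 and #4 (a "lost your PIN" e-mail can only return the current PIN if storage is reversible) as an added Python example that is not part of this thread or of IHG's systems. The SHA-256 keystream standing in for a real symmetric cipher, the record layout and the function names are all assumptions made so the block runs on the standard library.

```python
import hashlib
import hmac
import os

# Illustrative stand-in for a real symmetric cipher (e.g. AES-GCM): a short
# keystream derived from key + nonce with SHA-256. Assumption, not a real scheme.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.sha256(key + nonce).digest()[:n]

def store_reversible(pin: str, key: bytes) -> dict:
    """Encrypt/decrypt storage (post #4): the site can read the PIN back."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pin.encode(), _keystream(key, nonce, len(pin))))
    return {"scheme": "reversible", "nonce": nonce, "ct": ct}

def store_hashed(pin: str, iterations: int = 200_000) -> dict:
    """One-way storage: salted PBKDF2. The site can verify, never read back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"scheme": "hashed", "salt": salt, "digest": digest, "iters": iterations}

def recover_pin(record: dict, key: bytes) -> str:
    """What a 'mail me my current PIN' feature needs: only works on reversible records."""
    if record["scheme"] != "reversible":
        raise ValueError("PIN is not recoverable; offer a reset instead")
    ks = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()

def verify_pin(record: dict, pin: str, key: bytes = b"") -> bool:
    """Login check that works under either scheme, with constant-time comparison."""
    if record["scheme"] == "hashed":
        cand = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], record["iters"])
        return hmac.compare_digest(cand, record["digest"])
    return hmac.compare_digest(recover_pin(record, key).encode(), pin.encode())

def lost_pin_email(record: dict, key: bytes) -> str:
    """Body of the recovery e-mail: the thread's observation in one function."""
    try:
        return f"Your current PIN is {recover_pin(record, key)}"
    except ValueError:
        return "Use the link below to choose a new PIN"
```

If the recovery e-mail contains the current PIN, the storage is reversible by anyone holding the decryption key, which is the risk #1 describes; a one-way record can only drive a reset flow.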
Old Dec 21, 2018, 1:28 pm
  #5  
A FlyerTalk Posting Legend
 
Join Date: Jan 2002
Posts: 44,602
Indeed, not only does it not mean that it is stored in an unencrypted form, but anyone that has the sort of level of access to the database to be able to access this probably wouldn't need the PIN anyway.
Dave Noble
Old Dec 25, 2018, 2:43 pm
  #6  
 
Join Date: Jan 2012
Location: London
Programs: BAEC GGL & GfL, HHons Diamond, Intercontinental Royal Ambassador, IHG Spire Elite, Kimpton Inner Circle
Posts: 62
Write/tweet to IHG and copy/tag your national Information Commissioner

It is staggering that so many hotel groups are so careless with security for their loyalty programs. Given Marriott have admitted they discovered the hack in September, but did not notify those affected until November, they have a serious GDPR problem. The regs require consumers to be notified within 72 hours. In the extreme the fine could be 4% of global turnover. The EU will probably want to impose a fine which sends a clear message, perhaps in the tens of millions of €. I hope it is, as the hotel groups are clearly being negligent and need to understand that if they don’t fix this they will feel financial pain.

Anyone affected by Starwood should complain to their national information commissioner and encourage a punitive fine so hotels stop ignoring customer security.
SaturdayKid