How Secure is Marriott.com's Login Process?
The email that was associated with my marriott.com account was compromised three days ago. As soon as I discovered it, I changed the email address to a new one on marriott.com. I had a very short window when I could still see emails at my compromised email account, and I didn't see any email confirmation of the change at either my old email or new email account. Then last night, I also removed my mobile number (they got access to my email account through a process called SIM swap) on marriott.com. Again, no email confirmation.
I have logged into marriott.com with my new email address and have been able to log on fine. My profile also lists the new email address correctly. So no harm has been done. However, my concerns are:
P.S. I did go into Communications Preferences, and there is no option to turn on account alerts for suspicious activities. How secure are our online accounts with Marriott? Or maybe I have missed something. |
I agree. Marriott needs to give us the option of 2-Factor authentication. SPG website had the secret question option whenever a device tried to log in. Marriott has no such option. Apart from 2-Factor auth, there needs to be a system that triggers alerts when new/unknown devices attempt a log in.
|
Originally Posted by GarudaSoars
(Post 30902106)
I agree. Marriott needs to give us the option of 2-Factor authentication. SPG website had the secret question option whenever a device tried to log in. Marriott has no such option. Apart from 2-Factor auth, there needs to be a system that triggers alerts when new/unknown devices attempt a log in.
|
2-factor authentication ain't all that secure. There's plenty of ways to circumvent it. In the OP's case, SMS was how their account got compromised.
BUT...any time something is changed on someone's account profile, they should get an e-mail or similar notification about it. |
Originally Posted by KRSW
(Post 30902314)
2-factor authentication ain't all that secure. There's plenty of ways to circumvent it. In the OP's case, SMS was how their account got compromised.
BUT...any time something is changed on someone's account profile, they should get an e-mail or similar notification about it. |
Originally Posted by mysterym
(Post 30902350)
depends on the implementation, it can be extremely secure.
|
Originally Posted by naumank
(Post 30902708)
I have been doing a lot of reading on this topic. SMS-based 2FA is not secure at all. This is one article on it. It needs to be app-based or hardware-based. But at the very least, Marriott should (1) send an email alert about any changes made to the account; and (2) use some form of 2FA (even asking a few security questions is better than nothing) while avoiding using SMS.
|
Originally Posted by naumank
(Post 30902708)
I have been doing a lot of reading on this topic. SMS-based 2FA is not secure at all. This is one article on it. It needs to be app-based or hardware-based. But at the very least, Marriott should (1) send an email alert about any changes made to the account; and (2) use some form of 2FA (even asking a few security questions is better than nothing) while avoiding using SMS.
Security - just like safety systems in airplanes - relies on defense in depth. There is no single unhackable solution, but things like SMS 2FA significantly increase attack complexity. Right or wrong, many users reuse usernames/emails and passwords across multiple sites. A single breach at another site (if the user has a weak password or if the salting and hashing standards used by the site are subpar) makes it trivial to access a user's account if even weak 2FA like SMS authentication is not used. For something like a hotel loyalty program - where the prize for hacking is relatively small gain (point transfers aside, but that leads to its own audit trail and complexity) - login/password + SMS 2FA + real-time fraud analytics/detection is a perfectly valid solution. Would I use that with my bank? No, but it's "good enough" and "convenient enough" for most users in the context of a Marriott login. |
Originally Posted by mysterym
(Post 30902350)
depends on the implementation, it can be extremely secure.
odds of successful implementation ~ 0. |
Originally Posted by ethernal
(Post 30902898)
I agree that SMS-based 2FA is not super secure - and obviously one should be using, e.g., hardware token authentication for anything important (high-balance bank accounts come to mind). That said, to throw one's hands up in the air and say that SMS 2FA is worthless is throwing the baby out with the bathwater.
Security - just like safety systems in airplanes - relies on defense in depth. There is no single unhackable solution, but things like SMS 2FA significantly increase attack complexity. Right or wrong, many users reuse usernames/emails and passwords across multiple sites. A single breach at another site (if the user has a weak password or if the salting and hashing standards used by the site are subpar) makes it trivial to access a user's account if even weak 2FA like SMS authentication is not used. For something like a hotel loyalty program - where the prize for hacking is a relatively small gain (point transfers aside, but that leads to its own audit trail and complexity) - login/password + SMS 2FA + real-time fraud analytics/detection is a perfectly valid solution. Would I use that with my bank? No, but it's "good enough" and "convenient enough" for most users in the context of a Marriott login. |
Originally Posted by naumank
(Post 30901787)
The email that was associated with my marriott.com account was compromised three days ago. As soon as I discovered it, I changed the email address to a new one on marriott.com. I had a very short window when I could still see emails at my compromised email account, and I didn't see any email confirmation of the change at either my old email or new email account. Then last night, I also removed my mobile number (they got access to my email account through a process called SIM swap) on marriott.com. Again, no email confirmation.
I have logged into marriott.com with my new email address and have been able to log on fine. My profile also lists the new email address correctly. So no harm has been done. However, my concerns are:
P.S. I did go into Communications Preferences, and there is no option to turn on account alerts for suspicious activities. How secure are our online accounts with Marriott? Or maybe I have missed something. |
Originally Posted by naumank
(Post 30903802)
I agree with you. My biggest issue is that I didn't get any email alerts about the changes I made to the account (i.e. the change of email and then phone #). If a hacker did this, I would not have known until the next time I log in.
Never notified. Marriott has fully restored everything, but will not comment on why and how. They (fraud department) will not speak to you via phone and only replied via email. |
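The control several posters ask for (an alert to both the old and the new address whenever email or phone is changed, so the owner is not left to discover it at the next login), as an added example that is not Marriott's code: a constructed Python profile-change handler that notifies every contact method on file, issues a one-use revert token to the previous address, and keeps an audit record. The revert window, the addresses and the in-memory "sent" list are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

REVERT_WINDOW_SECONDS = 72 * 3600   # assumed policy value; the thread states no window

@dataclass
class Account:
    email: str
    phone: str                                   # "" means no phone on file
    sent: list = field(default_factory=list)     # (destination, message): stand-in for mail/SMS
    audit: list = field(default_factory=list)    # append-only change log
    revert_tokens: dict = field(default_factory=dict)  # HMAC(token) -> (field, old, expiry)

def _notify(acct, destination, message):
    if destination:                              # skip empty contact methods
        acct.sent.append((destination, message))

def _token_tag(token, secret_key):
    # Store only an HMAC of the revert token so a leaked table cannot redeem it.
    return hmac.new(secret_key, token.encode(), hashlib.sha256).hexdigest()

def change_contact(acct, field_name, new_value, secret_key, now=None):
    # Change "email" or "phone"; alert old AND new destinations; hand out a revert token.
    now = time.time() if now is None else now
    old_value = getattr(acct, field_name)
    token = secrets.token_urlsafe(24)
    acct.revert_tokens[_token_tag(token, secret_key)] = (field_name, old_value, now + REVERT_WINDOW_SECONDS)
    setattr(acct, field_name, new_value)
    acct.audit.append({"ts": now, "field": field_name, "old": old_value, "new": new_value})
    # The old destination is the owner's last known-good channel: it gets the revert link.
    _notify(acct, old_value, f"Your {field_name} was changed. Not you? Revert with: {token}")
    _notify(acct, new_value, f"This {field_name} is now linked to your account.")
    for other in ("email", "phone"):             # and every other contact still on file
        if other != field_name:
            _notify(acct, getattr(acct, other), f"Your {field_name} was changed.")
    return token

def revert_change(acct, token, secret_key, now=None):
    # Undo a change with the token sent to the OLD destination; single use, time-limited.
    now = time.time() if now is None else now
    entry = acct.revert_tokens.pop(_token_tag(token, secret_key), None)
    if entry is None or entry[2] < now:
        return False
    field_name, old_value, _ = entry
    acct.audit.append({"ts": now, "field": field_name, "old": getattr(acct, field_name), "new": old_value, "revert": True})
    setattr(acct, field_name, old_value)
    return True
```

With this in place, the OP's two changes (new email, then phone removed) would each have produced an alert at the old address, the new address and the remaining contact method, with a revert path for the one the attacker did not control.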