
How Secure is Marriott.com's Login Process?


Old Mar 18, 19, 12:46 pm
  #1  
Original Poster
 
Join Date: Dec 2007
Location: SFO
Programs: UA Plat and 1MM, Marriott Ti/LTP, Hertz PC
Posts: 798
How Secure is Marriott.com's Login Process?

The email that was associated with my marriott.com account was compromised three days ago. As soon as I discovered it, I changed the email address to a new one on marriott.com. I had a very short window when I could still see emails at my compromised email account, and I didn't see any email confirmation of the change at either my old email or new email account. Then last night, I also removed my mobile number (they got access to my email account through a process called SIM swap) on marriott.com. Again, no email confirmation.

I have logged into marriott.com with my new email address and have been able to log on fine. My profile also lists the new email address correctly. So no harm has been done. However, my concerns are:
  1. Why was there no email confirmation from Marriott for the change of (1) email address; and (2) the phone number?
  2. There's no two-factor authentication I can turn on. Without 2FA, all our accounts are vulnerable.

P.S. I did go into Communications Preferences, and there is no option to turn on account alerts for suspicious activities. How secure are our online accounts with Marriott? Or maybe I have missed something.
naumank is offline  
Old Mar 18, 19, 1:55 pm
  #2  
2019 FlyerTalk Awards
 
Join Date: Feb 2015
Posts: 31
I agree. Marriott needs to give us the option of 2-Factor authentication. SPG website had the secret question option whenever a device tried to log in. Marriott has no such option. Apart from 2-Factor auth, there needs to be a system that triggers alerts when new/unknown devices attempt a log in.
itsaboutthejourney likes this.
GarudaSoars is offline  
Old Mar 18, 19, 2:17 pm
  #3  
 
Join Date: Jan 2010
Posts: 595
Originally Posted by GarudaSoars:
I agree. Marriott needs to give us the option of 2-Factor authentication. SPG website had the secret question option whenever a device tried to log in. Marriott has no such option. Apart from 2-Factor auth, there needs to be a system that triggers alerts when new/unknown devices attempt a log in.
Agree, they took a step backwards! And they are also dealing with a major breach. You'd think they would have someone making sure their current stuff is secure...
mysterym is online now  
Old Mar 18, 19, 2:48 pm
  #4  
2019 FlyerTalk Awards
 
Join Date: Aug 2008
Location: Somewhere in Florida
Posts: 1,653
2-factor authentication ain't all that secure. There's plenty of ways to circumvent it. In the OP's case, SMS was how their account got compromised.

BUT...any time something is changed on someone's account profile, they should get an e-mail or similar notification about it.
KRSW is offline  
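KRSW's point that any change to an account profile should trigger a notification is the one the OP's story hinges on: the e-mail address that was replaced is exactly the one that would have warned the real owner. The following is an added example, not Marriott's code; the Profile, ProfileService and field names are assumptions chosen for illustration. It alerts every contact point the account had before the change as well as the new one, so the owner of the replaced address or number still hears about it, and records an audit event for later investigation.

```python
"""Added example (not Marriott's code): profile-change notifications and an audit trail.

Assumption: the account stores an e-mail address and an optional phone number.
Whenever either changes, the service alerts every contact point held BEFORE the
change plus the new one, so the legitimate owner of the replaced address still
hears about it even if the new address belongs to an attacker.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class Profile:
    account_id: str
    email: str
    phone: Optional[str] = None


@dataclass
class Notification:
    channel: str   # "email" or "sms"
    to: str
    message: str


@dataclass
class AuditEvent:
    account_id: str
    field: str
    old_value: Optional[str]
    new_value: Optional[str]
    at: str        # ISO-8601 UTC timestamp


def contact_points(profile: Profile) -> List[Tuple[str, str]]:
    """All channels through which the account can currently be reached."""
    points = [("email", profile.email)]
    if profile.phone:
        points.append(("sms", profile.phone))
    return points


class ProfileService:
    def __init__(self) -> None:
        self.sent: List[Notification] = []   # stand-in for a mail/SMS gateway
        self.audit: List[AuditEvent] = []    # stand-in for an append-only audit log

    def change_contact(self, profile: Profile, field: str, new_value: Optional[str]) -> int:
        """Update `field` ("email" or "phone") and return the number of alerts sent."""
        if field not in ("email", "phone"):
            raise ValueError(f"not a contact field: {field}")
        if field == "email" and not new_value:
            raise ValueError("an account must keep a reachable e-mail address")
        old_value = getattr(profile, field)
        if old_value == new_value:
            return 0

        before = contact_points(profile)      # snapshot BEFORE mutating the profile
        setattr(profile, field, new_value)
        after = contact_points(profile)

        self.audit.append(AuditEvent(profile.account_id, field, old_value, new_value,
                                     datetime.now(timezone.utc).isoformat()))

        message = (f"The {field} on your account was changed. "
                   "If you did not make this change, contact support immediately.")
        recipients: List[Tuple[str, str]] = []
        for point in before + after:          # old contacts first, then the new one
            if point not in recipients:
                recipients.append(point)
        for channel, address in recipients:
            self.sent.append(Notification(channel, address, message))
        return len(recipients)


if __name__ == "__main__":
    # Constructed sample account; replaying the OP's sequence of changes.
    svc = ProfileService()
    acct = Profile("acct-1", "owner@example.com", "+15550100")
    print(svc.change_contact(acct, "email", "new@example.com"), "alerts for e-mail change")
    print(svc.change_contact(acct, "phone", None), "alerts for phone removal")
    for n in svc.sent:
        print(n.channel, n.to)
```

Because the recipient list is built from the pre-change snapshot, an attacker who swaps the e-mail address cannot suppress the alert to the address they replaced; the audit log gives support staff a record of what changed and when, which the OP also found missing.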
Old Mar 18, 19, 2:54 pm
  #5  
 
Join Date: Jan 2010
Posts: 595
Originally Posted by KRSW:
2-factor authentication ain't all that secure. There's plenty of ways to circumvent it. In the OP's case, SMS was how their account got compromised.

BUT...any time something is changed on someone's account profile, they should get an e-mail or similar notification about it.
Depends on the implementation; it can be extremely secure.
mysterym is online now  
Old Mar 18, 19, 4:34 pm
  #6  
Original Poster
 
Join Date: Dec 2007
Location: SFO
Programs: UA Plat and 1MM, Marriott Ti/LTP, Hertz PC
Posts: 798
Originally Posted by mysterym:
Depends on the implementation; it can be extremely secure.
I have been doing a lot of reading on this topic. SMS-based 2FA is not secure at all. This is one article on it. It needs to be app-based or hardware-based. But at the very least, Marriott should (1) send an email alert about any changes made to the account; and (2) use some form of 2FA (even asking a few security questions is better than nothing) while avoiding using SMS.
JBord and KRSW like this.
naumank is offline  
Old Mar 18, 19, 4:57 pm
  #7  
 
Join Date: Jan 2010
Posts: 595
Originally Posted by naumank:
I have been doing a lot of reading on this topic. SMS-based 2FA is not secure at all. This is one article on it. It needs to be app-based or hardware-based. But at the very least, Marriott should (1) send an email alert about any changes made to the account; and (2) use some form of 2FA (even asking a few security questions is better than nothing) while avoiding using SMS.
Yup, app or hardware are very secure.
mysterym is online now  
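The "app-based" second factor that naumank and mysterym prefer over SMS is, in nearly every authenticator app, TOTP (RFC 6238): a code derived from a shared secret and the current time, so nothing travels over the phone network for a SIM swap to intercept. The following is an added example, not Marriott's code or any particular app's; the class and function names are assumptions. It shows the code generation an app performs and a server-side verifier that tolerates a little clock drift while refusing to accept the same code twice.

```python
"""Added example (not Marriott's code): app-based TOTP (RFC 6238) with a verifier
that tolerates small clock drift and refuses to accept a code a second time.

Assumptions: the shared secret is the base32 string an authenticator app would
scan from a QR code; HMAC-SHA1, 30-second steps and 6 digits, the usual defaults.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def key_from_base32(secret: str) -> bytes:
    """Decode the base32 secret shown to the user, tolerating spaces and missing '=' padding."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time. This is what the app shows."""
    return hotp(key, int(for_time) // step, digits)


class TotpVerifier:
    """Server side: accept the current step and +/- `window` neighbouring steps, each at most once."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1   # highest counter accepted so far; persist this per user

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue   # already used or older: blocks replay of an observed code
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 reference secret, base32-encoded as an app would receive it.
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    verifier = TotpVerifier(key)
    code = totp(key, time.time())
    print("app shows", code)
    print("first use accepted:", verifier.verify(code))
    print("replay accepted:", verifier.verify(code))
```

The replay check is the part most home-grown implementations omit: without `last_counter`, a code that an attacker saw over the user's shoulder (or that leaked from a phishing page) stays valid for the whole drift window. The window itself should stay small, one step either side is typical, since each extra step multiplies the number of codes a guess can match.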
Old Mar 18, 19, 5:25 pm
  #8  
 
Join Date: Feb 2017
Programs: DL DM, UA Gold, Alaska MVP, Bonvoy (lol) Ambassador
Posts: 1,923
Originally Posted by naumank:
I have been doing a lot of reading on this topic. SMS-based 2FA is not secure at all. This is one article on it. It needs to be app-based or hardware-based. But at the very least, Marriott should (1) send an email alert about any changes made to the account; and (2) use some form of 2FA (even asking a few security questions is better than nothing) while avoiding using SMS.
I agree that SMS-based 2FA is not super secure - and obviously one should be using, e.g., hardware token authentication for anything important (high-balance bank accounts come to mind). That said, to throw one's hands up in the air and say that SMS 2FA is worthless is throwing the baby out with the bathwater.

Security - just like safety systems in airplanes - relies on defense in depth. There is no single unhackable solution, but things like SMS 2FA significantly increase attack complexity. Right or wrong, many users reuse usernames/emails and passwords across multiple sites. A single breach at another site (if the user has a weak password or if the salting and hashing standards used by the site are subpar) makes it trivial to access a user's account if even weak 2FA like SMS authentication is not used.

For something like a hotel loyalty program - where the prize for hacking is a relatively small gain (point transfers aside, but that leads to its own audit trail and complexity) - login/password + SMS 2FA + real-time fraud analytics/detection is a perfectly valid solution. Would I use that with my bank? No, but it's "good enough" and "convenient enough" for most users in the context of a Marriott login.
ethernal is online now  
Old Mar 18, 19, 8:07 pm
  #9  
 
Join Date: Aug 2012
Location: KHOU + KSFO
Programs: AA EXP | Marriott Bonvoy Ambassador
Posts: 4,225
Originally Posted by mysterym:
Depends on the implementation; it can be extremely secure.
True, but SPG managed to have a giant data hack go on for 4 years and had Windows Server 2000 servers with RDP exposed to the internet.

Odds of successful implementation ~ 0.
Antarius is online now  
Old Mar 18, 19, 11:24 pm
  #10  
Original Poster
 
Join Date: Dec 2007
Location: SFO
Programs: UA Plat and 1MM, Marriott Ti/LTP, Hertz PC
Posts: 798
Originally Posted by ethernal:
I agree that SMS-based 2FA is not super secure - and obviously one should be using, e.g., hardware token authentication for anything important (high-balance bank accounts come to mind). That said, to throw one's hands up in the air and say that SMS 2FA is worthless is throwing the baby out with the bathwater.

Security - just like safety systems in airplanes - relies on defense in depth. There is no single unhackable solution, but things like SMS 2FA significantly increase attack complexity. Right or wrong, many users reuse usernames/emails and passwords across multiple sites. A single breach at another site (if the user has a weak password or if the salting and hashing standards used by the site are subpar) makes it trivial to access a user's account if even weak 2FA like SMS authentication is not used.

For something like a hotel loyalty program - where the prize for hacking is a relatively small gain (point transfers aside, but that leads to its own audit trail and complexity) - login/password + SMS 2FA + real-time fraud analytics/detection is a perfectly valid solution. Would I use that with my bank? No, but it's "good enough" and "convenient enough" for most users in the context of a Marriott login.
I agree with you. My biggest issue is that I didn't get any email alerts about the changes I made to the account (i.e. the change of email and then phone #). If a hacker did this, I would not have known until the next time I log in.
naumank is offline  
Old Mar 20, 19, 5:29 am
  #11  
FlyerTalk Evangelist
 
Join Date: Jan 2007
Location: BOS/UTH
Programs: AA EXP, LT PLT; QR PLT; Bonvoy LT TIT
Posts: 11,560
Originally Posted by naumank:
The email that was associated with my marriott.com account was compromised three days ago. As soon as I discovered it, I changed the email address to a new one on marriott.com. I had a very short window when I could still see emails at my compromised email account, and I didn't see any email confirmation of the change at either my old email or new email account. Then last night, I also removed my mobile number (they got access to my email account through a process called SIM swap) on marriott.com. Again, no email confirmation.

I have logged into marriott.com with my new email address and have been able to log on fine. My profile also lists the new email address correctly. So no harm has been done. However, my concerns are:
  1. Why was there no email confirmation from Marriott for the change of (1) email address; and (2) the phone number?
  2. There's no two-factor authentication I can turn on. Without 2FA, all our accounts are vulnerable.

P.S. I did go into Communications Preferences, and there is no option to turn on account alerts for suspicious activities. How secure are our online accounts with Marriott? Or maybe I have missed something.
So, seems to me that you're not really asking how secure it is. You're really saying that you don't think that it's secure enough.
Dr. HFH is offline  