FlyerTalk Forums

-   -   New Marriott Security Measures (https://www.flyertalk.com/forum/marriott-rewards/1695150-new-marriott-security-measures.html)

Marriott Concierge Jul 15, 2015 1:47 pm

New Marriott Security Measures
 
There has been a large response to the account security email that was sent yesterday. Those of you who mentioned that it was valid are correct (see threads here and here). Account security is more important than ever. In the coming weeks, Marriott will be adding enhanced security features to further protect your account. Taking this one extra step now to update your profile information makes your account even more secure, and will help prevent unauthorized access.

lougord99 Jul 15, 2015 3:19 pm


Originally Posted by Marriott Concierge (Post 25122104)
Taking this one extra step now to update your profile information makes your account even more secure, and will help prevent unauthorized access.

These changes will also help prevent my access. If Marriott thinks that I will be doing 2-step authorization to make a hotel reservation, they are mistaken.

den1k Jul 15, 2015 3:33 pm


Originally Posted by lougord99 (Post 25122564)
These changes will also help prevent my access. If Marriott thinks that I will be doing 2-step authorization to make a hotel reservation, they are mistaken.

++1

joshua362 Jul 15, 2015 4:16 pm


Originally Posted by lougord99 (Post 25122564)
These changes will also help prevent my access. If Marriott thinks that I will be doing 2-step authorization to make a hotel reservation, they are mistaken.

Yes, this is going to suck and be an overreaction. I bet it's limited to redemptions and predict it won't be smooth or easy - just burdensome like trying to log into some banks from an "unrecognized" computer...

dayone Jul 15, 2015 4:25 pm


Originally Posted by lougord99 (Post 25122564)
These changes will also help prevent my access. If Marriott thinks that I will be doing 2-step authorization to make a hotel reservation, they are mistaken.

You're already indignantly objecting before you know how any changes will be executed. My guess is that two-factor authentication will be required for award redemptions, points transfers, profile changes, etc., but not for routine transactions. That's a pretty standard 2FA implementation for e-commerce.

Whatever the changes, I'll reserve judgment until after the facts are known.

Jiatong Jul 15, 2015 5:34 pm

+2
 

Originally Posted by den1k (Post 25122652)
++1

+2

Damn those web-based MBA consultants who work for Marriott, they know how to run the meter!

SkiAdcock Jul 15, 2015 6:23 pm

So does anyone else think it's funny that both of the links Marriott Concierge provided link back to the 2 on FlyerTalk? :rolleyes:

Cheers

SS255 Jul 15, 2015 6:41 pm

Not too long ago my company moved toward 2-factor authentication for many applications. Yes, it's a bit of a rigamarole, but certainly preferable to getting hacked and having to deal with the consequences of a total stranger enjoying the fruits of your labor. ;)

Westcoaster Jul 15, 2015 6:59 pm


Originally Posted by Marriott Concierge (Post 25122104)
...Account security is more important than ever. In the coming weeks, Marriott will be adding enhanced security features to further protect your account. Taking this one extra step now to update your profile information makes your account even more secure, and will help prevent unauthorized access.

Something to consider for the future: Account security is indeed important which is why I'm not going to click on a link in an email asking me to update or verify account info. I was immediately suspicious of the email Marriott sent me because it asked me to click on a link. If Marriott is serious about account security then send me an email asking me to go to the Marriott website on my own and verify/update whatever info is required. Encouraging people to click on links in emails is not indicative of concern regarding security. Just my two cents.

Often1 Jul 15, 2015 7:15 pm

Maybe Marriott should have a zero-liability opt-in. You can use the non-secure single authentication if you want, but you agree to hold Marriott harmless from any liability for a hack.

The people kvetching here will be the first to rant when they lose something.

SkiAdcock Jul 15, 2015 7:35 pm

So basically Marriott is asking you to provide a phone number and email to get ready for their new authentication. Presumably if you already have that and you're happy with it there should be no problem.

Fwiw - I thought Marriott was going to ask for a stronger password. If hackers can already access my account, they'd already have my email and phone number.

Cheers

sdsearch Jul 15, 2015 8:49 pm


Originally Posted by SkiAdcock (Post 25123515)
So basically Marriott is asking you to provide a phone number and email to get ready for their new authentication. Presumably if you already have that and you're happy with it there should be no problem.

Fwiw - I thought Marriott was going to ask for a stronger password. If hackers can already access my account, they'd already have my email and phone number.

Cheers

Didn't they already increase the minimum password length a year or so ago? I remember having to go from 6 to 8 characters.

Anyway, by using a password alone, Marriott seems light-years ahead of IHG Club, which still uses only a PIN, UA, which allows only a PIN despite also having passwords, and even Hilton, which just dropped PIN-only a couple of months ago. An 8-character password (with some rules about how it must be formed) seems light-years ahead of a numeric-only 4-digit PIN!

dougef Jul 16, 2015 6:07 am


Originally Posted by Westcoaster (Post 25123398)
Something to consider for the future: Account security is indeed important which is why I'm not going to click on a link in an email asking me to update or verify account info. I was immediately suspicious of the email Marriott sent me because it asked me to click on a link. If Marriott is serious about account security then send me an email asking me to go to the Marriott website on my own and verify/update whatever info is required. Encouraging people to click on links in emails is not indicative of concern regarding security. Just my two cents.

That was my thought exactly when I got the email. I did not click a link - I went into my account to check / update. Terrible security to ask people to click an email link.

apodo77 Jul 16, 2015 7:10 am


Originally Posted by lougord99 (Post 25122564)
These changes will also help prevent my access. If Marriott thinks that I will be doing 2-step authorization to make a hotel reservation, they are mistaken.

The horror of a possible extra 10-15 seconds to complete an award reservation.

apodo77 Jul 16, 2015 7:15 am


Originally Posted by sdsearch (Post 25123724)
Didn't they already increase the minimum password length a year or so ago? I remember having to go from 6 to 8 characters.

Anyway, by using a password alone, Marriott seems light-years ahead of IHG Club, which still uses only a PIN, UA, which allows only a PIN despite also having passwords, and even Hilton, which just dropped PIN-only a couple of months ago. An 8-character password (with some rules about how it must be formed) seems light-years ahead of a numeric-only 4-digit PIN!

I believe Marriott is at least 8 characters and has to have at least one number and one upper case letter the last time I changed it. May be misremembering that but it was about a month ago.

GUWonder Jul 16, 2015 7:23 am

If I have to do a password update, I'd rather have it be an incidental update after I have gone directly to the marriott.com site on my own instead of being directed there by an emailed link.

The cat and mouse game continues -- in large part because of government and corporate practices, but also because of consumer laziness. This won't put a stop to the cat and mouse games.


Originally Posted by Often1 (Post 25123461)
Maybe Marriott should have a zero-liability opt-in. You can use the non-secure single authentication if you want, but you agree to hold Marriott harmless from any liability for a hack.

I doubt that such an approach would be upheld as legal in all the markets where Marriott operates -- not that Marriott will go to such an anti-consumer extreme as you suggest and let it get to the point of being tested. ;)

SkiAdcock Jul 16, 2015 8:51 am


Originally Posted by SS255 (Post 25123322)
Not too long ago my company moved toward 2-factor authentication for many applications. Yes, it's a bit of a rigamarole, but certainly preferable to getting hacked and having to deal with the consequences of a total stranger enjoying the fruits of your labor. ;)

Well there was a reason your company moved to that; too bad they didn't do it sooner (sorry, couldn't resist :D)


Originally Posted by Westcoaster (Post 25123398)
Something to consider for the future: Account security is indeed important which is why I'm not going to click on a link in an email asking me to update or verify account info. I was immediately suspicious of the email Marriott sent me because it asked me to click on a link. If Marriott is serious about account security then send me an email asking me to go to the Marriott website on my own and verify/update whatever info is required. Encouraging people to click on links in emails is not indicative of concern regarding security. Just my two cents.

Agree.


Originally Posted by sdsearch (Post 25123724)
Didn't they already increase the minimum password length a year or so ago? I remember having to go from 6 to 8 characters.

Anyway, by using a password alone, Marriott seems light-years ahead of IHG Club, which still uses only a PIN, UA, which allows only a PIN despite also having passwords, and even Hilton, which just dropped PIN-only a couple of months ago. An 8-character password (with some rules about how it must be formed) seems light-years ahead of a numeric-only 4-digit PIN!

Agree with most of the above, except the United part. I've only ever used a password with UA, not a PIN.


Originally Posted by apodo77 (Post 25125434)
I believe Marriott is at least 8 characters and has to have at least one number and one upper case letter the last time I changed it. May be misremembering that but it was about a month ago.

I think it has a length requirement & perhaps a symbol or character, but it still accepts lower case on the letters. Last year I switched my password to 14 numbers/letters (no symbol & no caps) & it still works.

Cheers.

goodeats21 Jul 16, 2015 8:53 am


Originally Posted by SkiAdcock (Post 25123515)
So basically Marriott is asking you to provide a phone number and email to get ready for their new authentication. Presumably if you already have that and you're happy with it there should be no problem.

Fwiw - I thought Marriott was going to ask for a stronger password. If hackers can already access my account, they'd already have my email and phone number.

Cheers


Originally Posted by apodo77 (Post 25125420)
The horror of a possible extra 10-15 seconds to complete an award reservation.

Depending on how it is implemented, it can be quite a problem. When my credit union went to enhanced security, they required a phone number to send SMS code...no other option presented. Well for those of us that are global, that is a ridiculous requirement. My phone number changes quite often, depending on where in the world I am and what SIM card(s) are in my phone. They finally relented and allowed the use of an email account instead of a phone number, but it was a pain to get that exception.

I am quite supportive of enhanced security, but design it to work for everyone.

SkiAdcock Jul 16, 2015 9:01 am


Originally Posted by goodeats21 (Post 25125958)

I am quite supportive of enhanced security, but design it to work for everyone.

Agree.

SS255 Jul 16, 2015 9:46 am


Originally Posted by SkiAdcock (Post 25125942)
Well there was a reason your company moved to that; too bad they didn't do it sooner (sorry, couldn't resist :D)


Ouch. :D

But at least it makes the transition to Marriott's 2-factor authentication an easy one.

Where it tends to get tricky is when you are using inflight wifi, and can only use one device at a time. If you want to log into Marriott's site through your laptop, and you have no mechanism for receiving a text on your laptop, you are hosed. I had to have our I.T. department set me up with a special token on my iPhone to enable me to get the code in an off-line environment on my phone, so that I could type it into my laptop while it was connected to the inflight wifi.
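The "special token" SS255 describes is what a time-based one-time-password (TOTP) app does: the phone and the server share a secret, and each derives the same six-digit code from that secret and the current 30-second time slot, so no network connection to the phone is needed. The following is an added example, not code from the post or from Marriott, implementing the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) in Python; the key and the `verify_totp` drift window are illustrative assumptions, and `RFC_TEST_KEY` is the example key from those RFCs.

```python
import hashlib
import hmac
import struct
import time

# Example key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890");
# a real enrolment would generate a random secret per account.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(key, msg, algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time // step), digits)


def verify_totp(key: bytes, candidate: str, for_time=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts codes from the current time slot and
    `window` slots on either side to tolerate clock drift between the
    phone and the server; compares in constant time to avoid timing leaks."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    for c in range(max(counter - window, 0), counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # Phone (offline) and server both compute the same code for the same slot.
    now = time.time()
    code_on_phone = totp(RFC_TEST_KEY, now)
    print("code:", code_on_phone, "accepted:",
          verify_totp(RFC_TEST_KEY, code_on_phone, now))
```

The phone side is `totp()` alone: it needs only the secret and a reasonably accurate clock, which is why the code can be produced with the phone in flight mode. The server side is `verify_totp()`; the drift window is the usual trade-off between tolerating a slightly wrong clock and widening the set of codes an attacker could guess.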

Kingston Jul 16, 2015 11:31 am

I don't have a problem with requiring 2FA, depending on how it's implemented.


Originally Posted by SkiAdcock (Post 25125942)
Agree with most of the above, except the United part. I've only ever used a password with UA, not a PIN.

Whether you use it or not, your UA account has a 4-digit PIN associated with it.
All of them do, even if you didn't set it.
That 4-digit number and your MP # are all it takes to get into your account.

SkiAdcock Jul 16, 2015 12:17 pm


Originally Posted by SS255 (Post 25126278)

Where it tends to get tricky is when you are using inflight wifi, and can only use one device at a time. If you want to log into Marriott's site through your laptop, and you have no mechanism for receiving a text on your laptop, you are hosed. I had to have our I.T. department set me up with a special token on my iPhone to enable me to get the code in an off-line environment on my phone, so that I could type it into my laptop while it was connected to the inflight wifi.

I got a headache reading that.

Cheers.

joshua362 Jul 16, 2015 1:10 pm


Originally Posted by apodo77 (Post 25125420)
The horror of a possible extra 10-15 seconds to complete an award reservation.

The real issue (and I get this problem with banks often) is that you have to give a phone number to receive a voice or text code in order to proceed. Now the entity has your cell phone number and somehow it gets passed to marketers and abused, no matter what your "privacy" preferences are. So I only give out a number I don't care about (which causes more problems...)

apodo77 Jul 16, 2015 2:09 pm


Originally Posted by goodeats21 (Post 25125958)
Depending on how it is implemented, it can be quite a problem. When my credit union went to enhanced security, they required a phone number to send SMS code...no other option presented. Well for those of us that are global, that is a ridiculous requirement. My phone number changes quite often, depending on where in the world I am and what SIM card(s) are in my phone. They finally relented and allowed the use of an email account instead of a phone number, but it was a pain to get that exception.

I am quite supportive of enhanced security, but design it to work for everyone.

I have used the enhanced method on PayPal, Chase and Citi and they always give you the option to have it texted or emailed.
Also on PayPal you can actually bypass it by answering a couple of security questions (only works once before having to use the code).

apodo77 Jul 16, 2015 2:11 pm


Originally Posted by joshua362 (Post 25127563)
The real issue (and I get this problem with banks often) is that you have to give a phone number to receive a voice or text code in order to proceed. Now the entity has your cell phone number and somehow it gets passed to marketers and abused, no matter what your "privacy" preferences are. So I only give out a number I don't care about (which causes more problems...)

The code can be emailed as well if it is like the ones I posted above.

DenverBrian Jul 16, 2015 2:20 pm


Originally Posted by apodo77 (Post 25125420)
The horror of a possible extra 10-15 seconds to complete an award reservation.

Times thousands of customers a day, times 365 days a year, times the growing number of companies going to multi-factor, with minimum password lengths of 14 or 18 characters, upper and lower case required, special characters required, can't be one of your last 24 passwords, must change quarterly, or monthly, or weekly...

The net result is far less productivity, AND far less security, as people go back to the Post-It method of password "security."

Shame on Marriott and other companies for foisting IT security off on its customers.

KRSW Jul 16, 2015 2:26 pm

I find part of the e-mail laughable -- When I'm cracking passwords at my job (fun job), uppercase, numbers, and keyboard symbols are already part of the rainbow tables we use and in our brute-force algorithms in the server farm. I've not run a brute-force with only lowercase characters in over 10 years, probably longer than that.

Length, not complexity, is what stops hackers. In my office we now have a 16-character minimum, but we use pass phrases instead of passwords.


Originally Posted by apodo77 (Post 25125420)
The horror of a possible extra 10-15 seconds to complete an award reservation.

My gripe is that most 2-factor auths are done via SMS (text message for the Yanks). Nice if I'm in my home country, but if I'm abroad I usually have yanked the SIM on my mobile and am using a local SIM instead. Also, depending on what I'm working on, my mobile phone might not be allowed to be carried with me.
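Two posts above make quantitative claims about password strength: sdsearch's that an 8-character password with composition rules is far ahead of a 4-digit PIN, and KRSW's that length rather than character-class complexity is what defeats offline guessing. The following added example (not code from either poster) puts numbers on both by computing the search space and entropy of each policy and the worst-case time for an offline guessing run. The character-class sizes and the 10 billion guesses-per-second rate are assumptions chosen for illustration, not figures from the thread.

```python
import math

# Character-class sizes (assumption: printable ASCII classes).
CLASS_SIZES = {
    "digits": 10,
    "lower": 26,
    "upper": 26,
    "symbols": 33,   # printable ASCII punctuation
}


def alphabet_size(classes):
    """Number of distinct characters available under a policy."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Number of candidate strings an exhaustive search must cover."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """log2 of the keyspace: the usual way to compare policies at a glance."""
    return length * math.log2(alphabet_size(classes))


def worst_case_years(length, classes, guesses_per_second=1e10):
    """Time to exhaust the keyspace at an assumed offline guessing rate
    (illustrative rate; real rates depend on the hash the site uses)."""
    seconds = keyspace(length, classes) / guesses_per_second
    return seconds / (365 * 24 * 3600)


# Policies mentioned in the thread, modelled as (name, length, classes).
POLICIES = [
    ("4-digit PIN",                 4, ["digits"]),
    ("8 chars, upper+lower+digit",  8, ["lower", "upper", "digits"]),
    ("14 chars, lowercase+digits", 14, ["lower", "digits"]),
    ("16-char lowercase passphrase", 16, ["lower"]),
]


def rank_policies(policies=POLICIES):
    """Return policies sorted weakest to strongest by entropy, with figures."""
    rows = [(name, entropy_bits(n, cls), worst_case_years(n, cls))
            for name, n, cls in policies]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for name, bits, years in rank_policies():
        print(f"{name:32s} {bits:6.1f} bits  {years:12.3g} years (worst case)")
```

Running it shows the ordering the posters describe: the 16-character all-lowercase passphrase has more than twice the entropy of the 8-character mixed-class password, and the 4-digit PIN falls to exhaustive search in a fraction of a second at any plausible rate. The caveat a practitioner would add is that this is the exhaustive-search bound; a passphrase built from a few common dictionary words is attacked by word lists rather than character-by-character, so the real margin depends on how the words are chosen.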

KRSW Jul 16, 2015 2:28 pm


Originally Posted by apodo77 (Post 25127843)
The code can be emailed as well if it is like the ones I posted above.

THIS is exactly why I encourage everyone to have the longest pass phrase their e-mail system will allow. Once you get into someone's e-mail, you have their entire life. Just start entering their e-mail addy into various sites, click Forgot Password, and get a fresh one e-mailed to you.

joshua362 Jul 16, 2015 2:44 pm


Originally Posted by KRSW (Post 25127934)
THIS is exactly why I encourage everyone to have the longest pass phrase their e-mail system will allow. Once you get into someone's e-mail, you have their entire life. Just start entering their e-mail addy into various sites, click Forgot Password, and get a fresh one e-mailed to you.

So true. Great advice!

goodeats21 Jul 17, 2015 8:02 am


Originally Posted by apodo77 (Post 25127834)
I have used the enhanced method on PayPal, Chase and Citi and they always give you the option to have it texted or emailed.
Also on PayPal you can actually bypass it by answering a couple of security questions (only works once before having to use the code).

This is what I have now, but as I stated up-thread, it was not offered at program inception. I had to escalate several levels at the Credit Union to get the email option.

At the outset, it was a phone number for an SMS...or nothing.


Originally Posted by KRSW (Post 25127920)

My gripe is that most 2-factor auths are done via SMS (text message for the Yanks). Nice if I'm in my home country, but if I'm abroad I usually have yanked the SIM on my mobile and am using a local SIM instead. Also, depending on what I'm working on, my mobile phone might not be allowed to be carried with me.

This. Exactly true.

jesternl Jul 17, 2015 2:33 pm


Originally Posted by KRSW (Post 25127920)
My gripe is that most 2-factor auths are done via SMS (text message for the Yanks). Nice if I'm in my home country, but if I'm abroad I usually have yanked the SIM on my mobile and am using a local SIM instead. Also, depending on what I'm working on, my mobile phone might not be allowed to be carried with me.

So you are in an environment where a cellphone (oh, sorry, mobile phone for you non yanks :) ) is not allowed...I get that, I've been there, but access to Marriott.com in that same secure zone is not an issue? Not likely.

RogerD408 Jul 17, 2015 2:49 pm


Originally Posted by KRSW (Post 25127920)
...
My gripe is that most 2-factor auths are done via SMS (text message for the Yanks). Nice if I'm in my home country, but if I'm abroad I usually have yanked the SIM on my mobile and am using a local SIM instead. Also, depending on what I'm working on, my mobile phone might not be allowed to be carried with me.

If this is a frequent issue, then maybe look into using a Google Voice number as your MR contact. I do believe you can pick up and send SMS messages via your laptop should the phone not be working or available.

I'm hoping the 2FA will be limited to redemptions only. Otherwise, it's an overkill for a loyalty program.

Texas Booster Jul 17, 2015 10:08 pm

I put a PIN on my account after a friend lost points to some bogus reservations. It isn't 2FA but it adds a slight delay for the question to be asked and answered.

I don't foresee a problem except overseas or in secure installations.

1P Jul 19, 2015 12:38 pm


Originally Posted by Kingston (Post 25126939)
Whether you use it or not, your UA account has a 4-digit PIN associated with it.
All of them do, even if you didn't set it.
That 4-digit number and your MP # are all it takes to get into your account.

This is completely untrue. United have spent the past year and more trying to persuade me and many others to add a PIN to our accounts instead of/in addition to a password, just because pre-merger Continental customers had them. We have steadfastly refused to do so on security grounds. We have never had PINs and will not agree to invent them. My pre-merger United 2-digit 6-letter password is infinitely better security than any 4-digit PIN.

PHLGovFlyer Jul 19, 2015 3:19 pm


Originally Posted by jesternl (Post 25133467)
So you are in an environment where a cellphone (oh, sorry, mobile phone for you non yanks :) ) is not allowed...I get that, I've been there, but access to Marriott.com in that same secure zone is not an issue? Not likely.

It happens. A lot more often than you might imagine.

SkiAdcock Jul 20, 2015 6:43 am


Originally Posted by Texas Booster (Post 25134823)
I put a PIN on my account after a friend lost points to some bogus reservations. It isn't 2FA but it adds a slight delay for the question to be asked and answered.

I don't foresee a problem except overseas or in secure installations.

I added the 4-digit security PIN to my Marriott account so if someone (including me) tries to reserve an award ressie via phone then they have to provide the PIN. My password is also really long.


Originally Posted by 1P (Post 25140671)
This is completely untrue. United have spent the past year and more trying to persuade me and many others to add a PIN to our accounts instead of/in addition to a password, just because pre-merger Continental customers had them. We have steadfastly refused to do so on security grounds. We have never had PINs and will not agree to invent them. My pre-merger United 2-digit 6-letter password is infinitely better security than any 4-digit PIN.

Agree. I've never had a PIN on my United account, although I heard that CO had them. My United password is really long & contains #s/letters. Will it totally protect against a brute force attack? No, but mine has a better chance of surviving it than someone who just has a PIN.

Cheers.

sethb Jul 20, 2015 8:00 am


Originally Posted by SkiAdcock (Post 25123515)
So basically Marriott is asking you to provide a phone number and email to get ready for their new authentication. Presumably if you already have that and you're happy with it there should be no problem.

Fwiw - I thought Marriott was going to ask for a stronger password. If hackers can already access my account, they'd already have my email and phone number.

There's a major difference between someone having (knowing) my phone # or email address, and them being able to read texts sent to them.

Kingston Jul 20, 2015 11:59 am


Originally Posted by 1P (Post 25140671)
This is completely untrue. United have spent the past year and more trying to persuade me and many others to add a PIN to our accounts instead of/in addition to a password, just because pre-merger Continental customers had them. We have steadfastly refused to do so on security grounds. We have never had PINs and will not agree to invent them. My pre-merger United 2-digit 6-letter password is infinitely better security than any 4-digit PIN.

If you say so. It's the same IT system. My money is on you having one, whether you added one or not.

1P Jul 21, 2015 4:03 pm


Originally Posted by Kingston (Post 25145137)
If you say so. It's the same IT system. My money is on you having one, whether you added one or not.

My money says that if I tried to add my own, and I did actually already have one, the system would then lock me out....

JC5280 May 11, 2016 3:40 pm

I attempted a password reset and the whole "we will email you a code" thing put me in an errored loop. Now, when I attempt either the new or old password, I get an error message that they are experiencing technical difficulties. :rolleyes:

