Loyalty fraud

Old Dec 6, 2012 | 6:12 am
  #1  
Original Poster
Moderator: Lufthansa Miles & More, India based airlines, India, External Miles & Points Resources
Join Date: Dec 2002
Location: MUC
Programs: LH SEN
Posts: 52,637
Loyalty fraud

Christopher Staab of Airline Information just pointed me to an article about loyalty fraud:
http://www.tnooz.com/2012/11/29/news...mber_191725636

At first I was curious thinking it deals with folks bending the rule within the rules (I hear some of them frequent this forum ) and selling awards like mileage brokers etc, but this article focuses more on crooks getting hold of loyalty program access data and then draining accounts to redeem rewards. (OK the selling of an award via ebay in the article is bovine residue...)

Recently I saw David Armano tweet that his thank you point account was (cr)hacked into, but in general I don't see many reports of fraud happening to FTers. What are your experiences?
oliver2002 is offline  
Old Dec 6, 2012 | 6:46 am
  #2  
Join Date: Oct 2009
Location: Land of the parrots and parrotheads
Programs: Several dozen
Posts: 4,820
So far no losses for me, but as an internal control professional I do see most of the cracks and failures in the related bank, airline and point systems. This includes banks releasing other customers' information, using 4-digit PINs, developing security enhancements that don't work, or in my case, "enhancements" that allowed my 17 year old to "root" all my bank accounts at one institution.

My advice is to watch over your accounts carefully and firewall your passwords (make them all different) so that if one account is compromised the rest do not fall like dominoes. Also, when asked for answers to challenge questions, like your mother's maiden name, come up with an answer that is not your mother's maiden name. It is all too easy to find your high school name, your prior address, your mother's maiden name, etc. these days.

So long as folks here color within the lines no harm, no foul. But there is a world full of people out there who don't even see the lines.

Originally Posted by oliver2002
Christopher Staab of Airline Information just pointed me to an article about loyalty fraud:
http://www.tnooz.com/2012/11/29/news...mber_191725636

At first I was curious thinking it deals with folks bending the rule within the rules (I hear some of them frequent this forum ) and selling awards like mileage brokers etc, but this article focuses more on crooks getting hold of loyalty program access data and then draining accounts to redeem rewards. (OK the selling of an award via ebay in the article is bovine residue...)
AlohaDaveKennedy is offline  
Old Dec 6, 2012 | 6:57 am
  #3  
Join Date: Jun 2012
Location: DCA
Programs: SPG, HHonors
Posts: 243
Originally Posted by AlohaDaveKennedy
Also, when asked for answers to challenge questions, like your mother's maiden name, come up with an answer that is not your mother's maiden name. It is all too easy to find your high school name, your prior address, your mother's maiden name, etc. these days.
This is especially good advice. The answers to my challenge questions actually never have anything to do with the question itself.

Street Number Where I Grew Up? Corey Feldman.

The trick is remembering the answers to the challenge questions...
elBulli is offline  
Old Dec 6, 2012 | 7:00 am
  #4  
Join Date: May 2010
Posts: 2,998
Originally Posted by elBulli
This is especially good advice. The answers to my challenge questions actually never have anything to do with the question itself.

Street Number Where I Grew Up? Corey Feldman.

The trick is remembering the answers to the challenge questions...
Use the same answer

If it's obscure enough, it won't matter what the actual answer is
Stoughton is offline  
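The advice in posts #2 to #4 treats a challenge question as a second password. Below is an added example (not from any poster in this thread) of both halves of that: on the member's side, an answer that is random and different for every program, so a leak at one site reveals nothing usable at another; on the program's side, the verifier that should sit behind the question, storing only a salted scrypt hash and folding case and whitespace before comparing. The site names, question text and `reuse_exposure` helper are constructed for illustration.

```python
"""Added example, not from the thread: a 'security question' handled as a
second password. Sites, questions and helper names are illustrative."""
import hashlib
import os
import secrets
import unicodedata

# scrypt cost: 16 MiB working set; maxmem raised so OpenSSL does not refuse it.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024)


def random_answer(nbytes: int = 12) -> str:
    """Member side: an answer with no relation to the question and no
    relation to any other site's answer (keep it in the password manager)."""
    return secrets.token_urlsafe(nbytes)


def make_answers(sites, questions) -> dict:
    """One independent answer per (site, question)."""
    return {(site, q): random_answer() for site in sites for q in questions}


def reuse_exposure(answers: dict, leaked_site: str) -> int:
    """How many (site, question) answers at OTHER sites a plaintext leak at
    `leaked_site` also reveals. Independent answers give 0; one answer used
    everywhere gives all of them."""
    leaked = {a for (s, _), a in answers.items() if s == leaked_site}
    return sum(1 for (s, _), a in answers.items()
               if s != leaked_site and a in leaked)


def normalize(answer: str) -> str:
    """Program side: fold case and whitespace so 'Corey  Feldman' and
    'corey feldman' match; this does not weaken a random answer."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer: str) -> dict:
    """Program side: keep only a salted, memory-hard hash, never the text,
    so a database leak does not hand out the answers themselves."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(answer).encode(), salt=salt, **SCRYPT)
    return {"salt": salt, "hash": digest}


def verify_answer(record: dict, attempt: str) -> bool:
    """Constant-time comparison of the recomputed hash against the record."""
    digest = hashlib.scrypt(normalize(attempt).encode(),
                            salt=record["salt"], **SCRYPT)
    return secrets.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    answers = make_answers(["airline", "hotel", "bank"], ["maiden name"])
    print("independent answers, leak at airline exposes:",
          reuse_exposure(answers, "airline"))
    rec = store_answer("Corey Feldman")
    print("verify:", verify_answer(rec, "  corey FELDMAN "))
```

The `reuse_exposure` count is the thing to look at when deciding between one shared answer and one answer per program: with independent answers a leak at one program is contained to that program, which is the same reasoning as not reusing passwords.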
Old Dec 6, 2012 | 7:10 am
  #5  
FlyerTalk Evangelist
Join Date: May 2001
Location: MSY; 2-time FT Fantasy Football Champ, now in recovery.
Programs: AA lifetime GLD; UA Silver; Marriott LTTE; IHG Plat,
Posts: 14,813
Long thread here about IHG Priority Club theft:
http://www.flyertalk.com/forum/inter...int-theft.html
swag is offline  
Old Dec 6, 2012 | 7:31 am
  #6  
Original Poster
Moderator: Lufthansa Miles & More, India based airlines, India, External Miles & Points Resources
Join Date: Dec 2002
Location: MUC
Programs: LH SEN
Posts: 52,637
Opening a second line of thought: in the above context I'm amazed people give away the PINs/passwords to their loyalty programme to third party websites in order to track the size of their stash. Has any of you heard about such data being compromised and who bears responsibility if it happens?
oliver2002 is offline  
Old Dec 6, 2012 | 7:37 am
  #7  
Join Date: Jun 2012
Location: DCA
Programs: SPG, HHonors
Posts: 243
I try to be as careful as possible. For example, with the bckstgr thing the other day for 1,000 UA miles, I changed my UA password, then signed up and linked my fake Facebook/Twitter/Foursquare accounts, then changed my UA password back. So bckstgr only had a temp password for UA and only for a short period.

In the case of sites like awardwallet, I give up some security for lots of convenience.
elBulli is offline  
Old Dec 6, 2012 | 7:52 am
  #8  
Join Date: Feb 2010
Location: US
Programs: (PM)AA SPG (Marriott), Hilton
Posts: 1,040
I doubt that banks and airlines are reading this, but in case they are, or anyone else in a position of influence is, two helpful solutions to fraud would be:
1) One time password solutions
eBay and PayPal offer this today via a hardware fob, with a bypass in case you have an issue. I think they charge you $5 or $10 for the fob. The Fastmail email service offers you the option of a hardware key or a number of pre-generated one-time passwords. I think some banks may have implemented the RSA solution.
2) Account Privilege Levels
Instead of one password and set of access rights, let me have two or maybe three. One read-only password and privilege level for balance queries, another higher one for moving money around, making changes or generating a one time CC number; in the case of FF programs, redemption or changing an existing flight booking. Possibly a 3rd rarely used for certain events such as fraud prevention override.
reft is offline  
Old Dec 6, 2012 | 11:06 am
  #9  
Join Date: Mar 2004
Location: MSY
Programs: NW Gold and now Delta Gold
Posts: 3,072
These are all absolutely terrible suggestions. No offense, guys. I realize they are the standard suggestions, and you mean every good thing by offering them. But there is lots of evidence that more and tougher passwords don't work, more and tougher security questions don't work, and so on. Why is that? Pretty simple. The human brain.

Nobody over the age of 23 or so can remember multiple passwords. Having a different password for every account is guaranteed hours lost out of your week every month -- if not every week. "Where do you go to high school? Corey Feldman." Like you're going to remember THAT eight years (or even 8 months) later. I remember once chewing out my broker. "It won't let me log in because it wants to know my favorite movie. Hello, I'm an adult? I don't have a favorite movie." Later, when I realized what it was, I felt pretty foolish. I could have googled myself on the internet and found out what it was. Everybody in the world could have answered that question...except me. [Don't get excited, bad guys. I gave up on jumping through hoops every time I wanted to make a trade and closed the account.]

The more passwords, the more questions...the more your account is available only to the evil doer while you can't get into it yourself. You can't store all this garbage in retrievable form in the human brain so there must be some kind of storage system, on your computer, scribbled on a piece of paper, or whatever. Each of these systems leaves you vulnerable to being attacked, while providing an increasingly higher difficulty in you being able to use the program. Meanwhile, because you must have the information at your fingertips, the information is 1) very easy for family members, housekeepers, and other people who have access to your home to steal, and 2) the bank, CC company, etc. will NOT protect you --instead, they will threaten to prosecute you for fraud for giving the password to someone else and presumably splitting the proceeds.

I know a victim very well who is still paying off what her daughter stole from her and she'll be paying off this debt for the rest of her life. On a credit card that would have had zero liability if some stranger in eastern Europe had stolen the money. Making these passwords etc. more difficult does not help older and vulnerable people. It hurts them. Because the company comes back and says, "Well, you must have given her the information because nobody would just figure out, 'where did you go to high school' 'corey feldman.'" And older people don't have enough time left to go to court and hope justice is done...

I won't say I know all the answers. I will say that I know what DOESN'T work. Making the internet, online payment systems, banking, loyalty programs, etc more and more difficult for busy and older people to use DOESN'T work. That's why more and more people give up and give their passwords over to third party services. When you have someone else control your "wallet," you are responsible and you are out the money, miles, etc. any time you turn your password over to somebody else. I don't think there is any real legal debate about this. I could be wrong. But from what I've seen, all the business in question has to do is point out that you shared your password, and if your account is mis-used, it's YOUR problem. And if it's a family member who got the log in information, even if they stole it by snooping, because it was too much for you to remember so you had to record it SOMEWHERE...the company will CLAIM you shared it, and it will be a "he said, she said" situation.

Not to single out anyone's suggestion, but the idea of having 3 passwords to log into an airline loyalty program is just...ridiculous. Frustrating, time wasting, and, really, just not the way to treat older and busy customers who do have money to spend and shouldn't be forced to jump through endless hoops like trained seals.
peachfront is offline  
Old Dec 6, 2012 | 11:06 am
  #10  
Join Date: Oct 2009
Location: Land of the parrots and parrotheads
Programs: Several dozen
Posts: 4,820
Indeed. That bunch has especially poor internal controls IMHPO.


Originally Posted by swag
Long thread here about IHG Priority Club theft:
http://www.flyertalk.com/forum/inter...int-theft.html
AlohaDaveKennedy is offline  
Old Dec 6, 2012 | 11:11 am
  #11  
Join Date: Oct 2009
Location: Land of the parrots and parrotheads
Programs: Several dozen
Posts: 4,820
Agree with #2 but for #1 I like the idea of a one-time code being sent to your cell phone.

There is a major bank out there which uses a defective process to require you to enter information from one of their issued cards. That scheme is fatally flawed and a poster child for what not to do.

Originally Posted by reft
I doubt that banks and airlines are reading this, but in case they are, or anyone else in a position of influence is, two helpful solutions to fraud would be:
1) One time password solutions
eBay and PayPal offer this today via a hardware fob, with a bypass in case you have an issue. I think they charge you $5 or $10 for the fob. The Fastmail email service offers you the option of a hardware key or a number of pre-generated one-time passwords. I think some banks may have implemented the RSA solution.
2) Account Privilege Levels
Instead of one password and set of access rights, let me have two or maybe three. One read-only password and privilege level for balance queries, another higher one for moving money around, making changes or generating a one time CC number; in the case of FF programs, redemption or changing an existing flight booking. Possibly a 3rd rarely used for certain events such as fraud prevention override.
AlohaDaveKennedy is offline  
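Suggestion 2) above (a read-only level for balance queries, a higher one for redemptions, a rarely used third) is least privilege applied to a loyalty login. As an added example, not code from any poster or any programme, here is one way a site could implement it: a session token carries the member id and a scope under an HMAC tag, and every operation states the minimum scope it needs. A balance tracker would be issued a `read` token and could never redeem, even if that tracker were breached. The member id, balance, key and scope names are constructed for illustration, and `tamper_scope` shows what happens when someone holding a read-only token edits the scope field.

```python
"""Added example, not from the thread: scoped tokens implementing account
privilege levels. Member id, key and scope names are illustrative."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Ordered levels: a token at a higher level may do everything below it.
SCOPE_RANK = {"read": 1, "redeem": 2, "override": 3}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_token(member: str, scope: str, key: bytes) -> str:
    """Server issues payload.tag; the tag binds member and scope to `key`.
    The '.' separator is safe because urlsafe base64 never contains it."""
    if scope not in SCOPE_RANK:
        raise ValueError("unknown scope")
    payload = json.dumps({"member": member, "scope": scope},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def parse_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the tag verifies; any malformed or
    tampered token yields None rather than an exception."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def tamper_scope(token: str, new_scope: str) -> str:
    """What a holder of a read-only token might try: rewrite the scope in
    the payload and keep the old tag. parse_token rejects the result."""
    p64, t64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(p64))
    claims["scope"] = new_scope
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + t64


class LoyaltyAccount:
    """Each operation names the minimum scope it needs."""

    def __init__(self, member: str, balance: int, key: bytes):
        self.member, self.balance, self.key = member, balance, key

    def authorize(self, token: str, needed: str) -> bool:
        claims = parse_token(token, self.key)
        if claims is None or claims.get("member") != self.member:
            return False
        return SCOPE_RANK.get(claims.get("scope"), 0) >= SCOPE_RANK[needed]

    def balance_query(self, token: str) -> int:
        if not self.authorize(token, "read"):
            raise PermissionError("read scope required")
        return self.balance

    def redeem(self, token: str, points: int) -> int:
        if not self.authorize(token, "redeem"):
            raise PermissionError("redeem scope required")
        if not 0 < points <= self.balance:
            raise ValueError("invalid or insufficient points")
        self.balance -= points
        return self.balance


if __name__ == "__main__":
    key = b"\x00" * 32  # illustrative; a real server would use a random key
    acct = LoyaltyAccount("FT12345", 50000, key)
    ro = issue_token("FT12345", "read", key)
    print("read token can query:", acct.balance_query(ro))
    print("read token can redeem:", acct.authorize(ro, "redeem"))
    print("edited scope still accepted:",
          acct.authorize(tamper_scope(ro, "redeem"), "read"))
```

The practical consequence for the third-party-tracker question raised earlier in the thread is that a programme offering only a single all-powerful login gives the member no way to hand out anything less than full control.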
Old Dec 6, 2012 | 11:29 am
  #12  
Join Date: Apr 2012
Location: PAE
Programs: National Exec Elite, Hilton Diamond, Hyatt Globalist
Posts: 79
Originally Posted by elBulli
Street Number Where I Grew Up? Corey Feldman.
LOL this is awesome.
The OS is offline  
Old Dec 6, 2012 | 11:29 am
  #13  
Join Date: Oct 2009
Location: Land of the parrots and parrotheads
Programs: Several dozen
Posts: 4,820
Not terrible. You just need to think like a computer. You don't remember the actual password, just the location of the password. Let's say my car is insured by Geico and is a Cooper. I can write down "Geico1" (as a pseudo index value) and when I see "Geico1" I retrieve the password "Cooper1." For challenge questions you can come up with a standard set of responses like "Garbage One," "Garbage Two" and "Garbage Three."

And FTR I am just slightly over the age of 23 and still get carded. But now it is for my AARP card.

Originally Posted by peachfront
These are all absolutely terrible suggestions. No offense, guys. I realize they are the standard suggestions, and you mean every good thing by offering them. But there is lots of evidence that more and tougher passwords don't work, more and tougher security questions don't work, and so on. Why is that? Pretty simple. The human brain.
AlohaDaveKennedy is offline  
Old Dec 6, 2012 | 11:45 am
  #14  
Join Date: Apr 2012
Location: PAE
Programs: National Exec Elite, Hilton Diamond, Hyatt Globalist
Posts: 79
Originally Posted by peachfront
These are all absolutely terrible suggestions. No offense, guys. I realize they are the standard suggestions, and you mean every good thing by offering them. But there is lots of evidence that more and tougher passwords don't work, more and tougher security questions don't work, and so on. Why is that? Pretty simple. The human brain.
So, the premise of that novel of a post is that you're old and don't want to jump through hoops, despite the heightened fraud risk. Multifactor authentication IS the wave of the future. If the internet is so complicated for you at this point where you think that having multiple passwords is a worse alternative than potentially losing the points/miles that you worked to obtain (but aren't worth anything until you redeem, as most of the companies will tell you in a fraud case), then you're increasing the risk of fraud happening to you, and likely aren't taking proper safeguards elsewhere either. It's probably a good idea to step away from the computer, if this is truly the case.

It's like what happened to a number of Priority Club members when they allowed you to buy gift cards online with PC points. People who either worked for the hotels or someone staying at the hotel got access to your name and PC account number, and then it's pretty easy after that. Give them your email address too, and you might as well hand them the keys to the Caddy. It's way too easy to reset many of these loyalty program logins, and if they're as valuable to you as your money in the bank, then you'd be in favor of more restrictive password requirements from these companies.

They're not terrible suggestions in the least, and there are easy ways to maintain passwords secretly, even without using a pw management site. However, until the companies update their websites to bring their password authentication to the 21st century, there will still be heightened risk. PC, Delta and United are the worst, as far as I'm concerned.
The OS is offline  
Old Dec 6, 2012 | 12:16 pm
  #15  
Join Date: Oct 2010
Location: Santa Barbara, CA
Posts: 1,277
I use 1Password. Don't know how I ever lived without it. I now remember just one password: my 1Password master password. The rest I don't know, or want to know. It auto-generates them, I copy and paste. I use the browser plugin to auto-fill. It's got a notes section on each login so you can put in your incorrect security question answers.

Passwords are stored, encrypted, on Dropbox, so it syncs up to my desktop, laptop, Android phone (Android is read-only at the moment, but I can get my passwords and use them, so it's good enough.)

I do wish everyone would get rid of 4-digit PINs, and let us use real passwords everywhere.
penner42 is offline  