hclee01

It pays to monitor account activity and email regularly to ensure that there are no fraudulent activities on your KF account. Maybe SQ should follow the route as that of CX where a one-time password is needed to add nominees.

Source: CNA

SINGAPORE: When 34-year-old general manager Sherie Low logged into her KrisFlyer account on Sunday (Apr 15), she discovered that the bulk of her frequent flyer miles had been cleaned out under the names of four Russian individuals she did not know.

Of the 76,769 miles she had, just 769 were left.

While there were alerts about the redemptions sent to an email address linked to her Krisflyer account, Ms Low said that the account is inactive and she did not check it.

Ms Low said she thought that KrisFlyer should update its system security. Currently, members can log into their accounts using their membership account number and a six-digit PIN.

"At the very least it should be protected with a one-time password," she said. "They cannot have such a flimsy system that allows hackers to get into accounts so easily and also add nominees so easily."

SMK77

What the customer demands here seems to be a bit unreasonable. Singapore Airlines is protecting the accounts with a 6-digit PIN code and in order to prevent fraud, sends e-mails for any kind of transaction (including adding redemption nominees). She would have received six e-mails in total: three for adding three people and then three ticket confirmations.

Most likely she gave her 6-digit PIN code away by answering to a phishing e-mail. A bit of common sense applies here as well.

Her suggested solution would cost SQ a lot of money as they have to pay for each and every OTP generated. Banks (where OTP are commonly used) are now moving to Apps producing this OTP free of cost and this is something SQ could consider but then I think that the e-mail notification in itself is more than sufficient.

skywardhunter

OTPs can be sent by email, too, no cost.

shuigao

I wouldn't be surprised that her PIN was her birthday,
and that she posted some sort of boarding pass photo to social media that had her KF number uncensored.

LondonElite

This happens more and more. I wish airlines would get on to two-factor authentication.

lokijuh

At the very least, a more sophisticated password could be used. Many airlines have moved to membership number + surname + 8 character password to access FF accounts, some also have challenge questions. One assumes there is a reason for them doing this, and perhaps SQ could move beyond a 6 digit number.

skywardhunter

Any website permitting anything less than 8 characters for such sensitive data is being negligent. The fact TK still use a 6-digit PIN + membership number is also ridiculous. My passwords are generally 30+ characters,incl FF accounts

davidj1

There's breadcrumbs everywhere, and with the support of the various loyalty programs, SIA would be able to track where exactly the miles went and reverse.

Oh wait, program rules are so stringent nothing can be reversed

txflyer77

I've gotta join the bandwagon dumping on SQ here. Any organization that doesn't offer two-factor auth through OTP is simply incompetent today. This is trivial to build.

Add to that the utterly unacceptable six-digit pin used by SQ and we have an organization that clearly needs to rethink its IT security.

SQ is 100% at fault for not making it possible for their customers to keep accounts secure.

This is just barely better than requiring a password. At the end of the day is still one-factor authentication. Challenge questions are a useless attempt at security.

Phaze

How unsurprising that you leap to SQ's unconditional defence. It's Pavlovian at this stage.

If you think a 6-digit number is secure then that pretty much says all one needs to know about your unwavering position as SQ's e-guardian. And speculating about how her pin was discovered only serves to solidify the fact that there is nothing you won't say to paint SQ as the righteous party in any and all scenarios. Why don't you also speculate on how pathetic SQ's IT systems are, as documented all too frequently on this board. Then again, impartiality isn't exactly a defining trait of blind loyalists.

God forbid that a business should have to (shock, horror)... SPEND MONEY in order to secure it's infrastructure and serve it's customers.

onlySIA

Pavlovian isn't quite appropriate, since Pavlov provided rewards to induce the desired behaviour from his dogs, whereas to my knowledge SQ have never done anything to reward those who defend crummy corporate practices.

Personally I would rank improving the core functionality of their website (e.g. speeding up search function and member's area) higher than this kind of one-in-a-million thing. As noted above, it requires someone's membership number to be given away, their PIN to be guessed (or brute forced) and them to overlook all the emails about redemption nominees.

TA

I am an infrequent visitor here, but have mileage with SQ through partners and credit cards. I also find it unbelievable that member numbers and passwords are pure numeric digits. It is not as if any phone function requires touch tone digits-only as a constraint causing this.

SMK77

Look, I am in banking and I am heading a risk function. I can demand all day long to invest millions of dollars to mitigate risks we are facing. It boils down to a question: what is my (monetary) risk if I don't increase my control environment and how much money would I have to spend.

Analysis: How much money has SQ lost last year due to third parties hacking 6 digit passwords? Answer: Zero. How much money does SQ think they will lose this year due to third parties hacking 6 digit passwords? Answer: Zero.

I agree with both your statements that 6-digit-passwords are not state of the art and that SQ's IT is outright pathetic. That doesn't change my assessment that SQ doesn't need to immediately have to drop any other priorities to make their system better. OTP: Assuming one SMS costs SQ 10 Cents and there are 10 million transactions every year. That's 1 million dollars in additional cost to avoid the odd case every year where someone claims they got hacked. Not worth it. Only people who ignore the circumstances and just demand costly action at any price can come up with the demands you are making.

The business of hacking accounts is not a very lucrative one: On the one hand you will get caught most of the times because the juicy accounts (read: accounts with many miles) will have active users monitoring their balances and second you always run the risk that the person who took the flight can be traced down. It's not surprising that the number of fraud cases are very limited.

Where SQ establishes that someone attacked the account, they will surely reimburse. Unless the number of claims and investigations reaches a dimension that warrants action, I am fully with SQ to accept the risk as is and not spend any money.

txflyer77

An SMS costs nowhere near 10 cents. They'd be paying under half a penny each, easily. (I work for the largest sender of SMS in the world. This is a cheap and solved problem) Even leaving aside 2FA, there is no ongoing opex to using actual passwords over six-digit PINs.

SQ has more than just a fiscal responsibility. They have a responsibility to their customers to protect their privacy. Jealous ex manages to get into an SQ account, figure out when someone is out of the country and uses that to ramsack the place. Intelligence agencies have used FF accounts to track persons-of-interest.

The age of this cavalier attitude is coming to a close. SQ is being negligent, full stop.

With the EU's GDPR requirements coming into effect next month, SQ's pathetic approach here could easily land them in hot water with regulators with fines that could top half a billion USD for SQ. (Yes, GDPR applies to companies outside the EU who do business with EU persons)

TravelwhileyouEat

I know it's been discussed before, but I still don't know why the PIN for a KF account is 6-digits instead of alphanumeric like soooooo many other accounts from FFPs, to Banking, to emails, to whatever... (same goes with IHG's 4-digit PIN). I doubt it would cost them 'crazy millions' to re-do this (else CX MPC and AM moving from a pin to a password would have been a big issue for their management).

I agree with txflyer77, SQ may fall on the wrong side of new requirements because they want to save a few million to set up some form of 2FA or even some manpower to re-write the PIN into a password. It's not just the EU looking into these requirements as other countries are also considering some form of legislation to the same or lesser effect.