
SIA investigating after woman loses 76,000 KrisFlyer miles in alleged


Old Apr 17, 18, 9:08 pm
  #1  
Original Poster
 
Join Date: Aug 2003
Location: Singapore
Programs: SIA PPS, OZ Asiana Club, CX MPC, IHG Royal Amb, SPG Gold, Hilton Silver
Posts: 1,998
SIA investigating after woman loses 76,000 KrisFlyer miles in alleged

It pays to monitor account activity and email regularly to ensure that there are no fraudulent activities on your KF account. Maybe SQ should follow the same route as CX, where a one-time password is needed to add nominees.

Source: CNA

SINGAPORE: When 34-year-old general manager Sherie Low logged into her KrisFlyer account on Sunday (Apr 15), she discovered that the bulk of her frequent flyer miles had been cleaned out under the names of four Russian individuals she did not know.

Of the 76,769 miles she had, just 769 were left.

While there were alerts about the redemptions sent to an email address linked to her Krisflyer account, Ms Low said that the account is inactive and she did not check it.

Ms Low said she thought that KrisFlyer should update its system security. Currently, members can log into their accounts using their membership account number and a six-digit PIN.

"At the very least it should be protected with a one-time password," she said. "They cannot have such a flimsy system that allows hackers to get into accounts so easily and also add nominees so easily."
Old Apr 19, 18, 12:21 am
  #2  
 
Join Date: Apr 2005
Programs: Lifetime Globalist
Posts: 2,872
What the customer demands here seems to be a bit unreasonable. Singapore Airlines is protecting the accounts with a 6-digit PIN code and in order to prevent fraud, sends e-mails for any kind of transaction (including adding redemption nominees). She would have received six e-mails in total: three for adding three people and then three ticket confirmations.

Most likely she gave her 6-digit PIN code away by answering to a phishing e-mail. A bit of common sense applies here as well.

Her suggested solution would cost SQ a lot of money as they have to pay for each and every OTP generated. Banks (where OTP are commonly used) are now moving to Apps producing this OTP free of cost and this is something SQ could consider but then I think that the e-mail notification in itself is more than sufficient.
davidj1, onlySIA and E55 like this.
Old Apr 19, 18, 12:26 am
  #3  
Suspended
 
Join Date: Oct 2015
Location: Economy, mostly :(
Programs: Skywards Gold
Posts: 7,766
Originally Posted by SMK77 View Post
What the customer demands here seems to be a bit unreasonable. Singapore Airlines is protecting the accounts with a 6-digit PIN code and in order to prevent fraud, sends e-mails for any kind of transaction (including adding redemption nominees). She would have received six e-mails in total: three for adding three people and then three ticket confirmations.

Most likely she gave her 6-digit PIN code away by answering to a phishing e-mail. A bit of common sense applies here as well.

Her suggested solution would cost SQ a lot of money as they have to pay for each and every OTP generated. Banks (where OTP are commonly used) are now moving to Apps producing this OTP free of cost and this is something SQ could consider but then I think that the e-mail notification in itself is more than sufficient.
OTPs can be sent by email, too, no cost.
Old Apr 19, 18, 1:31 am
  #4  
 
Join Date: Mar 2015
Programs: HH Diamond, IHG Plat, GHA Black
Posts: 1,855
I wouldn't be surprised that her PIN was her birthday, and that she posted some sort of boarding pass photo to social media that had her KF number uncensored.
natbam and davidj1 like this.
Old Apr 19, 18, 1:51 am
  #5  
FlyerTalk Evangelist
 
Join Date: Mar 2002
Location: Berlin, SW Florida, and Toronto
Programs: UA 1K, Hilton Diamond, Discovery Black, and assorted others
Posts: 27,118
This happens more and more. I wish airlines would get on to two-factor authentication.
Silver Fox likes this.
Old Apr 19, 18, 6:43 am
  #6  
 
Join Date: May 2003
Location: Singapore
Programs: QF LTG, SQ EGTP, MH Silver, SPG Gold
Posts: 4,225
At the very least, a more sophisticated password could be used. Many airlines have moved to membership number + surname + 8 character password to access FF accounts, some also have challenge questions. One assumes there is a reason for them doing this, and perhaps SQ could move beyond a 6 digit number.
Old Apr 19, 18, 8:01 am
  #7  
Suspended
 
Join Date: Oct 2015
Location: Economy, mostly :(
Programs: Skywards Gold
Posts: 7,766
Originally Posted by lokijuh View Post
At the very least, a more sophisticated password could be used. Many airlines have moved to membership number + surname + 8 character password to access FF accounts, some also have challenge questions. One assumes there is a reason for them doing this, and perhaps SQ could move beyond a 6 digit number.
Any website permitting anything less than 8 characters for such sensitive data is being negligent. The fact TK still use a 6-digit PIN + membership number is also ridiculous. My passwords are generally 30+ characters, incl. FF accounts.
Old Apr 19, 18, 3:56 pm
  #8  
 
Join Date: Feb 2017
Programs: MM, Krisflyer, QFF, VFF
Posts: 265
Originally Posted by hclee01 View Post
she discovered that the bulk of her frequent flyer miles had been cleaned out under the names of four Russian individuals she did not know.
There's breadcrumbs everywhere, and with the support of the various loyalty programs, SIA would be able to track where exactly the miles went and reverse.

Oh wait, program rules are so stringent nothing can be reversed
Old Apr 19, 18, 10:52 pm
  #9  
 
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,354
I've gotta join the bandwagon dumping on SQ here. Any organization that doesn't offer two-factor auth through OTP is simply incompetent today. This is trivial to build.

Add to that the utterly unacceptable six-digit pin used by SQ and we have an organization that clearly needs to rethink its IT security.

SQ is 100% at fault for not making it possible for their customers to keep accounts secure.

Originally Posted by lokijuh View Post
At the very least, a more sophisticated password could be used. Many airlines have moved to membership number + surname + 8 character password to access FF accounts, some also have challenge questions. One assumes there is a reason for them doing this, and perhaps SQ could move beyond a 6 digit number.
This is just barely better than requiring a password. At the end of the day it is still one-factor authentication. Challenge questions are a useless attempt at security.
Old Apr 20, 18, 3:14 pm
  #10  
 
Join Date: Jul 2015
Posts: 971
Originally Posted by SMK77 View Post
What the customer demands here seems to be a bit unreasonable. Singapore Airlines is protecting the accounts with a 6-digit PIN code and in order to prevent fraud, sends e-mails for any kind of transaction (including adding redemption nominees). She would have received six e-mails in total: three for adding three people and then three ticket confirmations.

Most likely she gave her 6-digit PIN code away by answering to a phishing e-mail. A bit of common sense applies here as well.

Her suggested solution would cost SQ a lot of money as they have to pay for each and every OTP generated. Banks (where OTP are commonly used) are now moving to Apps producing this OTP free of cost and this is something SQ could consider but then I think that the e-mail notification in itself is more than sufficient.
How unsurprising that you leap to SQ's unconditional defence. It's Pavlovian at this stage.

If you think a 6-digit number is secure then that pretty much says all one needs to know about your unwavering position as SQ's e-guardian. And speculating about how her pin was discovered only serves to solidify the fact that there is nothing you won't say to paint SQ as the righteous party in any and all scenarios. Why don't you also speculate on how pathetic SQ's IT systems are, as documented all too frequently on this board. Then again, impartiality isn't exactly a defining trait of blind loyalists.

God forbid that a business should have to (shock, horror)... SPEND MONEY in order to secure its infrastructure and serve its customers.
Old Apr 21, 18, 9:13 pm
  #11  
 
Join Date: Oct 2016
Programs: Krisflyer
Posts: 251
Originally Posted by Phaze View Post
How unsurprising that you leap to SQ's unconditional defence. It's Pavlovian at this stage.
Pavlovian isn't quite appropriate, since Pavlov provided rewards to induce the desired behaviour from his dogs, whereas to my knowledge SQ have never done anything to reward those who defend crummy corporate practices.

Personally I would rank improving the core functionality of their website (e.g. speeding up search function and member's area) higher than this kind of one-in-a-million thing. As noted above, it requires someone's membership number to be given away, their PIN to be guessed (or brute forced) and them to overlook all the emails about redemption nominees.
davidj1 and TravelwhileyouEat like this.
Old Apr 27, 18, 12:21 am
  #12  
TA
 
Join Date: Nov 1999
Location: if it's Thursday, this must be Belgium
Programs: UA 1K MM
Posts: 6,205
I am an infrequent visitor here, but have mileage with SQ through partners and credit cards. I also find it unbelievable that member numbers and passwords are pure numeric digits. It is not as if any phone function requires touch tone digits-only as a constraint causing this.
Old Apr 27, 18, 1:30 am
  #13  
 
Join Date: Apr 2005
Programs: Lifetime Globalist
Posts: 2,872
Originally Posted by Phaze View Post
How unsurprising that you leap to SQ's unconditional defence. It's Pavlovian at this stage.

If you think a 6-digit number is secure then that pretty much says all one needs to know about your unwavering position as SQ's e-guardian. And speculating about how her pin was discovered only serves to solidify the fact that there is nothing you won't say to paint SQ as the righteous party in any and all scenarios. Why don't you also speculate on how pathetic SQ's IT systems are, as documented all too frequently on this board. Then again, impartiality isn't exactly a defining trait of blind loyalists.

God forbid that a business should have to (shock, horror)... SPEND MONEY in order to secure its infrastructure and serve its customers.
Look, I am in banking and I am heading a risk function. I can demand all day long to invest millions of dollars to mitigate risks we are facing. It boils down to a question: what is my (monetary) risk if I don't increase my control environment and how much money would I have to spend.

Analysis: How much money has SQ lost last year due to third parties hacking 6 digit passwords? Answer: Zero. How much money does SQ think they will lose this year due to third parties hacking 6 digit passwords? Answer: Zero.

I agree with both your statements that 6-digit-passwords are not state of the art and that SQ's IT is outright pathetic. That doesn't change my assessment that SQ doesn't immediately have to drop any other priorities to make their system better. OTP: Assuming one SMS costs SQ 10 Cents and there are 10 million transactions every year. That's 1 million dollars in additional cost to avoid the odd case every year where someone claims they got hacked. Not worth it. Only people who ignore the circumstances and just demand costly action at any price can come up with the demands you are making.

The business of hacking accounts is not a very lucrative one: On the one hand you will get caught most of the time because the juicy accounts (read: accounts with many miles) will have active users monitoring their balances and second you always run the risk that the person who took the flight can be traced down. It's not surprising that the number of fraud cases is very limited.

Where SQ establishes that someone attacked the account, they will surely reimburse. Unless the number of claims and investigations reaches a dimension that warrants action, I am fully with SQ to accept the risk as is and not spend any money.
HVB3172 likes this.
Old Apr 27, 18, 8:04 am
  #14  
 
Join Date: Mar 2012
Location: Boulder
Programs: AA Plat, CX Silver
Posts: 2,354
An SMS costs nowhere near 10 cents. They'd be paying under half a penny each, easily. (I work for the largest sender of SMS in the world. This is a cheap and solved problem) Even leaving aside 2FA, there is no ongoing opex to using actual passwords over six-digit PINs.

SQ has more than just a fiscal responsibility. They have a responsibility to their customers to protect their privacy. Jealous ex manages to get into an SQ account, figure out when someone is out of the country and uses that to ransack the place. Intelligence agencies have used FF accounts to track persons-of-interest.

The age of this cavalier attitude is coming to a close. SQ is being negligent, full stop.

With the EU's GDPR requirements coming into effect next month, SQ's pathetic approach here could easily land them in hot water with regulators with fines that could top half a billion USD for SQ. (Yes, GDPR applies to companies outside the EU who do business with EU persons)
Silver Fox likes this.
Old Apr 27, 18, 8:29 pm
  #15  
 
Join Date: Sep 2016
Location: MNL / SFO / NYC
Programs: IHG Spire | Marriott Plat | UA Plat | AA Plat Pro
Posts: 533
I know it's been discussed before, but I still don't know why the PIN for a KF account is 6-digits instead of alphanumeric like soooooo many other accounts from FFPs, to Banking, to emails, to whatever... (same goes with IHG's 4-digit PIN). I doubt it would cost them 'crazy millions' to re-do this (else CX MPC and AM moving from a pin to a password would have been a big issue for their management).

I agree with txflyer77, SQ may fall on the wrong side of new requirements because they want to save a few million to set up some form of 2FA or even some manpower to re-write the PIN into a password. It's not just the EU looking into these requirements as other countries are also considering some form of legislation to the same or lesser effect.