Points Stolen
Oct 1, 2018, 7:08 pm
#16
FlyerTalk Evangelist
Join Date: Sep 2002
Location: Chicagoland, IL, USA
Programs: WN CP, Hilton Diamond
Posts: 14,174
Oct 2, 2018, 6:48 am
#19
Original Poster
Join Date: Oct 2018
Posts: 7
Below is their response. I have asked twice as to how this happened with no response. I also asked why there was no verification since the ship to address was not mine. Also no response. I can't confirm but I think they screwed up and are doing CYA right now. As long as I get my points back I will just move on.
Thank you for contacting us about your Rapid Rewards account. We appreciate the opportunity to review the account activity with our Business Integrity team.
We take the security of our Members’ Rapid Rewards accounts seriously, and we protect our Members from fraudulent activity by fortifying your data against a breach. To partner with those technology safeguards, we also require Members to enter a password prior to accessing any of their account information on southwest.com . We encourage you to use a strong password and highly recommend that you do not use your Rapid Rewards account password for any other online accounts.
Please know that our Rapid Rewards terms and conditions specifically state, “Southwest Airlines is not responsible for unauthorized access to a Member's Account and will not replace stolen points or awards.” However, as a one-time gesture of goodwill, we will reinstate xxxx points. Login to your account, validate that all of your contact information is correct and change your password if you haven’t done so already.
Thank you again for reaching out to us. Please know that we value your business, and we look forward to seeing you on a Southwest flight soon.
Sincerely,
Candice, Southwest Airlines
The file reference number for your email is xxxxx.
[/QUOTE]
Thank you for contacting us about your Rapid Rewards account. We appreciate the opportunity to review the account activity with our Business Integrity team.
We take the security of our Members’ Rapid Rewards accounts seriously, and we protect our Members from fraudulent activity by fortifying your data against a breach. To partner with those technology safeguards, we also require Members to enter a password prior to accessing any of their account information on southwest.com . We encourage you to use a strong password and highly recommend that you do not use your Rapid Rewards account password for any other online accounts.
Please know that our Rapid Rewards terms and conditions specifically state, “Southwest Airlines is not responsible for unauthorized access to a Member's Account and will not replace stolen points or awards.” However, as a one-time gesture of goodwill, we will reinstate xxxx points. Login to your account, validate that all of your contact information is correct and change your password if you haven’t done so already.
Thank you again for reaching out to us. Please know that we value your business, and we look forward to seeing you on a Southwest flight soon.
Sincerely,
Candice, Southwest Airlines
The file reference number for your email is xxxxx.
[/QUOTE]
Oct 2, 2018, 7:24 am
#20
Suspended
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 50,262
It took one business day.
Did WN really say it would take 10 busienss days or something like, "up to 10" or "as long as 10"
It takes however long it takes.
If you flip through FT, you will see that there are all kinds of posts from people who propose all manner of frauds. Not that this incident was a fraud. But, given the prevalence of fraud, is it really much to expect that a vendor would take a bit of time.
Did WN really say it would take 10 busienss days or something like, "up to 10" or "as long as 10"
It takes however long it takes.
If you flip through FT, you will see that there are all kinds of posts from people who propose all manner of frauds. Not that this incident was a fraud. But, given the prevalence of fraud, is it really much to expect that a vendor would take a bit of time.
Oct 2, 2018, 8:09 am
#21
Join Date: Mar 2011
Posts: 6,286
That reply is boilerplate, but I suspect the important part with regards to understanding how this happened is:
We encourage you to use a strong password and highly recommend that you do not use your Rapid Rewards account password for any other online accounts.
It's likely that your account password was hacked, either by force and/or by using a list of your possible passwords purchased from a hacker who got them through another site's breach.
Most importantly, Southwest reinstated your points, so it all worked out in the end.
We encourage you to use a strong password and highly recommend that you do not use your Rapid Rewards account password for any other online accounts.
It's likely that your account password was hacked, either by force and/or by using a list of your possible passwords purchased from a hacker who got them through another site's breach.
Most importantly, Southwest reinstated your points, so it all worked out in the end.
Oct 2, 2018, 11:07 am
#22
Join Date: Oct 2005
Location: ORD, MDW or MKE
Programs: American and Southwest. Hilton and Marriott hotels primarily.
Posts: 6,459
It's great that Southwest restored your points.
Absent a breach of security where multiple accounts were hacked rather than someone figuring out your specific password, I'm not clear why there is an expectation that Southwest restore your points. This restoration appears to be costing Southwest real money through no apparent fault of their own.
Absent a breach of security where multiple accounts were hacked rather than someone figuring out your specific password, I'm not clear why there is an expectation that Southwest restore your points. This restoration appears to be costing Southwest real money through no apparent fault of their own.
Oct 2, 2018, 11:13 am
#23
FlyerTalk Evangelist
Join Date: Sep 2002
Location: Chicagoland, IL, USA
Programs: WN CP, Hilton Diamond
Posts: 14,174
It's great that Southwest restored your points.
Absent a breach of security where multiple accounts were hacked rather than someone figuring out your specific password, I'm not clear why there is an expectation that Southwest restore your points. This restoration appears to be costing Southwest real money through no apparent fault of their own.
Absent a breach of security where multiple accounts were hacked rather than someone figuring out your specific password, I'm not clear why there is an expectation that Southwest restore your points. This restoration appears to be costing Southwest real money through no apparent fault of their own.
I have never ever even given my WN password to my WIFE of 32 years.
So if someone breaks in and steals my points, it ain’t MY fault. It’s WN’s crappy security.
Oct 2, 2018, 12:43 pm
#24
Join Date: Oct 2005
Location: ORD, MDW or MKE
Programs: American and Southwest. Hilton and Marriott hotels primarily.
Posts: 6,459
I guess none of us will really know. It certainly seems unlikely to me that someone broke through WN’s security and only stole your points.
Oct 2, 2018, 12:45 pm
#25
FlyerTalk Evangelist
Join Date: Nov 2000
Location: Nashville -Past DL Plat, FO, WN-CP, various hotel programs
Programs: DL-MM, AA, SW w/companion,HiltonDiamond, Hyatt PLat, IHF Plat, Miles and Points Seeker
Posts: 11,072
How complex is the password?
Did the user log into a public computer and maybe not log out?
or did the computer save the password or maybe computer has a key logger on it
Sometimes the "free" hotel wifi is really not the hotel, but somebody monitoring all traffic.
Has someone hacked the user's computer or phone and gotten many passwords?
Side note - rather interesting the end user did not change the email to prevent you from getting the notification.
Oct 2, 2018, 1:13 pm
#26
Original Poster
Join Date: Oct 2018
Posts: 7
So just to add to the debate:
1: I don't use Public Wifi or Hotel Wifi. I use my cellular data on my iPhone
2: At home I have my own wifi thru Fios
3: I don't us public computers
4: I don't think my phone or computer was hacked because this is the only incident. There would be many more if I was hacked.
5: Suspicious that they didn't change my email isn't it
6: How did SWA not catch it when it was being sent to a different name and city other than mine.
This would all be answered if only SWA would tell me the answer to the question I have asked them 3 times now. I also asked them how to prevent use of More Rewards.
1: I don't use Public Wifi or Hotel Wifi. I use my cellular data on my iPhone
2: At home I have my own wifi thru Fios
3: I don't us public computers
4: I don't think my phone or computer was hacked because this is the only incident. There would be many more if I was hacked.
5: Suspicious that they didn't change my email isn't it
6: How did SWA not catch it when it was being sent to a different name and city other than mine.
This would all be answered if only SWA would tell me the answer to the question I have asked them 3 times now. I also asked them how to prevent use of More Rewards.
Oct 2, 2018, 11:17 pm
#27
Join Date: Jun 2005
Posts: 137
That's exactly the point he's making though. You don't know about that. There are so many attack vectors nowadays that it's not always easy to attribute. An example is if he wrote down his password in email or a note taking app, that could've been breached by say the recent facebook oauth hack. How? It doesn't seem likely or related right? The issue is that a lot of people use single sign on services, but if a single sign on provider (e.g. fb) gets compromised, then it effectively causes a breach on each site that uses said provider. If more credentials are stored on those secondary sites, then it causes another set of breaches, and so on... Did you know about this? Now keep in mind what I've described is just a single attack vector. There are probably dozens more that everyone is vulnerable to. It's just a matter of time. If you're lucky, it gets patched before anything happens.
I would tend to agree with lougord99--absent a breach of multiple southwest accounts, it's not likely all southwest's fault. Could they have had better security (e.g. validating the ship to address vs home address)? Yes.
I would tend to agree with lougord99--absent a breach of multiple southwest accounts, it's not likely all southwest's fault. Could they have had better security (e.g. validating the ship to address vs home address)? Yes.
Oct 3, 2018, 12:11 am
#28
FlyerTalk Evangelist
Join Date: Nov 2000
Location: Nashville -Past DL Plat, FO, WN-CP, various hotel programs
Programs: DL-MM, AA, SW w/companion,HiltonDiamond, Hyatt PLat, IHF Plat, Miles and Points Seeker
Posts: 11,072
So just to add to the debate:
1: I don't use Public Wifi or Hotel Wifi. I use my cellular data on my iPhone
2: At home I have my own wifi thru Fios
3: I don't us public computers
4: I don't think my phone or computer was hacked because this is the only incident. There would be many more if I was hacked.
5: Suspicious that they didn't change my email isn't it
6: How did SWA not catch it when it was being sent to a different name and city other than mine.
This would all be answered if only SWA would tell me the answer to the question I have asked them 3 times now. I also asked them how to prevent use of More Rewards.
1: I don't use Public Wifi or Hotel Wifi. I use my cellular data on my iPhone
2: At home I have my own wifi thru Fios
3: I don't us public computers
4: I don't think my phone or computer was hacked because this is the only incident. There would be many more if I was hacked.
5: Suspicious that they didn't change my email isn't it
6: How did SWA not catch it when it was being sent to a different name and city other than mine.
This would all be answered if only SWA would tell me the answer to the question I have asked them 3 times now. I also asked them how to prevent use of More Rewards.
As to #6 - I have not used "More Rewards", but I assume that is outside the SWA control? Does it even validate your home address (vs shipping address)?
I would also like to know how to block use of "More Rewards".
Even if SWA knows what happened, I would not expect them to reveal it. And if it is a fault of theirs, then just about 100% chance they will not reveal it. Too much risk that information causes them more problems.
Oct 3, 2018, 11:41 am
#29
Join Date: Feb 2014
Posts: 921
How many data breaches has Southwest suffered? It seems like a lot of companies have security issues; but I'm failing to remember any that has affected our personal info on file at Southwest, which would seem to say their security protocols are better than others. Maybe you have another example to support your position.
