RR account hacked and SW has been unresponsive
#16
Join Date: May 2004
Location: Colorado
Programs: UA & IHG Plat, SWAlist, Frontier 100k, Marriott Titan, IHG-Hilton-Hyatt-Wynd Gold, Nat EE, Hertz PC
Posts: 445
I am sorry to hear this happened to you. I hope that you get all of your miles back, it's the right thing for SWA to do. With the myriad of breaches of data from everything from Credit Reporting Agencies to just about every store you shop at, it is no wonder this is not happening more. Chances are that some account was breached, SWA, or otherwise and the Op used the same email and password combination, or the person that did it figured out another way to do it. I would be willing to bet that whatever it was involved a compromise of information, outside of their control. SWA needs to do better to protect its customers from having this happen, the failure to notify you when your email and account information is changed, then used to book airfares using nearly all of the accounts miles. This shows you they have nothing in place to prevent it from happening, which makes your RR account a lucrative target for fraudsters.
I had this happen two years ago with IHG, wiped out my account and booked airfare using nearly all of my points. IHG at least notifies you when the contact email on your account is changed, the person doing this knew that and initiated an email denial of service attack on my email account, sending me over 7,700 emails in the course of a few hours. It took me over four hours to search through and find the email change email on my IHG account, contacting them (getting India), demanding fraud and getting someone from the US on the phone. They verified my account, they had changed the name, phone, and email on it to ones in Russia. They restored my points, cancelled the transaction to the partner for the airfare (booked for a flight within Russia for the next day), and I was whole again. I'm still dealing with the increased spam caused by it even now, but it's much less now. IHG accounts are still at risk, they still rely on a 4-digit Pin code for your password, and I could never get a good response to what their incorrect password policy was, suspend after how many invalid tries, etc. Someone could easily get your Pin with a bot hitting it, so long as it never violated the unknown incorrect password policy.
I changed every account password I had and started using a Password Tracking service, and I roll passwords sporadically across all of my accounts now.
I have enacted increased security on all of my financial, and travel accounts. I am torn on two-factor authentication for accounts I use often though, they work great if you get the second factor okay, if you do not, it's not easy to access your account, and it's going to happen when you are away from home. So, I recommend using strong passwords, if you hear about a breach someplace, find out if it affected you.
-Patrick
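Editor's added example, not part of the post above: the post describes a flood of several thousand emails used to bury one account-change notice, and this sketch shows how such a notice can be pulled out of a mailbox dump quickly. The sender domains, keyword patterns and sample messages are all constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: phrases that account-security notices commonly contain.
SECURITY_PATTERNS = [re.compile(p, re.I) for p in (
    r"e-?mail (address )?(was |has been )?(changed|updated)",
    r"password (was |has been )?(reset|changed)",
    r"(contact|account|profile) (information|details) .*(changed|updated)",
    r"new (sign|log)[- ]?in",
)]
# Assumption: domains of services you really hold accounts with (placeholders).
KNOWN_SENDERS = {"hotel-rewards.example", "airline.example"}

def sender_domain(msg):
    """Lower-cased domain part of the From address."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

def triage(raw_messages):
    """Return (score, subject, sender) for likely account-change notices, best first."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg.get("Subject", ""))
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part is not None else ""
        text = subject + "\n" + body
        score = sum(1 for p in SECURITY_PATTERNS if p.search(text))
        if score == 0:
            continue  # ordinary flood traffic: sign-up confirmations, newsletters
        if sender_domain(msg) in KNOWN_SENDERS:
            score += 2  # a notice from a service you actually use outranks decoys
        hits.append((score, subject, str(msg.get("From", ""))))
    return sorted(hits, key=lambda h: h[0], reverse=True)

def _mk(sender, subject, body):
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"

# Constructed sample mailbox: six flood messages, one real notice, one decoy.
SAMPLE = [_mk(f"news@list{i}.example", "Confirm your subscription",
              "Thanks for signing up.") for i in range(6)]
SAMPLE.insert(3, _mk("rewards@hotel-rewards.example",
                     "Your email address has been changed",
                     "The contact information on your account was updated."))
SAMPLE.append(_mk("noreply@forum.example",
                  "Password reset for your forum account", "Click to continue."))

if __name__ == "__main__":
    for score, subject, sender in triage(SAMPLE):
        print(score, sender, subject)
```

A sudden burst of sign-up confirmations is itself the signal to run a check like this and to review recent changes on loyalty and financial accounts.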
#17
Join Date: Aug 2012
Location: RDU
Posts: 679
Why can't they just track it down via the people that actually flew on the tickets? WN has the pax name, which theoretically matches the pax's ID at the airport. Each of the pax would have some link to the person(s) that breached the account. The pax may or may not knowingly realize that they were flying on stolen points, but could potentially provide clues on the person(s) that booked the actual ticket.
If the pax was not flying under their actual name, that's a separate (and bigger) issue.
#19
Join Date: Jun 2015
Posts: 16
#20
Suspended
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 50,262
It also doesn't matter. If the bad guys sold the points by issuing a ticket for John Q. Smith and someone with that ID showed up at the airport, he would be boarded. Because he is John Q. Smith.
If OP kept a CC on file (anybody who still does this with WN or anybody else is a prime candidate for fraud and identity theft), he should also report this to his card issuer and obtain a new card.
#21
Join Date: Jun 2015
Posts: 16
Good catch. Somebody had to pay the $5.60. There are a few ways to pay this without revealing who you are.
1 - If they logged into the RR account, they can just use the credit card on file. That is what I do with all of our award tickets, and companion.
2 - They could use a legit debit/prepaid credit card that has no name tied to it.
3 - They could use a stolen credit card.
4 - They could use a SW gift card that has no name tied to it - other than other bookings if SW wanted to dig deeper.
#22
Join Date: Sep 2002
Location: Blue Ridge, GA
Posts: 5,512
#24
Join Date: Aug 2012
Location: RDU
Posts: 679
#27
Join Date: Jul 2012
Posts: 205
There is about a 100% chance that this is not Southwest's fault, and about a 100% chance that someone got into your account because you either reused a password from another site (that got hacked), or disclosed your password in some other manner (phishing, etc). That most certainly being the case, Southwest has no obligation to reimburse the points to you, so just know that going forward, and interact with them accordingly, i.e. that they are doing you a favor by investigating this, as it was almost certainly not a failure on their end.
That being said, they will probably reimburse your points, but chances are you won't find out who did this. My guess would be some unknown 3rd party got your password, logged into your account, changed your account info, then bought tickets for people online who paid the 3rd party, not realizing the points were stolen. You may be able to track down the people who used the tickets, but chances are you'll never locate the "hacker" who likely profited off selling your points (chances are they aren't even in this country).
Going forward, practice good password security to avoid things like this happening in the future, other companies aren't as good as Southwest when it comes to covering losses that aren't their fault.
#28
FlyerTalk Evangelist
Join Date: Nov 2000
Location: Nashville -Past DL Plat, FO, WN-CP, various hotel programs
Programs: DL-MM, AA, SW w/companion,HiltonDiamond, Hyatt PLat, IHF Plat, Miles and Points Seeker
Posts: 11,072
To board, you just board showing your boarding pass. You do NOT show your ID. Or even a fake ID.
To get through the TSA checkpoint you need a boarding pass for a flight leaving that airport that day. It can be any airline. They could have bought a refundable ticket for any other airline.
or
They could have gotten to that airport via a flight from another airport.
Lots of ways to deal with this stuff.
FAKE ID
FAKE FLIGHTS
AIRPORT EMPLOYEE
#29
Suspended
Join Date: Aug 2018
Posts: 590
Good catch. Somebody had to pay the $5.60. There are a few ways to pay this without revealing who you are.
1 - If they logged into the RR account, they can just use the credit card on file. That is what I do with all of our award tickets, and companion.
2 - They could use a legit debit/prepaid credit card that has no name tied to it.
3 - They could use a stolen credit card.
4 - They could use a SW gift card that has no name tied to it - other than other bookings if SW wanted to dig deeper.
2) As long as the prepaid card wasn't purchased with another credit card. Then that can be tracked.
3) This is why some airlines require passengers to present proof of payment when checking-in at the airport.
4) SW gift cards cannot be used to pay the security fee when points were used to redeem an award.
#30
Join Date: May 2003
Location: San Francisco, CA Frmr AA Plat AW Plat Frmr UA 1K Frmr HGP Plat now just UA 1MM/1P
Posts: 320
Several misapprehensions in responses on this thread:
1) That the persons traveling are the ones who stole the points. A more professional thief will sell tickets for 25% to 50% under list price, online.
2) The attack was via a password crack. Maybe, but maybe the OP's email was broken into. Another route is having a phone sim cloned. In either case, the password recovery systems are abused to change the password into the account. A much lower chance that it is a Southwest employee that improperly accessed the account.