
RR account hacked and SW has been unresponsive


Old Jan 11, 2019, 3:17 pm
  #16  
 
Join Date: May 2004
Location: Colorado
Programs: UA & IHG Plat, SWAlist, Frontier 100k, Marriott Titan, IHG-Hilton-Hyatt-Wynd Gold, Nat EE, Hertz PC
Posts: 445
I am sorry to hear this happened to you. I hope that you get all of your miles back, it's the right thing for SWA to do. With the myriad of breaches of data from everything from Credit Reporting Agencies to just about every store you shop at, it is no wonder this is not happening more. Chances are that some account was breached, SWA, or otherwise and the OP used the same email and password combination, or the person that did it figured out another way to do it. I would be willing to bet that whatever it was involved a compromise of information, outside of their control. SWA needs to do better to protect its customers from having this happen, the failure to notify you when your email and account information is changed, then used to book airfares using nearly all of the accounts miles. This shows you they have nothing in place to prevent it from happening, which makes your RR account a lucrative target for fraudsters.

I had this happen two years ago with IHG, wiped out my account and booked airfare using nearly all of my points. IHG at least notifies you when the contact email on your account is changed, the person doing this knew that and initiated an email denial of service attack on my email account, sending me over 7,700 emails in the course of a few hours. It took me over four hours to search through and find the email change email on my IHG account, contacting them (getting India), demanding fraud and getting someone from the US on the phone. They verified my account, they had changed the name, phone, and email on it to ones in Russia. They restored my points, cancelled the transaction to the partner for the airfare (booked for a flight within Russia for the next day), and I was whole again. I'm still dealing with the increased spam caused by it even now, but it's much less now. IHG accounts are still at risk, they still rely on a 4-digit PIN code for your password, and I could never get a good response to what their incorrect password policy was, suspend after how many invalid tries, etc. Someone could easily get your PIN with a bot hitting it, so long as it never violated the unknown incorrect password policy.

I changed every account password I had and started using a Password Tracking service, and I roll passwords sporadically across all of my accounts now.

I have enacted increased security on all of my financial, and travel accounts. I am torn on two-factor authentication for accounts I use often though, they work great if you get the second factor okay, if you do not, it's not easy to access your account, and it's going to happen when you are away from home. So, I recommend using strong passwords, if you hear about a breach someplace, find out if it affected you.

-Patrick
TIGA31328 is offline  
Old Jan 11, 2019, 3:21 pm
  #17  
 
Join Date: Aug 2012
Location: RDU
Posts: 679
Why can't they just track it down via the people that actually flew on the tickets? WN has the pax name, which theoretically matches the pax's ID at the airport. Each of the pax would have some link to the person(s) that breached the account. The pax may or may not knowingly realize that they were flying on stolen points, but could potentially provide clues on the person(s) that booked the actual ticket.

If the pax was not flying under their actual name, that's a separate (and bigger) issue.
flyer4512 likes this.
tearex is offline  
Old Jan 11, 2019, 3:23 pm
  #18  
 
Join Date: Jan 2010
Location: ATL
Posts: 1,904
They don't capture ID info at the airport
dmbolp is online now  
Old Jan 11, 2019, 3:38 pm
  #19  
 
Join Date: Jun 2015
Posts: 16
Originally Posted by LegalTender
I don't consider that a prized asset. The liabilities are boundless.
Absolutely a prized asset. Most of us frequent fliers, that consequently have A-list, do not obtain that status by using our points for personal flights.
booatx is offline  
Old Jan 11, 2019, 3:39 pm
  #20  
Suspended
 
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 50,262
It also doesn't matter. If the bad guys sold the points by issuing a ticket for John Q. Smith and someone with that ID showed up at the airport, he would be boarded. Because he is John Q. Smith.

If OP kept a CC on file (anybody who still does this with WN or anybody else is a prime candidate for fraud and identity theft), he should also report this to his card issuer and obtain a new card.
Often1 is offline  
Old Jan 11, 2019, 3:44 pm
  #21  
 
Join Date: Jun 2015
Posts: 16
Originally Posted by NoStressHere
Good catch. Somebody had to pay the $5.60. There are a few ways to pay this without revealing who you are.

1 - If they logged into the RR account, they can just use the credit card on file. That is what I do with all of our award tickets, and companion.

2 - They could use a legit debit/prepaid credit card that has no name tied to it.

3 - They could use a stolen credit card.

4 - They could use a SW gift card that has no name tied to it - other than other bookings if SW wanted to dig deeper.
The person who actually traveled would have had to show ID. That person would have undoubtedly had some connection to whoever booked the flight.
booatx is offline  
Old Jan 11, 2019, 3:47 pm
  #22  
 
Join Date: Sep 2002
Location: Blue Ridge, GA
Posts: 5,492
Originally Posted by booatx

Absolutely a prized asset. Most of us frequent fliers, that consequently have A-list, do not obtain that status by using our points for personal flights.
A-listers don't obtain status by using points. Now, I'm clear.
LegalTender is online now  
Old Jan 11, 2019, 3:49 pm
  #23  
 
Join Date: Jun 2015
Posts: 16
Originally Posted by dmbolp
They don't capture ID info at the airport
TSA requires an ID and a boarding pass to proceed.
booatx is offline  
Old Jan 11, 2019, 3:49 pm
  #24  
 
Join Date: Aug 2012
Location: RDU
Posts: 679
Originally Posted by dmbolp
They don't capture ID info at the airport
Originally Posted by Often1
It also doesn't matter. If the bad guys sold the points by issuing a ticket for John Q. Smith and someone with that ID showed up at the airport, he would be boarded. Because he is John Q. Smith.
Originally Posted by booatx
The person who actually traveled would have had to show ID. That person would have undoubtedly had some connection to whoever booked the flight.
This is my point. Regardless of whether ID info was captured, the name of the pax should match the ID that was shown to the TSA screener, so the pax's name is presumably accurate. If the pax name is unique/uncommon, they can be traced down easily and questioned on the acquisition method of their ticket, because it would have some connection to the bad guys, whether direct or indirect.
flyer4512 likes this.
tearex is offline  
Old Jan 11, 2019, 3:51 pm
  #25  
 
Join Date: Sep 2002
Location: Blue Ridge, GA
Posts: 5,492
Originally Posted by booatx

TSA requires an ID and a boarding pass to proceed.
Who knew?
steved5480 likes this.
LegalTender is online now  
Old Jan 11, 2019, 3:54 pm
  #26  
 
Join Date: Jan 2010
Location: ATL
Posts: 1,904
Originally Posted by booatx

TSA requires an ID and a boarding pass to proceed.
Right, so Southwest and TSA know that someone claiming to be John Smith made it thru TSA and flew...what do you do with that info?
dmbolp is online now  
Old Jan 11, 2019, 4:16 pm
  #27  
 
Join Date: Jul 2012
Posts: 203
There is about a 100% chance that this is not Southwest's fault, and about a 100% chance that someone got into your account because you either reused a password from another site (that got hacked), or disclosed your password in some other manner (phishing, etc). That most certainly being the case, Southwest has no obligation to reimburse the points to you, so just know that going forward, and interact with them accordingly, i.e. that they are doing you a favor by investigating this, as it was almost certainly not a failure on their end.

That being said, they will probably reimburse your points, but chances are you won't find out who did this. My guess would be some unknown 3rd party got your password, logged into your account, changed your account info, then bought tickets for people online who paid the 3rd party, not realizing the points were stolen. You may be able to track down the people who used the tickets, but chances are you'll never locate the "hacker" who likely profited off selling your points (chances are they aren't even in this country).

Going forward, practice good password security to avoid things like this happening in the future, other companies aren't as good as Southwest when it comes to covering losses that aren't their fault.
ursine1 likes this.
camaross is offline  
Old Jan 11, 2019, 5:37 pm
  #28  
FlyerTalk Evangelist
 
Join Date: Nov 2000
Location: Nashville -Past DL Plat, FO, WN-CP, various hotel programs
Programs: DL-MM, AA, SW w/companion,HiltonDiamond, Hyatt PLat, IHF Plat, Miles and Points Seeker
Posts: 11,064
Originally Posted by booatx

The person who actually traveled would have had to show ID. That person would have undoubtedly had some connection to whoever booked the flight.
Wrong.
To board, you just board showing your boarding pass. You do NOT show your ID. Or even a fake ID.

To get through the TSA checkpoint you need a boarding pass for a flight leaving that airport that day. It can be any airline. They could have bought a refundable ticket for any other airline.

or

They could have gotten to that airport via a flight from another airport.

Lots of ways to deal with this stuff.

FAKE ID
FAKE FLIGHTS
AIRPORT EMPLOYEE
joshua362 likes this.
NoStressHere is offline  
Old Jan 11, 2019, 6:32 pm
  #29  
Suspended
 
Join Date: Aug 2018
Posts: 590
Originally Posted by NoStressHere
Good catch. Somebody had to pay the $5.60. There are a few ways to pay this without revealing who you are.

1 - If they logged into the RR account, they can just use the credit card on file. That is what I do with all of our award tickets, and companion.

2 - They could use a legit debit/prepaid credit card that has no name tied to it.

3 - They could use a stolen credit card.

4 - They could use a SW gift card that has no name tied to it - other than other bookings if SW wanted to dig deeper.
1) Presumably OP would notice a fraudulent airline charge on his card and would file a chargeback. How does that work? Once that is processed, I would think the airline would DK the ticket.

2) As long as the prepaid card wasn't purchased with another credit card. Then that can be tracked.

3) This is why some airlines require passengers to present proof of payment when checking-in at the airport.

4) SW gift cards cannot be used to pay the security fee when points were used to redeem an award.
kapooncha is offline  
Old Jan 11, 2019, 7:01 pm
  #30  
 
Join Date: May 2003
Location: San Francisco, CA Frmr AA Plat AW Plat Frmr UA 1K Frmr HGP Plat now just UA 1MM/1P
Posts: 320
Several misapprehensions in responses on this thread:

1) That the persons traveling are the ones who stole the points. A more professional thief will sell tickets for 25% to 50% under list price, online.
2) The attack was via a password crack. Maybe, but maybe the OP's email was broken into. Another route is having a phone SIM cloned. In either case, the password recovery systems are abused to change the password into the account. A much lower chance that it is a Southwest employee that improperly accessed the account.
c1ue is offline  


This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.