
My SPG Account Got Hacked

Old Dec 13, 2013, 12:58 am
  #76  
 
Join Date: Oct 2012
Posts: 970
Originally Posted by silverfalls
My password was 17 characters that included all of the above that you mentioned. Still it was hacked, nothing is strong anymore in the net.
The "hacking" is almost always an inside job - whether by an SPG employee or a hacker who got access to SPG's database. So strength of one's password is probably totally immaterial as they probably already know it...
farwest101 is offline  
Old Dec 13, 2013, 3:36 am
  #77  
 
Join Date: Mar 2002
Location: London, Vancouver, Tokyo, San Francisco, NYC
Posts: 265
Another recent trend is that once a hacker has obtained a combination of user ID and password from somewhere, he tries the same pair on other sites. In that case, even though the origin might be an insider, the actual attacker is not. You need to generate site-specific passwords with dedicated software to protect...

Originally Posted by farwest101
The "hacking" is almost always an inside job
cozysuite is offline  
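The reuse attack cozysuite describes (leaked user ID/password pairs replayed against other sites, usually called credential stuffing) leaves a recognisable trace in authentication logs: one source address tries many distinct usernames in a short window and most attempts fail. The following is an added example, not code from the forum or from SPG, that flags that pattern in a batch of login events and lists the accounts whose reused credentials actually worked, since those are the ones that need a forced reset. The log format, thresholds and the sample lines are constructed for this illustration.

```python
"""Flag credential-stuffing activity in a batch of login events.

A single user mistyping a password produces repeated failures for ONE
username. A stuffing run produces failures across MANY usernames from
the same source, because most of the replayed pairs are stale or the
victim used a unique password on this site. The handful that succeed
are confirmed-reused credentials.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO timestamp> <source ip> <username> <ok|fail>"
SAMPLE_LOG = """\
2013-12-13T01:00:01 203.0.113.7 alice fail
2013-12-13T01:00:02 203.0.113.7 bob fail
2013-12-13T01:00:02 203.0.113.7 carol fail
2013-12-13T01:00:03 203.0.113.7 dave ok
2013-12-13T01:00:04 203.0.113.7 erin fail
2013-12-13T01:00:05 203.0.113.7 frank fail
2013-12-13T01:00:06 203.0.113.7 grace fail
2013-12-13T01:00:07 203.0.113.7 heidi fail
2013-12-13T01:00:08 203.0.113.7 ivan fail
2013-12-13T01:00:09 203.0.113.7 judy ok
2013-12-13T01:05:00 198.51.100.20 mallory fail
2013-12-13T01:05:30 198.51.100.20 mallory fail
2013-12-13T01:06:00 198.51.100.20 mallory ok
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, ip, user, success)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, max_success_ratio=0.5):
    """Return {ip: {"users", "attempts", "successes"}} for each source IP
    that, within any `window`, hit at least `min_users` distinct usernames
    with a success ratio no higher than `max_success_ratio`.

    The success ratio is what separates a stuffing run from a legitimate
    shared egress (office NAT, hotel wifi): many users also log in from one
    address there, but most of them succeed.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start, best = 0, None
        for end in range(len(rows)):
            # Slide the window start forward until the span fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                if best is None or len(users) > best["users"]:
                    best = {"users": len(users), "attempts": len(chunk),
                            "successes": successes}
        if best:
            flagged[ip] = best
    return flagged


def compromised_accounts(events, flagged):
    """Usernames that logged in successfully from a flagged source: their
    password is confirmed to be reused and should be reset and sessions revoked."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print(hits)
    print(sorted(compromised_accounts(evs, hits)))
```

The thresholds (five distinct usernames in ten minutes, at most half succeeding) are illustrative; on a real login endpoint they would be tuned against the site's normal traffic, and the same logic is usually run per source network rather than per single IP, since stuffing tools rotate through proxy pools.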
Old Dec 13, 2013, 1:52 pm
  #78  
Moderator: CommunityBuzz!, OMNI, OMNI/PR, and OMNI/Games & FlyerTalk Evangelist
 
Join Date: Nov 2000
Location: ORD (MDW stinks)
Programs: UAMM, AAMM & ExPlat, Marriott lifetime Plat, IHG Plat, Hilton Diamond
Posts: 23,506
Originally Posted by g8torjenn
I called in on Monday about it, so hopefully it will happen soon.
agreed, per your situation, I'd still like to see the airline bust the guy (at the airport when they show up) who used your points for an air award.
Sweet Willie is offline  
Old Dec 13, 2013, 2:26 pm
  #79  
 
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,536
Originally Posted by Sweet Willie
agreed, per your situation, I'd still like to see the airline bust the guy (at the airport when they show up) who used your points for an air award.
It wouldn't surprise me if the award was sold to a third person.

Slightly off topic - I went to Paul McCartney's Orlando concert this year. A couple in front of me had internet tickets. Turned out whoever they bought them from had already sold the tickets to at least one other couple.
I bought my tickets from someone in person and made sure that they were the 'old' style tickets and saw the receipt for them. Caveat emptor.
iflyjetz is offline  
Old Dec 13, 2013, 2:48 pm
  #80  
 
Join Date: Aug 2010
Location: Formerly Box 350, Boston Mass, Oh two one three four. Now near Beverly Hills 90210
Programs: Loyal Order of Water Buffalos
Posts: 3,937
Originally Posted by farwest101
The "hacking" is almost always an inside job - whether by an SPG employee or a hacker who got access to SPG's database. So strength of one's password is probably totally immaterial as they probably already know it...
Originally Posted by Sweet Willie
agreed, per your situation, I'd still like to see the airline bust the guy (at the airport when they show up) who used your points for an air award.
A number of years ago an associate at a former SPG property took my wife's CC info (given to her over the phone to make a reservation) and used it (or gave it to someone who used it) to buy airline tickets. For 2 months down the line.

I SO wished the cops were interested enough to show up and arrest the ticket holder, but they were not interested in doing that.
Out of my Element is online now  
Old Dec 13, 2013, 5:34 pm
  #81  
 
Join Date: Aug 2010
Programs: jetblue mosaic, spg plat/ambassador, UA GS, AA EXP
Posts: 163
Originally Posted by farwest101
The "hacking" is almost always an inside job - whether by an SPG employee or a hacker who got access to SPG's database. So strength of one's password is probably totally immaterial as they probably already know it...

Respectfully disagree. You could see a variety of industry studies like the most recent VZ DBIR, the Mandiant report, anything from Krebs, etc., but in general the "hacking" is most likely a keylogger running on one of the many computers s/he has logged into over the years. The criminals have a variety of ways of monetizing stolen accounts. I had to work a breach of a large payment processor a couple of months ago that was having rewards accounts logged into using valid creds, where the criminal was transferring points to Apple gift cards and then reselling them on eBay.
cleanfloor is offline  
Old Dec 14, 2013, 3:52 am
  #82  
 
Join Date: Jan 2012
Location: NY/NJ USA
Programs: BAEC Gold, Marriott Platinum, HHonors Diamond
Posts: 137
Originally Posted by swag
Don't give them your actual password, of course. Change some characters to others of the same type. If your pw is asdf234%, give them asjk654$. The strength should be reported the same, but you haven't given them anything too useful.

^ +1

Call me paranoid, but people's willingness to type a password into a random text box on an unknown website without thinking of the possible consequences is worrying!
PeterNem is offline  
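The trick swag proposes (swap every character for another of the same class before pasting into a third-party strength meter) can be done mechanically, so the decoy never depends on the user being careful. The following is an added example, not code posted in the thread, that builds such a decoy and shows why a pool-size strength meter scores it identically: the meter only sees length and which character classes are present, and both are preserved. The password "asdf234%" and its decoy "asjk654$" are the ones from the quoted post; the entropy formula is the naive one many web meters use and is an assumption here, not a description of any specific site's meter.

```python
"""Build a decoy password that shares length and per-position character
class with the real one, so a class-based strength meter rates it the same."""
import math
import secrets
import string

# The four classes a typical meter distinguishes.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def char_class(c):
    """Return the class alphabet containing c, or None (space, non-ASCII)."""
    for cls in CLASSES:
        if c in cls:
            return cls
    return None


def class_signature(pw):
    """Per-position class index (-1 for characters outside the four classes)."""
    return tuple(CLASSES.index(char_class(c)) if char_class(c) else -1 for c in pw)


def decoy_password(pw, rng=secrets):
    """Replace every classified character with a DIFFERENT character of the
    same class; unclassified characters are kept as-is so length is unchanged.
    `rng` needs a .choice(seq) method; the default is the secrets module."""
    out = []
    for c in pw:
        cls = char_class(c)
        if cls is None:
            out.append(c)
            continue
        out.append(rng.choice([x for x in cls if x != c]))
    return "".join(out)


def pool_entropy_bits(pw):
    """Naive meter estimate: length * log2(pool), where pool is the combined
    size of the character classes present. Depends only on the signature."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    real = "asdf234%"
    fake = decoy_password(real)
    print(fake, pool_entropy_bits(real), pool_entropy_bits(fake))
```

Because the decoy keeps the class pattern, a meter that also penalises dictionary words or keyboard walks (asdf, 1234) may give the decoy a slightly different score from the real password; that is the one case where the two readings diverge, and it reveals nothing useful about the real string.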
Old Dec 14, 2013, 11:05 pm
  #83  
 
Join Date: Aug 2002
Location: YYZ
Programs: BA Gold/Marriott Gold/HH Diamond/IC Plat Amba
Posts: 5,990
I rarely check on my SPG balance but got my e-statement today and sure enough I have been cleaned out by some hacker transferring to Etihad. While I hate the idea that I might lose all the points, it's a good kick in the butt to change all my other website passwords. I've been lucky that this is the first time I've had this happen. I'd hate it to be my various banking websites.
Crampedin13A is offline  
Old Dec 15, 2013, 1:28 am
  #84  
 
Join Date: Oct 2012
Posts: 970
Originally Posted by cleanfloor
Respectfully disagree. You could see a variety of industry studies like the most recent VZ DBIR, the Mandiant report, anything from Krebs, etc, but in general the "hacking" is most likely a keylogger running on one of the many computers s/he has logged into over the years. The criminals have a variety of ways of monetizing stolen accounts. I had to work a breach of a large payment processor a couple months ago that was having rewards accounts logged into using valid creds, where the criminal was transferring points to apple gift cards and then resold them on ebay.
There is a consistent series of reports of SPG-specific accounts being hacked. That indicates SPG-specific breach has occurred.
farwest101 is offline  
Old Dec 15, 2013, 1:58 am
  #85  
 
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,308
Originally Posted by farwest101
There is a consistent series of reports of SPG-specific accounts being hacked. That indicates SPG-specific breach has occurred.
Or they are being targeted directly or indirectly.

Either way they really need to increase and review their own security, password length/strength, internal procedures to make sure verbal passwords are never the same as a members passwords and are never revealed internally, and so on. Another good security measure would be a different way to enter the verbal password so as not to have to give it to an agent at all (keypad entry, for example.)

Unfortunately, given their history ... but one can always hope for enlightenment.

-David
LIH Prem is offline  
Old Dec 15, 2013, 4:49 am
  #86  
GB
 
Join Date: Sep 1999
Programs: AA EXP, SPG PLT, Hyatt DIA, Hilton GLD
Posts: 974
Originally Posted by LIH Prem
Or they are being targeted directly or indirectly.

Either way they really need to increase and review their own security, password length/strength, internal procedures to make sure verbal passwords are never the same as a members passwords and are never revealed internally, and so on. Another good security measure would be a different way to enter the verbal password so as not to have to give it to an agent at all (keypad entry, for example.)

Unfortunately, given their history ... but one can always hope for enlightenment.

-David
You do not have to enter your verbal password over the phone with an agent. This can easily be done online through editing your profile.
GB is offline  
Old Dec 15, 2013, 4:56 am
  #87  
 
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,308
Originally Posted by GB
You do not have to enter your verbal password over the phone with an agent.
Yes, you do ... not creating it, but you need it for anything you do over the phone involving your points or your reservations. Many awards can't be booked online. Some changes can't be done easily online either. They use the verbal password as one of several things they try to use to confirm your identity. They ask you for it when they need it to help confirm your identity.

It's more like an account PIN and maybe it would be better if that's what they called it, and their software should make sure it's not the same as your account password. At least they make you pick a 6 character minimum now.

-David
LIH Prem is offline  
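LIH Prem's point that the verbal password (effectively an account PIN) should be rejected if it equals the web password, and that agents should never see it, can be enforced without the system ever holding either secret in the clear. The following is an added example, not SPG's code or anything posted in the thread, showing one way to do it: both secrets are stored as salted PBKDF2 hashes, a candidate PIN is checked against the password's hash before it is accepted, and the agent-facing path only ever receives a yes/no from a verify call. The minimum length of six follows the post; the iteration count and field names are assumptions.

```python
"""Store a web password and a verbal password (PIN) as salted hashes and
refuse a PIN that equals the password, using only the stored hash."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def hash_secret(secret, salt=None):
    """Return (salt, digest) for a secret; a fresh 16-byte salt unless given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return salt, digest


def verify_secret(secret, salt, digest):
    """Constant-time check of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, password):
        self.pw_salt, self.pw_hash = hash_secret(password)
        self.pin_salt = None
        self.pin_hash = None

    def set_verbal_password(self, pin, min_length=6):
        """Accept a new PIN from the logged-in web profile page.
        Returns (accepted, reason)."""
        if len(pin) < min_length:
            return False, "too short"
        # "PIN must differ from the account password": re-derive the candidate
        # under the PASSWORD's salt and compare hashes. The plaintext password
        # is never needed, so it never has to be stored or recovered.
        if verify_secret(pin, self.pw_salt, self.pw_hash):
            return False, "must differ from account password"
        self.pin_salt, self.pin_hash = hash_secret(pin)
        return True, "ok"

    def check_verbal_password(self, pin):
        """What the phone/IVR path calls. The agent's screen only gets this
        boolean; the PIN itself is never displayed or retrievable."""
        if self.pin_hash is None:
            return False
        return verify_secret(pin, self.pin_salt, self.pin_hash)


if __name__ == "__main__":
    acct = Account("Correct-Horse-17")
    print(acct.set_verbal_password("Correct-Horse-17"))  # rejected
    print(acct.set_verbal_password("hotel-pin-42"))      # accepted
    print(acct.check_verbal_password("hotel-pin-42"))    # True
```

Pairing this with keypad entry, as the post suggests, means the PIN is typed into the IVR and compared by check_verbal_password, so the agent never hears it; the comparison is deliberately limited to exact equality because that is the only relationship the stored hash can test.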
Old Dec 15, 2013, 7:37 am
  #88  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,409
SPG could also restrict transfers out of Starpoints into airline accounts that have not been open for a while or even those into which no airline points have yet been earned. The MO for this fraud seems to be that someone finds the SPG account and password, opens an airline account in that name, and then uses the transferred miles to issue an award ticket in a different person's name. If the airline doesn't have more controls on the scenario of a new account, miles transferred in and then immediately going out as an award ticket in a different name, then SPG should restrict such transfers or at least strongly investigate their legitimacy before approving the transfer. SPG transfers don't seem to be instantaneous so we can hardly count on the strategy of finding award space and then transferring from SPG immediately anyway.

I assume SPG is enforcing the control of only allowing Starpoints to airline FF program transfers when the names and addresses on the two accounts are the same or at least similar (initials versus full name, middle name, etc., or home and business addresses in same city).
MSPeconomist is offline  
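MSPeconomist describes a concrete fraud pattern (a brand-new airline account in the member's name, no earned activity, points transferred in and immediately redeemed for a ticket in someone else's name) and the controls that would catch it: account age, earned activity, and a name/address match that tolerates initials versus full names and home versus business addresses in the same city. The following is an added example, not SPG's or any airline's code, that scores a transfer request against those controls and returns approve, hold or block. The thresholds (30 days, two or more flags to hold) and the record layout are assumptions made for the illustration.

```python
"""Risk-score a points transfer from a hotel programme to an airline account,
using the controls discussed in the thread: new airline account, no earned
miles, and name/address mismatch between the two accounts."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Party:
    name: str
    city: str


@dataclass
class TransferRequest:
    points: int
    spg: Party                       # name/city on the hotel account
    airline: Party                   # name/city on the receiving account
    airline_opened: date
    airline_has_earned_miles: bool   # any flown/earned activity at all
    requested: date


def _name_tokens(name):
    return [t.strip(".").lower() for t in name.replace(",", " ").split() if t.strip(".")]


def names_match(a, b):
    """True for identical names and initial/full-name variants, e.g.
    "J. Q. Public" vs "John Quincy Public" or "John Public" vs "John Q Public".
    The surname (last token) must match exactly; every remaining token of the
    shorter name must equal, or be the initial of, a token in the longer one."""
    ta, tb = _name_tokens(a), _name_tokens(b)
    if not ta or not tb or ta[-1] != tb[-1]:
        return False
    short, long_ = sorted((ta[:-1], tb[:-1]), key=len)
    remaining = list(long_)
    for tok in short:
        for i, other in enumerate(remaining):
            if tok == other or (len(tok) == 1 and other.startswith(tok)):
                del remaining[i]
                break
        else:
            return False
    return True


def assess_transfer(req, min_account_age_days=30):
    """Return (decision, reasons). A name mismatch blocks outright; two or
    more of the weaker signals (new account, no earned miles, different city)
    hold the transfer for manual review; otherwise approve."""
    reasons = []
    if not names_match(req.spg.name, req.airline.name):
        reasons.append("name mismatch")
    if req.spg.city.strip().lower() != req.airline.city.strip().lower():
        reasons.append("city mismatch")
    age = (req.requested - req.airline_opened).days
    if age < min_account_age_days:
        reasons.append(f"airline account only {age} days old")
    if not req.airline_has_earned_miles:
        reasons.append("no earned activity in airline account")

    if "name mismatch" in reasons:
        return "block", reasons
    if len(reasons) >= 2:
        return "hold", reasons
    return "approve", reasons


# Constructed sample requests (not real accounts).
TODAY = date(2013, 12, 15)
LEGIT = TransferRequest(20000, Party("John Q. Public", "Minneapolis"),
                        Party("J. Public", "Minneapolis"),
                        date(2009, 3, 1), True, TODAY)
FRAUD_MO = TransferRequest(60000, Party("John Q. Public", "Minneapolis"),
                           Party("John Q Public", "Minneapolis"),
                           date(2013, 12, 10), False, TODAY)
WRONG_NAME = TransferRequest(60000, Party("John Q. Public", "Minneapolis"),
                             Party("Jane Public", "Minneapolis"),
                             date(2013, 12, 10), False, TODAY)

if __name__ == "__main__":
    for r in (LEGIT, FRAUD_MO, WRONG_NAME):
        print(assess_transfer(r))
```

The hold outcome is the one the post argues for: the transfer is not refused, but it is not released until someone looks at it, which also defeats the attacker's need to move points out before the member notices. The name matcher deliberately accepts only initials and exact surnames; fuzzier matching would widen the door to accounts opened under near-miss spellings.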
Old Dec 15, 2013, 11:34 am
  #89  
Moderator: CommunityBuzz!, OMNI, OMNI/PR, and OMNI/Games & FlyerTalk Evangelist
 
Join Date: Nov 2000
Location: ORD (MDW stinks)
Programs: UAMM, AAMM & ExPlat, Marriott lifetime Plat, IHG Plat, Hilton Diamond
Posts: 23,506
Originally Posted by iflyjetz
It wouldn't surprise me if the award was sold to a third person.
probably right, however I still would like to see that person pulled aside at the airport, so that it is a painful event for them as I'm just guessing here, the deal was too good to be true. Might even make the news so that other folks might think twice about where they purchase their tickets.
Originally Posted by Out of my Element
I SO wished the cops were interested enough to show up and arrest the ticket holder, but they were not interested in doing that.
disappointing to hear, perhaps because it is fraud it is not the proper authority to get involved?

Did SPG corp become involved and if so, what was resolution?

Did you try sending story to local newspapers or TV? (most have a Consumer Help/Ombudsman section)

Perhaps even send to travel magazines such as http://www.cntraveler.com/ombudsman

--
Sweet Willie is offline  
Old Dec 15, 2013, 6:05 pm
  #90  
 
Join Date: Aug 2010
Location: Formerly Box 350, Boston Mass, Oh two one three four. Now near Beverly Hills 90210
Programs: Loyal Order of Water Buffalos
Posts: 3,937
Originally Posted by Sweet Willie
probably right, however I still would like to see that person pulled aside at the airport, so that it is a painful event for them as I'm just guessing here, the deal was too good to be true. Might even make the news so that other folks might think twice about where they purchase their tickets.

disappointing to hear, perhaps because it is fraud it is not the proper authority to get involved?

Did SPG corp become involved and if so, what was resolution?

Did you try sending story to local newspapers or TV? (most have a Consumer Help/Ombudsman section)

Perhaps even send to travel magazines such as http://www.cntraveler.com/ombudsman

--
Corporate quickly gave us points for our troubles but claimed they didn't have enough proof to identify a guilty employee. We knew the name of the person we had given the CC # to, but that wasn't enough for them to pursue
Out of my Element is online now  