My SPG Account Got Hacked
#76
Join Date: Oct 2012
Posts: 970
The "hacking" is almost always an inside job - whether by an SPG employee or a hacker who got access to SPG's database. So strength of one's password is probably totally immaterial as they probably already know it...
#77
Join Date: Mar 2002
Location: London, Vancouver, Tokyo, San Francisco, NYC
Posts: 265
Another recent trend is that once a hacker has obtained a userid and password combination from somewhere, he tries the same one on other sites. In that case, even though the origin might be an insider, the actual attacker is not. You need to generate site-specific passwords with dedicated software to protect yourself...
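An added example, not from any poster in this thread: the site-side view of the reuse attack just described. A hacker who replays a leaked userid/password list against another site produces a recognisable pattern in that site's login logs: one source address cycling through many distinct usernames with a low hit rate (the hits are the reused passwords). The log format, field names, sample lines and thresholds below are all constructed for the example.

```python
"""Flag credential-stuffing sources in login logs and list the accounts they hit.

Added example; the log format and thresholds are assumptions, and the log
lines are constructed, not taken from any real system.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, username, result.
# 198.51.100.7 replays a leaked list (12 accounts, 2 hits); 203.0.113.9 is a
# user fat-fingering their own password; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2013-01-05T10:00:01 198.51.100.7 alice FAIL
2013-01-05T10:00:02 198.51.100.7 bob FAIL
2013-01-05T10:00:02 198.51.100.7 carol OK
2013-01-05T10:00:03 198.51.100.7 dave FAIL
2013-01-05T10:00:03 198.51.100.7 erin FAIL
2013-01-05T10:00:04 198.51.100.7 frank OK
2013-01-05T10:00:05 198.51.100.7 grace FAIL
2013-01-05T10:00:05 198.51.100.7 heidi FAIL
2013-01-05T10:00:06 198.51.100.7 ivan FAIL
2013-01-05T10:00:06 198.51.100.7 judy FAIL
2013-01-05T10:00:07 198.51.100.7 mallory FAIL
2013-01-05T10:00:08 198.51.100.7 oscar FAIL
2013-01-05T10:01:00 203.0.113.9 alice FAIL
2013-01-05T10:01:20 203.0.113.9 alice FAIL
2013-01-05T10:01:45 203.0.113.9 alice OK
2013-01-05T10:02:00 192.0.2.44 bob OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the constructed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=10, min_fail_ratio=0.5) -> dict:
    """Return {ip: (distinct_users, attempts, successes)} for each source that,
    within any sliding `window`, tried at least `min_users` distinct usernames
    with a failure ratio of at least `min_fail_ratio`.

    Many distinct accounts plus a low hit rate is the signature of a replayed
    leaked list; a brute force hammers one account, and a real user who
    mistypes their password touches one account and then succeeds.
    """
    recent = defaultdict(deque)   # ip -> events inside the current window
    flagged = {}
    for e in events:
        q = recent[e.ip]
        q.append(e)
        while q and e.ts - q[0].ts > window:
            q.popleft()
        users = {x.user for x in q}
        fails = sum(1 for x in q if not x.ok)
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            flagged[e.ip] = (len(users), len(q), len(q) - fails)
    return flagged


def accounts_to_reset(events, flagged: dict) -> list:
    """Usernames that logged in successfully from a flagged source: these are
    the reused passwords the attacker actually hit, and they need a forced
    reset (the failures were passwords that were not reused here)."""
    return sorted({e.user for e in events if e.ok and e.ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print("stuffing sources:", hits)
    print("accounts to reset:", accounts_to_reset(evs, hits))
```

The useful output is the second list: a site that only blocks the source address leaves the accounts whose reused passwords were confirmed sitting open for the attacker to use later from another address.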
#78
Moderator: CommunityBuzz!, OMNI, OMNI/PR, and OMNI/Games & FlyerTalk Evangelist
Join Date: Nov 2000
Location: ORD (MDW stinks)
Programs: UAMM, AAMM & ExPlat, Marriott lifetime Plat, IHG Plat, Hilton Diamond
Posts: 23,506
#79
Join Date: Jul 2001
Programs: Marriott LT Tit; Hyatt Explorist; Hilton CC Gold; IHG CC Plt; Hertz (MR) 5 star
Posts: 5,536
Slightly off topic - I went to Paul McCartney's Orlando concert this year. A couple in front of me had internet tickets. Turned out whoever they bought them from had already sold the tickets to at least one other couple.
I bought my tickets from someone in person and made sure that they were the 'old' style tickets and saw the receipt for them. Caveat emptor.
#80
Join Date: Aug 2010
Location: Formerly Box 350, Boston Mass, Oh two one three four. Now near Beverly Hills 90210
Programs: Loyal Order of Water Buffalos
Posts: 3,937
I SO wished the cops were interested enough to show up and arrest the ticket holder, but they were not interested in doing that.
#81
Join Date: Aug 2010
Programs: jetblue mosaic, spg plat/ambassador, UA GS, AA EXP
Posts: 163
Respectfully disagree. You could see a variety of industry studies like the most recent VZ DBIR, the Mandiant report, anything from Krebs, etc., but in general the "hacking" is most likely a keylogger running on one of the many computers s/he has logged into over the years. The criminals have a variety of ways of monetizing stolen accounts. I had to work a breach of a large payment processor a couple months ago that was having rewards accounts logged into using valid creds, where the criminal was transferring points to Apple gift cards and then resold them on eBay.
#82
Join Date: Jan 2012
Location: NY/NJ USA
Programs: BAEC Gold, Marriott Platinum, HHonors Diamond
Posts: 137
^ +1
Call me paranoid, but people's willingness to type a password into a random text box on an unknown website without thinking of the possible consequences is worrying!
#83
Join Date: Aug 2002
Location: YYZ
Programs: BA Gold/Marriott Gold/HH Diamond/IC Plat Amba
Posts: 5,990
I rarely check on my SPG balance but got my e-statement today and sure enough I have been cleaned out by some hacker transferring to Etihad. While I hate the idea that I might lose all the points, it's a good kick in the butt to change all my other website passwords. I've been lucky that this is the first time I've had this happen. I'd hate it to be my various banking websites.
#84
Join Date: Oct 2012
Posts: 970
#85
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,308
Either way they really need to increase and review their own security, password length/strength, internal procedures to make sure verbal passwords are never the same as a members passwords and are never revealed internally, and so on. Another good security measure would be a different way to enter the verbal password so as not to have to give it to an agent at all (keypad entry, for example.)
Unfortunately, given their history ... but one can always hope for enlightenment.
-David
#86
Join Date: Sep 1999
Programs: AA EXP, SPG PLT, Hyatt DIA, Hilton GLD
Posts: 974
Or they are being targeted directly or indirectly.
#87
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,308
Yes, you do... not creating it... You need it for anything you do over the phone involving your points or your reservations. Many awards can't be booked online. Some changes can't be done easily online either. They use the verbal password as one of several things they try to use to confirm your identity. They ask you for it when they need it to help confirm your identity.
It's more like an account PIN, and maybe it would be better if that's what they called it, and their software should make sure it's not the same as your account password. At least they make you pick a 6-character minimum now.
-David
#88
A FlyerTalk Posting Legend
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,409
SPG could also restrict transfers out of Starpoints into airline accounts that have not been open for a while or even those into which no airline points have yet been earned. The MO for this fraud seems to be that someone finds the SPG account and password, opens an airline account in that name, and then uses the transferred miles to issue an award ticket in a different person's name. If the airline doesn't have more controls on the scenario of a new account, miles transferred in and then immediately going out as an award ticket in a different name, then SPG should restrict such transfers or at least strongly investigate their legitimacy before approving the transfer. SPG transfers don't seem to be instantaneous so we can hardly count on the strategy of finding award space and then transferring from SPG immediately anyway.
I assume SPG is enforcing the control of only allowing Starpoints to airline FF program transfers when the names and addresses on the two accounts are the same or at least similar (initials versus full name, middle name, etc., or home and business addresses in same city).
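An added example, not SPG's code and not from any poster: the transfer-out controls proposed in the post above, written as a decision function a loyalty program could run before releasing a points-to-airline transfer. The record layout, the 90-day age threshold, the city comparison and the sample accounts are all assumptions made for the example.

```python
"""Gate a points-to-airline transfer on the controls proposed in the thread:
name compatibility (initials, middle names), same city, destination account
age, and whether the destination has ever earned miles on its own.

Added example; field names, thresholds and sample accounts are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    first: str
    middle: str        # "" when the program does not hold one
    last: str
    city: str
    opened: date
    earned_points: int  # earned through flying/stays, not transferred in


def _norm(s: str) -> str:
    """Lower-case and keep letters only, so 'J.' and 'j' compare equal."""
    return "".join(ch for ch in s.lower() if ch.isalpha())


def _same_or_initial(x: str, y: str) -> bool:
    """True for identical names or a single initial matching a full name."""
    x, y = _norm(x), _norm(y)
    if x == y:
        return True
    return (len(x) == 1 and y.startswith(x)) or (len(y) == 1 and x.startswith(y))


def names_compatible(a: Account, b: Account) -> bool:
    """Same surname and a compatible given name. A missing middle name on
    either side is tolerated (programs rarely hold it consistently), but two
    present middle names that contradict each other are not."""
    if _norm(a.last) != _norm(b.last):
        return False
    if not _same_or_initial(a.first, b.first):
        return False
    if a.middle and b.middle and not _same_or_initial(a.middle, b.middle):
        return False
    return True


def transfer_decision(src: Account, dst: Account, today: date,
                      min_age_days: int = 90) -> tuple:
    """Return (decision, reasons). Name mismatch is a hard DENY; the other
    signals (different city, brand-new destination, never earned a mile)
    send the transfer to manual REVIEW instead of releasing it.

    Note the fraud pattern the post describes: the attacker opens the airline
    account in the victim's own name, so the name check passes by design and
    it is the age and earned-miles checks that catch the transfer.
    """
    reasons = []
    if not names_compatible(src, dst):
        reasons.append("name mismatch")
    if _norm(src.city) != _norm(dst.city):
        reasons.append("address city mismatch")
    if (today - dst.opened).days < min_age_days:
        reasons.append("destination account newer than %d days" % min_age_days)
    if dst.earned_points == 0:
        reasons.append("destination account has never earned miles")
    if "name mismatch" in reasons:
        return "DENY", reasons
    if reasons:
        return "REVIEW", reasons
    return "APPROVE", reasons


# Constructed sample accounts.
SRC = Account("Jonathan", "A", "Smith", "Toronto", date(2005, 3, 1), 120000)
DST_NEW = Account("Jonathan", "", "Smith", "Toronto", date(2013, 1, 2), 0)
DST_OLD = Account("J", "Alexander", "Smith", "Toronto", date(2008, 6, 1), 45000)
DST_OTHER = Account("Jane", "", "Smith", "Toronto", date(2008, 6, 1), 45000)
TODAY = date(2013, 1, 5)

if __name__ == "__main__":
    for label, dst in (("new", DST_NEW), ("old", DST_OLD), ("other", DST_OTHER)):
        print(label, transfer_decision(SRC, dst, TODAY))
```

Holding rather than denying on the soft signals keeps legitimate first-time transfers (a member who genuinely just opened an airline account) from failing outright, while still breaking the attacker's cycle of transfer-then-immediately-redeem; the delay the post notes in SPG transfers is already most of that control.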
#89
Moderator: CommunityBuzz!, OMNI, OMNI/PR, and OMNI/Games & FlyerTalk Evangelist
Join Date: Nov 2000
Location: ORD (MDW stinks)
Programs: UAMM, AAMM & ExPlat, Marriott lifetime Plat, IHG Plat, Hilton Diamond
Posts: 23,506
Probably right; however, I still would like to see that person pulled aside at the airport, so that it is a painful event for them, as I'm just guessing here, the deal was too good to be true. Might even make the news so that other folks might think twice about where they purchase their tickets.
Disappointing to hear; perhaps because it is fraud it is not the proper authority to get involved?
Did SPG corp become involved and if so, what was resolution?
Did you try sending story to local newspapers or TV? (most have a Consumer Help/Ombudsman section)
Perhaps even send to travel magazines such as http://www.cntraveler.com/ombudsman
--
#90
Join Date: Aug 2010
Location: Formerly Box 350, Boston Mass, Oh two one three four. Now near Beverly Hills 90210
Programs: Loyal Order of Water Buffalos
Posts: 3,937