UA Account Hacked / Reports of Fraudulent Award Travel Redemption
Hey all. Just had a post-Xmas surprise in that someone hacked my account and did the following:
I got through to a fraud rep in Manila and she started the process of refunding everything. So far I have only gotten a refund on the CC for one of the flights and the miles for the award flight. What really bothers me about this is that all it takes for someone to go into your account and do this is your MP# and your 4 digit PIN. The rep indicated there's no way at the moment to have the login more secure, but she hinted they are working on something this year that will allow it to be password-protected instead of just the PIN. Either way, it's really shoddy that someone can access your account, create new travelers, drain all your miles, and charge up thousands on your CC with just a 4 digit PIN and no login captcha or the like to prevent brute force attacks. Sites like Amazon do this properly in that if you go to add a new shipping address, you have to confirm the full 16-digit CC # before you can charge a stored CC and ship it to that address. Anyone else have this happen to them or know of any way to make their accounts more secure to prevent this? |
I don't use a 4 digit pin, I use a password, for my MP account.
Go to united, log in, go to My Mileageplus, scroll down. The Profile section at the bottom has a place to "set password". I also only have 1 credit card attached to my account, it's a $0 gift card and type in my credit card number when I purchase. |
Originally Posted by Akulashark
(Post 22096724)
I don't use a 4 digit pin, I use a password, for my MP account.
Go to united, log in, go to My Mileageplus, scroll down. The Profile section at the bottom has a place to "set password". I also only have 1 credit card attached to my account, it's a $0 gift card and type in my credit card number when I purchase. |
Did you pull your credit card data out?
|
Captchas are like the TSA... security theatre, not effective against someone who is determined to get through. It's far more likely that a username and password/pin was compromised by malicious software on a computer used to access the site, than password guessing. Public computers (think hotel business center) and public wifi hotspots are far more likely places to lose control of your account.
I'll second the notion above... Security is in your hands, use a strong password on your account to protect it (and not a password you use on some other account), then avoid public computers and public wifi when you're accessing Any account of value. |
Originally Posted by Akulashark
(Post 22096792)
Did you pull your credit card data out?
Originally Posted by valleygeek
(Post 22096801)
I'll second the notion above... Security is in your hands, use a strong password on your account to protect it (and not a password you use on some other account), then avoid public computers and public wifi when you're accessing Any account of value.
|
This is all unfathomably ballsy. Flying is awfully hard to do without revealing your identity. Maybe it's a scam where they collect cash from someone for "totally legitimate plane tickets." Seems crazy though.
|
Originally Posted by brp1264
(Post 22096675)
.....unless the perps realize that they didn't get away with it / their reservations have been cancelled and don't even attempt to fly. UA should almost just leave them intact and trap them at the airport. |
Originally Posted by GroundStop
(Post 22097009)
...unless the perps realize that they didn't get away with it / their reservations have been cancelled and don't even attempt to fly. UA should almost just leave them intact and trap them at the airport.
|
Sorry to hear of the hacking, brp1264.
Originally Posted by brp1264
(Post 22096911)
I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.
|
Did you make a report to police/FBI? If they got tickets, the tickets will have names on them and the hotel will too, though hotel may just be your name.
|
Originally Posted by FlytheTail
(Post 22097079)
Sorry to hear of the hacking, brp1264.
Yup, just changed my password but can still access my account with the 4-digit PIN. |
1. Do not use a 4-digit PIN, stick to a passphrase (UA can accommodate up to 20 characters).
2. Do not ever store CC information with online accounts (not just UA).
3. Call the CC issuer and have a new card # issued. The bad guys have your 3-digit code and can use the card for other stuff too.
This is almost certainly a commercial operation in which some suckers were sold ultra-cheap F/C tickets. Yes, they will now show up at some departure airport and their tickets won't be valid, but that is between them and the crooks who hacked your account. There are a number of things which UA and others could do to make access more secure, but that would make customers crazy and they would complain. For instance, logging in could require that you enter a code texted or phoned to you. It could require you to answer security questions each time. |
Originally Posted by brp1264
(Post 22096911)
I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.
Originally Posted by Often1
(Post 22097114)
3. Call the CC issuer and have a new card # issued. The bad guys have your 3-digit code and can use the card for other stuff too.
|
I find it incredible the site uses only a PIN for security. Does the website at least lock out after several failed attempts?
|