FlyerTalk Forums


brp1264 Jan 6, 14 12:21 pm

UA Account Hacked / Reports of Fraudulent Award Travel Redemption
 
Hey all. Just had a post-Xmas surprise in that someone hacked my account and did the following:
  1. Purchased 3x revenue tickets, for 3 separate people, using my corporate card saved in my account for a total of ~$5k.
  2. Used GPUs/RPUs to upgrade said tickets.
  3. Used half my miles in my account for an award flight and charged the taxes and fees to my CC.
  4. Booked a hotel with the other half of my miles, taking me down to just a few thousand total.

I got through to a fraud rep in Manila and she started the process of refunding everything. So far I have only gotten a refund on the CC for one of the flights and the miles for the award flight.

What really bothers me about this is that all it takes for someone to go into your account and do this is your MP# and your 4 digit PIN. The rep indicated there's no way at the moment to have the login more secure, but she hinted they are working on something this year that will allow it to be password-protected instead of just the PIN.

Either way, it's really shoddy that someone can access your account, create new travelers, drain all your miles, and charge up thousands on your CC with just a 4 digit PIN and no login captcha or the like to prevent brute force attacks. Sites like Amazon do this properly in that if you go to add a new shipping address, you have to confirm the full 16-digit CC # before you can charge a stored CC and ship it to that address.

Anyone else have this happen to them or know of any way to make their accounts more secure to prevent this?

Akulashark Jan 6, 14 12:27 pm

I don't use a 4 digit pin, I use a password, for my MP account.

Go to United, log in, go to My MileagePlus, scroll down. The Profile section at the bottom has a place to "set password".

I also only have 1 credit card attached to my account; it's a $0 gift card, and I type in my credit card number when I purchase.

brp1264 Jan 6, 14 12:32 pm


Originally Posted by Akulashark (Post 22096724)
I don't use a 4 digit pin, I use a password, for my MP account.

Go to United, log in, go to My MileagePlus, scroll down. The Profile section at the bottom has a place to "set password".

I also only have 1 credit card attached to my account; it's a $0 gift card, and I type in my credit card number when I purchase.

Yes, I've gone ahead now and set a password, but from what I see now and what the rep told me, I can still log in with my MP# and PIN. Can add travelers and whatnot too.

Akulashark Jan 6, 14 12:36 pm

Did you pull your credit card data out?

valleygeek Jan 6, 14 12:37 pm

Captchas are like the TSA... security theatre, not effective against someone who is determined to get through. It's far more likely that a username and password/pin was compromised by malicious software on a computer used to access the site, than password guessing. Public computers (think hotel business center) and public wifi hotspots are far more likely places to lose control of your account.

I'll second the notion above... Security is in your hands, use a strong password on your account to protect it (and not a password you use on some other account), then avoid public computers and public wifi when you're accessing any account of value.

brp1264 Jan 6, 14 12:45 pm


Originally Posted by Akulashark (Post 22096792)
Did you pull your credit card data out?

Yup


Originally Posted by valleygeek (Post 22096801)
I'll second the notion above... Security is in your hands, use a strong password on your account to protect it (and not a password you use on some other account), then avoid public computers and public wifi when you're accessing any account of value.

I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.

mgcsinc Jan 6, 14 12:58 pm

This is all unfathomably ballsy. Flying is awfully hard to do without revealing your identity. Maybe it's a scam where they collect cash from someone for "totally legitimate plane tickets." Seems crazy though.

GroundStop Jan 6, 14 1:00 pm


Originally Posted by brp1264 (Post 22096675)
  1. Purchased 3x revenue tickets, for 3 separate people, using my corporate card saved in my account for a total of ~$5k.
  2. Used GPUs/RPUs to upgrade said tickets.
  3. Used half my miles in my account for an award flight and charged the taxes and fees to my CC.
  4. Booked a hotel with the other half of my miles, taking me down to just a few thousand total.

Concur that it is extremely worrying re: the real lack of security to access MP account info, but in terms of tracking these purchases, it should be fairly easy for UA (or the police if they get involved) given the names that have to be attached to each reservation....can imagine the authorities being alerted to someone trying to check in for / board these flights.....

.....unless the perps realize that they didn't get away with it / their reservations have been cancelled and don't even attempt to fly. UA should almost just leave them intact and trap them at the airport.

mgcsinc Jan 6, 14 1:04 pm


Originally Posted by GroundStop (Post 22097009)
...unless the perps realize that they didn't get away with it / their reservations have been cancelled and don't even attempt to fly. UA should almost just leave them intact and trap them at the airport.

Not sure UA is really in the trapping business...

FlytheTail Jan 6, 14 1:07 pm

Sorry to hear of the hacking, brp1264.


Originally Posted by brp1264 (Post 22096911)
I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.

Yup, just changed my password but can still access my account with the 4-digit PIN.

Baze Jan 6, 14 1:08 pm

Did you make a report to police/FBI? If they got tickets, the tickets will have names on them and the hotel will too, though hotel may just be your name.

sahiljain22 Jan 6, 14 1:09 pm


Originally Posted by FlytheTail (Post 22097079)
Sorry to hear of the hacking, brp1264.
Yup, just changed my password but can still access my account with the 4-digit PIN.

You need to remove the pin after you set up the password.

Often1 Jan 6, 14 1:10 pm

1. Do not use a 4-digit PIN, stick to a passphrase (UA can accommodate up to 20 characters).
2. Do not ever store CC information with online accounts (not just UA).
3. Call the CC issuer and have a new card # issued. The bad guys have your 3-digit code and can use the card for other stuff too.

This is almost certainly a commercial operation in which some suckers were sold ultra-cheap F/C tickets. Yes, they will now show up at some departure airport and their tickets won't be valid, but that is between them and the crooks who hacked your account.

There are a number of things which UA and others could do to make access more secure, but that would make customers crazy and they would complain. For instance, logging in could require that you enter a code texted or phoned to you. It could require you to answer security questions each time.

valleygeek Jan 6, 14 1:11 pm


Originally Posted by brp1264 (Post 22096911)
I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.

Have you asked for the PIN to be removed from your account? Not sure if that's even possible, I haven't tried. You can always change it to a random number and never use it again.


Originally Posted by Often1 (Post 22097114)
3. Call the CC issuer and have a new card # issued. The bad guys have your 3-digit code and can use the card for other stuff too.

United.com doesn't show the full card number, and doesn't show the CVV (3 or 4 digit security code). In fact, they aren't even allowed to store the security code on their servers. There's no reason to go through the hassle of getting a new card when there is next to zero chance these criminals could retrieve the whole card number.

nonstarter Jan 6, 14 1:25 pm

I find it incredible the site uses only a PIN for security. Does the website at least lock out after several failed attempts?
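
The lockout raised in the last post, as an added example that is not part of the thread and not United's code (the thread does not say how the site behaves): a hypothetical per-account lockout for a 4-digit PIN login, plus a check for one source failing across many accounts, replayed over constructed events. Class and function names, thresholds, and the `MP-`/`src-` labels are all assumptions.

```python
from collections import defaultdict

PIN_SPACE = 10 ** 4  # a 4-digit PIN has only 10,000 possible values


class PinLoginThrottle:
    """Hypothetical per-account lockout plus per-source failure tracking."""

    def __init__(self, max_failures=5, lock_seconds=900, spray_accounts=3):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.spray_accounts = spray_accounts
        self.failures = defaultdict(int)          # account -> consecutive failures
        self.locked_until = {}                    # account -> unlock time (seconds)
        self.failed_by_source = defaultdict(set)  # source -> accounts it failed on

    def attempt(self, now, account, source, pin_ok):
        """Return 'locked', 'ok', 'fail' or 'fail+lock' for one login attempt."""
        if self.locked_until.get(account, 0) > now:
            return "locked"  # rejected without evaluating the PIN
        if pin_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        self.failed_by_source[source].add(account)
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = 0
            return "fail+lock"
        return "fail"

    def flagged_sources(self):
        """Sources with failures on many accounts, which a per-account lock never trips on."""
        return sorted(s for s, accts in self.failed_by_source.items()
                      if len(accts) >= self.spray_accounts)


def guess_odds(guesses_allowed):
    """Chance that random guessing hits a uniformly chosen PIN within the allowance."""
    return min(guesses_allowed, PIN_SPACE) / PIN_SPACE


# Constructed sample events: (time_s, account, source, pin_ok)
SAMPLE = [(t, "MP-0001", "src-A", False) for t in range(0, 70, 10)]
SAMPLE += [(100, "MP-0002", "src-B", False), (101, "MP-0003", "src-B", False),
           (102, "MP-0004", "src-B", False), (103, "MP-0002", "src-C", True)]


def replay(events):
    throttle = PinLoginThrottle()
    return [throttle.attempt(*e) for e in events], throttle.flagged_sources()
```

With five guesses per lock window the odds of hitting a random PIN are 5 in 10,000 per window, while with no limit at all the whole space can be tried; the per-source check covers the case the per-account counter cannot see.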


All times are GMT -6.

