UA Account Hacked / Reports of Fraudulent Award Travel Redemption
 

Hey all. Just had a post-Xmas surprise in that someone hacked my account and did the following:

1. Purchased 3x revenue tickets, for 3 separate people, using my corporate card saved in my account for a total of ~$5k.
2. Used GPUs/RPUs to upgrade said tickets.
3. Used half my miles in my account for an award flight and charged the taxes and fees to my CC.
4. Booked a hotel with the other half of my miles, taking me down to just a few thousand total.

I got through to a fraud rep in Manila and she started the process of refunding everything. So far I have only gotten a refund on the CC for one of the flights and the miles for the award flight.

What really bothers me about this is that all it takes for someone to go into your account and do this is your MP# and your 4 digit PIN. The rep indicated there's no way at the moment to have the login more secure, but she hinted they are working on something this year that will allow it to be password-protected instead of just the PIN.

Either way, it's really shoddy that someone can access your account, create new travelers, drain all your miles, and charge up thousands on your CC with just a 4 digit PIN and no login captcha or the like to prevent brute force attacks. Sites like Amazon do this properly in that if you go to add a new shipping address, you have to confirm the full 16-digit CC # before you can charge a stored CC and ship it to that address.

Anyone else have this happen to them or know of any way to make their accounts more secure to prevent this?

I don't use a 4 digit pin, I use a password, for my MP account.

Go to united, login, go to My Mileageplus, scroll down. The Profile section at the bottom has a place to "set password".

I also only have 1 credit card attached to my account, its a $0 gift card and type in my credit card number when I purchase.

Yes, I've gone ahead now and set a password, but form what I see now and what the rep told me, I can still login with my MP# and PIN. Can add travelers and whatnot too.

Did you pull your credit card data out?

Captchas are like the TSA... security theatre, not effective against someone who is determined to get through. It's far more likely that a username and password/pin was compromised by malicious software on a computer used to access the site, than password guessing. Public computers (think hotel business center) and public wifi hotspots are far more likely places to loose control of your account.

I'll second the notion above... Security is in your hands, use a strong password on your account to protect it (and not a password you use on some other account), then avoid public computers and public wifi when you're accessing Any account of value.

Yup

I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.

This is all unfathomably ballsy. Flying is awfully hard to do without revealing your identity. Maybe it's a scam where they collect cash from someone for "totally legitimate plane tickets." Seems crazy though.

Concur that it is extremely worrying re: the real lack of security to access MP account info, but in terms of tracking these purchases, it should be fairly easy for UA (or the police if they get involved) given the names that have to be attached to each reservation....can imagine the authorities being alerted to someone trying to check in for / board these flights.....

.....unless the perps realize that they didn't get away with it / their reservations have been cancelled and don't even attempt to fly. UA should almost just leave them in tact and trap them at the airport.

Not sure UA is really in the trapping business...

Sorry to hear of the hacking, brp1264.

Yup, just changed my password but can still access my account with the 4-digit PIN.

Did you make report to police/FBI? If they got tickets, the tickets will have names on them and the hotel will too, though hotel may just be your name.

You need to remove the pin after you set up the password.

1. Do not use a 4-digit PIN, stick to a passphrase (UA can acommodate up to 20 characters).
2. Do not ever store CC information with online accounts (not just UA).
3. Call the CC issuer and have a new card # issued. The bad guys have your 3-digit code and can use the card for other stuff too.

This is almost certainly a commercial operation in which some suckers were sold ultra-cheap F /C tickets. Yes, they will now show up at some departure airport and their tickets won't be valid, but that is between them and the crooks who hacked your account.

There are a number of things which UA and others could do to make access more secure, but that would make customers crazy and they would complain. For instance, logging in could require that you enter a code texted or phoned to you. It could require you to answer security questions each time.

Have you asked for the PIN to be removed from your account? Not sure if that's even possible, I haven't tried. You can always change it to a random number and never use it again.

United.com doesn't show the full card number, and doesn't show the CVV (3 or 4 digit security code). In fact, they aren't even allowed to store the security code on their servers. There's no reason to go through the hassle of getting a new card when there is next to zero chance these criminals could retrieve the whole card number.

I find it incredible the site uses only a PIN for security. Does the website at least lock out after several failed attempts?