Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > United Airlines | MileagePlus
Reload this Page >

UA Account Hacked / Reports of Fraudulent Award Travel Redemption

UA Account Hacked / Reports of Fraudulent Award Travel Redemption

    Hide Wikipost
Old Sep 8, 18, 6:59 am   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: WineCountryUA
Wiki Link
This thread to follow reports of MP accounts that actually have been hacked / improperly accessed. If you have missing miles and beleive you have been hacked, contact [email protected]

In Suspended MP Accounts / Third Party Vendor "Security Breach?" - Dec 2014 there is discussion of a security breach of a 3rd party that UA seems to believe may lead to inappropriate access to UA accounts via the username method of logging into united.com. Let's follow the breach and log-in changes in the above thread.

A separate(?) "access denied" issue is covered in Consolidated " Is united.com or parts of it Down?" thread
Print Wikipost

Reply

Old Jan 6, 14, 12:21 pm
  #1  
Original Poster
 
Join Date: Nov 2011
Location: IAH
Programs: UA 1K, MR Bonvoy Bonzaiiiii, National EE
Posts: 616
UA Account Hacked / Reports of Fraudulent Award Travel Redemption

Hey all. Just had a post-Xmas surprise in that someone hacked my account and did the following:
  1. Purchased 3x revenue tickets, for 3 separate people, using my corporate card saved in my account for a total of ~$5k.
  2. Used GPUs/RPUs to upgrade said tickets.
  3. Used half my miles in my account for an award flight and charged the taxes and fees to my CC.
  4. Booked a hotel with the other half of my miles, taking me down to just a few thousand total.

I got through to a fraud rep in Manila and she started the process of refunding everything. So far I have only gotten a refund on the CC for one of the flights and the miles for the award flight.

What really bothers me about this is that all it takes for someone to go into your account and do this is your MP# and your 4 digit PIN. The rep indicated there's no way at the moment to have the login more secure, but she hinted they are working on something this year that will allow it to be password-protected instead of just the PIN.

Either way, it's really shoddy that someone can access your account, create new travelers, drain all your miles, and charge up thousands on your CC with just a 4 digit PIN and no login captcha or the like to prevent brute force attacks. Sites like Amazon do this properly in that if you go to add a new shipping address, you have to confirm the full 16-digit CC # before you can charge a stored CC and ship it to that address.

Anyone else have this happen to them or know of any way to make their accounts more secure to prevent this?
brp1264 is offline  
Reply With Quote
Old Jan 6, 14, 12:27 pm
  #2  
 
Join Date: Feb 2007
Programs: United 1K, Delta PM, Hilton Diamond, Starwood Gold, National Exec. Elite
Posts: 1,406
I don't use a 4 digit pin, I use a password, for my MP account.

Go to united, login, go to My Mileageplus, scroll down. The Profile section at the bottom has a place to "set password".

I also only have 1 credit card attached to my account, its a $0 gift card and type in my credit card number when I purchase.
Akulashark is offline  
Reply With Quote
Old Jan 6, 14, 12:32 pm
  #3  
Original Poster
 
Join Date: Nov 2011
Location: IAH
Programs: UA 1K, MR Bonvoy Bonzaiiiii, National EE
Posts: 616
Originally Posted by Akulashark View Post
I don't use a 4 digit pin, I use a password, for my MP account.

Go to united, login, go to My Mileageplus, scroll down. The Profile section at the bottom has a place to "set password".

I also only have 1 credit card attached to my account, its a $0 gift card and type in my credit card number when I purchase.
Yes, I've gone ahead now and set a password, but form what I see now and what the rep told me, I can still login with my MP# and PIN. Can add travelers and whatnot too.
brp1264 is offline  
Reply With Quote
Old Jan 6, 14, 12:36 pm
  #4  
 
Join Date: Feb 2007
Programs: United 1K, Delta PM, Hilton Diamond, Starwood Gold, National Exec. Elite
Posts: 1,406
Did you pull your credit card data out?
Akulashark is offline  
Reply With Quote
Old Jan 6, 14, 12:37 pm
  #5  
 
Join Date: Dec 2013
Location: San Francisco Bay Area
Programs: United - GS
Posts: 6
Captchas are like the TSA... security theatre, not effective against someone who is determined to get through. It's far more likely that a username and password/pin was compromised by malicious software on a computer used to access the site, than password guessing. Public computers (think hotel business center) and public wifi hotspots are far more likely places to loose control of your account.

I'll second the notion above... Security is in your hands, use a strong password on your account to protect it (and not a password you use on some other account), then avoid public computers and public wifi when you're accessing Any account of value.
valleygeek is offline  
Reply With Quote
Old Jan 6, 14, 12:45 pm
  #6  
Original Poster
 
Join Date: Nov 2011
Location: IAH
Programs: UA 1K, MR Bonvoy Bonzaiiiii, National EE
Posts: 616
Originally Posted by Akulashark View Post
Did you pull your credit card data out?
Yup

Originally Posted by valleygeek View Post
I'll second the notion above... Security is in your hands, use a strong password on your account to protect it (and not a password you use on some other account), then avoid public computers and public wifi when you're accessing Any account of value.
I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.

Last edited by iluv2fly; Jan 6, 14 at 2:39 pm Reason: merge
brp1264 is offline  
Reply With Quote
Old Jan 6, 14, 12:58 pm
  #7  
 
Join Date: Aug 2011
Programs: UA 1K
Posts: 8,634
This is all unfathomably ballsy. Flying is awfully hard to do without revealing your identity. Maybe it's a scam where they collect cash from someone for "totally legitimate plane tickets." Seems crazy though.
mgcsinc is offline  
Reply With Quote
Old Jan 6, 14, 1:00 pm
  #8  
 
Join Date: Apr 2006
Location: SFO
Programs: UA Premier Platinum (and falling fast)
Posts: 565
Originally Posted by brp1264 View Post
  1. Purchased 3x revenue tickets, for 3 separate people, using my corporate card saved in my account for a total of ~$5k.
  2. Used GPUs/RPUs to upgrade said tickets.
  3. Used half my miles in my account for an award flight and charged the taxes and fees to my CC.
  4. Booked a hotel with the other half of my miles, taking me down to just a few thousand total.
Concur that it is extremely worrying re: the real lack of security to access MP account info, but in terms of tracking these purchases, it should be fairly easy for UA (or the police if they get involved) given the names that have to be attached to each reservation....can imagine the authorities being alerted to someone trying to check in for / board these flights.....

.....unless the perps realize that they didn't get away with it / their reservations have been cancelled and don't even attempt to fly. UA should almost just leave them in tact and trap them at the airport.
GroundStop is offline  
Reply With Quote
Old Jan 6, 14, 1:04 pm
  #9  
 
Join Date: Aug 2011
Programs: UA 1K
Posts: 8,634
Originally Posted by GroundStop View Post
...unless the perps realize that they didn't get away with it / their reservations have been cancelled and don't even attempt to fly. UA should almost just leave them in tact and trap them at the airport.
Not sure UA is really in the trapping business...
mgcsinc is offline  
Reply With Quote
Old Jan 6, 14, 1:07 pm
  #10  
 
Join Date: Oct 2004
Location: Anywhere but home
Programs: UA 1K, AA EXP, DL 1MM/SM, HH Gold, AClub Plat, PC Plat, MR Gold
Posts: 4,164
Sorry to hear of the hacking, brp1264.

Originally Posted by brp1264 View Post
I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.
Yup, just changed my password but can still access my account with the 4-digit PIN.
FlytheTail is online now  
Reply With Quote
Old Jan 6, 14, 1:08 pm
  #11  
FlyerTalk Evangelist
 
Join Date: Jul 1999
Posts: 10,574
Did you make report to police/FBI? If they got tickets, the tickets will have names on them and the hotel will too, though hotel may just be your name.
Baze is offline  
Reply With Quote
Old Jan 6, 14, 1:09 pm
  #12  
 
Join Date: Apr 2011
Location: BOS;NYC;YVR;YYZ;DEL;BOM
Programs: Amex Plat; HH Diamond; SPG Plat; Hyatt Diamond; United 1K; National EE; HSBC Premier
Posts: 526
Originally Posted by FlytheTail View Post
Sorry to hear of the hacking, brp1264.
Yup, just changed my password but can still access my account with the 4-digit PIN.
You need to remove the pin after you set up the password.
sahiljain22 is offline  
Reply With Quote
Old Jan 6, 14, 1:10 pm
  #13  
A FlyerTalk Posting Legend
 
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 41,265
1. Do not use a 4-digit PIN, stick to a passphrase (UA can acommodate up to 20 characters).
2. Do not ever store CC information with online accounts (not just UA).
3. Call the CC issuer and have a new card # issued. The bad guys have your 3-digit code and can use the card for other stuff too.

This is almost certainly a commercial operation in which some suckers were sold ultra-cheap F /C tickets. Yes, they will now show up at some departure airport and their tickets won't be valid, but that is between them and the crooks who hacked your account.

There are a number of things which UA and others could do to make access more secure, but that would make customers crazy and they would complain. For instance, logging in could require that you enter a code texted or phoned to you. It could require you to answer security questions each time.
Often1 is online now  
Reply With Quote
Old Jan 6, 14, 1:11 pm
  #14  
 
Join Date: Dec 2013
Location: San Francisco Bay Area
Programs: United - GS
Posts: 6
Originally Posted by brp1264 View Post
I'd love to use a strong password, but from what I see and have been told by the rep, a simple 4 digit pin is all that is needed to get into the account and have at it.
Have you asked for the PIN to be removed from your account? Not sure if that's even possible, I haven't tried. You can always change it to a random number and never use it again.

Originally Posted by Often1 View Post
3. Call the CC issuer and have a new card # issued. The bad guys have your 3-digit code and can use the card for other stuff too.
United.com doesn't show the full card number, and doesn't show the CVV (3 or 4 digit security code). In fact, they aren't even allowed to store the security code on their servers. There's no reason to go through the hassle of getting a new card when there is next to zero chance these criminals could retrieve the whole card number.

Last edited by iluv2fly; Jan 6, 14 at 2:39 pm Reason: merge
valleygeek is offline  
Reply With Quote
Old Jan 6, 14, 1:25 pm
  #15  
 
Join Date: Nov 2013
Posts: 91
I find it incredible the site uses only a PIN for security. Does the website at least lock out after several failed attempts?
nonstarter is offline  
Reply With Quote

Thread Tools
Search this Thread