Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > United Airlines | MileagePlus
Reload this Page >

2014 UA Issued Awards on Air China (CA) Are Mysteriously Being Canceled (Hacked?)

2014 UA Issued Awards on Air China (CA) Are Mysteriously Being Canceled (Hacked?)

    Hide Wikipost
Old May 13, 14, 4:42 am   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: Pat89339
Wiki Link
A number of folks with award flights booked on CA (Air China) found their reservations cancelled. The only notification of cancellation appears to be an email in from UA written in chinese. UA reps confirmed that cancellations were made online and CA award space was no longer available. UA can rebook on other flights when award space is available.

It is plausible that a third party with access to PNR and pax name on the flight can fraudulently cancel an existing itinerary and book the reopened award seat.

Affected FlyerTalk members with links to where in this discussion they posted their experiences include:
  1. MikeMpls
  2. nihaoa
  3. lewende Reported 4 friends with this issue
  4. ordbkk
  5. twebst
  6. kb1992
  7. litesleeper
  8. zombietooth
  9. critten Reported 2/3 confirmations (3 people CA Business class) cancelled at the same time
  10. skyvanman Also 1 friend with the issue
  11. chris1234
  12. atiger29
  13. bubble o bill
  14. genemk2
  15. jefftiger
  16. CuddlyFlyer
  17. gpeso8
  18. imm2b
  19. acf1270
  20. dgxoxo
  21. ACM two passengers
Originally Posted by ordbkk View Post
It seems everybody wants to see the message.. here was mine:
united.com 通知 - 航班预订取消
2014年4月17日 (星期四)
united.com | 优惠促销 | 预订 | 赢取前程万里 (MileagePlus) 奖励里程 | 我的帐户

先生 ORDBKK
您的预订 MYRES123 已取消,我们已收到您的退款申请。申请信用卡退款需 7 个工作日。如果信用卡退款未在一个付款周期内寄出,请联系信用卡公司。对于包括现金退款在内的 所有其他形式 的付款,需要 20 个工作日。

如需详细信息或查看退款的状态,请访问 united.com 并提供您的机票号码。

感谢您使用 united.com

电子邮件信息
请不要使用回复地址回复此邮件。
此电子邮件中的信息仅供原接收人使用。
如果您遇到技术问题,请通过电子邮件或电话联系 united.com 服务支持。
通知:机票取消确认
电子邮件地址: [email protected]

Originally Posted by ordbkk View Post
For tracking purposes, I went through the 27 pages of this thread and compiled a list of those affected:

MikeMpls
nihaoa
lewende (reported 4 friends with this issue)
ordbkk
twebst
kb1992
litesleeper
zombietooth
critten
skyvanman (also 1 friend with the issue)
jefftiger (but, happened during October 2013)

So we're at 13 people affected, although some like critten have had multiple trips canceled.
From what I understand, all of these occurred in the last 3 weeks.
Print Wikipost

Old Apr 12, 14, 10:01 pm
  #91  
 
Join Date: Apr 2000
Location: Chicago Illinois
Programs: 1MM UA
Posts: 1,750
Originally Posted by lewende View Post
...
People in this hemisphere may not be aware of how booming a business is at China right now for award seat scalping. Due to the language and food preference, CA (Air China) F and C cabin award seats are in high demand from Chinese travelers. As such, award seat scalpers in China are constantly looking for TPAC award inventory for their clients and if they find no inventories available, they will create availability by themselves.

...
If this hypothesis is correct, then soon after the award seats were
cancelled, someone booked one or other of the two legs with an
award seat. Seems it ought to be fairly easy for an IT person to track
down, if United and Air China cooperate. And if there is a pattern,
the "scalpers" could be identified.
sosafan is offline  
Old Apr 12, 14, 10:04 pm
  #92  
Suspended
 
Join Date: Aug 2005
Location: BOS
Posts: 15,027
Originally Posted by nihaoa View Post
I am victim 1. This is what I got from UA--"I can confirm, our system indicates someone logged in as a guest, canceled XXXXXX at 10:42pm and then canceled XXXXXX at 10:50pm".
Dieuwer is offline  
Old Apr 12, 14, 10:12 pm
  #93  
 
Join Date: Aug 2011
Location: 10^7 mm from Ȱ
Programs: Hyatt D/HHonors D/ SPG P/ Marriott P/ IHG P/ UA 1K/ AA EXP/ DL D
Posts: 1,959
Originally Posted by sosafan View Post
If this hypothesis is correct, then soon after the award seats were
cancelled, someone booked one or other of the two legs with an
award seat. Seems it ought to be fairly easy for an IT person to track
down, if United and Air China cooperate. And if there is a pattern,
the "scalpers" could be identified.
Agree, but this needs cooperation between UA and CA, which I will not hold my breath onto it.

At the end of the day, it would be best for everybody if UA may enhance the security features of online award ticket cancellation to prevent such incidents from happening again.
lewende is offline  
Old Apr 13, 14, 3:24 am
  #94  
 
Join Date: Jun 2003
Location: Seattle WA
Programs: AS 100K, Marriott LT Gold
Posts: 1,810
Originally Posted by mahasamatman View Post
It works - not really better or worse than any other.
Really? Have you tried a DL or even AA award booking recently???

I don't have much nice to say about UA these days, but online award booking and the mobile app are among the few things it does best compared to DL/AA
Tracer_SEA is offline  
Old Apr 13, 14, 6:44 am
  #95  
 
Join Date: Sep 2008
Location: SF Bay Area
Programs: None - previously UA
Posts: 4,209
Originally Posted by nihaoa View Post
I am victim 1. This is what I got from UA--"I can confirm, our system indicates someone logged in as a guest, canceled XXXXXX at 10:42pm and then canceled XXXXXX at 10:50pm".
Basically United needs to responsible for tickets cancelled in this manner and re-instate on the original itin booked in original class or find suitable alternatives until they fix the their website security issues.
escapefromphl is offline  
Old Apr 13, 14, 9:13 am
  #96  
FlyerTalk Evangelist
 
Join Date: Jun 2005
Posts: 36,960
Originally Posted by nihaoa View Post
I am victim 1. This is what I got from UA--"I can confirm, our system indicates someone logged in as a guest, canceled XXXXXX at 10:42pm and then canceled XXXXXX at 10:50pm".
Originally Posted by dieuwer2 View Post
In other words, they cancelled it with name + PNR rather than from the account that booked the tickets.
Loren Pechtel is online now  
Old Apr 13, 14, 11:53 pm
  #97  
 
Join Date: Jan 2010
Location: SAN
Posts: 147
Originally Posted by Loren Pechtel View Post
In other words, they cancelled it with name + PNR rather than from the account that booked the tickets.
yep, since there is straight to cancel without any other verification....
thinthin is offline  
Old Apr 14, 14, 2:17 am
  #98  
 
Join Date: Jul 2003
Location: BOS, PVG
Programs: United Global Services and 1MM, Marriott Ambassador
Posts: 9,294
Originally Posted by channa View Post
Don't worry about the IP address comment. The history in SHARES is so convoluted, they probably didn't read it right anyway.
Does UA keep track of IP address when people log on MP account?
kb1992 is offline  
Old Apr 14, 14, 2:58 am
  #99  
 
Join Date: Jun 2003
Location: Seattle WA
Programs: AS 100K, Marriott LT Gold
Posts: 1,810
They should, but I found it very hard to believe upthread that UA phone agents have access to see the IP address and confirm it was same as the one that booked the ticket in the first place. Perhaps the agent was confused and thought they were referring to MP #... Or the agent was making something up.
Tracer_SEA is offline  
Old Apr 14, 14, 5:57 am
  #100  
A FlyerTalk Posting Legend
 
Join Date: Apr 2001
Location: NYC
Posts: 69,211
Originally Posted by channa View Post
Don't worry about the IP address comment. The history in SHARES is so convoluted, they probably didn't read it right anyway.
Not really. The IP address of every single action is logged pretty clearly in the PNR notes. I've got a printout of a recent trip and it reads something like this:
Code:
1. WEB CO*COM RESERVATIONS - ua
2. AVAILABILITY SOURCE - ITA
3. WEB CLIENT 24.215.NNN.YYY - PERFORMREWARDUPGRADE
...
The IP info is very, very clear.
Originally Posted by kb1992 View Post
Does UA keep track of IP address when people log on MP account?
Yes. Every action on a record is quite closely tracked.
Originally Posted by dieuwer2 View Post
Could this possibly be related to "HeartBleed"?
Unlikely for a variety of reasons. Among them UA uses Microsoft IIS and ASP.NET on their back-end systems, not OpenSSL, as I understand it.
sbm12 is offline  
Old Apr 14, 14, 6:13 am
  #101  
 
Join Date: Jul 2003
Location: BOS, PVG
Programs: United Global Services and 1MM, Marriott Ambassador
Posts: 9,294
Originally Posted by sbm12 View Post
Not really. The IP address of every single action is logged pretty clearly in the PNR notes.

Yes. Every action on a record is quite closely tracked.

Why does UA spend such resource on keeping track of IP address of every single action on a PNR?

Don't they have other better things to do, such as improving their website?
kb1992 is offline  
Old Apr 14, 14, 7:00 am
  #102  
 
Join Date: Jul 2000
Location: AUH
Posts: 7,948
Originally Posted by kb1992 View Post
Why does UA spend such resource on keeping track of IP address of every single action on a PNR?

Don't they have other better things to do, such as improving their website?
You do realise the IP addresses are not inputted manually into the PNR, right?

Also, I'm surprised you can't see the benefit of knowing the IP of the computer which actioned changes on the PNR.
stargold is online now  
Old Apr 14, 14, 7:10 am
  #103  
 
Join Date: Nov 2013
Location: NYC / TYO / Up in the Air
Programs: UA GS 1.5MM, AA 2MM, EK, BA, SQ, CX, Marriot LT, Accor P
Posts: 4,993
Originally Posted by stargold View Post
You do realise the IP addresses are not inputted manually into the PNR, right?

Also, I'm surprised you can't see the benefit of knowing the IP of the computer which actioned changes on the PNR.
So, assuming that the IP is part of the record sent to AC - would be really quite trivial to spoof that IP when cancelling - thus covering their tracks easily and making UA think the original person did it....
bmwe92fan is online now  
Old Apr 14, 14, 7:21 am
  #104  
FlyerTalk Evangelist
 
Join Date: Mar 2012
Posts: 16,049
Originally Posted by stargold View Post
You do realise the IP addresses are not inputted manually into the PNR, right?

Also, I'm surprised you can't see the benefit of knowing the IP of the computer which actioned changes on the PNR.
Limited benefit. My devices have different IP addresses when I'm at home or on the road. So do yours.
kale73 is offline  
Old Apr 14, 14, 8:28 am
  #105  
 
Join Date: Jul 2000
Location: AUH
Posts: 7,948
Originally Posted by bmwe92fan View Post
So, assuming that the IP is part of the record sent to AC - would be really quite trivial to spoof that IP when cancelling - thus covering their tracks easily and making UA think the original person did it....
The IP address logged in this manner is not the type of information that will be conveyed to CA, since the information can only be "shared with" other carriers if they are contained in the SSR/OSI sections, which are separate from the internal comments section of the PNR which is where the IP address is most likely listed. So having access to the PNR through CA's side of the system will be unlikely to reveal the IP address.
Originally Posted by kale73 View Post
Limited benefit. My devices have different IP addresses when I'm at home or on the road. So do yours.
Even if you are using different locations for access, there is likely to be enough information that can be gleaned from the IP addresses and their pattern such as the geographical location and pattern of use.

Of course, the IP address is not foolproof so it won't help against an intelligent and determined attacker, but then again we still have locks on various doors even though they can be picked or otherwise defeated, right?
stargold is online now  

Thread Tools
Search this Thread