Thank you, United: Redemption fraud caught
Aug 6, 2014, 10:06 am
#1
Original Poster
Join Date: Dec 2000
Location: San Francisco, California
Programs: UA 1K 2MM, AA CK 2MM, DL DM 1MM, WN CP, AS MVP, B6 Mosaic3, Marriott Titanium Lftm, Hyatt GLB
Posts: 943
Thank you, United: Redemption fraud caught
Got a call from United corporate security today enquiring whether I had redeemed ~800k miles from my MP account to buy an IPad and other electronics.
Someone had hacked into my account, changed the primary e-mail address, and helped themselves to my miles.
A very nice woman from United alerted me to the issue, helped me reinstate the miles, and walked me through the process of resetting my account. Thank you!
I've been guilty of using this forum to complain more than praise, so thought I should call out good customer service when I see it...
Someone had hacked into my account, changed the primary e-mail address, and helped themselves to my miles.
A very nice woman from United alerted me to the issue, helped me reinstate the miles, and walked me through the process of resetting my account. Thank you!
I've been guilty of using this forum to complain more than praise, so thought I should call out good customer service when I see it...
Aug 6, 2014, 10:10 am
#2
FlyerTalk Evangelist
Join Date: Oct 2003
Location: Floating around
Programs: UA 1K (1MM), DL Gold (1MM), Marriott LTT
Posts: 10,335
Nice job, UA! ^
-RM
-RM
Aug 6, 2014, 10:13 am
#3
Join Date: Dec 2009
Location: ORD
Posts: 869
Nice job that they proactively solved the whole thing, but they really move on from the simple 4-digit pin to a more robust password system.
Aug 6, 2014, 10:14 am
#4
Join Date: Feb 2007
Location: Suburban Philadelphia
Programs: Marriott Lifetime Plat, IHG Gold
Posts: 3,392
^ glad you didn't get hosed by the crooks.
Aug 6, 2014, 10:15 am
#5
Join Date: Dec 2012
Location: YVR, HNL
Programs: AS 75k, UA peon, BA Bronze, AC E50k, Marriott Plat, HH Diamond, Fairmont Plat (RIP)
Posts: 7,828
Got a call from United corporate security today enquiring whether I had redeemed ~800k miles from my MP account to buy an IPad and other electronics.
Someone had hacked into my account, changed the primary e-mail address, and helped themselves to my miles.
A very nice woman from United alerted me to the issue, helped me reinstate the miles, and walked me through the process of resetting my account. Thank you!
I've been guilty of using this forum to complain more than praise, so thought I should call out good customer service when I see it...
Someone had hacked into my account, changed the primary e-mail address, and helped themselves to my miles.
A very nice woman from United alerted me to the issue, helped me reinstate the miles, and walked me through the process of resetting my account. Thank you!
I've been guilty of using this forum to complain more than praise, so thought I should call out good customer service when I see it...
Aug 6, 2014, 10:21 am
#6
Join Date: Oct 2013
Location: ORD
Programs: UA Silver, Marriott Platinum/LT Platinum, Hilton Gold
Posts: 5,594
Did you not receive and email to your account when the primary email address was changed? That scares me as I don't check all my FF accounts daily, or even weekly in some cases. I have always thought that, when an email address is changed, one got an email stating the change was made and if it was me who did it, no action was necessary. If I didn't make the change, then I should contact them immediately. Didn't that happen here? Bad practice if it didn't.
Good job by UA on proactively identifying unusual account behavior though. I have a couple friends & family who have had this happen, and UA wasn't proactive, but was very easy to work with in reinstating the miles.
Aug 6, 2014, 10:24 am
#7
Join Date: Jan 2005
Location: San Francisco
Programs: All-Around Kettle
Posts: 3,287
Good to hear. ^
Aug 6, 2014, 10:26 am
#8
Join Date: Mar 2007
Posts: 4,960
800k for an ipad? They could have had some nice flights :-)
Aug 6, 2014, 10:28 am
#9
Moderator, Omni, Omni/PR, Omni/Games, FlyerTalk Posting Legend
Join Date: Oct 2004
Location: Between DCA and IAD
Programs: UA 1K MM; Hilton Diamond
Posts: 67,106
Glad to hear the positive outcome!
This does serve as yet another reminder, though, that UA needs to do away with PIN-based authentication--or require, at a minimum, a PIN and a password. It's simply too easy to hack accounts with only a 4-digit PIN controlling access.
This does serve as yet another reminder, though, that UA needs to do away with PIN-based authentication--or require, at a minimum, a PIN and a password. It's simply too easy to hack accounts with only a 4-digit PIN controlling access.
Aug 6, 2014, 10:30 am
#10
Original Poster
Join Date: Dec 2000
Location: San Francisco, California
Programs: UA 1K 2MM, AA CK 2MM, DL DM 1MM, WN CP, AS MVP, B6 Mosaic3, Marriott Titanium Lftm, Hyatt GLB
Posts: 943
Did you not receive and email to your account when the primary email address was changed? That scares me as I don't check all my FF accounts daily, or even weekly in some cases. I have always thought that, when an email address is changed, one got an email stating the change was made and if it was me who did it, no action was necessary. If I didn't make the change, then I should contact them immediately. Didn't that happen here? Bad practice if it didn't.
Aug 6, 2014, 10:32 am
#11
Join Date: Apr 2014
Location: Houston / Philadelphia
Programs: UA 1K
Posts: 276
Glad to hear it all worked out and great job UA security!
Thanks for highlighting this issue to FT. I check my account often more to check on upcoming flights seats but always look at my miles and upgrades to ensure there is no issue.
Thanks for highlighting this issue to FT. I check my account often more to check on upcoming flights seats but always look at my miles and upgrades to ensure there is no issue.
Aug 6, 2014, 11:14 am
#12
FlyerTalk Evangelist
Join Date: May 2008
Location: San Francisco
Programs: GM on VX, UA, AA, HA, AS, SY; Budget Fastbreak
Posts: 27,549
Thank you, United: Redemption fraud caught
I just read the npr story of 1 billion web id-password combos stolen. Was ual one of the corporate victims?
Aug 6, 2014, 11:21 am
#13
Join Date: Jan 2006
Posts: 134
The part that drives me crazy about United's account security is that no matter how good a password you choose, someone can get in using your MP number and a 4 digit numeric only PIN.
I haven't found a way to remove the PIN login "feature" anywhere.
I haven't found a way to remove the PIN login "feature" anywhere.
Aug 6, 2014, 11:48 am
#14
FlyerTalk Evangelist
Join Date: May 2006
Location: Pasadena, California
Programs: UA 1K, 1MM
Posts: 10,409
I'd be quite happy if this were possible. I never use my PIN to access my account. I don't even know what it is!
Aug 6, 2014, 12:19 pm
#15
Join Date: Jul 2013
Location: Kaiserslautern
Programs: UA G 1.9MM, HH Diamond, Global Entry
Posts: 439