Hilton Honors Security Hack

Discussion in 'Hilton | HHonors' started by Terry Yap, Oct 4, 2014.

  1. Terry Yap

    Terry Yap Gold Member

    Messages:
    1,464
    Likes Received:
    2,934
    Status Points:
    1,425
    Just read on TOBB that some HHonors members have had their accounts hacked and their points used for example to purchase items. Apparently, HHonors reinstated the points after members flagged up the breach.

    Not sure how widespread this is; HHonors MPers may wish to check their accounts again and also consider changing their username/passwords if there is concern.
     
    gaijin62 and ACMM like this.
  2. techguru
    Original Member

    techguru Silver Member

    Messages:
    321
    Likes Received:
    376
    Status Points:
    520
    Perhaps this is why the website seems to be constantly updating our profiles...
     
  3. Abidjan

    Abidjan Silver Member

    Messages:
    34
    Likes Received:
    27
    Status Points:
    130
    Hilton IT at its finest - - changed my PIN, then website says my PIN wasn't changed. Subsequently received an email confirming my PIN was changed (and it was).
     
    Dublin_rfk likes this.
  4. Sammich

    Sammich Gold Member

    Messages:
    5,645
    Likes Received:
    22,442
    Status Points:
    11,025
    You can tell Hilton's IT security is a damn joke when the passwords aren't hashed.

    I get my password in clear text in the email when I try to perform a password reset.
     
    gaijin62, bigx0 and ACMM like this.
  5. lapointdm

    lapointdm Silver Member

    Messages:
    367
    Likes Received:
    537
    Status Points:
    575
    Hackers can get access to almost anything if they really want to badly enough. Even credit card companies need to worry about hacking. I think it will take a long time before security can really keep hackers out, and I could see that never actually happening...
     
  6. Sammich

    Sammich Gold Member

    Messages:
    5,645
    Likes Received:
    22,442
    Status Points:
    11,025
    That is true right now. No system is hacker proof. However, it's all about minimizing losses now. Using preventive measures such as hashing (encryption of user data on the server side), SSL, IDS, etc. will minimize the impact it has on the business.

    If Hilton is sending me clear texts, that means it's not being encrypted on the server side. Meaning that anyone can read it anyways (even their own employees).
     
    gaijin62 likes this.
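An added example, not from this thread and not Hilton's code, of the design Sammich is describing: a site that stores only salted password hashes cannot e-mail anyone's password, so its reset flow sends a single-use random token instead. The work factor, token lifetime and in-memory user store are assumptions.

```python
"""Salted password hashing plus a one-time reset token, so a password reset
never needs, and can never produce, the user's cleartext password."""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 300_000  # PBKDF2 work factor (assumption: tune to ~100 ms on your hardware)
TOKEN_TTL = 15 * 60   # reset links expire after 15 minutes (assumption)

users: dict[str, str] = {}                        # username -> verifier (constructed store)
reset_tokens: dict[str, tuple[str, float]] = {}   # sha256(token) -> (username, expiry)


def hash_password(password: str) -> str:
    """Derive a salted verifier; the password itself is never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(username: str, password: str) -> None:
    users[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    stored = users.get(username)
    return stored is not None and verify_password(password, stored)


def request_reset(username: str) -> str:
    """What the reset e-mail should carry: a random single-use token, not the password.
    Only the token's hash is kept server-side, so a leaked table cannot be replayed."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[key] = (username, time.time() + TOKEN_TTL)
    return token


def redeem_reset(token: str, new_password: str) -> bool:
    """Consume the token (single use), reject it if expired, and install a new verifier."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(key, None)
    if entry is None or entry[1] < time.time():
        return False
    users[entry[0]] = hash_password(new_password)
    return True
```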
  7. blackjack-21

    blackjack-21 Gold Member

    Messages:
    1,437
    Likes Received:
    3,000
    Status Points:
    1,910
    I made a reservation on the Hilton website last week as I usually do, signed in to my Honors account, and so far all is well with my Honors account and points, etc. However this time the website "captured" my CC number and issuer, even though I don't want it on their site and always prefer to just enter it each time I make a reservation for security reasons, especially with all the hackers out there. My several attempts to delete the CC from the Hilton website using the delete button on my profile page have failed, as it always returns to the current CC as I entered it for my most recent reservation. Someone on FT had suggested to try changing the expiry date of the CC, when other people had also tried to delete theirs, but that didn't work for me. After three nights of trying to remove my CC from their website, tonight I called Honors, and two people there said: first she would transfer me to someone who may be able to help as she saw the CC (number partially xxxxx'ed out), and then the guy she transferred me to said that he couldn't see my CC on the website, even though I was looking at it on the Hilton site as we talked. Finally he said it may take a few days for me to see it off their site, even though I've been trying for three days as of now. So how long is "a few days"?

    Any other suggestions how to remove my CC from their site? My wife guessed that possibly because I have a current reservation outstanding that may be the reason that my CC info can't be deleted, but I don't think that's the reason.
     
  8. Sammich

    Sammich Gold Member

    Messages:
    5,645
    Likes Received:
    22,442
    Status Points:
    11,025
    If nothing works, you can always overwrite the cc info with a cancelled card number or use a virtual cc (some banks provide this).

    Doesn't seem like Hilton places an authorization on the cc when the info is entered. (Meaning if you put a cancelled cc in, Hilton wouldn't know.)
     
    blackjack-21 likes this.
  9. blackjack-21

    blackjack-21 Gold Member

    Messages:
    1,437
    Likes Received:
    3,000
    Status Points:
    1,910
    Thanks, I had tried changing everything in the CC space on the website. Different number, dates of expiry, but as soon as I hit "Save Changes" after the delete button, the new page still had my exact number and expiry as before. So it appears that nothing can be done to remove the CC once entered and saved on the HHonors website. Annoying to say the least. I'll give it a couple of more days, and if the number still shows, I'll contact the HHonors rep on MP for help and hopefully some results.
     
    Sammich likes this.
  10. trippin_the_rift
    Original Member

    trippin_the_rift Silver Member

    Messages:
    54
    Likes Received:
    66
    Status Points:
    245
    If I were a hacker I'd be going after something more valuable than Hotel points that are fully traceable....

    I'm shocked Hilton wouldn't have hashed passwords though...
     
    Sammich likes this.
  11. Sammich

    Sammich Gold Member

    Messages:
    5,645
    Likes Received:
    22,442
    Status Points:
    11,025
    I hear Hilton added a CAPTCHA to their login page...
     
    blackjack-21 likes this.
  12. blackjack-21

    blackjack-21 Gold Member

    Messages:
    1,437
    Likes Received:
    3,000
    Status Points:
    1,910
    Saw the CAPTCHA when I tried to sign in tonight to see if they've finally removed my CC info from the website (still there). Was able to flip the CAPTCHA five times before I could make the letters readable to me, but signin worked the first time with it. But what difference would the CAPTCHA make to any hacker who already may have previously gotten your HHonors number and pin/password? Anyone can use the CAPTCHA if they already have your signin info.

    Now I'm off to find the HHonors rep on MP to see if he can help me finally remove my CC number from the website. If only I could find him here on MP.
     
    Last edited: Oct 9, 2014
  13. Terry Yap

    Terry Yap Gold Member

    Messages:
    1,464
    Likes Received:
    2,934
    Status Points:
    1,425
    Is there a HHonors rep on MP?? ;)

    CAPTCHA I thought was a screen to see if it was a human or a robot trying to log in...
     
  14. blackjack-21

    blackjack-21 Gold Member

    Messages:
    1,437
    Likes Received:
    3,000
    Status Points:
    1,910
    Finally went to FT to find the HHonors rep there, and after several emails back and forth and getting a response that they were able to remove my CC from the Hilton website without changing anything else for me, including not needing a new HHonors account, or new password/pin, etc., that problem is solved. Now if I could only get the HHonors website to keep my email choices for offers and information, as those checked options always seem to have disappeared on subsequent visits to the site, so the only way I find out about those offers is from either MP or FT, and not by the Hilton emails.
     
  15. Sammich

    Sammich Gold Member

    Messages:
    5,645
    Likes Received:
    22,442
    Status Points:
    11,025
    There was a new article a few days back by a security firm (IIRC), that showed screenshots of HHonors accounts being sold on the black market.
     
  16. viguera
    Original Member

    viguera Gold Member

    Messages:
    4,737
    Likes Received:
    6,913
    Status Points:
    4,745
    A solid write-up from Krebs, shedding some light into what's going on in places like Evolution Market where someone was selling a million points for about $200.

    http://krebsonsecurity.com/2014/11/thieves-cash-out-rewards-points-accounts/

    I'm sure there are shady places on the deep web where you can find the goods, but it would probably not be a good idea to get involved with this, since it clearly involves stealing points from someone's account.
     
    HaveMilesWillTravel likes this.
  17. HaveMilesWillTravel
    Original Member

    HaveMilesWillTravel Gold Member

    Messages:
    12,507
    Likes Received:
    20,199
    Status Points:
    16,520
    Wonder if the new united.com, whenever it is going to be released, will address their security shortcomings. @UA Insider, care to comment on the concerns voiced in the article about United?
     
    Sammich likes this.
  18. viguera
    Original Member

    viguera Gold Member

    Messages:
    4,737
    Likes Received:
    6,913
    Status Points:
    4,745
    I noticed Delta switched to using passwords as the requirement rather than PINs on their accounts, but other programs like IHG still allow you to log into your account using only the (numeric) account number and a (numeric) PIN.

    I'm not sure what the threshold is for blocking an account based on incorrect login attempts, but I wouldn't be surprised if we see accounts compromised from a brute force attack sooner rather than later.
     
    Sammich likes this.
  19. blackjack-21

    blackjack-21 Gold Member

    Messages:
    1,437
    Likes Received:
    3,000
    Status Points:
    1,910
    The other evening, when I logged in to check my wife's UA MP account, after I put in her MP number and pin, the next page asked us to then enter a new password and security question to remind her of the password, in addition to her pin number. So that's a new addition they're trying to attempt to increase security.
     
  20. Woosang Lee

    Woosang Lee New Member

    Messages:
    2
    Likes Received:
    1
    Status Points:
    15
    About HHonors Gold fast track: if you are a VISA Infinite member, you can get it easily.
    Just contact the Visa Infinite website.
     
  21. emrauld14

    emrauld14 Member

    Messages:
    10
    Likes Received:
    0
    Status Points:
    35
    Can you please let me know about HHonors Gold fast track or where to find information about it. Thanks.
     
  22. Dublin_rfk

    Dublin_rfk Gold Member

    Messages:
    4,251
    Likes Received:
    6,110
    Status Points:
    4,770
    Big fail for the latest CAPTCHA on iPad. The numeral version was OK; the new text version is too fuzzy, and it takes a couple of alternates to get a readable script.
     
  23. HaveMilesWillTravel
    Original Member

    HaveMilesWillTravel Gold Member

    Messages:
    12,507
    Likes Received:
    20,199
    Status Points:
    16,520
    The whole captcha thing is pretty annoying.
     
    Dublin_rfk and viguera like this.
  24. viguera
    Original Member

    viguera Gold Member

    Messages:
    4,737
    Likes Received:
    6,913
    Status Points:
    4,745
  25. HaveMilesWillTravel
    Original Member

    HaveMilesWillTravel Gold Member

    Messages:
    12,507
    Likes Received:
    20,199
    Status Points:
    16,520
    Yup.

    The mere fact that Hilton saw the need for a captcha on a login screen is telling.
     