How Secure is your FF account?

Status
Not open for further replies.

NM

Reading this article about on-line account security highlights how easy it can be for on-line accounts such as Frequent Flyer, Frequent Stayer, Frequent Renter etc to be hacked. How safe are your FF accounts?

When I logged into one of my online accounts today it said it was locked out and I needed to call to get it reset. You won't believe what happened next.

...

I travel a lot on just about every airline you can think of. So as a result I've signed up for just about every frequent flyer program there is. As you probably know, your frequent flyer number is conveniently printed out on every boarding pass you've ever had. Like many people, I'm guilty of not treating my boarding passes with security in mind. I sometimes leave it in the back of the seat pocket, throw it in the trash without shredding it, and just generally don't care if someone were to steal it (after my flight that is). Well that all stopped today. The account number that the person asked for to reset my account was my frequent flyer account number! So, let's see, someone finds/looks for ticket stubs which have your name and account number on them. They search whitepages.com and obtain your address and phone number. They lock out your online account, call the number and obtain a new password for your account. They login and steal your credit cards and any other bits of information available (itineraries, transfer miles, current email address, etc.)

Be careful out there .... there are plenty of bad people looking for opportunities. Treat your personal details, including FF number, as private.

I am not going to test the process with the likes of QFF, Velocity, AAdvantage, Krisflyer etc. But it would be interesting to hear from anyone who has any similar experiences, especially with their travel-related personal accounts.
 
I suppose it would be possible, but I'm not that important so I don't worry.

On a different type of security, if you want to make sure your browsing of your frequent flyer account is protected, you can change http to https and it works just the same.
 
The one thing I don't like about QFF is that they only ask for a 4 digit numerical PIN/Password.

Not very secure at all
 
On a different type of security, if you want to make sure your browsing of your frequent flyer account is protected, you can change http to https and it works just the same.

When you log in to QFF it should automatically switch to HTTPS mode - also the URL the login form posts to is secure, so there's no problems there either.
 
Interesting but may not be quite that bad. I thought the standard practice for password reset was to send it out to your listed email address. Someone might be able to have your password reset but hopefully, you would then receive the email with the new password. And then it should prompt for a new password once you log in.

This is how I think it normally works, but I vaguely recall being offered the new password over the phone.
 
Interesting but may not be quite that bad. I thought the standard practice for password reset was to send it out to your listed email address. Someone might be able to have your password reset but hopefully, you would then receive the email with the new password. And then it should prompt for a new password once you log in.

This is how I think it normally works, but I vaguely recall being offered the new password over the phone.
But the author of that article just told the agent that the email address on-file was no longer valid and they updated the email address over the phone and then sent the info to the new address!

And not only that, they didn't reset the password but emailed the original password in clear text to the new email address!
 
But the author of that article just told the agent that the email address on-file was no longer valid and they updated the email address over the phone and then sent the info to the new address!

And not only that, they didn't reset the password but emailed the original password in clear text to the new email address!
But that is only for one specific account that was discovered after starting to test all of their accounts, following the initial occurrence that was quoted.

But clearly a big risk and we all need to be careful. Well done those AFFers who save their BPs. :cool:
 
On my MH boarding passes, a number next to the letters FQTV is printed, but whatever the number is, it does not match my actual Enrich number.

(I do know people that have had hotel based program accounts hacked, but not an airline account)
 
What you are talking about is a type of "hack" called a social engineering attack.

Put simply, all an attacker has to do is convince the person at the other end that you are who you claim to be and they'll usually spill the beans.

It's usually something which is done because of opportunity rather than a targeted attack. The simplest way to protect yourself is to destroy or store securely old boarding passes, credit card receipts and other things with personally identifiable information on them and you'll be fine.

The big problem is no matter how secure a system is, all it takes is one gullible person with access rights and an unauthorised person can find out and do just about anything they like on the system.

(I've also heard this called the orange safety vest syndrome, wear an orange safety vest anywhere and look like you know what you're doing, you probably won't be challenged by anyone)

PS, I used to work as an IT security engineer, call centre staff who were too trusting were the bane of my existence...
 
Oh, and people need to watch what they post online as well.. (and to an extent, I am guilty of that although I tend to obfuscate some data - even though I know the dangers and should be better).

For example, does your Twitter account or facebook page contain your full name (including middle), does it give your family history (eg your mother's maiden name), show your pet names? Talk about your first pet? Where you once lived? Give your address? Favourite number? Favourite Colour? Date of birth? Home number? Mobile number?

Often challenge-response questions are fairly simple from companies - eg what was the first street you lived in? Oldest sibling's name? Mother's maiden name? Favourite colour? Favourite Number? Name of first pet? Type of first car? Colour of first car?

Sometimes the answers to those are pasted all over the Internet...
 

For example, does your Twitter account or facebook page contain your full name (including middle), does it give your family history (eg your mother's maiden name), show your pet names? Talk about your first pet? Where you once lived? Give your address? Favourite number? Favourite Colour? Date of birth? Home number? Mobile number?
Which is why I am a twitter-free and Facebook-free zone ;)
 
Interesting this morning I went into my KF account to change my seats on an upcoming SQ booking (or rather see if any better seats had freed up ..), and when I went into "select seats", it then took me to a screen requiring a PIN that would be sent to either the mobile or email address the booking was made with. Certainly not infallible, but interesting given this discussion. Two days ago I did the same thing, and didn't need to go through this process.
 
They'd never get my BP's as I collect them....

I used to do that for the first 2 years of business travel. After filling up a drawer in my desk I had to move house and decided to bin them.

Sometimes I wish I had have kept them for some strange reason, not sure what that is yet though... :shock:
 
Oh, and people need to watch what they post online as well.. (and to an extent, I am guilty of that although I tend to obfuscate some data - even though I know the dangers and should be better).

For example, does your Twitter account or facebook page contain your full name (including middle), does it give your family history (eg your mother's maiden name), show your pet names? Talk about your first pet? Where you once lived? Give your address? Favourite number? Favourite Colour? Date of birth? Home number? Mobile number?

Often challenge-response questions are fairly simple from companies - eg what was the first street you lived in? Oldest sibling's name? Mother's maiden name? Favourite colour? Favourite Number? Name of first pet? Type of first car? Colour of first car?

Sometimes the answers to those are pasted all over the Internet...


I completely agree with this. I've never (that I can remember) actually put my full and correct name into Facebook or anything like that. Never have I wanted *too much* personal detail online.

As you say it's just too open for abuse.
 
I used to do that for the first 2 years of business travel. After filling up a drawer in my desk I had to move house and decided to bin them.

Sometimes I wish I had have kept them for some strange reason, not sure what that is yet though... :shock:

Having just moved house this week I know what you mean. I ended up getting ruthless and throwing a lot of things out that I was just hanging onto for "sentimental value".
 
Which is why I am a twitter-free and Facebook-free zone ;)

I'm 62 years old and I have no idea what a "Twitter" or a "Facebook" is and from what I'm reading I think that is a good thing. Although I'm sure my four grand-daughters would say......."Poppy, get a life!" But I have one and I'm very comfortable with it. Played golf this morning and watched all the planes take off and land at ADL - which is probably why my game was cough.

JB
 
Having just moved house this week I know what you mean. I ended up getting ruthless and throwing a lot of things out that I was just hanging onto for "sentimental value".

Yah, I know the feeling. Managed to get everything of mine that I think I wanted to keep put into 6 storage boxes. Things like Boarding passes didn't make the cut unfortunately, although I did have good fun shredding them :)

All of my personal paperwork that I threw out was shredded, although I noticed later that I missed a couple of pieces of paperwork that I threw out but didn't shred. Oh well.
 
Originally Posted by Mal
For example, does your Twitter account or facebook page contain your full name (including middle), does it give your family history (eg your mother's maiden name), show your pet names? Talk about your first pet? Where you once lived? Give your address? Favourite number? Favourite Colour? Date of birth? Home number? Mobile number?

Which is why I am a twitter-free and Facebook-free zone ;)
Or you can just do what I do and lie on Facebook. ;)
 
It is amazing the number of people I see leave their boarding passes behind in the aircraft cabin, thrown out in a bin in the terminal on arrival, bookmarks etc.

My boarding pass is either in my shirt pocket covered by a jacket or in a pocket on the inside of the jacket. Sometimes it will be in my hand for a short time and after the flight it is either sitting in a travel wallet or filed away (in a place never to be seen again) at home.

Other than personal details and possibly changing/cancelling flights I cannot see what a person has to gain by getting into your frequent flyer account. If they tried to transfer FF points to another account or book flights it will be extremely obvious and they could not possibly get away with it.
 