Teri Radichel


Don’t Let Your Travel Points Get Stolen By Hackers

My friend just had all her points stolen from her Marriott account plus they booked hotels all over the world using the Amex card on her account

You should go look at your Marriott or any other travel account you have if you haven’t logged in for a while.

She has a Marriott number and she used to have about 49,000 points associated with that number. The other day she got an email that her hotel room was ready. In London. She was reading her email in Seattle.

She went to check her app and noticed that all her points were gone and that she had 5 bookings mostly in Manchester City but also one in Chicago.

In addition, she had an American Express card associated with that Marriott app that was closed. But because she had another American Express card, somehow the thieves were able to book trips and the charges transferred to the new card. Not sure why American Express allows this in the first place but she had to call them to get those transactions reversed. Also, I don’t think she got her points back.

She admitted to me that she did not have a good password on her account. In addition, she clearly did not have two-factor authentication enabled.

I went in to check my own account and I saw that two-step or two-factor authentication was not enabled. I always enable this on every account if it is an option. I’m not sure if this was just added or got turned off somehow, or maybe when I installed a new app on a new phone I presumed my account settings would transfer over and they did not. I’m not sure but I immediately enabled it.

I wrote about why two-step, two-factor, or multi-factor authentication is important in another post.

In this scenario, if the attackers were able to guess my friend’s weak password, they still wouldn’t be able to log in if they could not enter the code generated by a device that is required to get into her account.

One of the best forms of 2-step authentication is a Yubikey. You associate it with your account and push a button on the device to get in.

Unfortunately Marriott does not support Yubikeys, but they do have two-step verification. They call it Enhanced Security.

Click the gear icon at the top right of your Marriott app. Scroll down to Enhanced Security. Make sure that toggle is enabled as shown below.

If it is not enabled, when you toggle it on, it will ask to send a text message to your phone or email. You will then get a code which you can enter into the app.

After you do that, every time you log into the app, you will have to enter a code texted to your phone or sent to your email in order to get into your app. Yes, it’s a pain, but it’s better than losing all your points and having to call banks about your abused credit card accounts, no?

I wrote about multi-factor authentication (MFA) here: https://readmedium.com/mfa-is-a-pain-a492679d70ea

What was odd also is that after I logged in I had to try a couple of times to actually get the Enhanced Security button to stick. Not sure if I did something wrong. After you get it set up, return to the main page of the app. Then return to your settings and verify that the security toggle is on.

Now go check all your other accounts and especially your bank accounts to make sure you have that two-factor, two-step, multi-factor authentication, advanced security, or whatever else they call it enabled on your accounts.

Also make sure you are using a strong password that is not easy to guess and change your passwords periodically. I change my banking passwords about once a year and sometimes more often.

There was one other odd thing about these reservations. They were in names that did not match the names on her account. Once, when my friend was at a hotel, they wouldn’t even let her husband check in or use her points because it wasn’t her name. So how is it that these shysters were able to create reservations and use her points when the booking did not match her name? Seems strange and maybe something Marriott can look into to find any other suspect transactions in their system.
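The name-mismatch check suggested above could look something like this. It is an added example, not part of the original post and not anything Marriott actually runs; the record fields, account IDs and names are constructed for illustration.

```python
import unicodedata
from collections import defaultdict


def name_tokens(name):
    """Normalize a name to lowercase ASCII tokens so "Doe, Jane" equals "jane doe"."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(c if c.isalpha() else " " for c in ascii_name.lower())
    return frozenset(cleaned.split())


def classify(holder, guest):
    """Return 'match', 'partial' (some shared token, e.g. a surname) or 'mismatch'."""
    h, g = name_tokens(holder), name_tokens(guest)
    if not h or not g:
        return "mismatch"  # a blank name can never be verified
    if h == g:
        return "match"
    return "partial" if h & g else "mismatch"


def suspect_accounts(bookings, min_mismatches=2):
    """Return {account: [booking ids]} for accounts with repeated full mismatches."""
    flagged = defaultdict(list)
    for b in bookings:
        if classify(b["holder"], b["guest"]) == "mismatch":
            flagged[b["account"]].append(b["booking_id"])
    return {acct: ids for acct, ids in flagged.items() if len(ids) >= min_mismatches}


# Constructed sample records; every field name and value here is hypothetical.
SAMPLE_BOOKINGS = [
    {"account": "A-1001", "booking_id": "B1", "holder": "Jane Doe", "guest": "Doe, Jane"},
    {"account": "A-1001", "booking_id": "B2", "holder": "Jane Doe", "guest": "John Doe"},
    {"account": "A-1001", "booking_id": "B3", "holder": "Jane Doe", "guest": "Alex Smith"},
    {"account": "A-1001", "booking_id": "B4", "holder": "Jane Doe", "guest": "Sam Brown"},
    {"account": "A-2002", "booking_id": "B5", "holder": "José Núñez", "guest": "Pat Lee"},
    {"account": "A-2002", "booking_id": "B6", "holder": "José Núñez", "guest": "JOSE NUNEZ"},
]

if __name__ == "__main__":
    for account, booking_ids in suspect_accounts(SAMPLE_BOOKINGS).items():
        print(f"{account}: review bookings {', '.join(booking_ids)}")
```

A single mismatch, or a shared surname like the husband in the story, is left for manual review rather than flagged, since people do book rooms for others; repeated full mismatches on one account are the pattern worth pulling.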

My friend told me about some other issues as well which I’ll write about in future posts.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024
