Teri Radichel


Don’t Let Your Travel Points Get Stolen By Hackers

My friend just had all her points stolen from her Marriott account plus they booked hotels all over the world using the Amex card on her account

You should go look at your Marriott or any other travel account you have if you haven’t logged in for a while.

She has a Marriott number and she used to have about 49,000 points associated with that number. The other day she got an email that her hotel room was ready. In London. She was reading her email in Seattle.

She went to check her app and noticed that all her points were gone and that she had 5 bookings mostly in Manchester City but also one in Chicago.

In addition, she had an American Express card associated with that Marriott account that had already been closed. But because she had another American Express card, somehow the thieves were able to book trips and the charges were transferred to the new card. Not sure why American Express allows this in the first place, but she had to call them to get those transactions reversed. Also, I don’t think she got her points back.

She admitted to me that she did not have a good password on her account. In addition, she clearly did not have two-factor authentication enabled.

I went in to check my own account and I saw that two-step or two-factor authentication was not enabled. I always enable this on every account if it is an option. I’m not sure whether the option was just added, whether it got turned off somehow, or whether, when I installed the app on a new phone, I assumed my account settings would transfer over and they did not. Whatever the cause, I immediately enabled it.

I wrote about why two step, two factor, or multi-factor authentication is important in another post.

In this scenario, even if the attackers guessed my friend’s weak password, they still could not log in without the second-factor code, which is generated by or delivered to a device she controls. A stolen or guessed password on its own is not enough to get into the account.

One of the best forms of 2-step authentication is a YubiKey. You register it with your account and touch the button on the device to log in. It is stronger than a texted or emailed code because the key answers a challenge bound to the real site, so a phishing page that captures your password gets nothing it can replay.

Unfortunately Marriott does not support YubiKeys, but they do have two-step verification. They call it Enhanced Security.

Click the gear icon at the top right of your Marriott app. Scroll down to Enhanced Security. Make sure that toggle is enabled as shown below.

If it is not enabled, when you toggle it on, it will offer to send a code by text message to your phone or by email. Enter that code into the app to confirm the setting.

After you do that, every time you log into the app, you will have to enter a code texted to your phone or sent to your email in order to get in. Codes sent by SMS or email are weaker than an authenticator app or a hardware key (a SIM swap or a compromised mailbox can intercept them), but they still stop an attacker who only has your password. Yes, it’s a pain, but it’s better than losing all your points and having to call banks about your abused credit card accounts, no?
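To make the difference concrete, here is a small login service that models the two-step flow described above: the password is checked first, and if Enhanced Security is on, a six-digit code is "sent" to the account owner and must be entered before the login completes. This is an added example written for this post, not Marriott’s code or anything from the app; the account names, the five-minute code lifetime and the attempt limit are assumptions chosen for illustration. It shows the outcome in my friend’s situation (weak password, no second step) next to the outcome with the second step enabled, and also handles the cases a real implementation must get right: a wrong guess, a replayed code and an expired code.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300   # assumed: a delivered code is valid for five minutes
MAX_CODE_ATTEMPTS = 5    # assumed: after this many wrong codes a new one must be sent


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked user table does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    enhanced_security: bool
    pending: Optional[PendingCode] = None


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so expiry can be tested
        self.accounts: dict = {}
        self.outbox: list = []             # (user, code) pairs "sent" by SMS or email

    def register(self, user: str, password: str, enhanced_security: bool) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt), enhanced_security)

    def _password_ok(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))

    def start_login(self, user: str, password: str) -> str:
        """Step 1: check the password. 'ok' means logged in with no second step."""
        acct = self.accounts.get(user)
        if acct is None or not self._password_ok(acct, password):
            return "denied"
        if not acct.enhanced_security:
            return "ok"                    # this is the gap the thieves walked through
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending = PendingCode(code, self.clock() + CODE_TTL_SECONDS)
        self.outbox.append((user, code))   # goes to the owner's phone or mailbox
        return "code_sent"

    def finish_login(self, user: str, code: str) -> str:
        """Step 2: verify the delivered code. Single use, time limited, attempt limited."""
        acct = self.accounts.get(user)
        if acct is None or acct.pending is None:
            return "denied"
        pending = acct.pending
        if self.clock() > pending.expires_at:
            acct.pending = None
            return "denied"
        pending.attempts += 1
        if pending.attempts > MAX_CODE_ATTEMPTS:
            acct.pending = None
            return "denied"
        if not hmac.compare_digest(pending.code, code):
            return "denied"
        acct.pending = None                # consume the code so it cannot be replayed
        return "ok"


def demo() -> dict:
    """Run the scenarios from the post with a fake clock; returns each outcome."""
    now = [1_000_000.0]
    svc = LoginService(clock=lambda: now[0])
    svc.register("friend", "password123", enhanced_security=False)   # constructed
    svc.register("careful", "password123", enhanced_security=True)   # constructed
    results = {}
    # Weak password guessed, no second step: the attacker is in.
    results["no_2fa_guessed"] = svc.start_login("friend", "password123")
    # Same weak password, Enhanced Security on: attacker is stuck at the code prompt.
    results["2fa_guessed"] = svc.start_login("careful", "password123")
    _, code = svc.outbox[-1]
    wrong_guess = "000000" if code != "000000" else "000001"
    results["2fa_attacker_guess"] = svc.finish_login("careful", wrong_guess)
    # The real owner reads the code from their phone and gets in.
    results["2fa_owner"] = svc.finish_login("careful", code)
    # The used code cannot be replayed.
    results["2fa_replay"] = svc.finish_login("careful", code)
    # A code that sat unused past its lifetime is rejected.
    svc.start_login("careful", "password123")
    _, stale = svc.outbox[-1]
    now[0] += CODE_TTL_SECONDS + 1
    results["2fa_expired"] = svc.finish_login("careful", stale)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The important design points are that the code is compared in constant time, is consumed on first use, expires, and is abandoned after a few wrong attempts; without those, a six-digit code can be brute-forced or replayed. Run it and the `no_2fa_guessed` line shows why a weak password alone was enough to drain the account.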

I wrote about multi-factor authentication (MFA) here:

What was odd also is that after I logged in I had to try a couple of times to actually get the Enhanced Security button to stick. Not sure if I did something wrong. After you get it set up, return to the main page of the app. Then return to your settings and verify that the security toggle is on.

Now go check all your other accounts and especially your bank accounts to make sure you have that two factor, two step, multi-factor authentication, advanced security, or whatever else they call it enabled on your accounts.

Also make sure you are using a strong password that is not easy to guess and that is unique to that account, since a password reused from a site that was breached is one of the easiest ways in. Change your passwords periodically as well. I change my banking passwords about once a year and sometimes more often.

There was one other odd thing about these reservations. They were in names that did not match the names on her account. Once, when my friend was at a hotel, they wouldn’t even let her husband check in or use her points because it wasn’t her name. So how is it that these shysters were able to create reservations and use her points when the booking did not match her name? Seems strange and maybe something Marriott can look into to find any other suspect transactions in their system.

My friend told me about some other issues as well which I’ll write about in future posts.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Travel Rewards
Hacker
Points
Miles
Data Breach