4 Lessons from a Hack: My Airline Miles Were Stolen

Yahoo Tech
image

I might not have noticed that I had been hacked had it not snowed so much last winter.

A terrible snowstorm kept me away from the January CES trade show in Las Vegas in 2014, so for this upcoming CES, in January, 2015, I was more compulsive than usual in planning and monitoring the trip. When I saw that United Airlines had updated its iOS app the other day, I went to check up on the reservation I made for my flight to Vegas, a flight I had booked and confirmed months ago.

But the app didn’t accept my password. I tried it several times, and then I got locked out completely and was directed to call the help desk. I thought it odd but put the call off for a few days: I got busy and thought it was likely just a site glitch.

It wasn’t.

Hack Lesson #1: If a site or app behaves oddly, you should pursue it, sooner rather than later. If something seems odd, something is odd.

When I got around to it, I pointed a browser to the United.com website. I’d been logged in the last time I visited, and the site kept me logged in on this visit (it didn’t ask for my password again). It showed me the last flights I had taken, as well as two mileage withdrawals within the previous week: one for 25,000 miles and one for 100,000 miles.

I hadn’t made those withdrawals. Somebody was stealing my miles.

I immediately called United’s Mileage Plus desk — the only number I could find — to tell them that I’d been locked out of my account and that something weird was going on. The customer service agent asked for my PIN, which did not match what they had on record. Nor did my email jibe with their records. Fortunately, I knew the last few flights I’d taken and could answer all the personal information she asked for, so I convinced her that I was, in fact, me.

I was back into my account, but it’d been ransacked. I was able to see two new flights purchased with my miles: a one-way from Phoenix to Boston and a first-class round-trip reservation for Christmas night from Sidney, Australia, to Beijing. They were booked under a name I did not know.

And the CES reservation I had compulsively set up so far in advance? Gone. The Bad Guys had canceled it. Jerks.

The United agent could give me my account back, but not the flight. I was told to email securitytips@united.com with details of the problem and ask that my miles and reservation be restored. I got an autoresponder, promising a response within seven to 10 business days.

Seven to 10 days. For a trip that was commencing in 11. I don’t think so.

I posted on my Facebook feed and on Twitter, complaining and asking for advice. I searched the United website for a customer service link or phone number where one could get more help with fraud or security problems. Oddly, there was none.

Hack Lesson #2: Don’t give up. Security is a big deal for all companies that do commerce online. Even if it may not seem like it at first, there are people at the company who have the job of protecting you. You may have to do some legwork to find them, though.

I will also say this: Companies for whom fraud and security are important should have an obvious place for customers to report problems — and should respond faster than a week or two.

I fly enough to have made the lower ranks of premium status on United, but I’m not elite. United doesn’t treat me with the deference of more serious frequent flyers. Fortunately, I’ve got a buddy who flies so much on United that it put him in one of their ads. I hate imposing on friends, but I dropped him a quick email and asked if he could direct me to someone who’d respond with a sense of urgency.

An hour or so later, I got a call from a woman at United Airlines Corporate Security. She was very courteous and very thorough, and evinced not a trace of a sense of humor — exactly what you want from a security pro. We went through my account point by point, removing the three unauthorized email addresses that had been added to it, nipping and tucking some settings that had made the account a little easier to get access to than it should have been.

She also asked if I’d been traveling lately (duh) and if I’d used a hotel Wi-Fi system or any free Wi-Fi while away. I had, as many of you probably have. That’s where my info probably got snatched, she said. Don’t do that anymore, she (ahem) suggested. Use a cell hotspot. Don’t be stupid.

Hack Lesson #3 (the United version): Stay away from public Wi-Fi, and be suspicious of hotel Wi-Fi, too. When you’re conducting business, use a cellular hotspot like your cellphone or a dedicated device like a Mi-Fi. 

I’m glad United has a corporate security department, because it does need it: Its website lets you log in insecurely. When you want to check in miles, you can log in without using the encrypted SSL standard, and anyone monitoring your Wi-Fi can sniff out the password you use.

Hack Lesson #3 (the more reasonable version): Make sure your connection to any site that requires a password is secure. It’s not that hard: Use your company’s VPN (virtual private network) if you have one, or type “https://” before the site URL to turn on encrypted browsing.

United’s site doesn’t use SSL until after you log in. So if you have to type in a credit card, that will be secure. But your login password isn’t, unless you use “https://” before the United.com Web address. Is the United smartphone app secure? I have no idea, which means I won’t be using it anymore, at least on Wi-Fi.

So here’s another tip for United: Hey, United, enable secure mode (SSL), by default, on all your login screens. You should know better.

Fortunately, my story ended happily. I got lucky, because I discovered the problem early. I got my miles back. I got my canceled reservation back. Even the credit card charges that the Bad Guys made to my card (gotta buy that extra-cost comfy seat to Boston, right?) were reversed. I got off incredibly light: All it cost me was a couple of hours of worry.

Hack Lesson #4: Get a real empowered person to help as soon as you can. United’s people have helped me out of more than one jam recently where an automated system would have left me stranded. Don’t be a jerk on the phone, though, because while it may make you feel better, it doesn’t actually solve anything. And, remember, the person helping you did not design the system that caused your problem.

Will I get satisfying revenge on the thief who tried to steal my hard-earned miles? That’s not my department. But I do know that it is difficult to get on airplanes pseudonymously. United Security knows these guys’ names and what they did. One of them, at least, has a fairly unusual name and a home address near the city he was traveling from. And I get to hold in my mind the warm thought of a surprise waiting for a crook expecting to fly the 11 hours from Sydney to Beijing in comfort. At best, he’s not getting on that plane.

For more travel stories and advice, go to Yahoo Travel.

Dan Rosenbaum is a longtime tech journalist and editor. He’s currently the head of Center Ring Media and writes the website Wearable Tech Insider. He’ll be at CES this year, come hell or high water.