Last week I wrote about how I discovered that my IHG account had been hacked and almost 80,000 points were stolen. The agent on the phone told me that my account would be disabled for three to five business days while they investigated the incident.
Sure enough, five days after that, they called me and told me that they restored the lost points in my account and were ready to reactivate it. They recommended that I change the e-mail address associated with the account, so I gave them a new one. I logged in and saw that my points were back.
Additional response from IHG
A couple hours later, I received an email from a person at IHG with the title “Executive Liaison.” It said:
Greetings from the Executive Office of IHG. The matter regarding the activity within your IHG Rewards Club Platinum Elite account has been forwarded to my attention for review.
I’m sorry that I wasn’t able to speak with you. I called your phone number but couldn’t reach you or leave a message. Programs such as IHG Rewards Club are occasionally the target of fraud. IHG takes the security of our members very seriously, and we implement active steps in order to maintain that security for our members and to prevent any loss. When a potential concern is brought to our attention, we take immediate action to protect both IHG and our members. Our standard protocol is for our internal Fraud department to complete an audit. While I understand your desire for additional information, we are unable to confirm any specific details of our investigations.
Moving forward, I do apologize for the delay in response from our Rewards Club center after your call about the activity in your account. I’m glad you were able to speak with our Rewards Club office earlier today to change your email address and PIN, in addition to being advised of your points being returned and your account re-opened. Because of the frustration caused by the delayed response in gaining access to your account, I’ve deposited 15,000 points into your account. I know you would have preferred to have had access to your account and the points you’ve earned sooner, and for that I apologize. We do encourage you to ensure your IHG account is linked to a secure email address with 2 factor security authentication enabled, and that the security of your PIN is safeguarded.
If you want to discuss your concerns about this situation in more detail, please feel free to contact me at xxx-xxx-xxxx. I’m available Monday through Friday, 9 AM to 6 PM, Mountain Standard Time. In the event that I’m unavailable, please leave a message with your number and time when I can reach you.
Thank you for being an IHG Rewards Club Platinum Elite member. I hope we have the opportunity to host you as our guest soon.
Overall I was impressed with this response – 15,000 points was a nice show of good will, especially considering that I never complained to IHG about the length of time my account was frozen (it was less than a week, and that doesn’t seem unreasonable to me).
The ongoing concern
As many people pointed out in the comments of my previous post, the area where IHG really needs to improve is in account security. A few of the areas where IHG doesn’t seem to follow best practices are:
- A four-digit PIN serves as your password, and you can log in with just the PIN and your account number or the email associated with your account
- IHG doesn’t send an email to your previous e-mail address when the e-mail address associated with your account is updated
- When you reset your PIN, they email a new PIN to you, meaning that if you don’t change it, your IHG account is vulnerable if your email is hacked
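As an added illustration (not code from this post or from IHG), here is a small hypothetical loyalty-account back end showing the two process fixes the second and third bullets call for: notifying the previous address when the contact e-mail changes, and treating an e-mailed reset PIN as temporary so it must be replaced at the next login. `LoyaltyService`, `Account` and the message subjects are assumptions made for the example.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from secrets import randbelow


@dataclass
class Account:
    """Hypothetical loyalty account; a real system would store only a PIN hash."""
    number: str
    email: str
    pin: str
    must_change_pin: bool = False


@dataclass
class LoyaltyService:
    """Hypothetical back end, constructed for this illustration only."""
    accounts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)  # (recipient, subject) that would be e-mailed

    def change_email(self, number: str, new_email: str) -> None:
        acct = self.accounts[number]
        old_email = acct.email
        acct.email = new_email
        # Notify the OLD address too, so a hijacker cannot silently reroute notices.
        self.outbox.append((old_email, "Your contact e-mail was changed"))
        self.outbox.append((new_email, "Your contact e-mail was changed"))

    def reset_pin(self, number: str) -> str:
        acct = self.accounts[number]
        # The e-mailed PIN is temporary: it only unlocks the "set a new PIN" step,
        # so a copy sitting in a compromised mailbox stops working after first use.
        temp = f"{randbelow(10_000):04d}"
        acct.pin, acct.must_change_pin = temp, True
        self.outbox.append((acct.email, "Temporary PIN issued"))
        return temp

    def login(self, number: str, pin: str) -> str:
        acct = self.accounts.get(number)
        if acct is None or not compare_digest(acct.pin, pin):
            return "denied"
        return "change_pin_required" if acct.must_change_pin else "ok"

    def set_new_pin(self, number: str, current_pin: str, new_pin: str) -> bool:
        acct = self.accounts[number]
        # Reject reuse of the temporary PIN and require a longer secret than 4 digits.
        if not compare_digest(acct.pin, current_pin) or len(new_pin) < 6:
            return False
        acct.pin, acct.must_change_pin = new_pin, False
        return True
```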
Is it really cheaper for IHG to keep restoring points stolen from breached accounts than it would be for them to just invest in better account security? Haven’t high-profile breaches at companies like Target and Equifax taught organizations that data security is a worthwhile investment?
C’mon, IHG.
How can you protect yourself?
A few people in the comments on last week’s post mentioned AwardWallet, which notifies you when a redemption has been made on any of your linked accounts. That’s a good way to keep track of fraudulent activity across all your loyalty accounts.
You should also try to log into your accounts every month or so (had I done that, I would have caught this sooner), and change your PIN every now and then.
Do you have any other suggestions for how to safeguard your travel accounts from unauthorized access?
Why not add 2FA? Password alone is not secure enough.
And, just in case anyone thinks that (SS7-dependent) two-factor authentication implementations are a panacea, here’s one article on why they’re not, written in 2017 no less:
https://arstechnica.com/information-technology/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/
IHG account illegally locked.
My IHG account was hacked. They restored my points but now say my account has been locked.
How can we start a class action lawsuit against them?
The 4-digit PIN password is, as everyone said, a joke in today's cyber security world of anti-hacking. I read some place that a combination of caps and numbers takes 300 years to crack vs a few hours for a 4-digit PIN password. (I could be wrong about the 300 years but it is very very long).
IHG could easily change it. Other hotel chains have done so.
@EVR you must be stupid. Award wallet lets you store your pw on your computer, but they still see it, it's being used on their website and servers. It's up to you, if you like to be risky, and roll the dice. There's no guarantee that there won't be a breach on their servers. Anytime you leave allow access whether local or directly on third party servers, you are setting yourself up for failure. and when your account gets hacked, you have no one else to blame but yourself.
Lol. The TYPOS. Sorry all. Forgot to check for autocorrect issues
@ken - Sorry. Your post is misleading as your information is only half right. Award wallet allows you to store your passwords on your computer or with them. Obviously and for the reasons you mentioned, keeping them on your own computer is the only choice.
@Frank - that's because you are not a famous travel blogger who can thrash a company's reputation lol
Award Wallet was the primary source of how my hotel pts were hacked!!!!!! don't blindly trust a 3rd party vendor to keep track of your pts. trust me, you are at their mercy if something goes wrong or if their website gets hacked.
Well, one up for World of Hyatt. Whenever you redeem points they immediately send you an email of the activity on your account.
Plus there are stats out there on the most popular 4 digit PIN codes out there ...
Seems quite possible to write a script that iterates through all 9999 PIN codes until hitting the correct guess. IHG is one of the LEAST secure accounts/sites anywhere on the web !!!
Ya, 4-digit pin for a password and they take security seriously. Seriously??? With a 4-digit number for password security, I wonder how many seconds it takes to hack an account. Damn, even my bank has graduated to eight digits. C'mon IHG get with it!
Are you going to contact Executive Office about the points you made about security?
Good you have access again. But without a new IHG number you will be hacked again. It's just 9999 combinations and brute force is easy.
My old account was hacked 3x before I got a new one; each time 900k-1M points gone. They use it to buy gift cards and flights, but also hotels (I had new bookings I didn't make).
My new account is OK now, only I get newbie Accelerate offers. But I was compensated with more than just 15k points.
My trust in IHG is there. Not the safety though. Hope they change it soon.
Question.... who is stealing these points? It seems that staying in a hotel, where ID is required, isn’t the best idea. Are people using fake IDs? Do they not fear being caught?
Or is there a more elaborate scam going on...maybe a shady OTA or travel agent taking advance payment for a room and booking it with stolen points?
Inside job? Like I gave someone access to my account to scam the hotel company? That's laughable. I have no idea where the redeemed points were spent and I'm sure Hilton know that. ..........Or you mean employees inside the hotel companies? I really doubt that too. With the pathetic security requirements of most rewards programs it's no surprise it's a soft target for cyber hackers. It's up to the hotel chains to up their security systems.
My guess is these are all inside jobs.
My Hilton Account was hacked at the beginning of April . I had a new account within a couple of hours and 80K goodwill points on top of the lost points .
IHG are unbelievably stingy in all aspects of their rewards programme recently to the point where I feel that they think that they are doing you a favour by letting you be a member .
I have shifted my business away accordingly .
Totally agree with Robert F - why are they harping on about 2FA (which I may say I love!) for your email when they won't even let you have a proper account password!
> We do encourage you to ensure your IHG account is linked to a secure email address with 2
> factor security authentication enabled, and that the security of your PIN is safeguarded.
What's interesting here is that they're delegating security to the user. They're promoting the importance of 2FA, but they don't actually implement it. Instead, they're just suggesting that you get an email provider that does 2FA.
This would be like buying a Camry without seat belts, having a terrible accident, and then being told by Toyota that you should really consider buying seat belts because they'll make for a much safer ride.
Wow, much better experience than I had with Hilton. Hilton took weeks to resolve and eventually issued me a new account number completely and never offered any type of point compensation.
I guess it's Mr Lawyer from the executive office, hahaha. 15,000 points, that's ridiculous, I would have declined them.
Even being Royal Ambassador Spire Elite, IHG is a crap of crap.
Gotta love the american pc propaganda marketing corporate jibber jabber. Help Mr. Schalpig out--this is BS!!!
How long after paying off the card do the points show up?
I paid it off 2 weeks ago, and it still shows no points balance?
Any hotel account with a large balance I have fake hotel bookings to tie up the points. It's an added defense, and in case someone gets in first they won't see many points, second if they do cancel the bookings maybe I'll get an email.
I got hacked for 425k points! Took a month to fix! They said 5 days and I got no gesture.
How could IHG possibly take the security of their members very seriously while they only have a 4-digit PIN?
"IHG takes the security of our members very seriously"
....uses PIN codes as passwords.
What a bunch of unbelievable marketing BS.
Also just curious, has anyone had an IHG card that has been hacked more than once? Getting hacked 3 times and getting 15,000 points each time for the "frustration caused by the delayed response in gaining access to your account" is like signing up for a credit card to get the bonus. It's rather dumb but unfortunately I can see this happening to IHG account holders.
The best way to protect yourself in these instances is to either burn your points immediately or simply stop using IHG. Their crap security is one of the reasons that I won't use them. Also, Holiday Inn sucks so there's that.
This happened to me with HHonors last year. Someone got into my account and changed my email address - no email notification came to me (I believe they've since beefed up these security features). Then someone transferred 75,000 points out.
I logged in about 30 days later when I couldn't log into my account and noticed. I called in and they immediately noted that there was a new email address and that a large points transfer had occurred. I was very impressed with how quickly they acted - within 48 hours the old account was closed, new account opened, and points reinstated. This is a great reminder to regularly check all of your awards accounts.