hmmm
This should make an interesting topic of conversation at work for the next few days.
Millions of Hilton HHonors* rewards points are being stolen and sold online traded in by scammers for gift cards and goods. Points appear to be stolen through brute force attacks. One user on a forum has released simple capture code alleged to have been used to breach accounts protected only with a four-digit PIN on the Hilton …
I know I have a Nectar card and a Clubcard but the points awarded are os such a low value that I don't really bother waving the card about much.
I do occasionally check to see how many Nectaar points I've got then laugh at what I can get for them.
But it's good to see one of these 'points' companies being caught with thier protection down -- I've often wondered how to get enough points for them to be of any use -- now I know.
Troy Hunt blogged a few years ago about the vulnerability of Tesco and their Clubcard points:
http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html
Not surprisingly, the inevitable happened this year and Tesco was hacked. Troy further blogged on how it might have happened:
http://www.troyhunt.com/2014/02/the-tesco-hack-heres-how-it-probably.html
Not really been Tesco's year, has it...
The company has yet to acknowledged [STET] a breach, although customers claim it has reimbursed stolen credit to individuals reporting theft.
Perhaps if they don't make eye contact, this will all go away. This program is supposed to entice customers to use their services. Instead, the way they have so far handled this should encourage them to look elsewhere. The way to deal with this should be more along the lines of 1) publicly admitting there was a problem, 2) explain what has been and/or will be done to correct it, and 3) restore any points lost by customers before they ask, and 4) give additional points to all of their customers to apologize for any inconvenience they may have experienced (AKA a bribe).
For a customer loyalty program, they are doing an excellent job for their competitors.
Forgive my naivety, but I've always wondered, once an account has been hacked like this, what next?
I mean, you've got someone else's points but surely you run a high risk of getting caught when you try and cash them out? I'm assuming it'll be you wanting that fancy hotel room for free, or you who will be wanting that high-value giftcard? Are there no verifications on names and/or addresses?
I've always wondered whether the Hilton customer DB had been pwned, ever since I got received an SMS spam around 10 minutes after giving the front desk my work mobile number. I hadn't had spam in the few years before that, and curiously never in the few years since.... Perhaps it was just a coincidence...