Warning: Don’t Give Your Frequent Flyer Accounts This Password

If you set the combination of your frequent flyer accounts to 1-2-3-4-5 (or your luggage), that’s not secure and anyone can guess it.

Award Wallet, the system I continue to use to track my frequent flyer accounts, identified a brute force attack where less than 1/10th of 1% of their members’ accounts were compromised. Most of those either had:

  • the same username and password (Username “JohnSmith” and password “JohnSmith”), or
  • a password like abcd (which might as well be 1-2-3-4)

Award Wallet identified all of the affected accounts and notified members. They also verified that as of this writing no one had their accounts drained of miles.

A system like Award Wallet is still good for your account security. There’s no substitute for checking your account balances regularly to identify whether any miles are disappearing. If you check your miles daily as I do, with a single click, you’re going to be far more secure than if weeks go by without your noticing missing miles.

And Award Wallet offers two-factor authentication. You should use it. This is something I’m required to do for access to my work files, and I care about my miles at least as much (don’t tell my boss).

Here’s the message Award Wallet sent out to the 250 affected members:

Today we have detected that a hacker tried accessing AwardWallet accounts using a brute-force method. Please note that we lock accounts whenever multiple invalid logon attempts happen; however the hacker was still able to log in to about 250 accounts. There were different types of accounts compromised:

(1) accounts had the same username and password, for example: username: JohnSmith password: JohnSmith (this was by far the majority of accounts) and

(2) accounts whose passwords were not unique to AwardWallet and were already compromised via a different website, or passwords that were easily guessable, like abcd.

Unfortunately, your account was one of those 250 accounts. The hacker then was able to get all of your loyalty account usernames and passwords that you have stored in AwardWallet. This means that you need to change all those loyalty account passwords immediately to avoid the possibility of those accounts being compromised and you need to reset your AwardWallet password using this link:

https://awardwallet.com/?forgotPassword=1

Please set a unique password that you never used anywhere else and please make it complex.

We also suggest you login to all the loyalty accounts for which you have stored credentials on AwardWallet and see if there has been any unauthorized activity. We checked and as far as we see there were no deductions from any of the affected loyalty programs as a result of this issue. If there has been unauthorized activity, please contact the loyalty program to report the unauthorized activity but also please let us know and we will do what we can to help you recover your points/miles.

We sincerely apologize for this! Please also note that there is not much we can do to protect your account if you use a password that is either the same as your login name or if your password is not unique to AwardWallet. Hackers are very sophisticated and if there is any easy way to guess a password, they will guess it.

Finally, we strongly recommend that you enable two-factor authentication on your account:

https://awardwallet.com/faqs.php#44

As a courtesy, we’ve also upgraded your account to AwardWallet Plus for the next 12 months.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.


Comments

  1. “… accounts had the same username and password, for example: username: JohnSmith password: JohnSmith (this was by far the majority of accounts) …”

    And just how would they know this? This would indicate they had access to passwords (or at least that user names and passwords used identical hashes). That would be an unforgivable security practice. A site should NEVER have access to your password in clear-text.

  2. “Two-factor authentication is only available for AwardWallet Plus members”
    I understand where they are coming from, but still think it is a bit lame.

  3. Does two factor authentication require that every single time you load the web site? I use awardwallet literally dozens of times per day some days from multiple computers.

  4. @Bill G is right. Are account passwords not stored in an encrypted format? Or did the hacker just break the hash/encryption and leave them exposed on their way out?

  5. @Bill G @Sean

    They know this because they have access to their own hashing (and hopefully salting) procedure. They can arbitrarily hash everyone's username using the method normally used for passwords, and compare the resulting hash to the stored password hash.

  6. It says they used a brute force method. They acted like the hackers. Hashing and salting should not let the admin know your password.

  7. Bill, you wrote:
    =============
    “… accounts had the same username and password, for example: username: JohnSmith password: JohnSmith (this was by far the majority of accounts) …”

    And just how would they know this? This would indicate they had access to passwords (or at least that user names and passwords used identical hashes). That would be an unforgivable security practice. A site should NEVER have access to your password in clear-text.
    ============

    Who is “they”? The hacker or the AwardWallet team? In either case no one knew this until they (and we) tried the same username and password. This is what brute-force attacks are all about: you try millions of combinations until you hit a winner. This is how we encrypt passwords (per https://awardwallet.com/faqs.php#10):

    * Your AwardWallet passwords are hashed with bcrypt, cost:13, plus a unique salt for each user.
    * For the passwords that users store locally on their computers we use Rijndael (similar to AES), 256 bit.
    * The “remember me” cookie is a SHA-256 hash of certain user attributes.
    * Loyalty account passwords are encrypted with a 1024 RSA key.
    * If someone is trying to brute-force your account we will lock them out for a period of time after a few invalid login attempts.

    And I do agree with you that “That would be an unforgivable security practice.” if we did something like what you described.

    Thanks,
    -Alexi
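The defender-side check described in comment 5 (hash each username with that user's own salt and see if it matches the stored password hash) and the lockout-after-a-few-failures rule from Alexi's list, as an added example that is not AwardWallet's code. The standard library has no bcrypt, so salted PBKDF2 stands in for bcrypt cost 13; the accounts are constructed sample data.

```python
import hashlib
import hmac
import os

# Stand-in for "bcrypt, cost:13, plus unique salt for each user" (assumption:
# PBKDF2-HMAC-SHA256 is used only because bcrypt is not in the standard library).
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5  # "after a few invalid login attempts"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_user(username: str, password: str) -> dict:
    salt = os.urandom(16)  # per-user salt; the plaintext password is never stored
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "failed": 0, "locked": False}


def verify(user: dict, candidate: str) -> bool:
    # Constant-time comparison of the candidate's hash against the stored hash.
    return hmac.compare_digest(user["hash"], hash_password(candidate, user["salt"]))


# Constructed sample accounts: one reuses its username as its password.
USERS = {u["username"]: u for u in [
    new_user("JohnSmith", "JohnSmith"),
    new_user("JSmith", "correct horse battery staple"),
]}


def audit_username_as_password(users: dict) -> list:
    """Flag accounts whose password equals their username, without any plaintext:
    the username is simply tried as a candidate against the user's salted hash."""
    return sorted(name for name, u in users.items() if verify(u, name))


def login(users: dict, username: str, password: str) -> str:
    """Return 'ok', 'invalid' or 'locked'; lock after MAX_FAILED_ATTEMPTS failures."""
    user = users.get(username)
    if user is None:
        return "invalid"  # same answer as a bad password: don't reveal valid usernames
    if user["locked"]:
        return "locked"   # a locked account rejects even the correct password
    if verify(user, password):
        user["failed"] = 0
        return "ok"
    user["failed"] += 1
    if user["failed"] >= MAX_FAILED_ATTEMPTS:
        user["locked"] = True
        return "locked"
    return "invalid"
```

Running the audit against a real store costs one slow hash per account, which is exactly the per-user cost a legitimate login pays and far below what guessing every account through the login form would require.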

  8. Sean, you wrote:
    ==========
    @Bill G is right. Are account passwords not stored in an encrypted format? Or did the hacker just break the hash/encryption and leave them exposed on their way out?
    ==========

    No, the hacker didn’t have access to the hashes, so they did not break the hashes. They used a brute-force attack. All they had was access to https://awardwallet.com/ the same way you do, and they tried different combinations like username: JSmith password: JSmith. 99.999% of accounts won’t work this way, but on 0.001% you will hit the right combination. This is why they were only able to access 250 accounts out of the 300,000+ that we have.
