
Got Hacked and lost 700,000 Marriott Reward Points

Wait. You use Lastpass but have five (now six) passwords you use on hundreds of sites? That's not using Lastpass as intended...

To login from a public computer simply go to www.lastpass.com and access your vault, then be sure to log off when done. Simple.


Sent from my iPad

I still use 6 or so passwords in the past 10+ years and this is the only instance of someone hacking an account of mine out of hundreds of accounts.

My fear is Lastpass going out of business and all the passwords lost or they get hacked. I know Lastpass was on the verge of bankruptcy a few years ago and was sold to someone - hopefully not a hacker.

I don't know why biometrics passwords aren't being used widely by now.
 
I still use 6 or so passwords in the past 10+ years and this is the only instance of someone hacking an account of mine out of hundreds of accounts.

My fear is Lastpass going out of business and all the passwords lost or they get hacked. I know Lastpass was on the verge of bankruptcy a few years ago and was sold to someone - hopefully not a hacker.

I don't know why biometrics passwords aren't being used widely by now.


Either you use a password manager the way it's intended to be used, or you don't benefit by it.

Should Lastpass go out of business (doubtful) you can always reset your passwords at each site just as if you forgot them. You're still significantly more secure with it than without.


Sent from my iPad
 
What happens when someone hacks into LastPass? What a disaster that will be!


I suggest you read a bit about how these password managers store their passwords before implying that they are quite as open for hacking as other sites.

On a related note, I told my bank yesterday that I'm considering moving to another because independent testing I performed showed that contrary to their constant marketing, they do not have very good security. I was able to secure one account by known IPs, but not all accounts, and they still don't have a multi factor authentication system (which Lastpass has, and I encourage all to use - it's yet another method to secure your passwords).

This really isn't rocket science, but it's not fun so is often ignored even by those who know all about it.


Sent from my iPad
 
I logged on to Marriott for the first time in many months and was forced to change my password.
I guess Marriott has had some kind of password hack or hackers are using the insecure passwords to access alternate sites.
To force this change indicates this is a big problem.
 
I logged on to Marriott for the first time in many months and was forced to change my password.
I guess Marriott has had some kind of password hack or hackers are using the insecure passwords to access alternate sites.
To force this change indicates this is a big problem.

Many websites now require you to set up an account using your Facebook account and it pulls in your information then your posts contain your full name. Many then require you to submit a cell phone number and send a control number to you before you can use your account; including your eMail address associated with your Facebook.

That's the safest way to make sure the website is dealing with the person who set up the account.

But imagine your employer typing your name into Google - watch what you say on Facebook.
 
What happens when someone hacks into LastPass? What a disaster that will be!


1password is only on your devices. I can't access anything from a public site, thus some of the grumbling I mentioned.
 
About 3 years ago I closed all unnecessary bank accounts, credit cards, etc. I also closed my Social Media accounts. (For the record FaceBook made this difficult.) Kind of like any account that might be worthwhile hacking is gone unless essential. I then put freezes on my accounts with all 3 Credit Reporting Agencies. In addition I check the activity on all my open bank accounts, credit cards, etc. daily. So far, so good.

George
 
What happens when someone hacks into LastPass? What a disaster that will be!

As someone commented earlier in this string, passwords seem incredibly antiquated in this era of sophisticated thieves looking to rip off everything from bank accounts and credit card numbers to frequent flier miles and hotel reward points.

The first e-commerce site that replaces passwords with retina scans or fingerprints is going to have a huge competitive advantage.

I've been a subscriber to LifeLock for four years now, and have never had a problem. It's not foolproof, but their $1 million guarantee (essentially an identity protection insurance policy) does offer some peace of mind.
 
As someone commented earlier in this string, passwords seem incredibly antiquated in this era of sophisticated thieves looking to rip off everything from bank accounts and credit card numbers to frequent flier miles and hotel reward points.

The first e-commerce site that replaces passwords with retina scans or fingerprints is going to have a huge competitive advantage.

I've been a subscriber to LifeLock for four years now, and have never had a problem. It's not foolproof, but their $1 million guarantee (essentially an identity protection insurance policy) does offer some peace of mind.
The problem with retina scans and fingerprints is once the bio signature is hacked you can't replace it.

Two factor is where this should be especially in this mobile age.

Something you have (your phone) generating a secureID type passcode/pin and Something you know. A password.

My UK bank accounts have achieved this. US HSBC has achieved it. Chase, BofA, Citi? Not so much!
 
2 factor is the way to go. If Anthem had 2 factor they may not have been hacked.

The CTO was not a Tech person, and they did not want to burden their staff with 2 factor authentication. That silly mistake has cost them millions. And we are the victims.

Yes Denise I had Anthem Health Insurance last year and I got the dreaded letter in the mail
 
2 factor is the way to go. If Anthem had 2 factor they may not have been hacked.

The CTO was not a Tech person, and they did not want to burden their staff with 2 factor authentication. That silly mistake has cost them millions. And we are the victims.

What is 2 Factor?

I am woefully uninformed on security and appreciate the education....
 
I should really define this as Multi-factor Authentication. Have you ever used the RSA FOB to enter a 6 digit number (token) to access a corporate network remotely, or even internally?

Here are a few links to bring you up to speed. I am sure a worldly guy like GregT has used this but never realized what the buzzwords really mean (multifactor authentication, or 2 factor).

You can even get these as apps on your smartphone and plug in the unique code.

http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

http://en.wikipedia.org/wiki/Multi-factor_authentication

http://www.emc.com/security/rsa-securid/index.htm

https://www.google.com/landing/2step/
 
I use ID Vault to manage all my passwords. Works great.
 
The first e-commerce site that replaces passwords with retina scans or fingerprints is going to have a huge competitive advantage.

Fingerprints are a bad idea. There isn't anything less secure. You leave them in thousands of places daily. They may work ok for now in conjunction with an electronic device like the iPhone but long term they are not the answer.

Retina is obviously more secure but as mentioned once it is stolen and captured it can never safely be used again.

Where there is money, thieves will constantly be looking for a way to steal.
 
TIME article on Anthem and multi factor authentication or the lack thereof

http://time.com/3700203/anthem-identity-theft-hacking/

The additional measures New York State is likely to require are known as “multi-factor authentication” and include a range of approaches to verify the identity of those trying to sign on to a computer system. Options include sending a confirmation number to an individual’s cell phone, using a fingerprint or other biometric authentication, or using a separate identification source, like a swipe card.


Lawsky says he is eager to see that change. “The password system should have been buried a long time ago, and it’s high time we buried it,” Lawsky tells TIME. “We really need everyone to go to a system of multi-factor verification. It is just too easy, whether through basic hacking or through phishing or stealing basic information, for hackers to get a password and a user name and then to get into a system,” he says.
 
The worst part is that no matter how careful you are, everybody else may not be, and you are victimized. I am a current Anthem customer. There was nothing I could do to prevent my data loss...

Once the data is on the counterparty's server complex, and that complex gets hacked, They can hack the verification information, and/or put in a backdoor to bypass the verification...
 
So, I don't understand how a hacker would use MR points that are not in their name. When you get a reward cert don't they electronically send it to a hotel to cover a reservation that was made? The certs are issued in the account holder's name, aren't they?
 
So, I don't understand how a hacker would use MR points that are not in their name. When you get a reward cert don't they electronically send it to a hotel to cover a reservation that was made? The certs are issued in the account holder's name, aren't they?

My thoughts exactly - the crook is going to have to give their real name at some point and Marriott will simply turn that over to the FBI for an easy prosecution.

Obviously no smart crook is going to let that happen so the crooks are doing something else.
 
However if I use a public computer or a client's computer the add-on is worthless and I seem to do this many times during the week.

With 1Password, I can get access to the password on my phone, and type it in to a computer I do not own. I then make sure to change that password when I get back to one of my machines. It's not that complicated.

Unless you are willing to use different passwords everywhere, you are at increased risk of this happening again.
 
With 1Password, I can get access to the password on my phone, and type it in to a computer I do not own. I then make sure to change that password when I get back to one of my machines. It's not that complicated.

Unless you are willing to use different passwords everywhere, you are at increased risk of this happening again.

True - I'm going to try an experiment and use Lastpass to create the next password I need and then dump all passwords to a memory stick and pretend Lastpass was hacked and all their files and backup files were destroyed and see if I can live with it.

Old habits are hard to break.
 
Just thinking about how someone could have used the points......... hmmm.

Would it be possible to have them used via a guest certificate to an unknowing (or knowing) person(s) ?


I am trying to figure out how they could have been used if not by the thief him/herself.
 
About 3 years ago I closed all unnecessary bank accounts, credit cards, etc. I also closed my Social Media accounts. (For the record FaceBook made this difficult.) Kind of like any account that might be worthwhile hacking is gone unless essential. I then put freezes on my accounts with all 3 Credit Reporting Agencies. In addition I check the activity on all my open bank accounts, credit cards, etc. daily. So far, so good.

George

Did you file online or fill out the form for an extended Security freeze? If you don't do the latter, your freeze will expire after 90 days.

Here's a portion of the email that Experian sent to me:

Equifax will forward your initial 90 day fraud alert or active duty alert information to the other national credit reporting agencies, eliminating the need for you to contact them directly. They should also add an alert to their files. If you do not receive notification from Experian or TransUnion that they have added an alert for you on their credit files, please contact them directly using the following contact information:

TransUnion, PO Box 6790, Fullerton, CA 92634: (800) 680-7289 Experian, PO Box 9530, Allen, TX 75013: (800) 379-3742

In order to request an extended fraud alert be added to your credit file, please mail an extended fraud alert request form along with a valid police report, law enforcement agency report, or US Postal service report that alleges mail theft. To download an extended fraud alert request form please click the following link: https://www.alerts.equifax.com/AutoFraud_Online/pdf/Fraud_Alert_7.pdf. There is no fee for the placement of an extended fraud alert. To request an extended fraud alert be placed on your credit file please submit your request to:

Equifax Information Services LLC
PO Box 105069
Atlanta, GA 30348-5069
 
Did you file online or fill out the form for an extended Security freeze? If you don't do the latter, your freeze will expire after 90 days.

You are confusing the free 90 freeze with the "paid for" permanent freeze. I have the latter. With 2 of the Credit Reporting Agencies I requested (and paid for) the freeze online. The other required that it be done by mail. All three were done on the same day about 3 years ago and trust me all three are still in effect.

George

PS I think I read somewhere that you can now request and pay for permanent freezes with all 3 Credit Reporting Agencies online.
 