Last week, I wrote (access here) about Hilton HHonors account breaches were member accounts were empties by ordering merchandise using points.
I criticized Hilton for having very lax online logging system that requires user name OR account number AND password OR four digit PIN. These PIN numbers are not very secured because majority of people use easy PIN combinations such as 0000 or 1234.
You can access Hilton’s website here.
Now, Hilton HHonors has tried to patch their insecure account log in system by adding a CAPTCHA when log in happens on their website. This is not requirement on their app, however.
Conclusion
I guess that this is an interim solution for the account breaches that have been happening at increasing level as of late. It is not clear, whether Hilton HHonors has been breached or if the hackers are purely using brute force attacks to guess the account number and PIN combinations.
This new security measure is hopefully a temporary thing. I just was on the phone with the Diamond Desk and their technical support desk, both of which sympathized with my complaint about the added measure. Both reps acknowledged that they were not told ahead of time ( typical of most corporations where the employees find out about news from their customers ) and that they were fielding dozens if not hundreds of calls complaining of this. They said a spreadsheet had been set up for them to log the complaints and the upper brass were watching.
I do understand the need for security, especially when more and more breaches are happening. I am sure they would come back at me and inquire that wouldn’t I rather have the extra layer of security than have my account hacked and then all the trouble resolving the issue? The answer is yes, BUT!!!
First of all they did not notify us that this was going to happen.
Second, we were not given a choice of what kind of security we might use, such as security questions, a more difficult password combination, a 3rd key word, phrase or pic etc.
And third and most importantly, while the world is going mobile, there are still those of us that use both the web and mobile apps. The security number or word they want us to retype, is not the most well “lit” or clearly focused or clearly printed. Therefore, some of us with either not the best eyesight, or the best lighting in the current situation may not be able retype the correct word when prompted. At least not for first, second or third tries. By that time you are very frustrated and want to just move on.
Anyway, the tech support desk logged my complaint and hopefully Hilton will see that they need to find a better resolution to their security situation. I certainly hope so as I do not want to keep typing words to get into my account, especially if I have ticked or check marked the box, saying “Remember Me” and in fact while they do remember some of me, they require more of me, so the ticked box in fact becomes moot.
Here is the Hackforums picture and also if you look at the top of the picture it’s the URL of the seller.
http://imgur.com/7Y8R4i0