A LoyaltyLobby reader sent us an email about her IHG Rewards Club account, which has now been compromised three times.
Here’s the email from the reader:
I am wondering if you have heard of anyone having issues with their IHG accounts being hijacked? I got an email in Chinese from IHG back in January so I checked my account and all my info except my name was changed to someone in China. They had also used 20k points to stay at a hotel in China. I called IHG and they changed my info back and gave me back the points.
Within a few days after it was corrected there was a 2 night stay at a hotel in China. This time they refunded my points before I called and my info had not been changed. IHG assured me that they track down the people so it won’t happen again.
However, this morning I received an IHG email saying my email address had been changed. Sure enough, my account information had again been changed to someone in China (see screenshot). I caught it right away and changed it back and so far they haven’t used my points. Do you know of any way to prevent this?
Unfortunately IHG only has a 4 number PIN and no other authentication so no way to put a strong password or have it text me a code to log in. One thing I did notice is that even if you change your PIN (which I did again today), I think if the perpetrator has the app on an “I-device” all they have to do is stay logged in and use their fingerprint or face to open the app and it will open even with the PIN changed. I have no way to test this but I know that is how my iPad works when I open the app. Any advice?
IHG Rewards Club account takeovers were very common in the past. We used to receive emails several times a week from affected readers.
IHG Rewards Club made some changes to account logins (you couldn’t just keep trying to log in an unlimited number of times before the account was locked), and it seems that this decreased the number of successful takeovers.
The reader could ask IHG Rewards Club to issue her a new account number and transfer history + points over. I don’t know if there are any other ways to prevent these incidents from continuously happening over and over again.
Having a four-digit PIN to guard an online account is certainly not the best practice in 2019. Hackers appear to have some sort of backdoor to access member accounts, as the reader’s case here illustrates.
I hope that IHG Rewards Club will make account access and points use more secure, although they appear to restore points for affected members.
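The reader's concern that a device which stays logged in survives a PIN change, and the login lockout mentioned above, can both be handled on the server side. The sketch below is an added example, not IHG's code: it binds each session to a credential version so that changing the PIN invalidates every session opened under the old one. All class and method names, the lockout threshold and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hmac
import secrets
from hashlib import pbkdf2_hmac

MAX_FAILURES = 5  # assumed lockout threshold, not IHG's real value

class Account:
    def __init__(self, pin):
        self.failures = 0
        self.cred_version = 0  # bumped on every PIN change
        self.set_pin(pin)

    def set_pin(self, pin):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def check_pin(self, pin):
        if self.failures >= MAX_FAILURES:  # locked: reject even the right PIN
            return False
        guess = pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)
        ok = hmac.compare_digest(guess, self.pin_hash)
        self.failures = 0 if ok else self.failures + 1
        return ok

class SessionStore:
    def __init__(self):
        self.accounts = {}  # member id -> Account
        self.sessions = {}  # token -> (member id, cred_version at login)

    def login(self, member, pin):
        acct = self.accounts.get(member)
        if acct is None or not acct.check_pin(pin):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (member, acct.cred_version)
        return token

    def is_valid(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return False
        member, version = entry
        # A token minted under an older PIN is stale, whatever device holds it.
        return version == self.accounts[member].cred_version

    def change_pin(self, member, new_pin):
        acct = self.accounts[member]
        acct.set_pin(new_pin)
        acct.cred_version += 1  # revokes every session opened with the old PIN
```

With this design, biometric unlock on a device only releases a stored token, so the token still fails the version check after the owner changes the PIN.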