SIA investigating after woman loses 76,000 KrisFlyer miles in alleged hack

  • SIA investigating after woman loses 76,000 KrisFlyer miles in alleged hack

    https://www.channelnewsasia.com/news...-hack-10147092




    SINGAPORE: When 34-year-old general manager Sherie Low logged into her KrisFlyer account on Sunday (Apr 15), she discovered that the bulk of her frequent flyer miles had been cleaned out under the names of four Russian individuals she did not know.

    Of the 76,769 miles she had, just 769 were left.

    Ms Low, who said she first registered for an account on Singapore Airlines' (SIA) frequent flyer programme 10 years ago, told Channel NewsAsia she had last logged into her account to redeem miles in mid-March.

    Shortly after, between Mar 24 and Mar 25, four redemptions were made for Lufthansa flights from Frankfurt, Germany to Saint Petersburg at 12,500 miles each, and another 26,000 miles were converted to points for Virgin Australia's Velocity frequent flyer programme.

    The redemptions were made in the names of four individuals - Ms Kseniia Migel, Mrs Elena Migel, Mr Matvei Kotliar and Mr Andrei Migel - holding Russian passports. According to screengrabs shared with Channel NewsAsia, all four had been added as nominees to her account on Mar 23, just a day before they started making redemptions.


    KrisFlyer nominees can use a member's miles to redeem tickets and flight upgrades.

    Ms Low told Channel NewsAsia that once she noticed the suspicious activity, she called the KrisFlyer hotline.

    The airline's representatives said they did not want to give her "false hope" that she would get her miles back and could not give her a timeline for the investigation, she said.

    They also said their investigation team would get back to her within 24 hours, but only called back the next day to "reiterate the same thing" which was that "they don't want to give me false hope".


    Under her Facebook name Kiki Koh, Ms Low posted an account of the alleged hack on SIA's Facebook page on Tuesday.


    "As a Singaporean and a loyal supporter of SIA, although I could choose other loyalty programmes (for) my credit card miles, I always chose SIA," she told Channel NewsAsia.

    "But after this incident, probably I will look for an airline with a better security system."


    SINGAPORE AIRLINES SAYS INVESTIGATING MATTER

    In response to Channel NewsAsia's queries, SIA said: "Singapore Airlines can confirm that we received this complaint from our KrisFlyer member regarding the loss of her KrisFlyer miles. We are currently investigating this issue and we will be following up with the customer directly."

    "Singapore Airlines is also aware that some KrisFlyer member accounts may have been compromised due to possible phishing. We are monitoring these accounts closely and will work with relevant authorities in their investigations, if required.

    "We have also reached out to the affected members and advised them to take various measures to prevent further phishing. These include using stronger passwords, changing their passwords regularly, using a reliable anti-virus programme and logging in to their KrisFlyer accounts only via the official SIA website at www.singaporeair.com.

    "CANNOT HAVE SUCH A FLIMSY SYSTEM"


    While there were alerts about the redemptions sent to an email address linked to her KrisFlyer account, Ms Low said that the account is inactive and she did not check it.

    Ms Low said she thought that KrisFlyer should update its system security. Currently, members can log into their accounts using their membership account number and a six-digit PIN.


    "At the very least it should be protected with a one-time password," she said. "They cannot have such a flimsy system that allows hackers to get into accounts so easily and also add nominees so easily."

    One other person recently posted on SIA's Facebook page about an alleged theft of KrisFlyer miles. A user called Abhishek Singh wrote on Feb 25 that he had reported a theft of his miles three days before but had yet to see any outcomes.

    On Saturday, SIA had also sent out an online security advisory via email to KrisFlyer members, asking them to be wary of phishing emails that could be targeting their accounts.

    "Reports on phishing attacks have been on the rise in recent months. We would like to advise our customers to be wary of unsolicited emails, messages and phone calls that claim to be from Singapore Airlines," the company said in the advisory.

  • #2
    It may very well be a case of the lady not even knowing she had been phished. The number of people I know who can still think that a phishing email is real is astounding. And for her to have not even had an active email address for her KF account? It's like having a fancy home security system with remote alerts sent to a number not in use, and then blaming the security provider for not making their system tougher to crack when burglars break in.

    2FA is not a requirement - how many airlines' FFP require 2FA? Some of the major banks in Singapore don't even require 2FA when logging in to redeem credit card rewards points.



    • #3
      2FA is not required. Common sense, however...



      • #4
        Do you think it is a good idea to hang your KrisFlyer card on your luggage? Probably 1 out of 1000 will admire the color of the card, but there could be several in a thousand wanting to find out what's beneath the card.



        • #5
          http://milelion.com/2018/04/18/singa...-to-bite-them/



          • #6

            The conclusion, that KrisFlyer needs to update its password protocols, is certainly the first, easiest, and most important upgrade required.



            • #7
              Originally posted by scooby5:
              The conclusion, that KrisFlyer needs to update its password protocols, is certainly the first, easiest, and most important upgrade required.
              I think implementing OTP for everything is just overkill. I think what KF should do is a second verification on certain transactions, and adding a nominee is one of them.

              Other transactions, like booking an air ticket in the account holder's name, are very low risk for fraud in my opinion.


              Why does everyone treat everything online like a bank?
              visit my blog



              • #8
                Originally posted by lingua101:
                I think implementing OTP for everything is just overkill. I think what KF should do is a second verification on certain transactions, and adding a nominee is one of them.

                Other transactions, like booking an air ticket in the account holder's name, are very low risk for fraud in my opinion.


                Why does everyone treat everything online like a bank?

                OTP for everything is OTT, agreed. I was referring only to the 4-digit entry password. The link from tth_ben perfectly highlights the problem with it - and for IHG which many of us also use - it's too short.



                • #9
                  Originally posted by scooby5:
                  OTP for everything is OTT, agreed. I was referring only to the 4-digit entry password. The link from tth_ben perfectly highlights the problem with it - and for IHG which many of us also use - it's too short.
                  OK, the password is 6 digits. But maybe only a few more milliseconds to crack, based on that password strength website in the article. LOL. A couple of weeks back I entered my PIN wrongly, though, and they will lock your account after 3 wrong PIN entries. I can't remember if this was a measure from long ago or only recently though.



                  • #10
                    Or it could be due to a social media "leak".
                    There are tons of postings of boarding passes with uncensored FF details, tickets, etc.
                    Just punch in the PNR + last name
                    and you can obtain personal data; her PIN could be her birth date as well.

                    I usually PM my friends a screenshot of their personal data to educate them.



                    • #11
                      Originally posted by ninervictor:
                      Or it could be due to a social media "leak".
                      There are tons of postings of boarding passes with uncensored FF details, tickets, etc.
                      Just punch in the PNR + last name
                      and you can obtain personal data; her PIN could be her birth date as well.

                      I usually PM my friends a screenshot of their personal data to educate them.
                      We live in the era of explosive growth in online exhibitionists of all sorts. An incident like this will recalibrate their minds. Like scooby5 said, common sense beats 2FA.



                      • #12
                        Originally posted by SQ_326:
                        We live in the era of explosive growth in online exhibitionists of all sorts. An incident like this will recalibrate their minds. Like scooby5 said, common sense beats 2FA.
                        Out of curiosity, I just entered "singapore airlines boarding pass" into Google image search. While the majority of the BPs posted by people had their KF number blurred out, I already managed to find a couple of BPs with their KFLY number and full name for all to see.



                        • #13
                          CX Asia Miles already on 2FA.



                          • #14
                            Originally posted by tth_ben:
                            Out of curiosity, I just entered "singapore airlines boarding pass" into Google image search. While the majority of the BPs posted by people had their KF number blurred out, I already managed to find a couple of BPs with their KFLY number and full name for all to see.
                            Did they "mask" the barcode? I do not know what is in the barcode, but many times I notice people assume no one can read that barcode.
                            visit my blog

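On the question of what the boarding pass barcode actually holds: the following Python is an added example, not posted by anyone in this thread and not code from SIA or any airline. It decodes the plain-text payload of an IATA "M"-format boarding pass barcode (the bar code on a paper or mobile pass is just this string encoded in PDF417 or Aztec). The field order and widths follow the published BCBP layout (IATA Resolution 792); the sample boarding pass inside the block is constructed with made-up values, and the function and variable names are the example's own. The point it makes is that the barcode carries the passenger name, the booking reference (PNR) and the frequent flyer number in the clear, so blurring the printed KF number while leaving the barcode visible protects nothing.

```python
# Added example (not from the thread): decode the text behind an IATA "M"-format
# boarding pass barcode. Field order and widths follow the published BCBP layout
# (IATA Resolution 792); the sample boarding pass below is constructed and fake.

MANDATORY = [  # first-leg mandatory items that follow the "M" + leg-count prefix
    ("name", 20), ("eticket", 1), ("pnr", 7), ("from", 3), ("to", 3),
    ("carrier", 3), ("flight", 5), ("julian_date", 3), ("compartment", 1),
    ("seat", 4), ("checkin_seq", 5), ("pax_status", 1), ("cond_size_hex", 2),
]
UNIQUE_CONDITIONAL = [  # appears once per pass, right after ">" + version + size
    ("pax_desc", 1), ("checkin_source", 1), ("issue_source", 1),
    ("issue_date", 4), ("doc_type", 1), ("issuer", 3), ("bag_tag", 13),
]
REPEATED_CONDITIONAL = [  # per-leg section; this is where the loyalty number lives
    ("airline_numeric", 3), ("doc_serial", 10), ("selectee", 1),
    ("intl_doc_verify", 1), ("marketing_carrier", 3), ("ff_airline", 3),
    ("ff_number", 16), ("id_ad", 1), ("baggage_allowance", 3), ("fast_track", 1),
]


class Cursor:
    """Fixed-width reader that refuses to run past the end of the payload."""

    def __init__(self, text):
        self.text, self.pos = text, 0

    def take(self, n):
        chunk = self.text[self.pos:self.pos + n]
        if len(chunk) < n:
            raise ValueError("truncated barcode payload")
        self.pos += n
        return chunk


def read_fields(cur, layout, limit=None):
    """Read a fixed-width layout; when a size prefix bounds the section, never exceed it."""
    end = None if limit is None else cur.pos + limit
    out = {}
    for name, width in layout:
        if end is not None and cur.pos + width > end:
            break  # older or shorter versions simply omit trailing fields
        out[name] = cur.take(width).strip()
    if end is not None:
        cur.pos = end  # skip any fields this example does not model
    return out


def parse_bcbp(payload):
    """Return a dict of the human-readable fields in an 'M'-format BCBP string."""
    cur = Cursor(payload)
    if cur.take(1) != "M":
        raise ValueError("only the 'M' boarding-pass format is handled")
    rec = {"legs": int(cur.take(1))}
    rec.update(read_fields(cur, MANDATORY))
    cond_size = int(rec.pop("cond_size_hex"), 16)  # hex length of the conditional block
    cond_end = cur.pos + cond_size
    if cond_size and cur.text[cur.pos] == ">":
        cur.take(1)
        rec["bcbp_version"] = cur.take(1)
        rec.update(read_fields(cur, UNIQUE_CONDITIONAL, limit=int(cur.take(2), 16)))
        if cur.pos < cond_end:
            rec.update(read_fields(cur, REPEATED_CONDITIONAL, limit=int(cur.take(2), 16)))
    cur.pos = cond_end  # whatever remains is airline-private use; ignore it
    return rec


def exposed_identifiers(rec):
    """What a stranger can reuse from a photographed pass: booking and loyalty handles."""
    handles = {"manage_booking": (rec["name"], rec["pnr"])}
    if rec.get("ff_number"):
        handles["loyalty_account"] = (rec["ff_airline"], rec["ff_number"])
    return handles


def build_sample():
    """Constructed, fake boarding pass payload laid out exactly as parse_bcbp expects."""
    unique = "1" + "W" + "W" + "8106" + "B" + "SQ " + "0000000000000"
    repeated = ("618" + "1234567890" + " " + " " + "SQ " + "SQ "
                + "8812345678".ljust(16) + " " + "2PC" + " ")
    cond = ">" + "6" + f"{len(unique):02X}" + unique + f"{len(repeated):02X}" + repeated
    mandatory = ("DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7) + "SIN" + "FRA" + "SQ "
                 + "0326".ljust(5) + "083" + "Y" + "031A" + "0042".ljust(5) + "1"
                 + f"{len(cond):02X}")
    return "M1" + mandatory + cond


if __name__ == "__main__":
    record = parse_bcbp(build_sample())
    print(record)
    print(exposed_identifiers(record))
```

Feed it the string from any barcode reader app and the loyalty number comes out of the repeated conditional section whether or not the printed copy was blurred; the only real protection is not publishing the barcode at all.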


                            • #15
                              Not sure if this change was due to this case, but received this in the mail today:

                              Dear Mr XXX,

                              We will be introducing two-factor authentication (2FA) on 29 June 2018 to enhance security and safeguard your KrisFlyer account.

                              With 2FA, you’ll be asked to enter a one-time password (OTP) each time for certain identified KrisFlyer transactions (e.g. when you access your profile or make changes to your redemption group nominees). As a default, the OTP will be sent to your registered mobile number to validate your identity. Should a mobile number not be available, the OTP will be sent to your registered email address as an alternative.

                              In preparation for the implementation of 2FA, please ensure that the mobile number and email address indicated in your KrisFlyer profile belong to you, are up-to-date, and are actively used.

                              Please follow these steps to update your mobile number and email records:

                              1. Log in to your KrisFlyer account
                              2. Click on the “Profile” tab
                              3. Click on the “Edit” button beside “Personal Details”
                              4. Your mobile number and email address can be edited under the “Contact Details” section
                              5. Click “Save”

                              We strongly encourage you to update your records as soon as possible, before 29 June 2018, to continue accessing your KrisFlyer account seamlessly.

                              Yours Sincerely,
                              KrisFlyer Membership Services

