Could Your Frequent Flyer Miles Be Hacked?
What would you do if hackers broke into your frequent flyer account and helped themselves to your hard-earned miles? Thousands of American and United travelers were faced with this question in December, when thieves hacked into their accounts and booked trips using their rewards.
3 Tips for Keeping Your Accounts Secure
We all know we should be mindful of data security and careful with the information we share online, but let’s be honest — it’s not always at the top of our to-do list. We enlisted Kevin O’Neill, Rocketrip’s VP of Engineering, to give us some practical, easy tips to keep us safe online.
1. Throw Out Your Weak Passwords
The problem we all have these days is that we subscribe to dozens of online services, and as a result we're forced to remember a large number of username / password combinations. So what do most people do? Create one easy password they can remember and reuse it across all their online accounts. Something like: gonesurfing123!, Ilov3r3ading, p@55w0rd. These all seem pretty smart, right?
Well… the problem most people don't realize is that most account compromises don't come from someone sitting at a login page guessing your password, like you see in the movies. Attackers use programs that systematically try millions of known and likely passwords: lists leaked from earlier breaches, dictionary words and phrases, and the usual substitutions ("3" for "e", "@" for "a", a "123!" on the end). Most well-built services throttle or lock out that kind of online guessing, but if an attacker ever gets a copy of the site's user database there is nothing left to throttle: they can run those same guesses offline against the stored password hashes as fast as their hardware allows and, given time, recover every weak password in the table. Because so many people reuse passwords, each recovered password is then tried against other services too, which is how a breach at one site turns into a takeover of your accounts everywhere else.
The better way to create passwords, then, is to create strong passwords for all your online identities to avoid this type of exposure. Some simple guidelines are:
a) Ensure that your password is at least 8 characters long (longer is better, see below)
b) Avoid anything tied to your identity (e.g. names of family members/pets, car make, where you live or have travelled, favourite color, etc.). With social media these days, a would-be attacker can find many of these details and use them against you.
c) Ensure that there is a healthy mix of uppercase and lowercase letters, digits and symbols.
Here are some examples of strong passwords:
- XHE79o+k, 6=gw8uZC
- Even better would be to make them longer! Every extra random character multiplies the work an attacker has to do, so the longer the password, the more difficult it is to crack.
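To make the offline attack described above concrete, here is an added example (not code from the article or from Rocketrip) of what an attacker does with a stolen user table. The "database" is constructed here: four users whose passwords are the article's own weak examples plus one of the generated strong ones, stored as unsalted SHA-256 hashes (an assumption; many real sites used exactly this). The attacker takes a small wordlist, applies the mangling rules cracking tools use (case changes, leetspeak substitutions, common suffixes), hashes each candidate once and looks it up against every user at the same time.

```python
import hashlib
import itertools

def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, the (weak) storage scheme this constructed database assumes."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed "stolen database": username -> stored password hash.
# The first three passwords are the article's weak examples; dave's came from a
# random generator (the article's own strong example).
STOLEN_DB = {
    "alice": sha256_hex("gonesurfing123!"),
    "bob": sha256_hex("Ilov3r3ading"),
    "carol": sha256_hex("p@55w0rd"),
    "dave": sha256_hex("XHE79o+k"),
}

# Constructed wordlist: real attacks use millions of leaked passwords and phrases.
WORDLIST = ["password", "iloveyou", "ilovereading", "gonesurfing", "letmein", "sunshine"]

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "123", "!", "123!", "2014"]

def leet_variants(word: str):
    """Every combination of leet substitutions (each position substituted or not)."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)

def candidates(word: str):
    """The mangled forms a cracking tool's rule set derives from one wordlist entry."""
    for leet in leet_variants(word):
        for base in {leet, leet.capitalize(), leet.upper()}:
            for suffix in SUFFIXES:
                yield base + suffix

def crack(stolen_db: dict, wordlist: list):
    """Offline dictionary attack.

    Because the hashes are unsalted, one candidate hash is compared against all
    users at once; salting would force one hash per user per candidate, and a
    slow hash (bcrypt, scrypt, Argon2) would make each one cost far more. Neither
    saves a password that is in the wordlist; they only buy time.
    Returns (recovered passwords by user, number of candidates hashed).
    """
    users_by_hash = {}
    for user, digest in stolen_db.items():
        users_by_hash.setdefault(digest, []).append(user)
    recovered, tried = {}, 0
    for word in wordlist:
        for cand in candidates(word):
            tried += 1
            for user in users_by_hash.get(sha256_hex(cand), []):
                recovered[user] = cand
    return recovered, tried

if __name__ == "__main__":
    found, tried = crack(STOLEN_DB, WORDLIST)
    print(f"hashed {tried} candidates")
    for user in STOLEN_DB:
        print(f"{user:6s} {found.get(user, '<not cracked>')}")
```

The three "clever" passwords fall to a six-word list and a handful of rules within a fraction of a second; the random 8-character one is untouched, because no rule derives it from a dictionary word. It would still fall to exhaustive search over 94^8 combinations with enough GPU time, which is the argument for going longer.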
But who is going to remember 30 different “strong” passwords like these?
2. Use a Password Manager Solution
The problem with generating long, complicated passwords is that it's hard (read: impossible) to remember different ones across the 30 or so online services you're inevitably subscribed to.
Here lies the core problem with internet security. We all know that strong, unique passwords are the "best practice," but it's too inconvenient to set one up for every site and then remember all of them. As a result, everyone falls back to weaker, easier-to-remember passwords that they reuse everywhere, which makes logging in easy but invariably puts them at risk.
This is why everyone should start thinking about leveraging a password management solution. We're fans of 1Password and Dashlane, but this is quickly becoming a competitive market, with Apple even implementing a (limited) solution of their own. The great thing about a password manager is that you do not have to remember your passwords: the manager generates a different strong one for every site and takes care of remembering them for you.
The way I work with 1Password:
- I have 1Password configured to generate ridiculously secure passwords that I'll never care to remember (those passwords I noted above were straight from the 1Password generator)
- Whenever I go to a site that requires me to authenticate, the 1Password browser plugins or the 1Password iOS app are used to either pre-populate the username and password fields, or I simply copy and paste the password where required
- There are only 3 passwords that I actually remember:
- My Gmail account password (still a very strong password). Given that password resets for all my other services go to this account, it's critical that if anything ever happens to my password repository, I still have access to Gmail to reset my passwords.
- My 1Password master password, which gives me access to the repository.
- The password to my personal computer(s)
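As an added example (not 1Password's or Dashlane's code, and not from the article), this is the essence of what a password manager's generator does: draw every character from the operating system's cryptographic random number generator, then compare the result's keyspace with what an attacker can search. The guess rate is an assumption for illustration (10 billion guesses per second, roughly a GPU rig against a fast unsalted hash); the 94-character alphabet is the printable ASCII set the article's own examples were drawn from.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
DEFAULT_ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 88 characters
PRINTABLE_ASCII = 94  # alphabet size assumed for the article's XHE79o+k / 6=gw8uZC

# Assumed attacker speed for the estimates below (fast hash, GPU cracking rig).
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Random password from the OS CSPRNG (secrets, never random.random).

    Like a manager's "include digits/symbols" option, it rejects draws that miss
    a character class present in the alphabet so the result passes site policies.
    """
    if length < 8:
        raise ValueError("use at least 8 characters (more is better)")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    required = [set(c) & set(alphabet) for c in classes if set(c) & set(alphabet)]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in group for ch in pw) for group in required):
            return pw

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a *uniformly random* password; a human-chosen one has far less."""
    return length * math.log2(alphabet_size)

def years_to_crack(length: int, alphabet_size: int,
                   guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to exhaust half the keyspace at the assumed guess rate."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        print(f"{length:2d} chars: {entropy_bits(length, PRINTABLE_ASCII):6.1f} bits, "
              f"~{years_to_crack(length, PRINTABLE_ASCII):.3g} years at 1e10 guesses/s")
    print("generated:", generate_password(20))
```

The 8-character random passwords the article shows are about 52 bits, which the assumed rig exhausts in days; at 16 random characters the same rig needs longer than the age of the universe. Note the keyspace math only applies to random output: gonesurfing123! is 15 characters long but, as the previous example shows, it is one dictionary word plus a common suffix, and falls in under a second.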
3. Understand HTTPS
While having strong passwords is really important to block attackers trying to get into your online profiles, there's another aspect of the internet that is not well understood. It has to do with HTTP and HTTPS. HTTP is the protocol every web browser uses to talk to a website: the browser asks the server for a specific page, and the server sends it back. So when you go to http://www.rocketripclub.tripprocms.com, your browser sends an HTTP request for the landing page, and Rocketrip responds with the HTML for the front page.
The discussion is essentially
User: “Hi, please give me this web page”
Rocketrip: “Ok, here you go!”
The problem is that this conversation between you and the server is in clear text. Anyone positioned between you and the server can capture it and read everything going back and forth, and on an open Wi-Fi network that means anyone within radio range. I want to stress ALL: this includes every username, password and form field you type into the website, because they are sent as part of that same conversation. This is why people often say "stay off of hotel wifi!" The hotel network itself isn't the root problem, it's just where an eavesdropper is easiest to come by; what decides whether they see anything useful is whether the websites you're using encrypt the conversation.
This is where HTTPS comes into play. HTTPS provides the same functionality as HTTP, allowing you to request a specific page from a website, but all of the communication is encrypted so no one on the network can read the data exchange even if they capture it. You can tell which one you're getting from the address bar: an address that starts with https:// (most browsers also show a padlock) means the conversation is encrypted; http:// means it isn't. Unfortunately this is a feature of the website, in that the application has to be set up to work this way. In other words, you cannot force everything to be encrypted; you have to rely on the website to do it on your behalf. And HTTPS only protects your data while it's in transit: once it reaches the site, how well it's stored is up to the site, which is exactly why the strong, unique passwords above still matter.
So the general rule of thumb is: be aware of your environment (e.g. coffee shop, hotel, airport wifi) and understand when you are sending data across an open network in the clear versus sending it encrypted. If a site is asking for your username and password and the page is not https://, be cautious. If you are sending personal information through a social network over a plain http:// connection, again, be cautious.
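To show exactly what "in the clear" means, here is an added example (not from the article or Rocketrip) of what a sniffer on the same hotel Wi-Fi gets when a login form is submitted over plain HTTP. The captured request is constructed here, with a made-up host and credentials; the password is the article's own p@55w0rd, URL-encoded the way browsers send form fields. The second function is the check a practitioner would build from the rule of thumb above: a login form is only safe if both the page it sits on and the URL it submits to use https, since a page delivered over plain HTTP could have had its form rewritten by the same eavesdropper.

```python
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed capture: the bytes a sniffer sees for an HTTP login. Over HTTPS the
# same sniffer would see only TLS records, with no readable path, host or fields.
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example-airline.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 49\r\n"
    b"\r\n"
    b"username=flyer%40example.test&password=p%4055w0rd"
)

# Field names that usually carry something worth stealing.
SENSITIVE_HINTS = ("pass", "pwd", "token", "secret", "pin")

def extract_credentials(raw: bytes) -> dict:
    """Parse one raw HTTP request as a passive eavesdropper would.

    Splits the head from the body, reads the request line and headers, and
    decodes an HTML form body into its fields. Returns the host, path, every
    field and the subset that looks like a credential.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        fields = {k: v[0] for k, v in parse_qs(body[:length].decode()).items()}
    secrets_seen = {k: v for k, v in fields.items()
                    if any(hint in k.lower() for hint in SENSITIVE_HINTS)}
    return {"method": method, "host": headers.get("host"), "path": path,
            "fields": fields, "secrets": secrets_seen}

def credential_form_is_safe(page_url: str, form_action: str) -> bool:
    """True only if the page was served over https AND the form submits over https.

    A relative action inherits the page's scheme. An https page whose form posts
    to http:// leaks the password anyway; an http page posting to https:// can't
    be trusted either, because the page itself could have been altered in transit.
    """
    if urlparse(page_url).scheme != "https":
        return False
    return urlparse(urljoin(page_url, form_action)).scheme == "https"

if __name__ == "__main__":
    seen = extract_credentials(CAPTURED_REQUEST)
    print(f"{seen['method']} {seen['host']}{seen['path']} -> {seen['fields']}")
    print("credentials visible to the eavesdropper:", seen["secrets"])
    for page, action in [("https://example-airline.test/login", "/auth"),
                         ("https://example-airline.test/login", "http://example-airline.test/auth"),
                         ("http://example-airline.test/login", "https://example-airline.test/auth")]:
        print(page, action, "safe" if credential_form_is_safe(page, action) else "NOT safe")
```

The parser is deliberately no smarter than `tcpdump` plus a few lines of string handling, because that is all an attacker needs: nothing in the clear-text request distinguishes a password field from any other, so the whole exchange has to be encrypted for any of it to be private.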
We hope these tips will help keep your data — and those hard-earned miles — safe.
Have other tech-related questions for Kevin? Find him on twitter at @kevonil.