Amtrak Guest Rewards Account Hacked
One thing that technology has brought into our lives is more “accounts” and “logins” than ever existed before. For most people, logins for email, banking and social media are enough, but us miles/points crazies just have to go and sign up for every single loyalty program. More logins!
While we often think about securing our banking and social media logins, loyalty accounts are just as vulnerable. Unfortunately I learned that the hard way yesterday when I received the following email from Amtrak Guest Rewards:
Thankfully I saw the email almost right away and immediately went to log in to my Amtrak Guest Rewards account. I have/had about 64K points in my account, mostly because I transferred over Ultimate Rewards before that option ended, but had to back out of a trip I was going to book.
Fortunately the thief had only changed my email address, so I was able to log in and see the bad news. My 64K balance was down to just 4K. Someone had tried to redeem my points for $300 in Gap gift cards and $300 in Gamestop gift cards. I called Amtrak almost immediately and went through the process of getting everything disputed.
While redeeming Amtrak points at $.01 each should be an additional crime, I’m quite sure we’ll never catch this person. Luckily, since I was able to call so quickly, they never received the gift cards, and I have been told the points will be returned to my account shortly, although it can take a couple of days.
Protecting Your Accounts
While I resisted for quite a while, I finally began using a password manager a while ago. I personally use LastPass, which I am quite happy with. It generates very secure random passwords that are stored and easy for me to import when signing in. My only issue is that I neglected to change passwords on some loyalty accounts, which obviously was a big mistake.
If you want to try LastPass you can get 1 free month of their Premium service with this referral link. There are other options out there as well. No matter which password manager you choose, I think it is an essential tool for protecting your accounts. I was skeptical of the hassle of getting it set up, but am happy with the ease of use and added security. Now I just need to get all of my accounts switched over to more secure passwords.
Conclusion
Thankfully companies are getting better and better at stopping these attacks through notifications and IP tracking. In this case Amtrak’s notification system worked, and their customer service rep was very friendly and efficient in getting this escalated and fixed. I’m just glad my very valuable Amtrak points aren’t gone. Lesson learned.
Have you recently had any of your loyalty accounts hacked? Share your experiences in the comments.
Sometimes I think it’s better to have a long password (as many characters as allowed) of a combination of lower case, upper case, numbers, and special characters and just write it on a piece of paper rather than keeping a password that’s easy to remember but easily hacked.
[…] Hacked: My Amtrak Rewards Compromised & Why This Is a HUGE Wake Up Call. – I use a password manager too to keep track of my passwords, which allows me to have even more complex passwords since I don’t have to memorize or use the same password across multiple sites. And I use services that alert me immediately whenever I book travel or have transactions post to my financial accounts. […]
Glad you were able to get your points back. I use several services like this for my bank and mileage accounts so that I’m alerted whenever there is activity on my accounts so that I can stop fraud as soon as it happens.
JL – brute force, in fact, is the most common way accounts are hacked. This is what gave rise to captcha/recaptcha.
JL – not true. Most hacks happen because the username/password combo from one website becomes compromised. Hackers use the leaked username/password list and try it against other sites. This usually works well because people use the same username/password across multiple sites.
I give lectures on identity theft often – the hospitality industry is the worst when it comes to securing online accounts. For some odd reason, they loathe implementing 2-step authentication.
Awardwallet already has 2-step authentication. I’ve been using it for months.
I dispute the usefulness of password managers. These hacks usually happen because the system itself or the data warehouse behind it was hacked / someone inadvertently left that data on a publicly accessible location. Rarely is it cracked via brute force.
In that case, no matter how “secure” the password is, it wouldn’t work.
Password Managers allow you to have unique secure passwords for each site. This means if the info for one site is compromised your password is not compromised on other sites. That is the main benefit.
I’ve been getting emails that look like legit reporting that are actually phishing attempts. I’ve received two of these emails in the past couple of days – one that appeared to come from Apple and one that appeared to come from Chase. These emails look very legitimate, but they are not. Be careful; never click anywhere in the email.
I agree – the worst part is the thief redeeming for gift cards….
Awardwallet should have 2 step authentication
The scariest place that can get hacked is awardwallet. Howard, if you see this.