I received an email from BA saying the email associated with my account had been changed and that I should contact them if it wasn’t changed by me. I checked immediately and indeed it had been changed and not by me. I called BA and reported the issue and they blocked my account but in the meantime I saw in my account a “combine my Avios debit” of my entire balance. Presumably the hacker has tried to combine my Avios with their account thus stealing my Avios? Shouldn’t this be impossible as they would need a phone text verification to confirm the transfer? Also if there were a successful transfer wouldn’t it be easy for BA to trace the account the Avios were sent to? Any information or help on this would be greatly appreciated
For 30 minutes before the hack I was bombarded with emails about confirming subscriptions to US universities presumably this was to distract me from reading the email from BA
Sorry to hear, but not much else you can do except wait for BA to reinstate your account.
BA can probably see the Avios destination account, but they won’t report back.
The email bombardment is a known tactic.
See here: https://www.headforpoints.com/forums/topic/account-hacked-avios-stolen/
IBPL would suggest it was sent to an Iberia Plus account.
Thanks skywalker that’s very helpful. I caught it very quickly and the only delay was the 15 mins on hold with BA. Hopefully the Avios will return safely in a couple of weeks
Unlike bank accounts, Avios can be cancelled/reinstated easily. But you have probably been hacked in some way so I’d be more worried about other vectors. If you read the emails it’s a sign that hackers know you’re on-line. I’d batten down the hatches and invest in a password manager (eg Lastpass).
I’d also check to see if you use your email / password combination with any other account e.g. Amazon and change the password there.
It’s common for hackers to get access to a low security website and check the stolen username / password combinations with other sites (like BA) to see if you use the same password (or slight variation of) in different places.
Good advice about getting a password manager. 1Password / Bitwarden etc which allows you to use different passwords with each account.
Indeed @Ihar
@raynerdom hopefully someone will come along and say I’m wrong, but IIRC given that personal details have to match before making an Avios transfer, the scammer is likely to have created an Iberia Plus mirror account and is now aware of your name, address and date of birth. If your passport details were stored in your BA account, they also have this.
Just a word of caution, look out for random applications on your credit report.
When my account was hacked last year, all my Avios were transferred to IBPL. I thought you could only have one account and all the info needed to match. However I already had an IB account, but the Avios were not transferred into my account! I didn’t get bombarded with emails. I was travelling back to the UK on a BA flight at the time! I had been unable to check in on line and assumed it was down to BA IT. There were also issues trying to check in at the airport, but it eventually got sorted. Assume it was just a coincidence. From what I see from other posts, this always seems to happen over a weekend/holiday. On the way home, I was then able to access the app and realised my email had been changed and my Avios balance was a few thousand, which had posted that day. So when I reported my stolen Avios as soon as I got home on the Sunday, all that could be done was for the CS agent to email the Fraud Team who would be back in the office on Monday.
Took a couple of weeks for Avios to be returned after a number of phone calls and emails.
My password was unique to BA. When I checked my records, the only other account I had with a very similar password was HfP!
I can share with you my BA password : mwyUfM3m539875H . Except I’ve changed one of the characters. 😂
Seriously you need a separate password for EVERY account nowadays, because as @vzzbuckz says they’ll hack some insecure site and then “credential stuff” those details into everything. I have around 500 unique logins/passwords, and I know exactly 3 of them. GET A PASSWORD Manager everyone!
2FA should be the default for ANY financial transaction – not that most 2FA is secure, but it’s more secure than 1FA.
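The credential-stuffing pattern described above (stolen username/password pairs from one site replayed against many accounts on another) has a recognisable shape in a login log: one source tries many distinct accounts in a short window and almost all attempts fail. The following is an added example, not code from this thread or from BA, showing how a defender would flag that shape. The log format and the IP addresses and usernames are constructed sample data; the thresholds (`min_users`, `max_success_ratio`) are assumptions to tune per site.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample login log (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 cycles through many accounts; 198.51.100.4 is one user retrying once.
SAMPLE_LOG = """\
2024-03-02T09:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-02T09:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-02T09:00:02Z 203.0.113.7 carol@example.com FAIL
2024-03-02T09:00:03Z 203.0.113.7 dave@example.com OK
2024-03-02T09:00:04Z 203.0.113.7 erin@example.com FAIL
2024-03-02T09:00:05Z 203.0.113.7 frank@example.com FAIL
2024-03-02T09:01:10Z 198.51.100.4 grace@example.com FAIL
2024-03-02T09:01:20Z 198.51.100.4 grace@example.com OK
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed whitespace-separated format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        attempts.append(
            Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK")
        )
    return attempts


def find_stuffing_sources(attempts: list[Attempt], window: timedelta = timedelta(minutes=5),
                          min_users: int = 5, max_success_ratio: float = 0.3) -> dict:
    """Flag source IPs that, inside a sliding time window, try at least `min_users`
    distinct accounts with a success ratio at or below `max_success_ratio`.
    For each flagged IP the window with the most distinct usernames is reported,
    together with the accounts that logged in successfully (the ones to reset).
    """
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)

    flagged: dict = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Advance the window start until all rows fit inside `window`.
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            users = {r.user for r in win}
            successes = sum(r.ok for r in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "compromised": sorted(r.user for r in win if r.ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The success ratio matters as much as the volume: a stuffing run usually hits a handful of reused passwords among hundreds of failures, and the accounts in `compromised` are exactly the ones whose owners reused a password somewhere else and need a reset and a review of recent account changes.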
My friend who does cyber security says that the best password is 3 random words and don’t bother with fancy characters. Also, never use public wifi!
I heartily echo the recommendations to invest time in a password manager. But be aware Lastpass is long compromised (https://www.techrepublic.com/article/lastpass-review/ or google lastpass databreach) and is not recommended for storing sensitive data.
Bitwarden is a secure, free, fully featured alternative with Chrome, Android and iPhone apps
My friend who does cyber security says that the best password is 3 random words and don’t bother with fancy characters. Also, never use public wifi!
The ‘3 random word’ model is advocated because the level of entropy is high (longer passwords are harder to brute force) but people find it very difficult to come up with random words. A tool called ‘Diceware’ is available that generates three random words for you. You still need a password manager though as you have to have a different ‘3 random word’ combination for each site you visit.
Agree with public wi-fi but if you do need to use it, you should use a paid-for VPN like Express VPN or Nord VPN. The reason for this is that airports are notorious places where hackers put up fake wi-fi sites. People join these site but think the connection to their favourite websites is encrypted so they are ok. The problem is that the fake wi-fi also has a fake DNS server, so http://www.ba.com is not really sending you to ba.com. Most sites generate a hidden session key when you connect, so you don’t have to log in every time, and when you are connected to that dodgy wi-fi site, the owner will sniff that session key and then use it in what’s called a replay attack; this will allow them to log into your ba.com account without a username and password. (You connect to dodgy wi-fi, you connect to ba.com, the hacker’s DNS intercepts this, steals the session key your browser generates, forwards you to ba.com as though nothing has happened. They then connect to ba.com with your stolen session key and change your email address etc).
So general lesson is: use a paid-for VPN if on public wi-fi and use a password manager.
@ratiom : The Lastpass compromise could happen to any company. In fact, the raison d’etre of a password manager is that it DOES happen. There should be some kudos for identifying and reporting breaches, and be secure (sorry, bad pun) in the knowledge that even Lastpass (or any password manager) can’t get into your password vault if you forget your master password. I still use Lastpass (I have a degree in Computer Science) and worry more about technical details than someone stealing my locked vault.
“3 random words” does theoretically (mathematically) provide security, but who can remember 3 random words for every website visited?? Adding numbers/special characters provides greater security because it increases the “alphabet” range by 50% or more.
I use a VPN most of the time (SurfShark), but regardless any https encrypted connection is safe end-to-end. That said, @vzzbuckz is right – a rogue actor can probably steal your email address and also know what sites you visit (as DNS is not secure). So whilst you’re accessing your bank account they are sending you a phishing email to try and scam you.
@the Ihar I only use my phone data if I need to use my password manager away from home. Is this safer than whatever free WiFi is offered, or should I still be using a VPN?
The problem is that the fake wi-fi also has a fake DNS server, so http://www.ba.com is not really sending you to ba.com. Most sites generate a hidden session key when you connect, so you don’t have to log in every time, and when you are connected to that dodgy wi-fi site, the owner will sniff that session key and then use it in what’s called a replay attack
Except BA doesn’t do this until you have logged in over an encrypted connection. So unless they are hijacking all the traffic with a fake certificate and you’ve accepted said fake certificate despite your browser’s warnings, they will be SOOL.
I personally think VPNs are oversold though I do have my own which I use mainly to bypass geo-blocking. I don’t use it for security and can’t anyway on my work phone as we policy out personal VPNs.
Doesn’t Android have its own password safe these days? Keychain in the latest iOS has proved good enough that I will let my 1Password subscription lapse this year.
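The two posts above turn on how a browser treats a session cookie: the earlier one describes a hotspot sniffing the session key from a plain http://www.ba.com request, and the reply points out that the session is only issued after login over an encrypted connection. What makes the reply hold is the `Secure` attribute on the cookie, which a browser honours by never attaching that cookie to a plaintext request. The block below is an added illustration, not BA's code or a real browser, that models just that rule (domain match plus the Secure check; path and expiry are ignored) and shows the `Set-Cookie` and HSTS headers a site uses to get it. The `Cookie` class, `browser_would_send` and `hsts_header` are hypothetical names; the token value is constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    """Minimal model of a session cookie and the attributes that govern when it is sent."""
    name: str
    value: str
    domain: str
    secure: bool = True      # only ever sent over https
    http_only: bool = True   # not readable by page scripts
    same_site: str = "Lax"   # not sent on most cross-site requests

    def set_cookie_header(self) -> str:
        """The response header a server emits to create this cookie."""
        attrs = [f"{self.name}={self.value}", f"Domain={self.domain}", "Path=/"]
        if self.secure:
            attrs.append("Secure")
        if self.http_only:
            attrs.append("HttpOnly")
        attrs.append(f"SameSite={self.same_site}")
        return "Set-Cookie: " + "; ".join(attrs)


def browser_would_send(cookie: Cookie, url: str) -> bool:
    """Simplified browser rule: the cookie goes out only if the host matches the cookie's
    domain and, for a Secure cookie, only if the scheme is https. A plaintext request to
    http://www.ba.com, the one a rogue hotspot can read, therefore never carries it."""
    u = urlparse(url)
    host = u.hostname or ""
    domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    if not domain_ok:
        return False
    if cookie.secure and u.scheme != "https":
        return False
    return True


def hsts_header(max_age_days: int = 365) -> str:
    """Strict-Transport-Security makes the browser upgrade future http:// requests to
    https:// itself, so even the first request after typing www.ba.com is encrypted."""
    return f"Strict-Transport-Security: max-age={max_age_days * 86400}; includeSubDomains"


def exposure_report(cookie: Cookie, urls: list[str]) -> dict[str, bool]:
    """Which of the given requests would carry the cookie; True on an http:// URL is the
    condition under which the sniff-and-replay described above actually works."""
    return {url: browser_would_send(cookie, url) for url in urls}


if __name__ == "__main__":
    session = Cookie("session", "constructed-token-value", "ba.com")  # constructed value
    print(session.set_cookie_header())
    print(hsts_header())
    for url, sent in exposure_report(session, [
        "https://www.ba.com/account",
        "http://www.ba.com/",
        "https://www.ba.com.example/",
    ]).items():
        print(f"{url:35s} cookie sent: {sent}")
```

Setting `secure=False` in the model is the misconfiguration under which the replay works, and the third URL shows why the domain check matters: a lookalike host does not receive the cookie either, which is why phishing for the password itself, rather than sniffing the session, is the more realistic hotspot attack.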
It’s not as unusual as you say. A lot of corporates send out their own self-signed root cert and employees have to accept this onto their personal devices to use the internet at work (it usually comes pre-loaded on corporate devices). People, especially business users, are used to this sort of thing and are likely to accept such a thing if offered by an official sounding wifi hotspot.
Apple’s Password product is getting better. I’m keeping my 1Password subscription as it stores other stuff as well and works on Windows. Another useful Apple product is if you subscribe to iCloud+, you get a free VPN called iCloud relay, which works with Mail and Safari. This could help fight the battle against dodgy wi-fi hotspots too – you just need to remember to enable it.
Another useful Apple product is if you subscribe to iCloud+, you get a free VPN called iCloud relay, which works with Mail and Safari
Ironically I think the BA website gets confused about iCloud Relay. It seems to cause the ‘logged in from another device’ error.
Yes, your mobile provider should offer a secure connection (though without a VPN your provider can still see what sites you’re visiting, mainly for marketing purposes).
One issue is that I can buy the domain “freebawifi.com” today (with a security certificate) and set up a wifi hotspot in the lounge. Now any unencrypted traffic (not https) I can intercept. Worse, I can easily navigate you to https://executiveclub.co.uk via a landing page to login to your BA, steal your credentials without you knowing but pass them onto BA so they show the real “response page” (man in middle attack) . Then mess with your account whilst you are in the air.
Using a VPN solves some of this. More is about being careful that you are really on the right website (anyone can make an imitation BA website in seconds). Best is using separate passwords for EVERY site, because if compromised it will only be for that site.
Thanks for the clarity @Ihar.
I hadn’t appreciated that website data can be accessed by my network provider. Hackles have risen. Presumably they have sought my permission to do this? Or maybe just part of the conditions of the contract.
I do use a password manager and the auto generated random passwords. The days of writing down pet’s name in my Filofax are long gone, but I still know a handful of close relatives who still do this!
Yet another incident hits the press https://www.thisismoney.co.uk/money/holidays/article-14284393/I-181-000-Avios-stolen-hacker-CRANE-CASE.html
Sorry but I fully support the filofax/notebook method. They can’t be hacked, a password manager can.
Teaching my 82 yr old mother to write things down is much easier and safer than have her use yet another piece of software.
Yet another incident hits the press https://www.thisismoney.co.uk/money/holidays/article-14284393/I-181-000-Avios-stolen-hacker-CRANE-CASE.html
The hackers surely wouldn’t have much use for the companion vouchers though?!
Re the story below that one, the 18-year-old should have been educated in the likes of WhatsApp and Discord for free calls!
I hadn’t bothered to read that part but anyone who doesn’t have a cap on their account is crazy. I set mine at £5 just in case.
Riding the sleeper train from Vienna my mobile locked on to a Swiss tower and ran through the £5 before I woke up. Similar happened when I was hiking in Croatia within a line of sight to Bosnia. What is scandalous isn’t the charges but the fact that any cap doesn’t take effect until the next billing period so you can’t quickly enable/disable it for emergencies.