One of the most common forms of fraud occurs when unauthorized individuals gain access to an account by discovering or guessing the account’s password. In the past, a 4-digit PIN, offering 10,000 possible combinations, was used for logging into loyalty accounts. While most individuals wouldn’t have the patience to try all 10,000 combinations manually, a computer can perform this task rapidly.
Once the fraudster gains access to your account, they can alter your account details, prevent you from accessing it, and then utilize your points to book travel, such as flights and hotels, by sending the confirmation to a newly created email account. Then, it’s up to the customer to prove that they weren’t the ones traveling, and while they wait for the fraud division to investigate, all their points are either gone or in limbo.
That’s why companies stopped having you use a PIN to access your account. At first, passwords could be simple words, but now you can find websites that require you to use a password with a series of letters, numbers and symbols that aren’t easily guessable.
As you probably already know, hackers can still access loyalty accounts with travel programs and steal points by booking last-minute flights and hotel rooms. This can happen because a company was hacked, and user names, emails, and passwords were stolen and shared on the dark web. This is why you should use a different password for each website.
Two-Factor Authentication
The newest mainstream way websites are trying to prevent hackers from breaking into your account is by using two-factor authentication, or 2FA for short. Here’s how Cloudflare, you know, the company that broke all the corporate Windows computers in the world, describes 2FA:
Two-factor authentication, abbreviated as 2FA, is an authentication process that requires two different authentication factors to establish identity. In a nutshell, it means requiring a user to prove their identity in two different ways before granting them access. 2FA is one form of multi-factor authentication.
While there are different ways to accomplish 2FA, most websites use a code that they send customers by email or text message when they use their username and password to log into their account. This has two advantages: It ensures that the person trying to log in is actually who they say they are, and they’ll also be alerted if someone who is trying to log into the account isn’t the “real” person.
Of course, there are ways to trick 2FA, but that’s not the reason for this post. All you need to know is that banks and loyalty programs increasingly rely on 2FA methods to access accounts.
What’s the problem?
Ever since I started collecting loyalty points, I’ve relied on AwardWallet to keep track of my accounts. Once you’ve linked your accounts, AwardWallet will automatically monitor your balances (as long as the loyalty programs permit it). This worked well until some programs introduced two-factor authentication (2FA). Lately, I’ve been getting emails and texts with a code at random times, day and night, prompting me to log into my account. Initially, I thought it was a fraud attempt to hack my account. Eventually, I realized it was just AwardWallet attempting to access my account to update my balance.
Besides the inconvenience of receiving emails and text messages, some programs took the step of locking accounts after a certain number of times of requesting a 2FA code and not logging in. I’ve had problems with Air Canada, Jet Blue and Qantas and have received messages from Citi and Bilt. Even if I was at my computer, since the process runs in the background, I couldn’t enter the code through AwardWallet, even if I wanted to.
Here’s the Fix
Since I didn’t want to stop using AwardWallet, I reached out to their help desk to see what could be done to stop updating accounts in the background. This way, I could manually update the accounts I knew used 2FA when I was at the computer and able to enter the codes.
They provided me with three methods to keep AwardWallet from updating accounts automatically:
Please note that you can move your accounts from the “Active Accounts” tab to the “Archive Accounts” tab to make background updates a lot less frequent (your accounts will be updated in the background once every three months). You can archive any accounts via the “Actions” menu:
If you don’t want some of your accounts to be updated in the background at all, you can save the passwords for these accounts locally on your device. All you need to do is select “Locally on this computer” while adding/editing any of your accounts:
You can also change where the passwords are stored via the “Actions” menu:
Background updating for such accounts will be turned off. Every time you clear your cookies or switch devices, you need to enter all the passwords again.
I’m going with the “Archive” function for now. I can select the accounts I know use 2FA and update them manually, leaving the other accounts to receive regular updates. If that doesn’t work, I’ll store the passwords locally.
Final Thought
This problem has been bugging me for a while. I want to thank the staff at AwardWallet, who responded to my question quickly and provided clear directions on how to fix the problem. There’s no way they can control whether a program requires 2FA, but at least they have a workaround in place, so I don’t receive text messages from Australia and Japan in the middle of the night asking to verify my account.
Want to comment on this post? Great! Read this first to help ensure it gets approved.
Want to sponsor a post, write something for Your Mileage May Vary, or put ads on our site? Click here for more info.
Like this post? Please share it! We have plenty more just like it and would love it if you decided to hang around and sign up to get emailed notifications of when we post.
Whether you’ve read our articles before or this is the first time you’re stopping by, we’re really glad you’re here and hope you come back to visit again!
This post first appeared on Your Mileage May Vary
