British Airways rewards scheme hack highlights password problem

The hacking of British Airways’ executive club frequent flyer accounts shows the importance of using strong, unique passwords for all online accounts

The hacking of British Airways’ executive club frequent flyer accounts highlights the importance of using strong, unique passwords for all online accounts.

The airline has confirmed that hackers carried out an automated attack to access “a small number” of executive club accounts using login information stolen from another online service.

“From the sound of things, the attackers managed to get hold of a database of usernames and passwords and then threw it at the British Airways Executive Club website to see if they would also unlock accounts there,” said independent security consultant Graham Cluley.

But in an email to affected executive club members, British Airways said no personal information had been viewed or stolen and it had frozen affected accounts until the problem is resolved.

The airline also said no names, addresses, bank details or other personal information, including travel histories had been accessed.

Cluley said in a blog post that the breach once again underlines the importance of never using the same password for multiple websites and online services.

He said internet users should use a password manager like LastPass, 1Password and KeePass to enable them to use strong, unique passwords for every online account.

In November 2014, a report showed that 62% of UK consumers put their data at risk by using a single password across multiple online accounts.

Read more about password alternatives

This means if a hacker is able to access user credentials on one site, the same credentials will allow unhindered access to all the other sites where the same password has been used.

Password re-use is a significant challenge to enterprise security, with a February 2015 survey revealing that 56% of employees are reusing the same passwords between personal and corporate accounts.

The survey also showed employees are relying on an average of just three different passwords, with one in five respondents admitting they were sharing passwords with team members.

Cluley said affected executive club members should reset their passwords without delay, but should not use the link included in the warning message from British Airways.

“They should never have included a clickable link when they invited you to reset your password, as that's a classic trick used by criminals phishing for login credentials,” he said.

Online forums are also recommending that executive club members use the password reset function available on the home page of the British Airways website or contact customer services.

The security industry has long recognised that passwords are becoming increasingly insecure and difficult to use as they become more complex and hard to remember.

The Fast Identity Online (Fido) Alliance is a consortium of IT companies – including PayPal, Lenovo and Google – that hopes to revolutionise online authentication with an industry-supported standards-based open protocol.

In October 2014, Google launched a Fido-compliant USB security key to eliminate the reliance on mobile phones for its two-step verification service and sidestep hacker attempts to steal passcodes. 

The Fido protocol is designed to address the lack of interoperability among strong authentication technologies to reduce the reliance on usernames and passwords.

Previous attempts at introducing alternatives to passwords have failed because of the lack of an industry-wide standard, but pundits say Fido members may be big enough to make it happen.

Fido standards support a full range of authentication technologies, including biometrics, as well as further enabling existing technologies such as trusted platform modules, USB security tokens, embedded secure elements, smartcards and near-field communication.

In January 2015, a study by Visa revealed that the new generation of banking customers would rather use biometric security devices than PINs and passwords for authentication.

The study showed that 75% of 16 to 24-year-olds said they would have no problem using biometric security, with 69% expecting it to be faster and easier than a password or a PIN.

Read more on Privacy and data protection

Data Center
Data Management