Share Travel Plans? How to Password Protect Your Airline and Hotel Reservations

I’ve always been amazed by the lack of verification required to make or change an airline or hotel reservation, especially when booking a reward for someone else. Funny enough, I say this as someone that spends most of their time booking award ticket for others, with good intentions.

Airlines all have different approaches to “verifying” the identity of people making bookings by phone. At Continental and Delta for example, you need to verify your four digit PIN in order to make an award booking. American, on the other hand, requires the person redeeming miles to use a credit card in their name for the taxes on an award ticket. Then there are airlines like US Airways, which will simply verify the address of the member in order to make an award booking, if even that.

Certainly there’s a tradeoff between security and convenience though. On one hand I want my account protected (meaning I don’t want anyone else to have unauthorized access to the account), but at the same time I don’t want to spend five minutes verifying information every time I book something to prove who I am.

So when it comes to award redemptions among airlines, I think Delta has the best system. Each member has a four digit PIN, and in order to make a booking you need to enter your PIN in the automated system when you call, at which point you’re considered “verified.” The process is simple and does a good job of protecting your security. Continental has a similar system in theory, though you need to tell the agent your four digit PIN when making an award reservation. I’m not a fan of that system at all, mainly because I’m often in public and don’t want to say my four digit PIN out loud.

On the other end of the spectrum is Air Canada Aeroplan, one of my favorite loyalty programs. Nonetheless they have one of the silliest rules out there. Only the actual member can make a reward booking, and the way they verify that is by asking for the address and phone number of the member. However, the member can call and have someone else be authorized on the account by verifying that same information. There’s nothing preventing someone from calling in pretending to be that person in order to make a booking. It just seems like such a superficial security system to me. I far prefer the PIN based system where anyone can call in and make a booking for me, as long as they have my PIN.

Anyway, on to the topic of this post. Up until a few months ago I thought all of this was moot. Who’s really going to try to use my miles or cancel one of my reservations? Well, apparently someone.

A couple of weeks ago I was scheduled to fly to Paris on American Airlines. I had booked a discounted business class ticket and applied systemwide upgrades so that I could fly first class, so it looked to be quite a nice trip, especially since I would be earning top tier status with them upon the completion of the trip.

Everything looked fine until the afternoon before the flight, when I tried to check-in online. I logged into my AAdvantage account and went to the “My Reservations” tab and accessed my reservation. Under that same record locator a reservation pulled up for travel from Raleigh to Los Angeles in coach several weeks later. I chuckled, thinking it was an IT error. I closed my browser, opened a different browser, and pulled up my reservation again. The same reservation appeared.

As it turns out, someone decided to change my reservation just an hour earlier, I assume out of spite. After 90 minutes on the phone with an absolute savior of a service director my itinerary was fully restored, which I was thankful for. It could have very well ended up uglier, though, especially since I had some British Airways segments on my itinerary.

I would chalk it up to a fluke, though this was actually the second time this has happened to me. The first time around I assumed it was an IT glitch or maybe a human error. However, after the second time it was clear to me that there’s someone out there that’s quite malicious and desperate, which is why I looked into better ways to protect my mileage accounts.

The fact is, it was incredibly easy for him to change my itinerary. He probably called up earlier in the day, knowing I was flying from Miami to London, and pretended to be me, probably claiming to have forgotten the record locator. After confirming his name (pretending to be me) the agent likely gave him the record locator. Then he probably called back, after pulling up the reservation on American’s website, and with full confidence claimed to be me. They really don’t ask any questions at that point, assuming you have someone’s record locator and name, so he could do with my reservation whatever he wanted. And therein lies the value of password protecting your loyalty program account or a particular reservation.

But it’s not just travel bloggers that should protect their travel plans. I know members of online travel bulletin boards that posted their travel plans and had others make changes to their reservations, from minor things like a seat change to outright canceling a reservation. The same could happen if you have a disgruntled employee, ex-girlfriend/boyfriend/wife/husband, or any of a number of other different scenarios.

As a result of that I’ve done some research as to the policies of each of the major US airlines and hotel chains regarding password protecting accounts. As a starting point it’s probably worth mentioning that virtually all US airlines have no real form of security when it comes to revenue tickets. Anyway here’s a breakdown (and I don’t want to be too specific, because that could lead to further abuse):

Airline or Hotel

Award Travel Security

Recommendation

Contact

American Airlines

Medium: Credit card needs to be in member’s name, though you can always get a card in someone else’s name

Revenue tickets: Password protect by calling reservations

Award travel: Call AAdvantage customer service

Reservations & AAdvantage:
(800) 882-8880

Continental

Strong: PIN required

Revenue tickets: Password protect by calling reservations

Award travel: Use PIN

Reservations:
(800) 523-3273

Delta

Strong: PIN required

Revenue tickets: Password protect entire SkyMiles Account by calling reservations; remind agent to check SkyMiles to add pw to each new reservation

Award travel: Use PIN

Reservations:
(800) 221-1212

United

Medium: Only zip code required when making reservations for someone with same last name, though more verification if making reservation for others

Revenue tickets: Submit password request in writing to Mileage Plus; all new reservations will use this password

Award travel: see above

Mileage Plus Service Center P.O. Box 6120 Rapid City, SD  57709-6120

 

US Airways

Weak: Only asked address and possibly phone number or email address

Revenue tickets: Password protect by calling reservations

Award travel: see above

Reservations:
(800) 428-4322

Hilton

Strong: PIN required for verification

Revenue stays: No password protection, but you’ll be prompted for personal data and last 4 digits of credit card

Award travel: PIN required for verification

n/a

Hyatt

Weak: Only basic information is asked (address, phone number, etc.)

Revenue stays: Password protect by calling reservations

Award travel: see above

Reservations:
(888) 591-1234

Marriott/

Ritz-Carlton

Weak: Only basic information is asked (address, phone number, etc.)

Revenue stays: Requires confirmation number or last four digits of credit card

Award travel: see above

n/a

Priority Club

Weak: Only basic information is asked (address, phone number, etc.)

Revenue stays: No password protection available

Award travel: No password protection available

n/a

Starwood

Strong: Security question required for verification

Revenue stays: Requires verification of security question you selected online

Award travel: see above

n/a

If you enjoyed this, please follow TravelSort on Twitter or  like us on Facebook to be alerted to new posts. 

Become a Member to find your perfect luxury or boutique hotel at up to 50% off: TravelSort Hotels


  • |
  • Print
    print |
Related Articles
Square_php8mx0efpm
Business Travel
by Ben Schlappig on 3/13/2012
Square_php8mx0efpm
Business Travel
by Ben Schlappig on 3/6/2012
Comments
Picture?type=large Kent O. commented 22 Jun 2011

Thanks for putting together this article: it is a great resource. The schmuck whom cancelled and altered your travel plans should be identified and shamed throughout the web travel community. What he did is out of line and unacceptable, but I do think that instant karma will catch up to him.

With regards to the Hilton program, I am asked almost every time for my PIN from an agent whether calling the HHonors line and the reservations usually requires it as well.

Avatar_60_hilary Hilary Stockton commented 22 Jun 2011

Kent, thanks for your comment, and update for Hilton--are you prompted for PIN for both revenue and award bookings? 

Picture?type=large Ben Schlappig commented 22 Jun 2011

Thanks for the correction, Kent. It's my understanding that's only for awards, though, right? I went ahead and updated the post to reflect that, though if it's still not right, let me know.

Picture?type=large Kent O. commented 23 Jun 2011

Ben and Hillary,

I make most of my bookings online with my HHonors account which requires entering a password or PIN to access the account. Whenever you make a change or cancel a reservation online or via phone, you then receive an email from Hilton notifying you of the action which was taken, so it makes it much easier to oversee. If someone alters a person's Hilton hotel reservation, he would be alerted very quickly.

AFAIK, the Hilton reservations agents do not distinguish between award and general reservations. They usually request your name and PIN before they will proceed further on a call. Then again, I have not made many award bookings or reservations changes via phone, so I will be more observant in regards to what info they request.

 


Leave a Comment
Comment
Facebook-logo
Get Free Email Blog Updates
Popular Articles
Square_ritz-carlton_rewards_card-_70k_bonus_points_no_annual_fee_offer_worth_it
Business Travel
by Hilary Stockton on 7/29/2014
Square_top_credit_card_signup_bonuses_you_can_get_again
Business Travel
by Hilary Stockton on 8/3/2014
Square_55k_united_mileageplus_explorer_with_50_statement_credit
Business Travel
by Hilary Stockton on 8/2/2014
Square_combine_frequent_flyer_miles_for_award_redemption
Business Travel
by Hilary Stockton on 8/11/2014
Square_emirates_a380_first_class_awards_for_two_with_alaska_airlines_miles
Business Travel
by Hilary Stockton on 8/6/2014
Square_top_12_airline_ticket_booking_errors_to_avoid
Business Travel
by Hilary Stockton on 8/21/2014
Square_how_to_complain_to_a_hotel
Business Travel
by Hilary Stockton on 7/30/2014
Square_earn_50k_united_mileageplus_explorer_signup_bonus_again
Business Travel
by Hilary Stockton on 10/15/2014
Square_american_airlines_compensation_for_cancelled_flight_or_delayed_flight
Business Travel
by Hilary Stockton on 8/18/2014
Square_etihad-buy_economy_fly_business_class
Business Travel
by Hilary Stockton on 9/9/2014