# No more Email Log In?



## Long Train Runnin' (Nov 19, 2014)

Maybe its just me, but I just tried to sign into my AGR account, and it longer says Member Number or email address it only will take your member number now. Seems odd to take a step backwards.


----------



## Lakeshore (Nov 19, 2014)

Yeah, I noticed that too. I log on the main Amtrak site with my e-mail and go to AGR from there since I don't have my number memorized.


----------



## AmtrakBlue (Nov 19, 2014)

Hey, at least now I can log in. I have not been able to log in for quite a few days and they have been slow in helping me (via "contact us").

I can't link my Amtrak w/AGR because I had to use a different email with AGR due to not getting their promo emails. Didn't want to miss out on any 30-50% bonus deals.


----------



## Orie (Nov 19, 2014)

Lakeshore said:


> Yeah, I noticed that too. I log on the main Amtrak site with my e-mail and go to AGR from there since I don't have my number memorized.


Ditto. It gets a little annoying >_>


----------



## CHamilton (Nov 19, 2014)

Lakeshore said:


> I don't have my number memorized.


You don't? You mean your AGR membership number is not the most important number in your life?


----------



## Lakeshore (Nov 19, 2014)

CHamilton said:


> Lakeshore said:
> 
> 
> > I don't have my number memorized.
> ...


I can't remember what I did yesterday, let alone a number I use once a year... 

I am glad that it gets populated automatically when I book a ticket. I know I have the card somewhere, but then I would have to remember where it is...


----------



## BCL (Nov 19, 2014)

It's been that way for a while. However, if your Amtrak.com and AGR accounts are linked, logging on to Amtrak.com will show a direct link to your AGR account in the upper right corner. I pretty much never log on to AGR directly.


----------



## AmtrakBlue (Nov 19, 2014)

Well, if it's been that way for a while, and I did not notice that I had to use my AGR # (will look at my screenshots when I get home), then why can't AGR tell me that's my problem - that I'm trying to use my email instead of my AGR #.


----------



## AmtrakBlue (Nov 19, 2014)

AmtrakBlue said:


> Well, if it's been that way for a while, and I did not notice that I had to use my AGR # (will look at my screenshots when I get home), then why can't AGR tell me that's my problem - that I'm trying to use my email instead of my AGR #.


And I just got a response (after the initial response which said to clear my cookies, etc) telling me that I'm putting in my email where I should be putting in my AGR #. Maybe they should have posted a banner to let us know they changed the log in procedure.


----------



## the_traveler (Nov 19, 2014)

At least for me, the AGR # is "saved" in my computer and is entered when I go to log in.

And if you don't know your number or have the card, what do you do when you call AGR such as to redeem for a trip or ask a question? :huh: One of the first questions asked (either by the recording or the agent) is "Enter (or what is) your AGR number"!


----------



## AmtrakBlue (Nov 19, 2014)

I don't carry my card with me, but I always have my AGR CC with me, so the number is with me always.


----------



## Lakeshore (Nov 19, 2014)

For me, I have only ever booked one trip on points, a few years ago. I probably logged into AGR and wrote the number on a piece of paper.

It's just used so infrequently that if I needed the number to log onto a website or do anything with it, it would take me a little work to find it.


----------



## BCL (Nov 19, 2014)

Lakeshore said:


> For me, I have only ever booked one trip on points, a few years ago. I probably logged into AGR and wrote the number on a piece of paper.
> 
> It's just used so infrequently that if I needed the number to log onto a website or do anything with it, it would take me a little work to find it.


I've never booked a trip or made a redemption of any kind with AGR - yet. However, I use the website to check when points have posted, That's the subject of the AGR points "hole" from last month.


----------



## Long Train Runnin' (Nov 19, 2014)

Okay glad it wasn't just me. AGR numbers are 10 digits so I have mine stored as a contact in my cell phone. Just seems odd that they would take away something like that. I know its kind of a new thing when I first joined AGR you could only use your number to log in then they added support for your email address, which I guess was only a temporary thing.


----------



## I always rode the Southern (Nov 19, 2014)

I can't remember what I intended to do 30 seconds ago, I have all needed numbers stored on my phone, but I have imprinted and remembered my agr number from day 1 with little effort and I have it written down nowhere.

I was fortunate enough to be given a number sequence that is not consecutive, but a very easily remembered semi-repeating sequence. :giggle:


----------



## Devil's Advocate (Nov 19, 2014)

the_traveler said:


> If you don't know your number or have the card, what do you do when you call AGR such as to redeem for a trip or ask a question? One of the first questions asked (either by the recording or the agent) is "Enter (or what is) your AGR number"!


In the past I would login to the website with my email address and then read the AGR number to the reservations clerk. I have loyalty accounts with over a dozen airlines and hotel chains all of which allow me to use my email or a username of my own choosing. Only AGR requires me to memorize a ten digit numerical sequence of their choosing. In 2014 this kind of technical regression sticks out like a sore thumb.


----------



## SarahZ (Nov 19, 2014)

Devil's Advocate said:


> the_traveler said:
> 
> 
> > If you don't know your number or have the card, what do you do when you call AGR such as to redeem for a trip or ask a question? One of the first questions asked (either by the recording or the agent) is "Enter (or what is) your AGR number"!
> ...


Same here. I used to log into AGR to check my points and then call the number.

It switched a couple of weeks ago, I think. I remember wondering why it wouldn't take my email address anymore. I keep forgetting to change the stored info in Chrome.


----------



## Ryan (Nov 19, 2014)

Use something like Lastpass, and you won't have to remember anything. And you can actually use secure passwords everywhere to boot.


----------



## amamba (Nov 19, 2014)

I noticed the other day, too. It's annoying. Bring back the ability to log in with an email address please!! I routinely log into my H's account and I can't remember his number


----------



## amamba (Nov 19, 2014)

RyanS said:


> Use something like Lastpass, and you won't have to remember anything. And you can actually use secure passwords everywhere to boot.


ugh my h and I share a last pass account and I can't remember the password for it.


----------



## the_traveler (Nov 20, 2014)

Well, you at least know that it's secure! :giggle:


----------



## OlympianHiawatha (Nov 20, 2014)

AGR is probably doing this only to step up security-all someone needed to get into your account was an e-mail which is readily available. While they may not steal Points, they can sniff around your Profile information.


----------



## Devil's Advocate (Nov 20, 2014)

OlympianHiawatha said:


> AGR is probably doing this only to step up security-all someone needed to get into your account was an e-mail which is readily available. While they may not steal Points, they can sniff around your Profile information.


What are you talking about? Unless you can give us a step-by-step example for how someone could access a foreign profile with nothing but an email address I'm calling foul on this nonsensical claim.


----------



## the_traveler (Nov 20, 2014)

I last pulled up my BIL's AGR account, so ałl I had to do is go to "my profile" (his). It showed me:

1) his name (including the spelling of his uncommon first and last names)

2) his e-mail address

3) his exact birthday

4) his gender (Chris could be either)

5) his mailing address

6) his billing address

7) his mobile phone number

8) his home phone number

9) his business phone number and extension

I think I'll go do some damage!


----------



## Devil's Advocate (Nov 20, 2014)

the_traveler said:


> I last pulled up my BIL's AGR account, so ałl I had to do is go to "my profile" (his). It showed me:
> 
> 1) his name (including the spelling of his uncommon first and last names)
> 
> ...


You seem to be describing AGR's inexplicable lack of a full automatic logoff. It's a genuine problem that absolutely undermines AGR's security and credibility. However, the lack of a true automatic logoff has no logical connection to the use of an email address in lieu of an account number (or lack thereof).


----------



## the_traveler (Nov 20, 2014)

He was logged out, I just had to log him back in - using his AGR number that in my computer's memory. BTW, I can do the exact same thing for his Delta Airlines SkyMiles account - just by entering his e-mail address and password (the same thing AGR asks for).


----------



## Ryan (Nov 20, 2014)

That's a failure of a completely different type, and as you note has nothing to do with the topic of logging in with AGR number vs. email address. You've still got to know the password.


----------



## the_traveler (Nov 20, 2014)

Likewise with AGR, if you are logged off and even if you know the e-mail, you still must know the password. So what is the difference if you use an e-mail address or an account number? :huh: I don't see how one is more secure - you need to know the password with both! :wacko:


----------



## OlympianHiawatha (Nov 20, 2014)

the_traveler said:


> Likewise with AGR, if you are logged off and even if you know the e-mail, you still must know the password. So what is the difference if you use an e-mail address or an account number? :huh: I don't see how one is more secure - you need to know the password with both! :wacko:


I haven't gone into my account in so long (Points always show on the cover screen) I forgot about having to enter a password as well. I guess I need to track that down.....


----------



## VentureForth (Jan 16, 2015)

This is super irritating. I can barely read the tiny numbers on my card. I actually have a card; I don't think they even issue then anymore. And who remembers their AGR number? I have to sign in to Amtrak, go to my profile, find my number, copy and paste it into the AGR login screen and how by then I can still remember my password.

Had no one talked to AGR Insider about this?


----------



## jis (Jan 16, 2015)

Actually I do remember the AGR number as I also remember many other numbers and names and email addresses and passwords that I use often. But of course each individual's memorizing capacity may vary.


----------



## Ryan (Jan 16, 2015)

/me raises his hand

Like many other things, it's burned into my brain. The repeating pattern in it probably helps.

Also, if you use something like LastPass, you don't have to remember anything, facilitating the use of different, secure passwords at every site you visit, which should be SOP for anyone on the internet these days.


----------



## the_traveler (Jan 16, 2015)

I also remember my number. But also, if you're on your own computer (not a public one like at a library), you can have it "remember" your number. It's always pre-entered on my iPad when I go to my bookmarks. And if you enter the Points for Shopping portal via the link on your AGR account, it is automatically entered.


----------



## StriderGDM (Jan 16, 2015)

Devil's Advocate said:


> OlympianHiawatha said:
> 
> 
> > AGR is probably doing this only to step up security-all someone needed to get into your account was an e-mail which is readily available. While they may not steal Points, they can sniff around your Profile information.
> ...



It's not "nothing but the email address" but what's becoming increasing common is hackers will get a list of emails and passwords from a hack like the Target or recent Home Depot one and the run a script to try to log into as many sites as they can.

Once a hacker gets a list of emails and passwords from a compromised site, it's really just a matter of minutes before they either use the information, or sell it to the highest bidder(s).

If they (or others) use it, it's really a race at that point to see who can steal what accounts at that point.

As such,I HIGHLY recommend you don't use the same password on any multiple sites (or at least any sites you care about, like ones involving money).

Definitely do NOT use the same password to access your email (such as gmail, etc) as any other site since if I know your email address and email password, it's done. I can pretty much own any account of yours online in a matter of minutes.

That said, in this specific case I wonder if it's something else. From talking to an Amtrak rep awhile back, I learned that the AGR site was originally 3rd party and when it was brought entirely in-house is apparently when they added the account number OR email option. Wonder if something there has changed.


----------



## Devil's Advocate (Jan 16, 2015)

StriderGDM said:


> Devil's Advocate said:
> 
> 
> > OlympianHiawatha said:
> ...


The primary problem with Target and Home Depot is our continuing lack of effective two factor authentication for credit and debit transactions. A rather obvious issue that Europe resolved by law two decades ago while we chose to allow the financial markets to self-regulate instead. As a result of this decision recouping losses from fraud in the form of inflated processing fees became yet another profit center and gave the banks a financial interest in leaving the door open. The idea that preventing the use of an email address during login would make your Target, Home Depot, or AGR account information safer is illogical. AGR account numbers are still being sent, displayed, and saved in clear text as part of AGR's website functionality and routine communications. Their forced use during login provides no additional safety whatsoever.



RyanS said:


> Also, if you use something like LastPass, you don't have to remember anything, facilitating the use of different, secure passwords at every site you visit, which should be SOP for anyone on the internet these days.


Last Pass is a great idea but the more popular it becomes the closer it gets to becoming the ultimate digital treasure chest. Last Pass uses conventional security protocols in order to work smoothly with the widest number of gadgets and devices. Unfortunately we currently live with a growing imbalance in security effectiveness that favors the success of nimble offensive attacks over relatively stagnant defensive prevention schemes, both in the technical sense and the social engineering angle. In addition legal penalties for breached data remain relatively weak and the recovery options for affected customers are limited. As a result we may be regressing back to the point where passwords written on paper and stored in a physical safe could become more effective than the very best cloud based solutions. Over time this trend may reverse and future security implementations may eventually overcome the gains made in digital fraud, but there's no telling how long that could take. Last Pass as a cloud service is a great idea that appears to either be ahead of its time or behind the curve.


----------



## SarahZ (Jan 16, 2015)

VentureForth said:


> This is super irritating. I can barely read the tiny numbers on my card. I actually have a card; I don't think they even issue then anymore. And who remembers their AGR number? I have to sign in to Amtrak, go to my profile, find my number, copy and paste it into the AGR login screen and how by then I can still remember my password.
> 
> Had no one talked to AGR Insider about this?


Do you have AGR linked to your Amtrak account? If so, just click the AGR link at the top right of the screen.




If you don't have it linked, I think you get something like 500 points for doing so.

I agree that it's still a pain to do it this way, but it saves a few steps (and you get points!)

I have to go through the Amtrak site at work since it's a shared computer and I don't store anything on it. My number is saved on my home computer, laptop, and phone. Chrome and Safari use the auto-fill feature and Keychain, respectively.


----------



## SarahZ (Jan 16, 2015)

Home now. Resized the picture so it wasn't HUGE.


----------



## StriderGDM (Jan 16, 2015)

Devil's Advocate said:


> StriderGDM said:
> 
> 
> > Devil's Advocate said:
> ...


The lack of two-factor security is definitely an issue, but tangential to the user case I mentioned.

But my point stands. If a hacker has your email and password from one site, they will try it on 100s of others. That's standard procedure. If I hack your Target account, I might get your email and password, but I certainly wouldn't get your AGR account number. As such, I couldn't even TRY to log into your AGR account.

Also, as far as I can tell, the entire AGR site uses HTTPS, so nothing should be being sent in cleartext.

That all said, I do agree if they did this for security reasons, it's a pretty stupid reason.


----------



## amamba (Jan 16, 2015)

RyanS said:


> /me raises his hand
> 
> Like many other things, it's burned into my brain. The repeating pattern in it probably helps.
> 
> Also, if you use something like LastPass, you don't have to remember anything, facilitating the use of different, secure passwords at every site you visit, which should be SOP for anyone on the internet these days.


Unless lastpass prompts you for the password, which you can't remember because your spouse set it up.....is that just me?!


----------



## JayPea (Jan 17, 2015)

I too have my AGR number memorized. Like Ryan's, it has a repeating pattern that makes it easier to remember. I also have the vast majority of my other passwords and user names memorized. Most of those are remembered by the particular site as no one but me uses my computer. And just in case I also keep track of them the old fashioned way, written down and kept in a safe place.


----------



## VentureForth (Jan 22, 2015)

SarahZ said:


> VentureForth said:
> 
> 
> > This is super irritating. I can barely read the tiny numbers on my card. I actually have a card; I don't think they even issue then anymore. And who remembers their AGR number? I have to sign in to Amtrak, go to my profile, find my number, copy and paste it into the AGR login screen and how by then I can still remember my password.
> ...


They are linked. That's how I get to it. I generally access Amtrak.com and my AGR account from work, and they are always clearing my cookies, so I have to log into Amtrak to get my account info that helps me log into AGR.

Ooooo - didn't know that it'll open AGR with me signed in. Cooler than remember my ID to log into AGR straight.


----------



## Just-Thinking-51 (Jan 30, 2015)

Both Amtrak (29 Jan) and Starwood (23 Jan) has sent out e-mails in the last week. The short story is they are asking you to change your passwords. Starwood report a small number of accounts are having unauthorized activity. AGR just say it good idea to change your password.

One thinks this why AGR insider was so busy.


----------



## AmtrakBlue (Jan 30, 2015)

Just-Thinking-51 said:


> Both Amtrak (29 Jan) and Starwood (23 Jan) has sent out e-mails in the last week. The short story is they are asking you to change your passwords. Starwood report a small number of accounts are having unauthorized activity. AGR just say it good idea to change your password.
> 
> One thinks this why AGR insider was so busy.


I think AGR Insider was busy getting all those legal connections back into the system for people wanting to do AGR trips using the EB.


----------



## Just-Thinking-51 (Jan 30, 2015)

I like your story better than mine. However I fear otherwise.


----------



## Ryan (Jan 30, 2015)

Got the same email the other day, and my "something's off" antenna twitched a bit. Of course, good password security means if someone got it, they don't really have access to anything important.


----------

