According to a recent survey of loyalty program managers on behalf of Cybersource, this type of fraud, where miles are stolen from a loyalty rewards account, is a growing challenge. We all talk about saving our miles, spending them or even cashing them in. These are all words associated with cash and money.
Perhaps not surprisingly, the fraudsters have noticed that miles have value. A lot of value. Cash and money are always high on the fraudsters' list. On top of that, they found that it was a lot easier to get into many loyalty program accounts than an online bank account. They saw an opportunity for easy pickings and they have been exploiting it. So yes, your miles can be stolen. And it is probably much easier than you might think.
Loyalty programs are always looking for ways to engage with their members and the internet and smartphones have been two great ways to build those relationships. But behind the scenes these options bring huge new issues both for the program operators and for their members. One major loyalty program even has a head of cybersecurity whose job it is to protect both the company and their members from having their miles stolen.
Nearly everyone has heard of the theft of credit card data from the likes of Target. But fewer people know about the theft of thousands of records from the frequent flyer program of Japan Airlines. Or the 10,000 compromised records at Air India. These are just a couple of examples in the public domain; there are, no doubt, others that have gone publicly unreported. United Airlines has a bounty program for people to hack their frequent flyer system.
And hack people have. One person found some 20 ways into their systems. Another found a way in that paid out the maximum from United, 1 million miles, which must have been a major potential problem that they have now fixed. It shows how seriously United views loyalty fraud, and it is just one of a myriad of defences it has to protect its frequent flyers' miles.
The dark web
How do the fraudsters turn stolen data and passwords into cash? Some of it is straightforward. Access your account, book a flight or, even more likely, turn it into goods that can be sold for cash. More and more programs have redemption malls, giving the fraudsters even more opportunities to turn miles and points into cash. The malls are great for members as well, giving them lots more chances to turn their hard-earned points and miles into items they want. But it hasn’t gone unnoticed by the fraudsters.
Lots of these compromised accounts are turning up on the dark web. In a recent report from American Express, they cited examples of stolen miles from major U.S. programs that are openly for sale on the dark web. Law enforcement in Europe cite examples from other North American programs with a website all branded to look like the airline and offering cheap flights, all using stolen miles and credentials.
The dark web started out as a legitimate enterprise (and still can be) and is not as difficult to access as it might seem. This is one reason the fraudsters are using it to advertise the miles and points they have stolen.
What can you do?
Data breaches at a corporate level are something that individual members don’t have a huge amount of direct control over. However, lots of stolen miles don’t happen in the cloud or at a corporate level. It is often as simple as logging on to an unsecured WiFi hotspot and having your credentials stolen. How does that happen? It is very simple for a fraudster to create a WiFi hotspot and use that to download keystroke-tracking software onto your computer or device.
Then they can easily have access to anything that you have logged on to by typing in your password. If that has been your frequent flyer or hotel reward program, then there is a good chance these types of fraudster have got your password and are on their way to hacking your accounts. One frequent flyer program member, who was a victim of this type of fraud, had all his miles stolen and turned into a flat screen TV that was not delivered to his address.
In these circumstances, be careful about which WiFi hotspots you log on to, and perhaps consider a virtual private network service, which can also help with security via encryption. In addition to that, not using the same password for everything and not using simple passwords are good first steps to protecting yourself.
Fraudsters are also able to easily get to two key bits of information about frequent flyer members. They can easily Google “boarding passes” and from those they’ll be able to get your name and, in many cases, your frequent flyer number. Airlines still print the full number on the boarding pass and many people post these online (not a good idea if you want to protect your account) or they are left lying around on the floor next to the baggage carousels. Armed with those two bits of information, criminals are just a password away from your hard-earned miles.
How program operators are helping
The main loyalty program operators have also moved to beef up security. Some have teams of people who protect their systems from major corporate breaches and also watch individual accounts. They watch the patterns of redemption, for example: if you generally cash in your miles for short-haul flights and suddenly do something different, that usually sets the alarm bells ringing.
Other program operators have forced members to have more complex passwords involving those special characters along with upper and lower case letters and numbers, and now you know why they’ve asked you to change it. Others have gone further with processes to make sure it is not a machine that is working through passwords to force its way into your account.
Some programs are looking at other methods to help prevent miles being stolen, such as sending you a text message before turning your hard-earned miles into a free flight. The additional step in this two-factor authentication can be a hassle, but better that than your miles being stolen.
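The redemption-pattern watching and text-message step described above can be sketched as a simple rule check. This is an added example, not code from any loyalty program; the record fields, the 2x size threshold, the action names and the sample data are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Redemption:
    category: str      # e.g. "short_haul_flight", "merchandise" (hypothetical labels)
    miles: int
    ship_to: str = ""  # delivery address for goods; empty for flights

def risk_reasons(history, address_on_file, new):
    """Return the ways a redemption departs from this member's own pattern."""
    reasons = []
    if history:
        seen = Counter(r.category for r in history)
        if seen[new.category] == 0:
            reasons.append("new_category")
        # Assumed threshold: more than twice the largest past redemption.
        if new.miles > 2 * max(r.miles for r in history):
            reasons.append("unusually_large")
    # Goods sent somewhere other than the member's address on file.
    if new.ship_to and new.ship_to.strip().lower() != address_on_file.strip().lower():
        reasons.append("ship_to_not_on_file")
    return reasons

def decide(history, address_on_file, new):
    """Map the reasons to an action: allow, text-message check, or manual hold."""
    reasons = risk_reasons(history, address_on_file, new)
    if not reasons:
        return "allow", reasons
    if len(reasons) >= 2:
        return "hold_for_review", reasons   # assumed escalation to the fraud team
    return "sms_confirmation", reasons      # the text-message step before redeeming

# Constructed sample data: a member who only ever books short-haul flights.
HISTORY = [
    Redemption("short_haul_flight", 12500),
    Redemption("short_haul_flight", 15000),
    Redemption("short_haul_flight", 12500),
]
ADDRESS_ON_FILE = "1 Example Street, Springfield"

if __name__ == "__main__":
    tv = Redemption("merchandise", 90000, ship_to="99 Other Road, Elsewhere")
    print(decide(HISTORY, ADDRESS_ON_FILE, tv))
```

A real system would score many more signals, but even this shows why a sudden merchandise order shipped to an unknown address stands out against a history of short-haul flights.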
Hanging on to hard-earned miles
It’s probably never occurred to you that your miles could be stolen or redeemed by a fraudster. But they can and they are. The program managers are introducing more and more ways for you to use your miles, and having this choice and more options is great for members, but it also means fraudsters have more ways to steal.
You can help protect yourself with a few simple steps. The first, which applies not just to your frequent flyer or hotel loyalty program account but to anything that you wouldn’t want people to have access to, is to be careful which WiFi you connect to. This is the easiest way for your personal details to be hijacked.
For frequent flyers particularly, be careful where you share your name and FFP account number. With those two bits of information, fraudsters just need to guess your password and they are into your account. Everything then looks like it is you to the program managers, and their chances of catching the fraud are lower.
Another good tip is not to have a guessable password. It can be a hassle to remember, but better that than to log on to your account to cash in for that well-earned trip and find you’ve been cleared out.
If this article has made you think about how your frequent flyer miles and points are worth a lot and that you want to go check your balance, then that brings us to the final tip. If you have a good balance in your accounts you might, after you’ve changed the password to something that you can remember but is a bit harder to guess, want to check the balance more often. You may even find lots of new ways to use your miles for flights, hotel nights or other goods and services.