By Robert McGarvey
The dark web is aflood with stolen airline miles for sale. That’s the surprising punch to the face in a recent report from Comparitech.
The subhead delivers the message: “There’s a black market for your frequent flyer miles. Stolen frequent flyer accounts and rewards points are a hot commodity on the Dark Net.”
According to Javelin Strategy + Research, in 2017, 11% of attacks on existing financial accounts were on loyalty programs. That’s up from 4% in 2016.
According to Barry Kirk, Vice President of Loyalty, Maritz Motivation Solutions, “Every sizable loyalty program was a victim of attempted fraud or hacking in 2017. Those who believe they weren’t simply haven’t paid attention.”
Maritz research says that 7% of us self-identify as victims of program fraud.
Left unknown is how many of us are victims but haven’t realized it – probably because a little-used account was pilfered. If we do eventually return to that site, we may have forgotten what our miles total should be and just accept that, well, I must have emptied it out, I forget on what.
Headline-winning breaches of loyalty programs are few. The Hilton attack four years ago comes to mind.
In 2015 United and American admitted their programs had been hacked – but both were relatively small thefts. Some 10,000 accounts were said to be compromised at American, fewer at United.
Yet hackers are continually nibbling away at our stashes of miles and points.
Proof is the brisk dark web marketplace reported by Comparitech, which observed: “On Dream Market, one of the largest black markets on the dark web, a single vendor sells reward points from over a dozen different airline reward programs, including Emirates Skywards, SkyMiles, and Asia Miles. Going by the handle @UpInTheAir, they sell a minimum of 100,000 points for the reward program of your choice, starting out at $884 as of time of writing (this was probably $1,000 originally, but Bitcoin price fluctuations caused it to go down).”
A rule of thumb is that miles are worth 1 to 2 cents apiece (of course smart shoppers can get significantly greater value and less astute shoppers will get lower returns).
On the dark web, however, the going rate, according to Comparitech, appears to be much lower – often as little as 1/10th of the typical value.
There’s a reason for that. Stolen miles probably will not get cashed in for flights, mainly because of ID issues. So what are they good for?
For instance, in 2017, Air Miles, a Canadian loyalty scheme, issued a warning that thieves were using miles to buy merchandise in stores that participate in the program.
In other cases, bolder crooks redeem miles for flights and then sell the travel on websites, often at huge discounts. See a flight going for half what it’s worth and that’s a red flag for trouble ahead.
How do thieves get most of their stolen miles? Generally by hacking into individual accounts – meaning they figure out your user name and password, or they use a robot to try enough combinations until it stumbles into the proper formula. It sounds labor intensive but, increasingly, it is automated.
Loyalty programs are now in fast-track mode to contain fraud. According to Maritz’ Kirk, “Until very recently, program fraud was only discussed in hushed tones or dismissed as a non-issue. Now all major loyalty agencies proudly promote their fraud protection tools and process.”
Even so, the burden is on you. The miles and points are yours and that also means they are yours to safeguard.
How? That’s easy. Comparitech offered a number of tips, including:
“Shred your boarding pass after a flight.
Never post a photo of your boarding pass online.
Use a strong and unique password for your frequent flyer account.
Monitor your account for suspicious activity.”
The last is crucial. Make it a habit to stop into your loyalty accounts at least monthly.
And also make it a habit to change your passwords occasionally, certainly yearly.
One last bit of advice: just don’t use public wifi to access your loyalty accounts. Of course it’s tempting when you are sitting at the airport to put the time to use surfing your airline and hotel websites. Don’t. At least don’t on public wifi. Use a cellphone hotspot instead.
It’s up to you to protect your miles. Know that and do it.