They Are Still Stealing Your Loyalty Miles and Points

March 5, 2020 | rjmcgarvey | InfoSec, Travel

By Robert McGarvey

Call it deja vu all over again: A March 2, 2020 Travel Weekly headline screams: “Latest targets of fraudsters are hotel and airline loyalty points.”

I first recall writing about this in 2014: The Hilton HHonors Hack: Loyalty Programs Under Siege and How to Protect Yourself.   

Again in 2015: United’s MileagePlus, American’s AAdvantage Loyalty Programs Have Been Hacked.

I wrote about it most recently a year and a half ago in this space: Do You Know Who’s Stealing Your Airline Miles?

You might think the bad news is that nothing has changed. You’d be wrong.  The worse news is that, yes, nothing has changed and cyber thieves – knowing we now have so many ways to accumulate miles and points – are more energetically emptying out our accounts because, apparently, neither hotels nor airlines have done much to batten those hatches and secure their loyalty program against pickpockets.

What’s the allure for crooks? As I wrote in the Hilton story six and one-half years ago: “Huge buckets of Hilton points – sometimes in the hundreds of thousands – have shown up in hacker bazaars, where one vendor, for instance, offered 250,000 points for $3.50. At the Hilton shopping mall, an Apple iPad Air 64G is yours for 489,000 points – so at that criminal exchange rate, maybe $7 (payable in Bitcoin) will grab it. There are other, reported cases where around $10 in Bitcoin bought enough points to claim over $1,000 in hotel room nights.”

What a deal.

The Loyalty Security Association meanwhile estimates that 1% of airline mile redemptions are fraudulent.

But that number may be growing, oddly in part because of a consumer friendly gesture on the part of carriers. Reported Travel Weekly, “Jeff Wixted, vice president of product management and operations for Accertify, an American Express subsidiary that provides fraud-prevention services, said loyalty fraud has especially accelerated in the past 15 to 18 months, with fraudsters buoyed recently by the growing trend among airlines to do away with point expirations.”

That of course meant there are more miles to steal from more inattentive consumers.

Wixted added that the value of US loyalty accounts is around $100 billion.

US consumers belong to some 3.8 billion loyalty programs, according to Clarus.  54% are inactive and those dormant accounts of course are prime for thievery.  If you haven’t checked your Delta account in years, would you even notice if miles had been pilfered?  Of course not.

I know I wouldn’t and, yes, over the years I’ve left multiple airline and hotel loyalty accounts go fallow and I have no idea if the zero balances I see are because the vendor wiped the account after X months of inactivity or if an enterprising thief hoovered them out.

Amex’s Wixted, by the way, predicted to Travel Weekly that the value of loyalty fraud will eventually eclipse the value of credit card fraud.

As for how criminals get our loyalty program details, the surest answer is the many breaches suffered by travel companies.  From Starwood to BA, there have been massive breaches involving hundreds of millions of us, probably billions of us all accounted.  

Experts warn that many of us also fall victim to phishing schemes – where we get a tasty offer from what appears to be a known travel provider, we respond with our program details and they are off to the races, while not only don’t we get the proferred deal, our loyalty balances are emptied out.

Criminals also are known to erect sham great deal pages where they harvest credit card and loyalty program info from bargain hunters who stumble in and can’t resist a prime New York hotel room at $49, for instance.

Know this: smart crooks increasingly are determined to rob our loyalty points and miles and they are succeeding at this larceny.

That does not mean the situation is hopeless.

Here’s our best defense: check loyalty programs regularly. My habitual practice was to review an account only when I wanted to cash in miles or points.

No more. Now I check the few accounts I  have decided to maintain – three airline programs, two hotels, one credit card – monthly. I do not rely on the hotels and airlines; their track records don’t breed confidence. So I provide my own vigilance.

Nope, I have detected no fraud.  

You might want to check more often, or maybe quarterly.  A right answer varies with how many miles and points are at stake.  And what those balances mean to you.

But accept this: in 2020, protection of our loyalty balances is on us.  

Leave a Reply

Your email address will not be published. Required fields are marked *