Do You Know Where Your Miles and Loyalty Points Are?
By Robert McGarvey
If you don’t know where your frequent flier miles and hotel loyalty points are, the bad news is that cyber crooks just may. That’s because, with most of us traveling so much less in the last eight months, we have become less focused on our loyalty totals – why check a balance that is inert? Add in the deep economic hits suffered by travel providers in the pandemic, and the resulting slashing of staffing, and a perfect invitation was in effect extended to cyber criminals. Call this invitation accepted.
According to research out of Akamai, “Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks, and more than 63 billion of them targeted retail, travel, and hospitality.”
Chew on the magnitude of these attacks. Billions and billions of them! And Akamai’s numbers show the number of attacks increasing in the pandemic.
Criminals have gotten smarter about how to cash in on the full value of our points and miles. Used to be a cyber criminal did a simple smash and grab once he/she had log-in credentials. He’d empty the points balance, cashing them in for readily monetized goods (Apple gear has been a favorite).
Today’s hacker might still do that. But many are seeking out other ways to cash in on our loyalty.
Nowadays that hacker is likely to monetize the information about you that they steal in the hack. Usually there’s a name, an address, a phone number, possibly a passport number, often a credit card number, etc. Said Steve Ragan, an Akamai security researcher, “Retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”
Back up a second. In case you stumbled over the infosec geek term “credential stuffing,” this is where crooks try a login that’s been stolen from one site – say from the Starwood breach where some 500 million guest records were stolen – at random sites. Computers do the work. Crooks collect the winnings when the logins work at more sites, and often they do, because we all know we shouldn’t reuse logins but we all do anyway.
In recent years criminals have harvested bounties of credentials from various programs, Hilton, United, and American included as well as Starwood. There are mountains of travel-related data already in the hands of cyber criminals. And the crooks are credential stuffing at a pace that has never before been seen.
Today, too, there are still more ways to monetize our data. For instance: Now some hackers prefer to sell your account to another crook, inclusive of any miles or points in the kitty. Reports Akamai, “Hotel rewards are also popular, including those from major chains like Hilton. Accounts are sorted and sold based on their point value.” How much? In its report Akamai shows an ad where one seller offers Hilton accounts with at least 10,000 points for $3 apiece and accounts with 40,000 points sell for $40. Accounts with million point balances fetch $850.
Still others actually sell travel on the dark web. Noted Akamai: “Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a $2,000 booking on a well-known travel comparison/booking website would cost about $700 on the darknet.”
You’ve gotten the message: your loyalty stashes are in peril?
Here’s what you need to do: Right now, go to your top travel loyalty sites and change the passwords. Use a password manager – I use Google’s but there are many – to generate a long, random string. And use a different password at every site. Then set a reminder in your calendar to change the passwords every three or six months.
That isn’t perfect protection. But it is pretty good.
What about accounts with trivial balances? I ignore them for now. I have 2, or is it 3, nights in the Hilton program from a meeting I attended but I installed the app only because I have status via Amex and the status got me a few perks. On a very slow day I will log in and use a random password. But it’s not a priority.
The takeaway here is that our loyalty miles and points are under attack. It’s up to us to protect them – and if we don’t, they just may be stolen when next we look for them.