Blah Tech Coming to a Hotel Near You: We Need Major Fixes Now

by Robert McGarvey

The headline in hotel trade pub Hotel News Now made me wince: “Personalization, Tight Budgets Dictate Hotel Tech in 2021.”

The sub-head was the face slap: Lack of Funds Hamper Tech Improvements.

Here’s the problem: pre-Covid most hotels I stayed in desperately needed significant tech upgrades.

In the Covid era that has not changed. In fact, hotels need more tech because of Covid such as touchless, keyless room entry, apps that permit self-check in and checkout without interacting with a front desk, and – ideally – I want just about everything in the room controllable by an Alexa or Google device and, yes, I have both apps on my phone and both kinds of devices around my home.

Just as I can turn on a light, or a TV, without touching the device at home I now want that same interface in shared spaces such as a hotel room.

Sure, the Covid crisis will pass and probably by mid 2022 just about all of us who will get vaccinated will have been. Business travel will substantially pick up, possibly in Q4 2021. It will never reach the heights it achieved in 2019 but pick up it will.

But we’ll be wanting all those touchless and remote interface tools in hotels even once Covid begins its slow vanishing act because we have gotten used to them.

There goes a good chunk of hotel tech monies.

The money pile will definitely not be tall because hotel analytics company STR has officially declared 2020 the “worst year on record.” How bad is it? So bad that already bottom feeders are circling, looking to pick up failing hotels for pennies on the dollar.

Here’s the problem: there already was a stack of critical hotel tech upgrades that had seemed to be on permanent pause, despite their being needed.

Such as?

In case it has been so long since you have been in a hotel that you have forgotten the tech miseries they inflicted on us, here are the three worst.

Dramatically better hotel WiFi is necessary. Zoom recommends a minimum speed of 1.5 Mbps – but personally I want many times that. I usually connect at around 350 Mbps – 346 this a.m. – via Google mesh and still I have recurring sound issues on Zoom.

How fast is hotel WiFi? A website hotelwifitest says it has the data and, in a glance at Phoenix, the fastest wifi I saw was 26.9 at Aloft Airport.  The slowest was 4.6 at Pointe Hilton Tapatio Cliffs Resort.  

I cannot vouch for the recency of these data but it doesn’t matter. Those who have used a lot of hotel wifi don’t need a website to tell us the obvious: hotel wifi sucks.

Wifi at events and meetings is if anything worse than in-room wifi.

Remember, use a VPN and your speed loss may be 10 to 30%, sometimes more.

These speeds are abysmal.  Why so slow? Hoteliers have simply been reluctant to invest in the gear needed to up the speed – even as guests stumble with connections to everything from Netflix to Zoom to corporate servers.

We live online, in the cloud, and yet hoteliers are foisting antiquated and slow Internet at us.

It has to stop and, very probably, as travelers return to hotels one of the first things they notice is the lack of Internet speed.  Complaints will be loud, angry and possibly online (if the users can get online). Get in line and be ready to yell.

Improved cellular access is a must.  When my home WiFi goes out, I shrug, pick up a T-Mobile phone and create a hotspot (and the cellular data is free on that account).  How easy is that?

Except it often doesn’t work in hotels where bad cellular is a longstanding problem.  Here’s a 2004 New York Times article headlined: The Cellphone That Doesn’t Work at the Hotel.  

Nothing has improved in 17 years.

Often, too, the voice connections also falter. How often have you had dropped calls at a hotel?

There are fixes, they are known – but hoteliers haven’t wanted to spend the money and that was before the pandemic.  Their willingness to part with the cash for reliable cellular is no higher now.  

Maybe they still hope we will pick up their in-room phone and use it (although I cannot remember the last time I did).

So we must and will yell about bad cellular when we are back on the road.

Porous hotel cyber security.  I have written about this so often I have little left to say except that our personal data – everything from credit card numbers to loyalty account log ins – has been leaking out of hotels for decades.  

Hotels need to take this seriously and agree to a hotel safe data pledge.  

We need to yell, loudly and often, to remind hotels they are compromising our Internet security by not taking their own security seriously.

That’s three big tech steps forward, on top of the Covid related steps. Will hoteliers heed any of our demands?  What I can say with certainty  is that if we don’t lift our voices they will do the same exact nothing about these three tech frailties for a decade.

Speak up or suffer in silence.

Hospitality: When Will We See a Hotel Safe Data Pledge?

by Robert McGarvey

I applauded when I saw the headline earlier this year: “Marriott International faces class action suit over mass data breach.”

Hotel groups have mismanaged data security for at least a decade. This negligence has put our data in the crosshairs of cyber criminals.

In the Marriott case, the source of the malaise is Starwood, which Marriott acquired in a merger. With Starwood, the group also acquired a massive data breach. Hotel News Now reported that approximately 327 million guests were affected by the breach.

Why am I re-hashing this sorry affair now, two years after the breach was announced? Because the saddest part is that the industry hasn’t learned from it.

Continued at Cybersecurity Writers

Do You Know Where Your Miles and Loyalty Points Are?

By Robert McGarvey


If you don’t know where your frequent flier miles and hotel loyalty points are the bad news is that cyber crooks just may. That’s because, with most of us traveling so much less in the last eight months, we have become less focused on our loyalty totals – why check a balance that is inert? Add in the deep economic hits suffered by travel providers in the pandemic, and resulting slashing of staffing, and a perfect invitation was in effect extended to cyber criminals.  Call this invitation accepted.

According to research out of Akamai, “Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks, and more than 63 billion of them targeted retail, travel, and hospitality.”

Chew on the magnitude of this attack. Billions and billions of them! And Akamai numbers show the number of attacks increasing in the pandemic.

Criminals have gotten smarter about how to cash in on the full value of our points and miles. Used to be a cyber criminal did a simple smash and grab once he/she had log-in credentials.  He’d empty the points balance, cashing them in for readily monetized goods (Apple gear has been a favorite).  

Today’s hacker might still do that. But many are seeking out other ways to cash in on our loyalty.

Nowadays that hacker is likely to monetize the information about you that they steal in the hack. Usually there’s a name, an address, a phone number, possibly a passport number, often a credit card number, etc.  Said Steve Ragan, an Akamai security researcher, “Retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

Back up a second. In case you stumbled over the infosec geek term “credential stuffing,” this is where crooks try a log in that’s been stolen from one site – say from the Starwood breach where some 500 million guest records were stolen – at random sites. Computers do the work. Crooks collect the winnings when the log ins work at more sites, and often they do because we all know we shouldn’t reuse log ins but we all do anyway.

In recent years criminals have harvested bounties of credentials from various programs, Hilton, United, and American included as well as Starwood. There are mountains of travel related data already in the hands of cyber criminals. And the crooks are credential stuffing at a pace that has never before been seen.

Today, too, there are still more ways to monetize our data.  For instance: Now some hackers prefer to sell your account to another crook, inclusive of any miles or points in the kitty. Reports Akamai, “Hotel rewards are also popular, including those from major chains like Hilton. Accounts are sorted and sold based on their point value.”  How much? In its report Akamai shows an ad where one seller offers Hilton accounts with at least 10,000 points for $3 apiece and accounts with 40,000 points sell for $40.  Accounts with million point balances fetch $850.

Still others actually sell travel on the dark web. Noted Akamai: “Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a $2,000 booking on a well-known travel comparison/booking website would cost about $700 on the darknet.”

You’ve gotten the message: your loyalty stashes are in peril.

Here’s what you need to do: Right now, go to your top travel loyalty sites and change the passwords. Use a password manager – I use Google’s but there are many – to generate a long, random string. And use a different password at every site. Then set a reminder in your calendar to change the passwords every three or six months.

That isn’t perfect protection. But it is pretty good.  

What about accounts with trivial balances? I ignore them for now. I have 2, or is it 3, nights in the Hilton program from a meeting I attended but I installed the app only because I have status via Amex and the status got me a few perks.  On a very slow day I will log in and use a random password.  But it’s not a priority.

The takeaway here is that our loyalty miles and points are under attack.  It’s up to us to protect them – and if we don’t they just may be stolen when next we look for them.

If We Sue Them Will Hoteliers Know We Mean It

By Robert McGarvey

I applauded when I saw the headline: “Marriott International faces class action suit over mass data breach.”

The lede sets the table: “Hotel group Marriott International is facing a class action lawsuit in London’s high court from millions of customers, who are seeking compensation after their personal details were stolen in one of the world’s largest data breaches.”

There’s nothing new here. Hoteliers suck at data security. From Trump to White Lodging, the roll of shame grows louder. Hotel News Now offers a catalog of the worst offenses going back to 2008 when Wyndham suffered the first of what became three breaches extending into 2010.

Give a hotel your credit card and you put your finances in jeopardy. Hand over a debit card – with its weaker consumer protections – and you have entered a high risk zone.

So it is about time that consumers are banding together in a class action suit to seek to exact a reputational pound of flesh, plus some actual lucre, from Marriott. The source of the breach is Starwood.  Reported Hotel News Now: “For approximately 327 million of these [breached] guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates.”

What’s stunning is that the breach appears to have gone undetected from 2014 to 2018.

Was no one minding the store? Obviously, uh, no.

Alas, as I read about the suit it seems to involve only guests from England and Wales.

Even so, some of us who cannot join the suit still might want to savor Schadenfreude and watch the action. The Internet makes this easy.

This is 2020 so of course there is a Twitter feed about the suit.  

And there’s a website with plenty of information about the suit and the breach that caused it.

Want to be updated on the status of the suit? Here’s where to register.

Michael Bywell, one of the lawyers involved in filing the suit, explained the why of the suit: “Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them. Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects.”

Martin Bryant, who brought the action, added: “I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly.”

The sad bit is that exactly the same could and should be said about many other hotel management companies because indifference to data security is the industry norm.  Go back and look again at the Hotel News Now database of breaches.  It is only a minor exaggeration to say that if you stayed in a US hotel in the past decade, very probably you are a victim of a data breach.

I wish I could say that because of the publicity over breaches, the fines, and now the lawsuits, hotels are safer today.

But they aren’t. If anything, in the pandemic with the resulting collapse in bookings and revenues, the fear is that many hotels and management companies are cutting back on data security.  And criminals live to exploit weaknesses.

For some years I have said that, sadly, protection against data breaches when traveling is on us.  That’s all the more so now.

That means giving hotels the least amount of information possible.  If asked for information you don’t believe they have a valid need for, lie.

Always use credit cards with the smallest possible balances.

Monitor loyalty accounts with a regularity that suits your balance.  I never check my Bonvoy account (an Amex plat perk) because I have not had an eligible stay. But if I had many thousands of points I’d check weekly.

Assume that when you travel, your data may be hacked. It could be the restaurant where you eat that is breached. It could be a nation state that breaches your cellphone.

But in my eyes it’s hotels that pose the biggest security risks.

It’s dangerous on the road, my friends, act accordingly.

The Restaurant Prepayment Scam: Don’t Be The Next Victim

By Robert McGarvey

The news out of the Ritz London has to fry you: scammers have been calling customers with restaurant reservations and prying out of them credit card details that the scammers quickly put to use making online purchases.

The problem is that this may threaten all of us who dine out, even if we have never set foot in the Ritz and have no plans to.  That’s because these scammers have shined a spotlight on a failing that may entrap us all.

The Ritz said this in an August 15 tweet: “We can confirm that on 12th August 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data. This does not include any credit card details or payment information.”

Where did the credit card info get into this? Apparently the scammers called diners with reservations and said, “Sorry, there’s a problem validating your credit card info to secure the reservation. Can we have it again?” Or words to that effect.

To use the language of the trade, the crooks – who apparently had access to the hotel’s restaurant reservations – used social engineering to pry the valuable info out of the cardholders.

According to the BBC, “One woman, who had made an online booking for afternoon tea at the Ritz as part of a celebration, received a call the day before her reservation.

“The scammers asked her to ‘confirm’ the booking by providing her payment card details.

“The call was convincing because it appeared to have come from the hotel’s real phone number, and the scammers knew exactly when and where her reservation was.”

The last bit is important. What it means is that the crooks gamed caller id to spoof the Ritz’s real phone number.

Number spoofing is so easy even a caveman could do it. Details here.

Never believe a phone number that pops up on your screen.  It may be real, it may be spoofed.

So, where do you come into this frame? If there is a theme song among restaurateurs in this pandemic it is complaints about dining no shows. The Washingtonian headline tells the story: Don’t be the jerk who no shows on a restaurant reservation during a pandemic.

Even across the pond in England a celebrated chef won applause from his peers for calling no shows “disgraceful.”  

As restaurateurs explain, in much of the US, restaurants are required to operate at a reduced capacity.  In Phoenix, for instance, they are required by an order of the governor to operate at no more than 50% capacity.  It’s 50% also in Seattle.  Ditto Texas.  

Many restaurants struggled to turn a profit pre Covid. Capacity limits have put more stress on them. And every diner matters in reaching break even.

A solution: restaurant gurus are advocating what amounts to a no show fee be slapped on diners who don’t turn up. In some cases it might be $25 for a two-top – but some restaurants are charging multiple hundreds of dollars, that is, essentially requiring diners to pre-pay for their meal in order to secure a reservation.

Here is where the news gets worse: restaurants are among the most common victims of data breaches and you can be victimized two ways.  A crafty scammer who grabbed only a reservations log – which almost always includes a phone number – could recycle the Ritz London scam and call the diners asking for a credit card number to secure the reservation. Know that scammers are copy cats and when they saw that Ritz scam, they knew their next move.

At restaurants that require a prepayment there already is a credit card number in the file.

A round up of food service businesses that suffered breaches is here.

Big names are in the mix such as DoorDash and Landry’s which operates some 60 national chains including Joe’s Crab Shack and Morton’s. 

But I ask, are you more confident that small restaurants won’t be breached? I am not. Indeed, I wonder how many already are breached and don’t know it (and, sadly, often the only way they learn about it is when an energetic fraud researcher at one of the big credit card issuers follows the bouncing balls and traces back a fraud outbreak to a small restaurant. I know one very large credit union that actually traced it back to a particular server at a restaurant).

Not surprisingly, a poll found 62% of consumers already fear restaurant data breaches. The only surprise is that the number isn’t higher.

How can you protect yourself?

Get a call from a restaurant asking you to confirm a credit card number and standard advice is to say you will call them back – and make very sure you are calling a publicly listed number for the restaurant or hotel. Don’t call a number given you by the caller. They may just hang up and move on to the next fish in the net.

What about restaurant prepayments?  I understand the restaurateur angst. My standard suggestion is use a credit card with a very low credit limit.  If necessary, apply for one with, say, a $500 limit.  Do not use a debit card for this, never.  You probably can claw back money stolen on a credit card. Your rights are less with a debit card.

Last to-do – if you make a reservation, show up – or at least have the decency to cancel a day in advance. I know that’s asking a lot in the Covid-19 era. But it’s not too much for a restaurant to ask when their survival is at stake.

The Explosion in Travel Fraud: You’ll Pay the Tab

By Robert McGarvey

Call it a paradox: we just are not traveling, certainly not by air, and we are not staying in hotels but travel related fraud has exploded.

That’s according to the fraud experts at Forter which annually publishes a fraud attack index. The shock in this year’s edition is that fraud attack rates regarding airlines are up 72% over last year.  Fraud attack rates regarding hotels are up 109%.  Fraud attacks on car rental companies and rideshare services are up 86%.

Meantime, our travel habits have cratered. Last Sunday, June 7th, was something of a banner day because TSA screened more than 400,000, the highest number since March 22. That prompted The Points Guy to run a story headlined, Americans Are Flying Again. The story did note that this year’s total was only about 17% of the typical numbers pre-Covid-19.  The Points Guy added that in the first Sunday in June 2019, TSA screened more than 2.6 million people.

STR, which tracks hotel data, pegs average occupancy at about 25% nowadays, down 62% from last year. 

So what gives with the fraudsters?  What makes airlines and hotels so attractive to them?

First off, understand that although fraud is up for many of the sectors Forter tracks, travel companies are especially victimized. Fraud is up 42% in variety stores. 32% in food and beverage. 13% in beauty. 9% in apparel. 5% in digital goods. 7% in ticketing and events. All much lower than the travel providers.

But there are sectors that saw a drop in fraud.  Auto parts is down 57%.  Jewelry down 25%.  Home and garden down 51%.

The only sector that rivals travel is what Forter calls money services and crypto currencies – up 90%. And call that the Willie Sutton effect.

Which brings us back to the key question: why the big jumps for travel related companies?  Forter bluntly explains why airlines are targets: “Data breaches and increased focus on loyalty program fraud are major contributing factors to this increase over the last year.”

For some years we have known and reported on attacks on airline loyalty programs.  Lots of data is out there, for sale, that will unlock loyalty programs for pilfering.  Make it a habit to frequently check any program in which you have significant points or miles.  How often is often enough? That’s your call.  For many of us once monthly is enough. 

Forter continues in its explanation of why airlines are prime victims: “Airlines have also suffered from a rising level of sophistication of fraud attacks.”

For instance: “fraudsters adapt their behaviors to better blend into good traffic. Instead of booking last-minute trips (which can often be a sign of potential suspicious activity), fraudsters are now booking their travel further in advance of the actual date of actual departure, making it more difficult for airlines and OTAs to distinguish fraud from legitimate customer activity.”

Simply put: criminals are getting smarter, airline defenses haven’t toughened up and so the theft grows.

Check your credit cards for flights you did not in fact take but are billed for. Forter told Travel Weekly that successful disputes of airline credit card sales were up 56% – which is a graphic proof of how active the crooks are. We need to be as determined as they are.

The Assault on Hotels

Here’s the irony: it’s something hotels have done right that has paved the way for more and more successful attacks.  Just about all the major hotel sites have worked hard to make it very easy to book a room.

So easy a criminal can more easily exploit the sites.

Said Forter: “The prevalence of increasingly ‘friction-free’ experiences for check-in to hotels have contributed to this increase. Fraudsters are taking advantage of these improved customer benefit offerings to slip into the legitimate bookings. This improved and seamless experience accounts for the rise in fraud in this area.”

When hotels noted the spike in fraud, they apparently built more speed bumps into the booking process – but that alienated some prospective guests and the hoteliers went back to an easy booking process.  Which the fraudsters are still exploiting.

Remember, too, to check hotel loyalty program holdings.  It’s up to you to monitor your balances. Those programs too have been looted by criminals.

And of course be ready to dispute any bogus hotel charges too.

On the Ground

As for ground transportation, it’s a similar story regarding frictionless booking proving tempting to crooks.  Said Forter: “car rentals and ride services apply less friction in their platforms (ease of pick up in parking, no ID required, etc.) in order to remain competitive in the market and for the perceived better customer experience. The push for friction-free customer experiences has created vulnerabilities in these platforms, which fraudsters have been targeting.”

The providers remain hung up on the horns of the familiar dilemma: if they introduce friction, they fear they will lose bookings. But if they maintain the status quo, fraudsters will pounce.

For you, it’s the same story: check any accounts you maintain with rideshare companies and rental companies – and be watchful for suspicious charges.

Here’s the reality: we just do not complain that loudly when travel providers get hacked.  The louder we yelled the more changes there would be.  But we stay mum and what we get is what we get.

Another Marriott Breach, Ho Hum


By Robert McGarvey

In other news on March 31, Marriott disclosed what it called a “Property System Incident.”

We interrupt that to report a shoplifting at a dollar store, cutting now to the live police feed of this dramatic story.

You probably missed the Marriott news because it was an otherwise busy day with acres of – grim – Covid-19 reporting and with projected US death totals now reaching into six figures, shortages looming for ventilators, inexplicable mask shortages, and, well, who really had the bandwidth to process yet another report of a hotel data breach?

Not us.

Marriott doubtless hoped you would miss it because the company’s statement is calculatedly blah.  It says just about nothing and that’s tipped off by the word “incident” in the headline. Meaning absolutely nothing.

But the Marriott statement does note the personal info of about 5.2 million Marriott loyalty members apparently was compromised in the “incident.”  It elaborated:

“At this point, the company believes that the following information may have been involved for up to approximately 5.2 million guests, although not all of this information was present for every guest involved:

* contact details (e.g., name, mailing address, email address, and phone number)

* loyalty account information (e.g., account number and points balance, but not passwords)

* additional personal details (e.g., company, gender, and birthday day and month)

* partnerships and affiliations (e.g., linked airline loyalty programs and numbers)

* preferences (e.g., stay/room preferences and language preference).”

Marriott added: “Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”

The real take away from this: the continuing indifference of the hotel sector to protection of guest data. How many breaches have to occur – from Trump hotels to Starwood and Hilton and just about everybody else? How many stories have to be written? Somebody needs to say, this is a problem.  It needs to be fixed.

Actually we’ve been saying all that for some years now and nothing has changed.

We need a new campaign.  Complaining about hotelier incompetence is not enough.

Real change will start with us. 

We share culpability. We put up with it.  For some time I have suggested that probably the only safe way to stay in a hotel is with a bogus travel credential (a novelty Irish driver’s license for instance) and using a credit card paired to the bogus ID. Then annually burn that identity and create a new one.

Shop for ID online. Here for instance. Note: I am not suggesting using any such ID to drive a car or any similar activity – many of which might be illegal. Rather, I am suggesting we take a trick from the old-time restaurant critic’s playbook – from the era where they practiced anonymity – when every big newspaper and magazine handed out credit cards in bogus names to their critics so they could make anonymous reservations. As long as the bills got paid, no harm done.

We’d be a lot safer in hotels if we did something similar today.

A lot of work? Yeah. But so is the persistent credit monitoring we all do because we have been involved in so many data breaches, many involving hotels and restaurants.

In Marriott’s defense this breach was detected quickly by hotel standards – often years go by. In this case, just months.

But worrisome is that two employee accounts were apparently the tools.  And that they were used to perpetrate large amounts of data exfiltration that should have been detected and stopped quickly.  Screens against substantial data exfiltration just are good practice in well run organizations.

Not apparently in Marriott.

So what should you do now?  Paul Bischoff, privacy advocate with Comparitech, said: “The biggest threat Marriott guests might face as a result of this breach is targeted phishing. Guests should be on the lookout for targeted messages from scammers posing as Marriott or a related company. Don’t click on links or attachments in unsolicited emails. Check email addresses and don’t just trust display names. If you’re uncertain as to whether a message is legitimate or not, ask Marriott using contact information found through Google.”

Remember that. If you are among the 5.2 million you will begin getting targeted phishing emails as soon as the data sells on the dark web. And it will go on for years.

That novelty driver’s license is making ever more sense? 

It’s up to us to protect ourselves.  It’s become that obvious.

They Are Still Stealing Your Loyalty Miles and Points

By Robert McGarvey

Call it deja vu all over again: A March 2, 2020 Travel Weekly headline screams: “Latest targets of fraudsters are hotel and airline loyalty points.”

I first recall writing about this in 2014: The Hilton HHonors Hack: Loyalty Programs Under Siege and How to Protect Yourself.   

Again in 2015: United’s MileagePlus, American’s AAdvantage Loyalty Programs Have Been Hacked.

I wrote about it most recently a year and a half ago in this space: Do You Know Who’s Stealing Your Airline Miles?

You might think the bad news is that nothing has changed. You’d be wrong.  The worse news is that, yes, nothing has changed and cyber thieves – knowing we now have so many ways to accumulate miles and points – are more energetically emptying out our accounts because, apparently, neither hotels nor airlines have done much to batten those hatches and secure their loyalty program against pickpockets.

What’s the allure for crooks? As I wrote in the Hilton story six and one-half years ago: “Huge buckets of Hilton points – sometimes in the hundreds of thousands – have shown up in hacker bazaars, where one vendor, for instance, offered 250,000 points for $3.50. At the Hilton shopping mall, an Apple iPad Air 64G is yours for 489,000 points – so at that criminal exchange rate, maybe $7 (payable in Bitcoin) will grab it. There are other, reported cases where around $10 in Bitcoin bought enough points to claim over $1,000 in hotel room nights.”

What a deal.

The Loyalty Security Association meanwhile estimates that 1% of airline mile redemptions are fraudulent.

But that number may be growing, oddly in part because of a consumer friendly gesture on the part of carriers. Reported Travel Weekly, “Jeff Wixted, vice president of product management and operations for Accertify, an American Express subsidiary that provides fraud-prevention services, said loyalty fraud has especially accelerated in the past 15 to 18 months, with fraudsters buoyed recently by the growing trend among airlines to do away with point expirations.”

That of course means there are more miles to steal from more inattentive consumers.

Wixted added that the value of US loyalty accounts is around $100 billion.

US consumers belong to some 3.8 billion loyalty programs, according to Clarus.  54% are inactive and those dormant accounts of course are prime for thievery.  If you haven’t checked your Delta account in years, would you even notice if miles had been pilfered?  Of course not.

I know I wouldn’t and, yes, over the years I’ve let multiple airline and hotel loyalty accounts go fallow and I have no idea if the zero balances I see are because the vendor wiped the account after X months of inactivity or if an enterprising thief hoovered them out.

Amex’s Wixted, by the way, predicted to Travel Weekly that the value of loyalty fraud will eventually eclipse the value of credit card fraud.

As for how criminals get our loyalty program details, the surest answer is the many breaches suffered by travel companies. From Starwood to BA, there have been massive breaches involving hundreds of millions of us, probably billions of us all told.

Experts warn that many of us also fall victim to phishing schemes – where we get a tasty offer from what appears to be a known travel provider, we respond with our program details and they are off to the races. Not only don’t we get the proffered deal, our loyalty balances are emptied out.

Criminals also are known to erect sham great-deal pages where they harvest credit card and loyalty program info from bargain hunters who stumble in and can’t resist a prime New York hotel room at $49, for instance.

Know this: smart crooks increasingly are determined to rob our loyalty points and miles and they are succeeding at this larceny.

That does not mean the situation is hopeless.

Here’s our best defense: check loyalty programs regularly. My habitual practice was to review an account only when I wanted to cash in miles or points.

No more. Now I check the few accounts I have decided to maintain – three airline programs, two hotels, one credit card – monthly. I do not rely on the hotels and airlines; their track records don’t breed confidence. So I provide my own vigilance.

Nope, I have detected no fraud.  

You might want to check more often, or maybe quarterly.  A right answer varies with how many miles and points are at stake.  And what those balances mean to you.

But accept this: in 2020, protection of our loyalty balances is on us.  

Talking at cross purposes: Where credit union cybersecurity goes awry

by Robert McGarvey

For years I have pondered a puzzle: why do financial institutions spend so much on cybersecurity and employ wonderfully smart and talented people, yet get results that are not as good as one would hope?

Frequently financial institutions simply are whipped by their criminal opponents.

Just look back on how DDoS – distributed denial of service – brought innumerable institutions to their knees a few years ago. It took months for credit unions to get it together to repel the attack.

Then look at ATM jackpotting. New account opening fraud. ATM skimming. The list could go on and on but you get the message: criminals often outwit credit unions and banks and that is despite the money spent and the talent employed.

Why don’t credit unions gain the upper hand?

Hear the related podcast with Authentic8 CEO Scott Petry here.

A new report, sponsored by cybersecurity firm Authentic8, involves a survey of 163 financial services professionals, and it tackles just that question: why do financial services firms so often fall victim to cyberattacks?

Here’s a hint at the reason: “Financial firms have some of the best-funded IT departments of any industry, that’s no secret,” said Scott Petry, CEO of Authentic8. “What’s perplexing to me, with data breaches and privacy violations at an all-time high, is how deep the divide still runs between IT, compliance and legal professionals in many firms.”

The report’s title spells out the problem: “Surprising Disconnect Over Compliance and Secure Web Use at Financial Firms.”

Keep reading at CUInsight

CU 2.0 Podcast Episode 75 Milind Borkar Illuma Labs

Passwords are broken. You know that.

But do you know call centers are heading that way?

Call centers are under attack by criminals. Smart criminals. And they are targeting credit unions.

Credit unions are responding by asking more members ever harder questions. Just one problem. As the questions get more obscure – what was the make of the second car you owned – more members give wrong answers.

Fraudsters incidentally often can perform quite well on these tests because they have amassed data via the dark web.

They probably know the name of that kindergarten teacher that you have forgotten.

Tough questions are no cure.

The better solution is to implement biometric authentication that eliminates the need for answering a series of obscure questions. Enter Illuma Labs, which is focused on helping small and mid-sized financial institutions – that means you, credit unions – implement passive voice recognition.

As for what passive recognition means: it happens in the background, and the member need do nothing special. In a matter of seconds he or she is authenticated and you can get down to business.

That means quicker call times, lower costs, happier members and happier call center staff.

This podcast is a guided tour into how voice rec works, how to implement it quickly and at low cost, and why this is the 21st century solution to a lot of the fraud credit union call centers are experiencing.
