How Marriott Is Promoting Better Loyalty Account Security

Today, TPG Senior Points & Miles Correspondent Jason Steele looks at loyalty account security and offers some tips for keeping your travel rewards where they belong.

We spend a lot of time discussing how to earn points and miles, as well as how to spend them. However, we don't often discuss the importance of protecting them. After the numerous security breaches of airline and hotel loyalty programs that have taken place, I thought it would be a good occasion to discuss some new account security procedures that are being implemented, as well as how vulnerable your loyalty accounts are, and what you can do to keep them secure.

Marriott's Latest Move

Marriott is one of many companies that has been victimized by hackers. Two years ago, the company had to temporarily shut down mobile access to its website, and required all users to change their passwords before accessing account information. In response to this and other cyber attacks, Marriott recently emailed members to inform them about new security procedures that are currently being implemented.

In particular, Marriott will be enabling a system called two-factor authentication for some transactions. This security method requires that users provide not only a password, but also a second, temporary authorization code that can be received through email, text message or by telephone. According to an email sent out to Marriott Rewards members, it appears that two-factor authentication will not be required every time you log in to your account, only when you redeem awards or make changes to your profile (such as updating your address or phone number).

How secure is this new system?

Two-factor authentication is the current standard in the banking industry, but Marriott is the first airline or hotel loyalty program to use it (as far as I'm aware). As I discussed in an earlier post on Computer, Mobile, & Internet Security Basics for Travelers, two-factor authentication makes it extremely difficult for anyone to access your account after stealing (or guessing) your password.

It's encouraging that Marriott is moving its account security toward banking standards, but even within this improvement, there's evidence of how much loyalty programs still have to learn: the email from Marriott asked members to sign into their accounts and update their profiles, and provided a link within the message. Unfortunately, this is nearly identical to one of the most common hacking threats — a technique called phishing, which works by way of an email with a link that encourages you to log in and update your personal information.

Of course, a real phishing attack would offer a link to an official sounding (but bogus) web address where hackers could harvest your username, password and more. While Marriott's email and the link it provided were legit, it's a violation of basic computer security standards to encourage users to click on links in emails, and recipients were right to suspect that Marriott's security email itself could have been an attempted attack.

Daily Newsletter

Reward your inbox with the TPG Daily newsletter

Join over 700,000 readers for breaking news, in-depth guides and exclusive deals from TPG’s experts

Email address

Sign up

By signing up, you will receive newsletters and promotional content and agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.

What can you do to protect your accounts?

Marriott isn't the only major travel provider to be troubled by hacking. British Airways was targeted earlier this year, as were American and United. In fact, United recently made headlines by offering 1 million miles to those who found and reported vulnerabilities in its website. Considering that most loyalty programs are still using single factor authentication which is notoriously vulnerable, it's a good idea to do everything you can to keep your account safe.

First, it's smart to use different passwords for each of your accounts. The idea is that if any one of them was compromised, hackers would effectively gain access to all of them. Of course, using a different password for each account can make it difficult to keep track of your login information. To get around this problem, you can use a password management program or a loyalty program manager that includes password management.

One benefit of using such a service is that you can elect to receive weekly emails detailing your award redemptions. This way, you could identify any unauthorized access to your account quickly and contact the company to try to limit your losses. Of course, if you choose to use any of these password management tools, then you will still have placed all your eggs in one basket, since any hack of that account could result in all of your accounts being compromised.

You should also be vigilant about adhering to basic computer security standards, such as not logging into your loyalty program accounts from publicly accessible computers, and keeping your mobile phone, laptop and tablet secure.

Finally, you need to be on the lookout for phishing attempts, so-called social engineering hacks and other scams. Never click on links in an email; use your own bookmarks instead, or just type in the address yourself. If you ever receive a phone call from someone claiming to be from a travel provider or a loyalty program, ask for their name and extension, and call them back at the company's published phone number before disclosing any account information.

How concerned should you be about the safety of your rewards?

While I take computer security very seriously, I think that loyalty programs are not a high-priority target for hackers. For one thing, points and miles generally must be redeemed for awards that could expose the hacker or could easily be canceled. As an example, redeeming an airline award would require a hacker to supply the name and birthdate of the recipient, so investigators would at least know where to find the traveler(s). While fraudulent hotel awards may be easier to redeem, I imagine that most criminals wouldn't find the risk of capture to be worth the potential reward of staying in a nice hotel for a few nights.

On the other hand, hackers might simply choose to redeem points or miles for merchandise awards, which could be shipped to a random address and picked up from the doorway shortly after delivery. Alternately, criminals could attempt to sell travel awards to unsuspecting buyers, which is one of the many reasons why you should never attempt to purchase an award. Nevertheless, your typical hacker will be far more interested in gaining access to your bank or credit card account than dealing with the greater risk and hassle of attempting to redeem and cash out points or miles without being caught.

What happens if your account is hacked?

Although loyalty account holders are not protected from fraud by federal laws, I have yet to hear of a victim of a cyber attack that has not been made whole by the travel provider. In contrast, federal laws protect credit card users from fraudulent charges of more than $50, but in practice nearly all card issuers offer a zero liability policy.

By taking prudent steps to protect your loyalty program account, it's very unlikely that you'll ever suffer losses from a security breach.

What strategies do you use to keep your loyalty accounts secure?