Loyalty fraud is on the rise — here’s what happens when your points are stolen

Oct 31, 2020

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Despite being in the middle of a global pandemic, hackers are still targeting travel loyalty accounts. In fact, loyalty account fraud is on the rise, but not for the reasons you might think.

A recent report out of Akamai — a cybersecurity company in the loyalty space — shows there were over 100 billion credential stuffing attacks between July 2018 and June 2020. These attacks are when a hacker uses stolen passwords to gain access to other accounts owned by the same person. So if someone gets your Marriott password and it’s the same as your Hilton password, they then have access to both accounts.

Of these attacks, 63 billion were targeted at retail, travel and hospitality. Think airline, hotel and retail loyalty programs like Fuel Rewards and Kroger Community Rewards.

The scariest thing about these attacks, though, is why they happen. Hackers want access to your accounts, not just for your points but for your personal data as well. They can then use this data to build a profile about you that they can later sell on the darknet for identity fraud.

I sat down with Steve Ragan — a Security Researcher and Technical Writer at Akamai and one of the report’s co-authors — to discuss the report and how travel loyalty accounts are being affected by fraud during the coronavirus pandemic. Here, I’ll give you a look at why fraud is up, how hackers are taking over accounts and discuss what they do with your data. Then, I’ll give you a few of Ragan’s tips on how to protect your accounts.

Let’s get started!

Sign-up for the TPG daily newsletter to get points and miles coverage like this delivered to your inbox.

In This Post

Loyalty fraud is on the rise — here’s why

(Photo by Thomas Trutschel/Photothek via Getty Images)

The reason why loyalty fraud is on the rise this year is actually pretty simple. Shortly after the coronavirus pandemic started spreading throughout the world, we saw airlines, hotels and other loyalty programs start to extend elite status, point expiration, and other awards. According to Ragan, hackers started to look through their old password lists just to “see what stuck” at the same time. As it turns out, a lot stuck.

One reason hackers chose to get into loyalty accounts during the pandemic because we were all stuck at home. Members weren’t traveling, so they wouldn’t have a huge incentive for these members to check their account balances. This created the perfect time for hackers to access these accounts without getting caught.

The image below shows all of the daily credential stuffing attacks performed between July 2018 and June 2020. As discussed, there were over 100 billion attacks during this time frame, with 63 billion being in the retail, travel and hospitality space. With numbers this high, there’s a good chance your account was targeted by one of these attacks too.

Akamai Report on Daily Credential Stuffing Attacks
(Image courtesy of Akamai)

Related: Marriott has second massive data breach in 2 years; over 5 million guests compromised

How hackers gain access to loyalty accounts

So, how did hackers actually get into these accounts? As discussed in the intro, hackers used credential stuffing to break into accounts. Hackers can buy password lists on the darknet. These may be from massive data leaks or successful brute force attacks. Then, they attempt to use the same credentials to log into other accounts.

In short, this means that if you use the same password for your Marriott Bonvoy and United MileagePlus accounts, a hacker can access both if they find the credential for either.

To me, it’s scary just how easy this is. Many people use the same password for all of their online accounts, opening up all of their accounts to a hacker that can find a single credential pair. Let this be a warning not to use the same password for all your accounts — if you do, you’re setting yourself up to be hacked.

Related: 5 ways to avoid getting hacked when charging your phone at the airport

Hackers sell points and even have their own travel agencies

Hackers could sell your identity with information taken from a hacked loyalty account. (Photo by Luis Alvarez via Getty Images)

Perhaps the scariest part of my conversation with Ragan is what hackers do when accessing your loyalty accounts. According to Ragan, hackers will oftentimes cash out your points or sell them on the darknet. In fact, the study shows examples of listings for Hilton Honors and Fuel Rewards points. Sometimes they’ll use points to book for other people. Other times they’ll cash them out if possible.

In fact, there are even criminal travel agencies out there. Akamai’s report notes that these travel agents will buy stolen accounts and book travel for their clients at a steep discount. The report says: “Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a $2,000 booking on a well-known travel comparison/booking website would cost about $700 on the darknet.”

Sometimes hackers use a mixture of stolen credit cards and loyalty accounts to make these bookings. Because of this, the report says, “the risk is assumed entirely by the person taking the trip.”

Related: You are most likely to be hacked in these U.S. airports

Hackers want more than just your points

But here’s the scarier part: they want your personal information too. Akamai’s report notes that “retail and loyalty profiles contain a wealth of personal information,” like addresses, credit card numbers, and other sensitive things about your life. For example, United asks for your address, gender, date of birth and various other bits of information when you sign up for a new MileagePlus account.

Once a hacker has this information from multiple accounts, he or she can compile a portfolio made up of your personal information. This information can then be sold in whole or in pieces, and someone can effectively buy your identity online. This information could allow hackers to take out loans in your name or otherwise act like you.

Yep, it’s a pretty scary world out there.

Related: Your personal data was potentially exposed by a flaw in 140+ airlines’ software

What you can do to protect yourself

Person Typing on a Laptop
(Photo by Dmytro Tyshchenko/Shutterstock)

Thankfully, you don’t have to stay susceptible to these attacks. Ragan told me that the two biggest ways to prevent your loyalty accounts are using a password manager and enabling two-factor authentication. While not foolproof, these massively reduce your risk of being hacked.

Related: Scammers took 309,000 of my Hilton points — here’s how to get them back

Password managers are a great first line of defense

Using 1Password on a Mac
Use a password manager to create random passwords that are unique for each of your loyalty accounts. (Image courtesy of 1Password)

You may have heard of popular password management tools like 1Password and LastPass. In short, these let you generate random passwords for each of your accounts. Then, you can use the tool to fill in your passwords automatically. This means it’s easy to make hard-to-guess passwords that are unique for each of your accounts without having to remember a bunch of random characters.

In doing this, you will never have to use the same password on multiple accounts. Instead, you’ll use a unique password that’s hard to crack for each account. If one account is leaked, a hacker won’t have access to all of your accounts at once. Instead, you can simply change a single password and rest assured that the rest of your accounts are secure.

There’s another added benefit too. Ragan noted that most password managers have autofill features that will pop up when you visit a website and offer to fill in your passwords. For example, your password manager will offer to fill in your Delta username and password when you go to Delta.com. These won’t appear on other URLs, which is important in a phishing attack.

These attacks are where a hacker sends you an email pretending to be a major company. Within this email is a link to a fake website that looks just like the real one. You’ll be prompted to sign in using a fake form. Then instead of logging into your account, your credentials are sent to the hacker in question. The hacker then has your data. A password manager won’t prompt you to enter your credentials on these pages, so you’ll immediately know something is wrong.

Related: 1Password adds “Travel Mode” to keep accounts private while traveling

Enable multi-factor authentication wherever possible

Ragan says multi-factor authentication is another important part of preventing your loyalty accounts from being hacked. Simply put, multi-factor authentication is a secondary one-time password needed to access any given account. You’re sent this password in real-time via text message or a third-party app like Google Authenticator. Ragan recommends using the ladder as hackers may be able to clone your SIM card and then access your account.

“Multi-factor authentication single-handedly causes the most frustration to criminals that do credential stuffing attacks,” says Ragan, “when they come across accounts that have multi-factor authentication, they walk away.”

And this makes sense. It’s hard to crack these passwords, so criminals are more inclined to simply move onto their next victim instead of waste time on your account. That said, Ragan said a determined criminal could get past these, but it’s not common for simple account takeovers.

Related: How I learned that my credit card number was stolen

Other ways to keep your points safe

Of course, you should also follow common sense things like not writing your password on a piece of paper and not using common words in your passwords. Likewise, you should perform regular loyalty account audits and only give loyalty programs a minimal amount of your personal information. Take a look at TPG’s complete guide to protecting yourself against loyalty data breaches for more tips.

Related: How do you keep track of your points and miles?

Bottom line

You need to take loyalty fraud seriously in this day and age. Cybercrime is on the rise and — not only are your points at risk — but your identity is too. Use the tips outlined here to protect yourself against a growing threat.

Feature photo by ribeiroantonio/Shutterstock

Chase Sapphire Preferred® Card

WELCOME OFFER: 60,000 Points

TPG'S BONUS VALUATION*: $1,200

CARD HIGHLIGHTS: 2X points on all travel and dining, points transferrable to over a dozen travel partners

*Bonus value is an estimated value calculated by TPG and not the card issuer. View our latest valuations here.

Apply Now
More Things to Know
  • Earn 60,000 bonus points after you spend $4,000 on purchases in the first 3 months from account opening. That's $750 toward travel when you redeem through Chase Ultimate Rewards®
  • 2X points on travel and dining at restaurants worldwide, eligible delivery services, takeout and dining out & 1 point per dollar spent on all other purchases.
  • Get 25% more value when you redeem for travel through Chase Ultimate Rewards®. For example, 60,000 points are worth $750 toward travel.
  • Get unlimited deliveries with a $0 delivery fee and reduced service fees on orders over $12 for a minimum of one year on qualifying food purchases with DashPass, DoorDash's subscription service. Activate by 12/31/21.
  • Earn 2x total points on up to $1,000 in grocery store purchases per month from November 1, 2020 to April 30, 2021. Includes eligible pick-up and delivery services.
Regular APR
15.99%-22.99% Variable
Annual Fee
$95
Balance Transfer Fee
Either $5 or 5% of the amount of each transfer, whichever is greater.
Recommended Credit
Excellent/Good

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.