Loyalty fraud is on the rise — here's what happens when your points are stolen
Despite being in the middle of a global pandemic, hackers are still targeting travel loyalty accounts. In fact, loyalty account fraud is on the rise, but not for the reasons you might think.
A recent report out of Akamai — a cybersecurity company in the loyalty space — shows there were over 100 billion credential stuffing attacks between July 2018 and June 2020. These attacks are when a hacker uses stolen passwords to gain access to other accounts owned by the same person. So if someone gets your Marriott password and it's the same as your Hilton password, they then have access to both accounts.
Of these attacks, 63 billion were targeted at retail, travel and hospitality. Think airline, hotel and retail loyalty programs like Fuel Rewards and Kroger Community Rewards.
The scariest thing about these attacks, though, is why they happen. Hackers want access to your accounts, not just for your points but for your personal data as well. They can then use this data to build a profile about you that they can later sell on the darknet for identity fraud.
I sat down with Steve Ragan — a Security Researcher and Technical Writer at Akamai and one of the report's co-authors — to discuss the report and how travel loyalty accounts are being affected by fraud during the coronavirus pandemic. Here, I'll give you a look at why fraud is up, how hackers are taking over accounts and discuss what they do with your data. Then, I'll give you a few of Ragan's tips on how to protect your accounts.
Let's get started!
Sign-up for the TPG daily newsletter to get points and miles coverage like this delivered to your inbox.
Loyalty fraud is on the rise — here's why
The reason why loyalty fraud is on the rise this year is actually pretty simple. Shortly after the coronavirus pandemic started spreading throughout the world, we saw airlines, hotels and other loyalty programs start to extend elite status, point expiration, and other awards. According to Ragan, hackers started to look through their old password lists just to "see what stuck" at the same time. As it turns out, a lot stuck.
One reason hackers chose to get into loyalty accounts during the pandemic because we were all stuck at home. Members weren't traveling, so they wouldn't have a huge incentive for these members to check their account balances. This created the perfect time for hackers to access these accounts without getting caught.
The image below shows all of the daily credential stuffing attacks performed between July 2018 and June 2020. As discussed, there were over 100 billion attacks during this time frame, with 63 billion being in the retail, travel and hospitality space. With numbers this high, there's a good chance your account was targeted by one of these attacks too.
Related: Marriott has second massive data breach in 2 years; over 5 million guests compromised
How hackers gain access to loyalty accounts
So, how did hackers actually get into these accounts? As discussed in the intro, hackers used credential stuffing to break into accounts. Hackers can buy password lists on the darknet. These may be from massive data leaks or successful brute force attacks. Then, they attempt to use the same credentials to log into other accounts.
In short, this means that if you use the same password for your Marriott Bonvoy and United MileagePlus accounts, a hacker can access both if they find the credential for either.
To me, it's scary just how easy this is. Many people use the same password for all of their online accounts, opening up all of their accounts to a hacker that can find a single credential pair. Let this be a warning not to use the same password for all your accounts — if you do, you're setting yourself up to be hacked.
Related: 5 ways to avoid getting hacked when charging your phone at the airport
Hackers sell points and even have their own travel agencies
Perhaps the scariest part of my conversation with Ragan is what hackers do when accessing your loyalty accounts. According to Ragan, hackers will oftentimes cash out your points or sell them on the darknet. In fact, the study shows examples of listings for Hilton Honors and Fuel Rewards points. Sometimes they'll use points to book for other people. Other times they'll cash them out if possible.
In fact, there are even criminal travel agencies out there. Akamai's report notes that these travel agents will buy stolen accounts and book travel for their clients at a steep discount. The report says: "Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a $2,000 booking on a well-known travel comparison/booking website would cost about $700 on the darknet."
Sometimes hackers use a mixture of stolen credit cards and loyalty accounts to make these bookings. Because of this, the report says, "the risk is assumed entirely by the person taking the trip."
Related: You are most likely to be hacked in these U.S. airports
Hackers want more than just your points
But here's the scarier part: they want your personal information too. Akamai's report notes that "retail and loyalty profiles contain a wealth of personal information," like addresses, credit card numbers, and other sensitive things about your life. For example, United asks for your address, gender, date of birth and various other bits of information when you sign up for a new MileagePlus account.
Once a hacker has this information from multiple accounts, he or she can compile a portfolio made up of your personal information. This information can then be sold in whole or in pieces, and someone can effectively buy your identity online. This information could allow hackers to take out loans in your name or otherwise act like you.
Yep, it's a pretty scary world out there.
Related: Your personal data was potentially exposed by a flaw in 140+ airlines’ software
What you can do to protect yourself
Thankfully, you don't have to stay susceptible to these attacks. Ragan told me that the two biggest ways to prevent your loyalty accounts are using a password manager and enabling two-factor authentication. While not foolproof, these massively reduce your risk of being hacked.
Related: Scammers took 309,000 of my Hilton points — here’s how to get them back
Password managers are a great first line of defense
You may have heard of popular password management tools like 1Password and LastPass. In short, these let you generate random passwords for each of your accounts. Then, you can use the tool to fill in your passwords automatically. This means it's easy to make hard-to-guess passwords that are unique for each of your accounts without having to remember a bunch of random characters.
In doing this, you will never have to use the same password on multiple accounts. Instead, you'll use a unique password that's hard to crack for each account. If one account is leaked, a hacker won't have access to all of your accounts at once. Instead, you can simply change a single password and rest assured that the rest of your accounts are secure.
There's another added benefit too. Ragan noted that most password managers have autofill features that will pop up when you visit a website and offer to fill in your passwords. For example, your password manager will offer to fill in your Delta username and password when you go to Delta.com. These won't appear on other URLs, which is important in a phishing attack.
These attacks are where a hacker sends you an email pretending to be a major company. Within this email is a link to a fake website that looks just like the real one. You'll be prompted to sign in using a fake form. Then instead of logging into your account, your credentials are sent to the hacker in question. The hacker then has your data. A password manager won't prompt you to enter your credentials on these pages, so you'll immediately know something is wrong.
Related: 1Password adds “Travel Mode” to keep accounts private while traveling
Enable multi-factor authentication wherever possible
Ragan says multi-factor authentication is another important part of preventing your loyalty accounts from being hacked. Simply put, multi-factor authentication is a secondary one-time password needed to access any given account. You're sent this password in real-time via text message or a third-party app like Google Authenticator. Ragan recommends using the ladder as hackers may be able to clone your SIM card and then access your account.
"Multi-factor authentication single-handedly causes the most frustration to criminals that do credential stuffing attacks," says Ragan, "when they come across accounts that have multi-factor authentication, they walk away."
And this makes sense. It's hard to crack these passwords, so criminals are more inclined to simply move onto their next victim instead of waste time on your account. That said, Ragan said a determined criminal could get past these, but it's not common for simple account takeovers.
Related: How I learned that my credit card number was stolen
Other ways to keep your points safe
Of course, you should also follow common sense things like not writing your password on a piece of paper and not using common words in your passwords. Likewise, you should perform regular loyalty account audits and only give loyalty programs a minimal amount of your personal information. Take a look at TPG's complete guide to protecting yourself against loyalty data breaches for more tips.
Related: How do you keep track of your points and miles?
Bottom line
You need to take loyalty fraud seriously in this day and age. Cybercrime is on the rise and — not only are your points at risk — but your identity is too. Use the tips outlined here to protect yourself against a growing threat.
Feature photo by ribeiroantonio/Shutterstock
Top offers from our partners
How we chose these cards
TPG featured card
Rewards
10X | Earn 10x points on eligible hotels and car rentals booked through the Credit One Bank travel partner site |
5X | Earn 5x points on eligible travel, dining, and gas |
1X | Earn 1x points on all other purchases |
Intro offer
Annual Fee
Recommended Credit
Why We Chose It
The revamped Wander Card from Credit One Bank earns cardmembers up to 10 points per dollar spent on eligible travel purchases. With no foreign transaction fees, the card is also great for international travel. However, points earned from this card can only be used at a fixed value, so it may not be the best option for those striving to get maximum value from their rewards.Pros
- This card has no foreign transaction fees and earns up to 10 points per dollar on travel purchases through the Credit One Bank travel partner site.
Cons
- While cardholders can earn a significant amount of points on travel purchases, there isn't any way to redeem points from the Wander Card for maximum value (beyond 1 cent per point).
- Earn 10,000 bonus points after spending $1,000 on eligible purchases in the first 90 days and redeem for a $100 statement credit, gift cards, or travel
- Earn 10x points on eligible hotels and car rentals booked through the Credit One Bank travel site
- Earn 5x points on eligible travel, dining, and gas
- Earn 1x points on all other purchases
- Redeem your reward points for statement credits, gift cards, merchandise, flights, hotels, and more
- With $0 Fraud Liability, you won’t be responsible for unauthorized charges
- Free Online Credit Score and Credit Report summary, terms apply
- If you are a Covered Borrower under the Military Lending Act, you may get a different offer
- See Rates & Fees
Rewards Rate
10X | Earn 10x points on eligible hotels and car rentals booked through the Credit One Bank travel partner site |
5X | Earn 5x points on eligible travel, dining, and gas |
1X | Earn 1x points on all other purchases |
Intro Offer
Earn 10,000 bonus points after spending $1,000 on eligible purchases in the first 90 days and redeem for a $100 statement credit, gift cards, or travelEarn 10,000 Bonus PointsAnnual Fee
$95Recommended Credit
Credit ranges are a variation of FICO© Score 8, one of many types of credit scores lenders may use when considering your credit card application.Fair/Good
Why We Chose It
The revamped Wander Card from Credit One Bank earns cardmembers up to 10 points per dollar spent on eligible travel purchases. With no foreign transaction fees, the card is also great for international travel. However, points earned from this card can only be used at a fixed value, so it may not be the best option for those striving to get maximum value from their rewards.Pros
- This card has no foreign transaction fees and earns up to 10 points per dollar on travel purchases through the Credit One Bank travel partner site.
Cons
- While cardholders can earn a significant amount of points on travel purchases, there isn't any way to redeem points from the Wander Card for maximum value (beyond 1 cent per point).
- Earn 10,000 bonus points after spending $1,000 on eligible purchases in the first 90 days and redeem for a $100 statement credit, gift cards, or travel
- Earn 10x points on eligible hotels and car rentals booked through the Credit One Bank travel site
- Earn 5x points on eligible travel, dining, and gas
- Earn 1x points on all other purchases
- Redeem your reward points for statement credits, gift cards, merchandise, flights, hotels, and more
- With $0 Fraud Liability, you won’t be responsible for unauthorized charges
- Free Online Credit Score and Credit Report summary, terms apply
- If you are a Covered Borrower under the Military Lending Act, you may get a different offer
- See Rates & Fees