Loyalty fraud is on the rise — here’s what happens when your points are stolen

Oct 31, 2020

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Despite being in the middle of a global pandemic, hackers are still targeting travel loyalty accounts. In fact, loyalty account fraud is on the rise, but not for the reasons you might think.

A recent report out of Akamai — a cybersecurity company in the loyalty space — shows there were over 100 billion credential stuffing attacks between July 2018 and June 2020. These attacks are when a hacker uses stolen passwords to gain access to other accounts owned by the same person. So if someone gets your Marriott password and it’s the same as your Hilton password, they then have access to both accounts.

Of these attacks, 63 billion were targeted at retail, travel and hospitality. Think airline, hotel and retail loyalty programs like Fuel Rewards and Kroger Community Rewards.

The scariest thing about these attacks, though, is why they happen. Hackers want access to your accounts, not just for your points but for your personal data as well. They can then use this data to build a profile about you that they can later sell on the darknet for identity fraud.

I sat down with Steve Ragan — a Security Researcher and Technical Writer at Akamai and one of the report’s co-authors — to discuss the report and how travel loyalty accounts are being affected by fraud during the coronavirus pandemic. Here, I’ll give you a look at why fraud is up, how hackers are taking over accounts and discuss what they do with your data. Then, I’ll give you a few of Ragan’s tips on how to protect your accounts.

Let’s get started!

Sign-up for the TPG daily newsletter to get points and miles coverage like this delivered to your inbox.

In This Post

Loyalty fraud is on the rise — here’s why

(Photo by Thomas Trutschel/Photothek via Getty Images)

The reason why loyalty fraud is on the rise this year is actually pretty simple. Shortly after the coronavirus pandemic started spreading throughout the world, we saw airlines, hotels and other loyalty programs start to extend elite status, point expiration, and other awards. According to Ragan, hackers started to look through their old password lists just to “see what stuck” at the same time. As it turns out, a lot stuck.

One reason hackers chose to get into loyalty accounts during the pandemic because we were all stuck at home. Members weren’t traveling, so they wouldn’t have a huge incentive for these members to check their account balances. This created the perfect time for hackers to access these accounts without getting caught.

The image below shows all of the daily credential stuffing attacks performed between July 2018 and June 2020. As discussed, there were over 100 billion attacks during this time frame, with 63 billion being in the retail, travel and hospitality space. With numbers this high, there’s a good chance your account was targeted by one of these attacks too.

Akamai Report on Daily Credential Stuffing Attacks
(Image courtesy of Akamai)

Related: Marriott has second massive data breach in 2 years; over 5 million guests compromised

How hackers gain access to loyalty accounts

So, how did hackers actually get into these accounts? As discussed in the intro, hackers used credential stuffing to break into accounts. Hackers can buy password lists on the darknet. These may be from massive data leaks or successful brute force attacks. Then, they attempt to use the same credentials to log into other accounts.

In short, this means that if you use the same password for your Marriott Bonvoy and United MileagePlus accounts, a hacker can access both if they find the credential for either.

To me, it’s scary just how easy this is. Many people use the same password for all of their online accounts, opening up all of their accounts to a hacker that can find a single credential pair. Let this be a warning not to use the same password for all your accounts — if you do, you’re setting yourself up to be hacked.

Related: 5 ways to avoid getting hacked when charging your phone at the airport

Hackers sell points and even have their own travel agencies

Hackers could sell your identity with information taken from a hacked loyalty account. (Photo by Luis Alvarez via Getty Images)

Perhaps the scariest part of my conversation with Ragan is what hackers do when accessing your loyalty accounts. According to Ragan, hackers will oftentimes cash out your points or sell them on the darknet. In fact, the study shows examples of listings for Hilton Honors and Fuel Rewards points. Sometimes they’ll use points to book for other people. Other times they’ll cash them out if possible.

In fact, there are even criminal travel agencies out there. Akamai’s report notes that these travel agents will buy stolen accounts and book travel for their clients at a steep discount. The report says: “Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a $2,000 booking on a well-known travel comparison/booking website would cost about $700 on the darknet.”

Sometimes hackers use a mixture of stolen credit cards and loyalty accounts to make these bookings. Because of this, the report says, “the risk is assumed entirely by the person taking the trip.”

Related: You are most likely to be hacked in these U.S. airports

Hackers want more than just your points

But here’s the scarier part: they want your personal information too. Akamai’s report notes that “retail and loyalty profiles contain a wealth of personal information,” like addresses, credit card numbers, and other sensitive things about your life. For example, United asks for your address, gender, date of birth and various other bits of information when you sign up for a new MileagePlus account.

Once a hacker has this information from multiple accounts, he or she can compile a portfolio made up of your personal information. This information can then be sold in whole or in pieces, and someone can effectively buy your identity online. This information could allow hackers to take out loans in your name or otherwise act like you.

Yep, it’s a pretty scary world out there.

Related: Your personal data was potentially exposed by a flaw in 140+ airlines’ software

What you can do to protect yourself

Person Typing on a Laptop
(Photo by Dmytro Tyshchenko/Shutterstock)

Thankfully, you don’t have to stay susceptible to these attacks. Ragan told me that the two biggest ways to prevent your loyalty accounts are using a password manager and enabling two-factor authentication. While not foolproof, these massively reduce your risk of being hacked.

Related: Scammers took 309,000 of my Hilton points — here’s how to get them back

Password managers are a great first line of defense

Using 1Password on a Mac
Use a password manager to create random passwords that are unique for each of your loyalty accounts. (Image courtesy of 1Password)

You may have heard of popular password management tools like 1Password and LastPass. In short, these let you generate random passwords for each of your accounts. Then, you can use the tool to fill in your passwords automatically. This means it’s easy to make hard-to-guess passwords that are unique for each of your accounts without having to remember a bunch of random characters.

In doing this, you will never have to use the same password on multiple accounts. Instead, you’ll use a unique password that’s hard to crack for each account. If one account is leaked, a hacker won’t have access to all of your accounts at once. Instead, you can simply change a single password and rest assured that the rest of your accounts are secure.

There’s another added benefit too. Ragan noted that most password managers have autofill features that will pop up when you visit a website and offer to fill in your passwords. For example, your password manager will offer to fill in your Delta username and password when you go to Delta.com. These won’t appear on other URLs, which is important in a phishing attack.

These attacks are where a hacker sends you an email pretending to be a major company. Within this email is a link to a fake website that looks just like the real one. You’ll be prompted to sign in using a fake form. Then instead of logging into your account, your credentials are sent to the hacker in question. The hacker then has your data. A password manager won’t prompt you to enter your credentials on these pages, so you’ll immediately know something is wrong.

Related: 1Password adds “Travel Mode” to keep accounts private while traveling

Enable multi-factor authentication wherever possible

Ragan says multi-factor authentication is another important part of preventing your loyalty accounts from being hacked. Simply put, multi-factor authentication is a secondary one-time password needed to access any given account. You’re sent this password in real-time via text message or a third-party app like Google Authenticator. Ragan recommends using the ladder as hackers may be able to clone your SIM card and then access your account.

“Multi-factor authentication single-handedly causes the most frustration to criminals that do credential stuffing attacks,” says Ragan, “when they come across accounts that have multi-factor authentication, they walk away.”

And this makes sense. It’s hard to crack these passwords, so criminals are more inclined to simply move onto their next victim instead of waste time on your account. That said, Ragan said a determined criminal could get past these, but it’s not common for simple account takeovers.

Related: How I learned that my credit card number was stolen

Other ways to keep your points safe

Of course, you should also follow common sense things like not writing your password on a piece of paper and not using common words in your passwords. Likewise, you should perform regular loyalty account audits and only give loyalty programs a minimal amount of your personal information. Take a look at TPG’s complete guide to protecting yourself against loyalty data breaches for more tips.

Related: How do you keep track of your points and miles?

Bottom line

You need to take loyalty fraud seriously in this day and age. Cybercrime is on the rise and — not only are your points at risk — but your identity is too. Use the tips outlined here to protect yourself against a growing threat.

Feature photo by ribeiroantonio/Shutterstock

Delta SkyMiles® Platinum American Express Card

Earn 90,000 bonus miles after you spend $3,000 in purchases on your new Card in your first 3 months. Offer ends 8/3/2022.

With Status Boost™, earn 10,000 Medallion Qualification Miles (MQMs) after you spend $25,000 in purchases on your Card in a calendar year, up to two times per year getting you closer to Medallion Status. Earn 3X Miles on Delta purchases and purchases made directly with hotels, 2X Miles at restaurants and at U.S. supermarkets and earn 1X Mile on all other eligible purchases. Terms Apply.

Apply Now
More Things to Know
  • Limited Time Offer: Earn 90,000 bonus miles after you spend $3,000 in purchases on your new Card in your first 3 months. Offer ends 8/3/2022.
  • Earn up to 20,000 Medallion® Qualification Miles (MQMs) with Status Boost® per year. After you spend $25,000 in purchases on your Card in a calendar year, you can earn 10,000 MQMs up to two times per year, getting you closer to Medallion® Status. MQMs are used to determine Medallion® Status and are different than miles you earn toward flights.
  • Earn 3X Miles on Delta purchases and purchases made directly with hotels.
  • Earn 2X Miles at restaurants worldwide including takeout and delivery in the U.S., and at U.S. supermarkets.
  • Earn 1X Miles on all other eligible purchases.
  • Receive a Domestic Main Cabin round-trip companion certificate each year upon renewal of your Card. Payment of the government imposed taxes and fees of no more than $80 for roundtrip domestic flights (for itineraries with up to four flight segments) is required. Baggage charges and other restrictions apply. See terms and conditions for details.
  • Enjoy your first checked bag free on Delta flights.
  • Fee Credit for Global Entry or TSA PreCheck® after you apply through any Authorized Enrollment Provider. If approved for Global Entry, at no additional charge, you will receive access to TSA PreCheck.
  • Enjoy an exclusive rate of $39 per person per visit to enter the Delta Sky Club® for you and up to two guests when traveling on a Delta flight.
  • No Foreign Transaction Fees.
  • $250 Annual Fee.
  • Terms Apply.
  • See Rates & Fees
Regular APR
17.24%-26.24% Variable
Annual Fee
Balance Transfer Fee
Recommended Credit
Terms and restrictions apply. See rates & fees.

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.