
Loyalty fraud is on the rise — here's what happens when your points are stolen

Oct. 31, 2020

Despite being in the middle of a global pandemic, hackers are still targeting travel loyalty accounts. In fact, loyalty account fraud is on the rise, but not for the reasons you might think.

A recent report out of Akamai — a cybersecurity company in the loyalty space — shows there were over 100 billion credential stuffing attacks between July 2018 and June 2020. In a credential stuffing attack, a hacker takes stolen passwords and tries them on other accounts owned by the same person. So if someone gets your Marriott password and it's the same as your Hilton password, they then have access to both accounts.

Of these attacks, 63 billion were targeted at retail, travel and hospitality. Think airline, hotel and retail loyalty programs like Fuel Rewards and Kroger Community Rewards.

The scariest thing about these attacks, though, is why they happen. Hackers want access to your accounts, not just for your points but for your personal data as well. They can then use this data to build a profile about you that they can later sell on the darknet for identity fraud.

I sat down with Steve Ragan — a Security Researcher and Technical Writer at Akamai and one of the report's co-authors — to discuss the report and how travel loyalty accounts are being affected by fraud during the coronavirus pandemic. Here, I'll give you a look at why fraud is up, how hackers are taking over accounts and discuss what they do with your data. Then, I'll give you a few of Ragan's tips on how to protect your accounts.

Let's get started!


Loyalty fraud is on the rise — here's why


The reason why loyalty fraud is on the rise this year is actually pretty simple. Shortly after the coronavirus pandemic started spreading throughout the world, we saw airlines, hotels and other loyalty programs start to extend elite status, point expiration, and other awards. According to Ragan, hackers started to look through their old password lists just to "see what stuck" at the same time. As it turns out, a lot stuck.

One reason hackers chose to get into loyalty accounts during the pandemic is that we were all stuck at home. Members weren't traveling, so they didn't have a huge incentive to check their account balances. This created the perfect time for hackers to access these accounts without getting caught.


The image below shows all of the daily credential stuffing attacks performed between July 2018 and June 2020. As discussed, there were over 100 billion attacks during this time frame, with 63 billion being in the retail, travel and hospitality space. With numbers this high, there's a good chance your account was targeted by one of these attacks too.

(Image courtesy of Akamai)


How hackers gain access to loyalty accounts

So, how did hackers actually get into these accounts? As discussed in the intro, hackers used credential stuffing to break into accounts. Hackers can buy password lists on the darknet. These may be from massive data leaks or successful brute force attacks. Then, they attempt to use the same credentials to log into other accounts.

In short, this means that if you use the same password for your Marriott Bonvoy and United MileagePlus accounts, a hacker can access both if they find the credential for either.

To me, it's scary just how easy this is. Many people use the same password for all of their online accounts, opening up all of their accounts to a hacker that can find a single credential pair. Let this be a warning not to use the same password for all your accounts — if you do, you're setting yourself up to be hacked.
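On the loyalty program's side, the reuse pattern described above shows up in login logs as one source trying many different accounts and failing on nearly all of them. The following is an added example, not code from the article or from Akamai's report; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success). Not real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"member{i}@example.com", i == 17) for i in range(40)]
    + [("198.51.100.4", "alice@example.com", False),   # a member mistyping
       ("198.51.100.4", "alice@example.com", False),
       ("198.51.100.4", "alice@example.com", True),
       ("192.0.2.9", "bob@example.com", True)]
)

def find_stuffing_sources(events, min_accounts=20, max_success_rate=0.10):
    """Return {ip: stats} for sources that try many distinct accounts and mostly fail.

    Both thresholds are illustrative assumptions, not values from the report.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "hits": set()})
    for ip, user, success in events:
        stats = per_ip[ip]
        stats["accounts"].add(user.lower())
        stats["attempts"] += 1
        if success:
            stats["hits"].add(user.lower())

    flagged = {}
    for ip, stats in per_ip.items():
        # Count successful attempts per source; each sample account succeeds at most once.
        rate = len(stats["hits"]) / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_accounts": len(stats["accounts"]),
                "success_rate": round(rate, 3),
                # A success from a flagged source means a reused password worked:
                # these accounts need a forced reset and a points-balance review.
                "accounts_to_reset": sorted(stats["hits"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, stats)
```

Grouping by source address alone is a simplification; attempts spread across many addresses need additional grouping signals.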


Hackers sell points and even have their own travel agencies


Perhaps the scariest part of my conversation with Ragan is what hackers do when accessing your loyalty accounts. According to Ragan, hackers will oftentimes cash out your points or sell them on the darknet. In fact, the study shows examples of listings for Hilton Honors and Fuel Rewards points. Sometimes they'll use points to book for other people. Other times they'll cash them out if possible.

In fact, there are even criminal travel agencies out there. Akamai's report notes that these travel agents will buy stolen accounts and book travel for their clients at a steep discount. The report says: "Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a $2,000 booking on a well-known travel comparison/booking website would cost about $700 on the darknet."

Sometimes hackers use a mixture of stolen credit cards and loyalty accounts to make these bookings. Because of this, the report says, "the risk is assumed entirely by the person taking the trip."


Hackers want more than just your points

But here's the scarier part: they want your personal information too. Akamai's report notes that "retail and loyalty profiles contain a wealth of personal information," like addresses, credit card numbers, and other sensitive things about your life. For example, United asks for your address, gender, date of birth and various other bits of information when you sign up for a new MileagePlus account.

Once a hacker has this information from multiple accounts, he or she can compile a portfolio made up of your personal information. This information can then be sold in whole or in pieces, and someone can effectively buy your identity online. This information could allow hackers to take out loans in your name or otherwise act like you.

Yep, it's a pretty scary world out there.


What you can do to protect yourself


Thankfully, you don't have to stay susceptible to these attacks. Ragan told me that the two biggest ways to protect your loyalty accounts are using a password manager and enabling two-factor authentication. While not foolproof, these massively reduce your risk of being hacked.


Password managers are a great first line of defense


You may have heard of popular password management tools like 1Password and LastPass. In short, these let you generate random passwords for each of your accounts. Then, you can use the tool to fill in your passwords automatically. This means it's easy to make hard-to-guess passwords that are unique for each of your accounts without having to remember a bunch of random characters.

In doing this, you will never have to use the same password on multiple accounts. Instead, you'll use a unique password that's hard to crack for each account. If one account is leaked, a hacker won't have access to all of your accounts at once. Instead, you can simply change a single password and rest assured that the rest of your accounts are secure.

There's another added benefit too. Ragan noted that most password managers have autofill features that will pop up when you visit a website and offer to fill in your passwords. For example, your password manager will offer to fill in your Delta username and password when you go to Delta.com. These won't appear on other URLs, which is important in a phishing attack.

These attacks are where a hacker sends you an email pretending to be a major company. Within this email is a link to a fake website that looks just like the real one. You'll be prompted to sign in using a fake form. Then instead of logging into your account, your credentials are sent to the hacker in question. The hacker then has your data. A password manager won't prompt you to enter your credentials on these pages, so you'll immediately know something is wrong.
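The autofill behaviour described above comes down to comparing the page's origin with the origin stored alongside the saved login. The following is an added example, not code from the article or from any password manager; it assumes strict exact-origin matching over HTTPS (real products may use looser domain matching), and the saved login and test URLs are constructed.

```python
from urllib.parse import urlsplit

def canonical_origin(url):
    """Return ("https", host, port) for an HTTPS URL, or None if it is unusable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port or 443            # raises ValueError on a bad port
        host = (parts.hostname or "").rstrip(".")
        # IDNA-encode so a Unicode look-alike host becomes a distinct xn-- name.
        host = host.encode("idna").decode("ascii") if host else ""
    except (ValueError, UnicodeError):
        return None
    if parts.scheme != "https" or not host:
        return None                          # never offer to fill over plain HTTP
    return ("https", host, port)

def offer_autofill(saved, page_url):
    """Return the usernames to offer on page_url; an empty list means no prompt."""
    origin = canonical_origin(page_url)
    if origin is None:
        return []
    return [user for saved_url, user in saved
            if canonical_origin(saved_url) == origin]

# Constructed vault entry: URL recorded when the login was saved, plus username.
SAVED = [("https://www.delta.com/login", "flyer@example.com")]

# Constructed page URLs a member might land on.
PAGES = [
    "https://www.delta.com/mytrips",                       # genuine site
    "https://WWW.DELTA.COM:443/",                          # same origin, other spelling
    "http://www.delta.com/login",                          # not HTTPS
    "https://www.delta.com.account-verify.example/login",  # real name used as a prefix
    "https://www.d\u0435lta.com/login",                    # Cyrillic letter in the host
]

if __name__ == "__main__":
    for page in PAGES:
        print(page.encode("ascii", "backslashreplace").decode(),
              "->", offer_autofill(SAVED, page) or "no autofill offered")
```

Only the first two pages get a prompt; on the others the absence of an autofill offer is the warning sign the paragraph above describes.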


Enable multi-factor authentication wherever possible

Ragan says multi-factor authentication is another important part of preventing your loyalty accounts from being hacked. Simply put, multi-factor authentication is a secondary one-time password needed to access any given account. You're sent this password in real-time via text message or a third-party app like Google Authenticator. Ragan recommends using the latter, as hackers may be able to clone your SIM card and then access your account.

"Multi-factor authentication single-handedly causes the most frustration to criminals that do credential stuffing attacks," says Ragan, "when they come across accounts that have multi-factor authentication, they walk away."

And this makes sense. It's hard to crack these passwords, so criminals are more inclined to simply move on to their next victim instead of wasting time on your account. That said, Ragan said a determined criminal could get past these, but it's not common for simple account takeovers.


Other ways to keep your points safe

Of course, you should also follow common sense things like not writing your password on a piece of paper and not using common words in your passwords. Likewise, you should perform regular loyalty account audits and only give loyalty programs a minimal amount of your personal information. Take a look at TPG's complete guide to protecting yourself against loyalty data breaches for more tips.


Bottom line

You need to take loyalty fraud seriously in this day and age. Cybercrime is on the rise, and not only are your points at risk, but your identity is too. Use the tips outlined here to protect yourself against a growing threat.
