Crooks' new target: your rewards points

Cyberthieves empty out poorly secured hotel, airline accounts

By Daniel Workman

Love loyalty rewards programs? So do black hat hackers, and they're becoming increasingly interested in stealing them from consumers, imperiling not only your rewards points but your identity.

Rewards-related attacks have been mounting. In November 2014, reports began emerging about millions of stolen Hilton HHonors points, followed by news in early 2015 that thieves had stolen American Airlines and United Airlines frequent flier miles after getting hold of account holders' usernames and passwords. Last September, Japan Airlines announced a breach in which personal information for thousands of JAL Mileage Bank members was compromised.

Rewards plan cybercrime imperils more than points

No points were reported stolen in the JAL case, but that doesn't mean nothing of value was taken. The security risks of loyalty programs include their treasure trove of data. Besides point balances, program websites typically store members' names, birthdates, email addresses, mailing addresses, telephone numbers and payment method details (usually credit cards). Optional information includes marital status, household size and annual income. "In some sense, reward program websites are a 'one-stop shop' for criminals," says Hal Pomeranz, founder of computer forensic firm Deer Run Associates. "All of this information has value and can be converted to cash in the underground economy."

Hotel and airline loyalty rewards programs are particularly vulnerable. Although there have been reported cases of credit card rewards theft, banks tend to have some of the most robust security in the business world and those protections cover rewards accounts, too. For example, Capital One cardholders access their rewards accounts via Capital One's online banking system, according to spokeswoman Amanda Landers. Rewards redemptions are subject to security and authentication procedures similar to those applied to other bank transactions, such as withdrawals.

Points worth billions
"For several years, I've been telling anyone who will listen that they should think of their points and miles as money," says Michael Smith, industry analyst and managing partner of Airline Information, a firm that conducts research into airlines' loyalty and merchandising programs.

Make that a lot of money. Colloquy's 2011 Forecast of U.S. Consumer Loyalty Program Points Value estimated the fair market value of travel and hospitality rewards issued in the U.S. at $17 billion a year. Financial services issued even more points -- worth an estimated $18 billion annually, according to the report.

Loyalty plan earnings are compelling targets because thieves can monetize them in different ways. One shady seller on the underground forum Darknet Markets advertises American Airlines miles and Hilton points, which, the seller explains, buyers can:

  • Sell to online mileage brokers;
  • Redeem for physical gift cards, electronics and other merchandise through the issuers' online shopping malls;
  • Use to book flights and hotel stays; and
  • Exchange via a points exchange site for different program miles or points.

Lillian Ablon, a Rand Corporation researcher, says reward points are more anonymous and involve less risk than stolen credit cards because once you "flip" them into tangibles such as gift cards or electronics, they are harder to digitally trace. Gift cards can be turned into cash through legitimate secondary markets that make it difficult to distinguish which cards were bought with pilfered points.

Multiple account attacks
The Achilles' heel of loyalty websites is the user IDs and passwords selected for accessing member accounts, says computer security adjunct professor Samuel Carter at North Carolina State University.

  • Ask for two-factor authentication (e.g., password + verification codes).
  • Use strong, unique passwords for each account.
  • Change passwords at least semiannually.
  • Close unused accounts.
  • Frequently monitor active accounts.
  • Enable account activity notifications.
  • Don't save credit card information on loyalty sites.
  • Respond promptly to alerts or other messages.
  • Immediately report suspicious activity.
  • Protect points as you would your bank account.

reviewed 10 frequent flier and 17 hotel loyalty websites and found that half relied on a four-digit PIN or a password of six characters or fewer. Only a third provided two-factor authentication such as challenge questions or verification codes sent to the account holder's smartphone -- a service that is becoming more common with financial accounts.

"Two-factor authentication is not common among loyalty programs because it is expensive to implement and maintain, and is seen as an inconvenient burden to users," says Carter.

To more easily manage multiple accounts, many consumers re-use the same username/password combination. Intruders able to penetrate one loyalty account will then try those login credentials on all accounts belonging to the member. Aite Group's July 2014 report Merchants and Cybercriminals Duke It Out: No Signs of Slowing estimates that Americans maintain on average from 15 to 20 usernames and passwords, and that 55 percent of users apply the same login credential combination on all accounts.

Global identity protection firm CSID has detected an uptick in online black market interest for stolen login IDs and passwords. Spokeswoman Morgan Grevey says the value of re-used Web credentials is one of the suspected reasons. "If a consumer has protected a rewards account with a login ID and password that is used across multiple high-value sites, such as Amazon or a banking site, then all those sites are at risk for breach and misuse," adds Grevey.

Phishing for financial information
One way that hackers may gain access to at least one set of login credentials from loyalty program customers is through email phishing attacks, which are an increasingly easy crime to commit. Rand's Ablon, lead author of the report Markets for Cybercrime Tools and Stolen Data -- Hackers' Bazaar, says that support products and services to facilitate the full lifecycle of a phishing attack against loyalty members are accessible online.

Available tools include malware, often a key component of phishing attacks. For instance, if an unsuspecting consumer clicks on a link in a phishing email, malicious software may download onto their computer, where it can capture banking, credit card and other sensitive financial information.

"Malware kits like Zeus, Citadel and SpyEye can be bought from underground sites for as little as a few thousand dollars or up to tens of thousands of dollars depending on program functionality," says Pomeranz. Malware kits may even come with a support contract or be sold on a "software as a service" basis, which allows cybercriminals to lease a pre-installed instance of the malware for a monthly fee, freeing the thief from having to set up the harmful software.

Most dangerous loyalty threat: identity theft
While losing your rewards points may be a hassle, they can be restored (American Airlines confirmed that it credited the unauthorized mileage transfers back to the breached accounts and United Airlines reportedly did the same). Identity theft, on the other hand, can ruin your credit and take years to recover from.

"I've known people who live 'off the grid' now for fear of being victimized by identity theft again," says Walter McLaughlin, a senior banker and finance columnist for Decoded Science.

Being enrolled in loyalty plans can heighten the risk of identity theft. Based on the 2015 Colloquy Loyalty Census, the average American household belonged to 29 loyalty programs in 2014 spanning travel, hospitality, retail and financial services industries. On average 17 of those accounts were inactive, leaving rich collections of unattended online information for identity thieves to harvest.

The vast amount of loyalty member data enables cybercriminals to develop comprehensive dossiers on their targets, says John Pironti, a risk and security adviser with the information security association ISACA and president of the consultancy IP Architects.

Members with higher reward levels often have identifiable travel patterns that can be used to predict their activities. Identity thieves gain insights into family and business travel plans, and track other websites visited, including those for dining establishments and car rental agencies. "Loyalty account data can be pieced together like a puzzle and then used to impersonate an individual," Pironti says.

When to contact authorities
Lindsay G. Ram, public affairs specialist with the FBI Washington, D.C., field office, advises victims of loyalty program cybercrime to immediately contact their program provider, their credit card issuer if credit cards are involved and local law enforcement.

He acknowledges that law enforcement may not take direct action, but points out that after reporting the fraud or theft, a consumer can also file a complaint with the FBI's Internet Crime Complaint Center (IC3).

If IC3 can match several victims of the same type of crime, a referral will be sent to the appropriate law enforcement agency to investigate.

Published: March 25, 2015

Updated: 10-24-2016