September 26, 2016 By Douglas Bonderud 2 min read

Most cybercriminals aren’t looking to make things complicated or cumbersome. Sure, some want the attention that comes with cracking a new system or developing a new attack vector, but most attackers are just in the market for easy money.

Users are getting wise to common patterns, however, and keeping closer tabs on their bank accounts and health information. Still, as noted by The Wall Street Journal, many consumers don’t pay attention to another potential cybercrime target: frequent flier miles and hotel points. Here’s a look at the growing problem of loyalty program theft.

Unregulated Currency

Brain Kelly, the creator of The Points Guy website, was recently interviewed by Today for a segment on loyalty program theft. He said miles and points are effectively an “unregulated currency” that can add up to more than the GDP of some small nations in monetary terms.

It’s an ideal situation for cybercriminals: Weak passwords or phishing emails get them access to flier miles, hotel points accounts or both, since users tend to reuse passwords. From there, they spend points by redeeming them for gift cards and high-end electronics. On the way out of user accounts, they change the password and personal details, then sit back and wait for their windfall to arrive.

It gets worse. Most consumers don’t check the balance of their loyalty accounts on a regular basis, instead preferring to accumulate large sums of points or miles over time. It’s likely that these consumers won’t notice immediately if their accounts are compromised, giving cybercriminals a head start with any data. What’s more, many accounts linked to airlines include high-value personal data, such as passport information, making them prime targets for identity theft.

The shift in tactics makes sense, since increased consumer savvy and the adoption of chip-and-PIN cards has reduced the potential revenue to be gained from more obvious attack angles. Points are largely unprotected, making them more than worth the minimal effort required to grab and go.

Speed Versus Security

So how do users keep miles and points from disappearing? Airlines are taking steps to make accounts more secure. United Airlines, for example, moved from four-digit PINs to a password/security question system. Even that isn’t foolproof, however, since many users provide easily guessed answers.

Companies have to find the balance between speed and security. If accounts are too complicated to access, users simply won’t bother signing up. If they’re too easy, businesses are stuck replacing points when thefts are reported.

As noted by Motherboard, more outlandish suggestions are also making the rounds. A new cryptocurrency known as SolarCoin has plans to put a secure satellite in orbit to keep critical data out of cybercriminal hands. Why not bury airline account servers in the desert or deep-six point stacks in the sea? But those are not exactly likely outcomes.

Preventing Loyalty Program Theft

According to American Banker, however, there are ways for consumers to avoid loyalty program theft. The basics always apply: Use solid passwords, change them regularly and don’t follow any email links that demand immediate action.

More generally, consumers should think like cybercriminals to protect their loyalty points. Fraudsters go where the money is, and right now it’s in hotel points and airline miles that they can convert to cash. To stay safe, users should loop these accounts into their secure rotation. Treat them like banking details or credit card data, and cybercriminals will quickly wise up and buzz off.

More from

Skills shortage directly tied to financial loss in data breaches

2 min read - The cybersecurity skills gap continues to widen, with serious consequences for organizations worldwide. According to IBM's 2024 Cost Of A Data Breach Report, more than half of breached organizations now face severe security staffing shortages, a whopping 26.2% increase from the previous year.And that's expensive. This skills deficit adds an average of $1.76 million in additional breach costs.The shortage spans both technical cybersecurity skills and adjacent competencies. Cloud security, threat intelligence analysis and incident response capabilities are in high demand. Equally…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today