Most cybercriminals aren’t looking to make things complicated or cumbersome. Sure, some want the attention that comes with cracking a new system or developing a new attack vector, but most attackers are just in the market for easy money.
Users are getting wise to common patterns, however, and keeping closer tabs on their bank accounts and health information. Still, as noted by The Wall Street Journal, many consumers don’t pay attention to another potential cybercrime target: frequent flier miles and hotel points. Here’s a look at the growing problem of loyalty program theft.
Brain Kelly, the creator of The Points Guy website, was recently interviewed by Today for a segment on loyalty program theft. He said miles and points are effectively an “unregulated currency” that can add up to more than the GDP of some small nations in monetary terms.
It’s an ideal situation for cybercriminals: Weak passwords or phishing emails get them access to flier miles, hotel points accounts or both, since users tend to reuse passwords. From there, they spend points by redeeming them for gift cards and high-end electronics. On the way out of user accounts, they change the password and personal details, then sit back and wait for their windfall to arrive.
It gets worse. Most consumers don’t check the balance of their loyalty accounts on a regular basis, instead preferring to accumulate large sums of points or miles over time. It’s likely that these consumers won’t notice immediately if their accounts are compromised, giving cybercriminals a head start with any data. What’s more, many accounts linked to airlines include high-value personal data, such as passport information, making them prime targets for identity theft.
The shift in tactics makes sense, since increased consumer savvy and the adoption of chip-and-PIN cards has reduced the potential revenue to be gained from more obvious attack angles. Points are largely unprotected, making them more than worth the minimal effort required to grab and go.
Speed Versus Security
So how do users keep miles and points from disappearing? Airlines are taking steps to make accounts more secure. United Airlines, for example, moved from four-digit PINs to a password/security question system. Even that isn’t foolproof, however, since many users provide easily guessed answers.
Companies have to find the balance between speed and security. If accounts are too complicated to access, users simply won’t bother signing up. If they’re too easy, businesses are stuck replacing points when thefts are reported.
As noted by Motherboard, more outlandish suggestions are also making the rounds. A new cryptocurrency known as SolarCoin has plans to put a secure satellite in orbit to keep critical data out of cybercriminal hands. Why not bury airline account servers in the desert or deep-six point stacks in the sea? But those are not exactly likely outcomes.
Preventing Loyalty Program Theft
According to American Banker, however, there are ways for consumers to avoid loyalty program theft. The basics always apply: Use solid passwords, change them regularly and don’t follow any email links that demand immediate action.
More generally, consumers should think like cybercriminals to protect their loyalty points. Fraudsters go where the money is, and right now it’s in hotel points and airline miles that they can convert to cash. To stay safe, users should loop these accounts into their secure rotation. Treat them like banking details or credit card data, and cybercriminals will quickly wise up and buzz off.