Considering how hard it can be to redeem your miles and points for a good value, you might think nobody would be interested in stealing them. You’d be wrong.
In November 2014, cyber thieves helped themselves to Hilton HHonors members’ rewards points. In early 2015, members of United’s and American Airlines’ frequent flier programs saw their miles similarly siphoned off by hackers.
Because large rewards balances can have significant monetary value, it’s important to understand why thieves want them – and what you can do to protect them.
More than just funny money
Rewards may not be hard cash, but thieves can use them for the following:
- Booking travel: Once inside your account, thieves can transfer your miles into their own accounts. Or, they can use them to book travel directly.
“Typically, you can use miles to book travel or use other benefits without actually being the owner of those miles,” says Steve Manzuik, director of security research at Duo Security, which develops security software for online companies.
In fact, miles are relatively low-hanging fruit for thieves. While you’re probably (hopefully) vigilant about your bank account and credit card balances, when was the last time you logged in and checked all your airline rewards balances?
“By the time the owner notices, if they even do notice, the miles have been spent and the trip has been used,” Manzuik says. “It has a lower risk of being caught than stealing actual credit cards or money.”
- Buying gift cards: Many rewards programs allow you to convert points and miles into gift cards, “which of course makes stealing them very attractive,” Manzuik says.
- Reselling: Some thieves may try to sell high-value accounts to other thieves, Manzuik says.
In addition to stealing your rewards, once thieves are inside your account, they might find other valuable things – including your personal information. Organizations compliant with the requisite security standards won’t make an affiliated card number directly accessible from your rewards account, Manzuik says. But your home address, phone number and answers to password reset questions may be accessible – and can be used in phishing attacks or to hack into other accounts you have.
How thieves get in
One way thieves can get in is by hacking the rewards program itself. However, while this strategy has the advantage of hitting lots of accounts at once, it’s also the easiest to detect, Manzuik says.
“Application security, secure development practices, and other security technology have made these types of attacks less common,” he says.
A more likely plan of attack is social engineering, for example phishing. If thieves manage to get some of your information, they can call or email you and try to trick you into surrendering the rest (including the password to your account).
“It is far easier and stealthier for an attacker to go after individual users versus the entire site itself,” Manzuik says.
Thieves may also take advantage of the fact that many people use the same password across multiple accounts. If they manage to get your password to, say, a social media account or photo-sharing site, you could be in trouble if that same password also unlocks your rewards account.
Safeguarding your rewards
While cards’ zero liability policies will almost always reimburse you for charges made by a thief, there’s no such protection for your rewards — although loyalty programs can and do reimburse stolen rewards, as evidenced by the United and American Airlines hacks. However, even if your program may eventually reimburse your miles, it’s less of a hassle to prevent theft from the outset.
Don’t underestimate the importance of a strong, hard-to-guess password. Manzuik recommends using a password manager that can generate strong passwords and store them for you. This also allows you to easily have a unique, strong password for each account, so, if a hacker manages to get the password to one, he doesn’t end up with a master key that unlocks all your accounts.
However, no password is good enough if you fall for a phishing scam and surrender it. So be wary of opening email attachments and clicking on links in emails, and don’t ever give account information to anyone who contacts you. Because everyone makes gullible mistakes, if your rewards site offers two-factor authentication, use it, Manzuik says.
Two-factor authentication works in a variety of ways. One example: If you log in from an unfamiliar device, after entering your password, the program might require you to also enter a security code (which will be sent to your mobile device). So even if a thief tricked you into giving up your password, if he doesn’t have your phone, he can’t break into your account.
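The unfamiliar-device step-up just described, as an added Python example that is not from the article or from Duo Security: the password is checked first, a known device is let straight in, and an unknown device must supply a short-lived one-time code before it is remembered. The user record, device ids, phone number and in-memory code store are constructed stand-ins for a real server's storage and SMS gateway.

```python
import hmac, secrets, time
from hashlib import pbkdf2_hmac

# Constructed demo data: one user, one device that already passed a code
# check. Real deployments use per-user salts and server-side session storage.
_SALT = b"demo-salt"
_USERS = {"traveler": {
    "pw_hash": pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
    "known_devices": {"laptop-cookie-1"},
    "phone": "+1-555-0100",
}}
_PENDING = {}   # user -> {"code", "expiry", "tries"} while a code is outstanding
_OUTBOX = []    # stand-in for the SMS gateway: (phone, code) pairs "sent"
CODE_TTL = 300  # seconds a code stays valid
MAX_TRIES = 3   # wrong guesses allowed before the code is voided
def check_password(user, password):
    rec = _USERS.get(user)
    if rec is None:
        return False
    cand = pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(cand, rec["pw_hash"])   # constant-time compare

def login(user, password, device_id, now=None):
    """Return 'denied', 'ok', or 'need_code' (password right, device unknown)."""
    now = time.time() if now is None else now
    if not check_password(user, password):
        return "denied"
    if device_id in _USERS[user]["known_devices"]:
        return "ok"
    code = f"{secrets.randbelow(10**6):06d}"        # 6-digit one-time code
    _PENDING[user] = {"code": code, "expiry": now + CODE_TTL, "tries": 0}
    _OUTBOX.append((_USERS[user]["phone"], code))   # would be an SMS/push send
    return "need_code"

def verify_code(user, submitted, device_id, now=None):
    """Finish step-up: code must match, be unexpired, and not over the try limit."""
    now = time.time() if now is None else now
    entry = _PENDING.get(user)
    if entry is None:
        return False
    entry["tries"] += 1
    if now > entry["expiry"] or entry["tries"] > MAX_TRIES:
        _PENDING.pop(user)                          # void the code entirely
        return False
    if not hmac.compare_digest(entry["code"], submitted):
        return False
    _PENDING.pop(user)                              # single use
    _USERS[user]["known_devices"].add(device_id)    # trust this device from now on
    return True
```

A stolen password alone reaches only the "need_code" state; without the code delivered to the phone, the unknown device never gets in, and an expired or repeatedly wrong code voids the attempt.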
“As sites in general become more secure, … phishing and direct attacks on users will become more popular,” Manzuik says. “This is why leveraging two-factor authentication is so important.”