Loyalty points abuse
A return to normality for travellers will make them targets for hackers
Andy Still, CTO, Netacea
When are we returning to normal again? It’s hard to predict—and perhaps not advisable, given how many premature predictions of normality we’ve seen in the last year. At the time of writing the efficacy of vaccines is cause for hope, but the exact timeline for the reopening of borders and airlines flying again is unknown. One prediction, made by Tim Harford in the Financial Times, is that things will get better gradually, then suddenly. That is, we will get gradual good news for a long time, but the exact day, week, or month that we can say things are approaching normality will be incredibly difficult to predict.
One thing is for sure, once people are able to go on holiday, demand will be high. People will want the holidays that have been denied to them for so long. A struggling travel industry knows that it just needs to hold out until such time as restrictions are lifted—when the demand for vacations will be immense. But this also means that hackers, who have turned their attention away from the travel industry while it’s been quiet, will also be making plans.
Loyalty points as a dark web currency
Stealing from banks is not simple. Whether you’re going in through the front door to rob the safe, or trying to steal from customers’ accounts, security is tight. Financial services providers are heavily regulated and have a great deal of experience in keeping their customers’ money safe. Plus, they have the advantage of customer expectations. We want our bank accounts to be safe and so extra authentication methods that make any transaction slightly more difficult are acceptable—in fact, they’re often welcome.
A cybercriminal looking to steal money from bank accounts has their work cut out. It’s difficult to do and dangerous—any successful theft is likely to be followed by a forensic investigation. No bank wants to get a reputation as being a “soft touch”.
But what if there was something easier to hack? What if there were accounts that most people didn’t check every day, containing something just as valuable as money, that can be traded and exchanged for goods, but without the danger of stealing from a bank account? Loyalty points, especially travel points, have become a dark web currency. Accounts can be stolen, traded, and used to buy flights and hotel stays long before the original owner knows anything about it.
The problem is that we simply don’t treat loyalty points as being as valuable as money. We don’t demand the same level of security and therefore will not put up with the same level of inconvenience when accessing these accounts. Travel businesses have a choice. They can make these accounts as secure as possible, or risk business going elsewhere when a customer finds the login process too arduous.
The risks of a return to normal business
Hackers, like anyone else, take the route of least resistance. When certain sectors start to push back against their activity, they will look elsewhere for easy pickings. The travel industry, having been in the doldrums for most of the pandemic, has not been a prime target for hackers—there’s little value in a currency that cannot be used. But a return to normal trading will also mean a return to being a target for hackers.
A year can be a long time in hacking. That’s a whole year of leaked combo lists that are now available—lists of stolen usernames and passwords that can be checked for validity on other sites. The tendency for people to reuse passwords means that a criminal can buy a combo list and check these passwords for validity on other sites. This is an impossible task to do manually, but bots can make it simple. Hundreds of passwords can be checked every minute, making it possible to take over accounts and either drain them of loyalty points or sell them on.
The amounts held in these accounts are often much higher than many realise. Air Miles and similar accounts can be worth thousands or even tens of thousands of dollars, and it’s all up for grabs for those who know how. This often results in the travel business paying for the stolen points twice—the points are stolen and used by someone in exchange for expensive services, and the customer will often demand the points are refunded, or it may be prudent to do so in order to keep the customer’s loyalty.
How serious is this threat? On average, at least 50% of web traffic is generated by bots, and 9 out of 10 login attempts are made by malicious bots. Around 80% of travel businesses are worried that attacks on their business will harm their reputation and lead to losing customers. They could be right, but they may be looking for threats in the wrong place. Travel businesses need to take this threat as seriously as a bank would treat the theft of funds—protecting their loyalty schemes, their customers, and ultimately their profitability.
