The Washington Post is reporting on Russian hackers stealing frequent flyer miles from British members. No doubt they’re interested in this story because Russia! Hacking! Elections!
Russian scammers have been living it up at posh resorts by purchasing reward points and air miles that had been lifted from British customers’ hacked accounts and then sold on the dark Web. The problem has become so widespread that an unidentified U.S. bank has “quietly blocked” the purchase of flights in Russia with the banks’ reward points…the scheme is also effective because, rather than using stolen credit card data to buy a flight, the thieves tap reward points because their theft might not be noticed right away by a card’s owner
In fact, Delta has imposed restrictions on booking awards originating in Russia (as well as China and Africa), requiring that tickets issued for travel within 72 hours be handled at the airport in person. A lot of fraud, by the way, originates in China.
Loyalty fraud — and especially stealing miles from hacked accounts — has been a big issue for years.
Airlines will often restrict redeeming miles for travel from these areas, or redeeming points at hotels in these places, in order to slow down or stop last-minute activity in particular, which is much more likely to be fraudulent: a thief wants to complete the redemption before anyone notices.
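The Delta rule described above (awards from certain origins, departing within 72 hours, are held for in-person handling) is a simple, narrow risk rule. The Python below is an added example of how such a rule can be expressed and tested; it is not Delta's code or any loyalty program's logic. The region tags, the 72-hour window, and the sample bookings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed for this example: region tags the rule treats as high-risk
# origins, modelled on the Russia / China / Africa restriction above.
RESTRICTED_ORIGINS = {"RU", "CN", "AFRICA"}
# Awards departing within this window count as last-minute.
LAST_MINUTE_WINDOW = timedelta(hours=72)


@dataclass
class AwardBooking:
    account_id: str
    origin_region: str    # ISO country code, or a region tag such as "AFRICA"
    booked_at: datetime   # when the redemption was requested
    departs_at: datetime  # scheduled departure of the first segment


def hours_until_departure(booking: AwardBooking) -> float:
    return (booking.departs_at - booking.booked_at).total_seconds() / 3600


def redemption_decision(booking: AwardBooking) -> dict:
    """Decide whether an award can be ticketed online ("issue") or must be
    completed at the airport in person ("hold"), and say why.

    The hold is deliberately narrow: only the combination of a restricted
    origin AND a last-minute departure triggers it, so ordinary advance
    bookings from those regions are unaffected.
    """
    reasons = []
    lead_time = booking.departs_at - booking.booked_at
    if lead_time < timedelta(0):
        # Bad input rather than fraud, but never ticket it automatically.
        reasons.append("departure time precedes booking time")
    elif booking.origin_region in RESTRICTED_ORIGINS and lead_time <= LAST_MINUTE_WINDOW:
        reasons.append(
            f"last-minute award ({hours_until_departure(booking):.0f}h lead time) "
            f"from restricted origin {booking.origin_region}"
        )
    return {"action": "hold" if reasons else "issue", "reasons": reasons}


if __name__ == "__main__":
    booked = datetime(2017, 1, 10, 9, 0)
    # Constructed sample: a Russian departure 21 hours after booking.
    rush = AwardBooking("acct-001", "RU", booked, datetime(2017, 1, 11, 6, 0))
    # Same origin, but ten days out: no hold.
    planned = AwardBooking("acct-001", "RU", booked, datetime(2017, 1, 20, 6, 0))
    for b in (rush, planned):
        print(b.origin_region, redemption_decision(b))
```

The decision returns its reasons alongside the action so the hold can be explained to the member and logged for the fraud team, rather than surfacing as an unexplained failure.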
Frequent flyer programs have teams in place to deal with fraud, but too often they get fixated on members who play by the rules yet ‘benefit too much’, calling that fraud rather than dealing with the big costs and risks. All you have to do is look at Air France KLM’s Flying Blue. Here’s what to do if your account is audited.
Incidentally this is why I say the single best protective measure against fraud is Award Wallet, the tool that lets you track your miles in one place and update your balances in a single click. That way you immediately see changes in your account balance which will alert you to fraud rather than checking in on an account perhaps once a month or less. I click the button at Award Wallet as one of my first tasks each morning.
Here’s how to protect yourself:
- Don’t set your passwords to 12345
- Use a strong password for your laptop or other computing device. Then use a password manager, so that you only need to remember one strong password and let the machine remember the rest for the various websites. You can enable two-factor authentication for extra security.
- Use a strong password that you vary slightly by program. Say, “%&%aSBQS” that you won’t ever forget because you use it over and over, followed by ‘spg’ for Starwood and ‘hilton’ for Hilton HHonors, etc.
Now this won’t be hard to guess if someone is looking at your password and trying to modify it, but if they’re just running a list of email addresses and passwords in bulk against a given website it won’t work, because your ‘strong password’ is different for each site. On the other hand, that’s probably no better or different than just using the program name itself as your password (although that is guessable by an algorithm that’s testing common passwords).
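The bulk replay of leaked email/password pairs described above is visible on the defending side as one source trying many different usernames in a short span, most of them failing. The Python below is an added example, not code from this post or from any loyalty program, of a sliding-window check over a constructed login log. The log line format, the 203.0.113.5 and 198.51.100.7 addresses, and the example.com accounts are all constructed for illustration; a real program would adapt the parser to its own authentication logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source walks a list of different accounts (stuffing);
# a second source retries a single account, which is a different pattern
# (a member mistyping, or a single-account guessing attempt) and is not flagged here.
SAMPLE_LOG = """\
2017-01-10T09:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2017-01-10T09:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2017-01-10T09:00:03Z src=203.0.113.5 user=carol@example.com result=FAIL
2017-01-10T09:00:04Z src=203.0.113.5 user=dave@example.com result=OK
2017-01-10T09:00:05Z src=203.0.113.5 user=erin@example.com result=FAIL
2017-01-10T09:00:06Z src=203.0.113.5 user=frank@example.com result=FAIL
2017-01-10T09:01:00Z src=198.51.100.7 user=gary@example.com result=FAIL
2017-01-10T09:01:30Z src=198.51.100.7 user=gary@example.com result=FAIL
2017-01-10T09:02:00Z src=198.51.100.7 user=gary@example.com result=OK
"""


def parse_line(line: str):
    """Return a dict for a well-formed event, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag a source once it has tried at least `min_distinct_users` different
    usernames within `window`. Each alert also lists the accounts that logged
    in successfully during that run: those are the ones to step up (forced
    re-authentication, password reset, 2FA prompt), because a correct guess
    looks exactly like a normal login on its own.
    """
    recent = defaultdict(deque)  # src -> events inside the sliding window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append(ev)
        # Drop events older than the window (q is never empty here: ev is in it).
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        users = {e["user"] for e in q}
        if len(users) >= min_distinct_users and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "window_start": q[0]["ts"].isoformat(),
                "distinct_users": len(users),
                "successes": sorted(e["user"] for e in q if e["result"] == "OK"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on distinct usernames per source, rather than on failures per account, is what separates credential stuffing from a single member mistyping their password; the thresholds here are small so the constructed sample trips them, and would be tuned against real traffic.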
- Your laptop or other device should be encrypted. Password protection isn’t enough because a hacker can bypass or replace the operating system.
- Use Award Wallet to track your accounts to make it easy to track your miles daily, so you notice right away when anything is amiss.
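The point of checking balances daily is to catch a drop you did not cause. The Python below is an added example of that comparison, not Award Wallet's code or any program's API: it takes two daily snapshots of balances (constructed sample values), subtracts the redemptions the member knows they made, and reports anything left over, plus any program that stopped reporting a balance at all. The `Snapshot` and `Redemption` types and the program names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Snapshot:
    """Balances pulled on one day: program name -> points or miles."""
    date: str
    balances: dict


@dataclass
class Redemption:
    """A redemption the member knows they made (constructed input for this example)."""
    program: str
    points: int


def diff_balances(previous: Snapshot, current: Snapshot, known=()):
    """Compare two daily snapshots and return alerts for anything a member
    would want to look at immediately: a balance that fell by more than the
    redemptions they made themselves, or a program that disappeared from the
    pull (a changed password or a locked account are common reasons)."""
    explained = defaultdict(int)
    for r in known:
        explained[r.program] += r.points

    alerts = []
    for program, old in previous.balances.items():
        new = current.balances.get(program)
        if new is None:
            alerts.append({"program": program, "kind": "missing", "old": old, "new": None})
            continue
        # An increase gives a negative drop and is never flagged.
        unexplained = (old - new) - explained[program]
        if unexplained > 0:
            alerts.append({"program": program, "kind": "unexplained_decrease",
                           "old": old, "new": new, "unexplained": unexplained})
    return alerts


if __name__ == "__main__":
    # Constructed sample: Hilton fell by 60,000 but only 20,000 was the member's
    # own redemption; Delta stopped reporting; SPG went up.
    yesterday = Snapshot("2017-01-09", {"spg": 50000, "hilton": 120000, "delta": 80000})
    today = Snapshot("2017-01-10", {"spg": 52000, "hilton": 60000})
    for alert in diff_balances(yesterday, today, known=[Redemption("hilton", 20000)]):
        print(alert)
```

Run once a day against the previous day's pull, this turns "glance at the balances" into a check that only speaks up when something needs attention, which is the behaviour that makes daily monitoring stick.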