Loyalty fraud — and especially stealing miles from hacked accounts — has been a big issue for years.
- American AAdvantage has been hacked before.
- So has British Airways Executive Club.
- And Starwood. And every other program, too.
- Miles in large quantities are for sale on the Darknet.
- Russian hackers are stealing miles.
Frequently miles are used to buy gift cards which are immediately redeemed. They may be used to book close-in travel, the goal being to complete travel before anyone notices their account balance has been drained.
Programs have teams in place to deal with fraud, but too often they get fixated on members who play by the rules but ‘benefit too much’, calling that fraud rather than dealing with the big costs and risks. All you have to do is look at Air France KLM’s Flying Blue. Here’s what to do if your account is audited.
iolaire writes at Inside Flyer,
Today I noticed a 20k drop in my Amex Membership Rewards points when I ran a one-off update on AwardWallet! All were PAY AT PARTNER debits for Amazon, none show up on my Amazon.com account. Amex chat is looking into it.
Thanks to AwardWallet for showing the drop and also for showing the drop via the weekly email that will come at the end of the week.
The single best protective measure against fraud is AwardWallet, the tool that lets you track your miles in one place and update your balances in a single click. That way you see changes in your account balances immediately, which alerts you to fraud far sooner than checking in on an account perhaps once a month or less. I click the button at AwardWallet as one of my first tasks each morning.
Southwest, Delta, and United don’t allow AwardWallet to track account balances directly. That’s a shame. They treat the data as belonging to the airline, rather than the program member.
People don’t log into their accounts every day. People do click a single button to update all of their accounts, and do notice when they’re told that their balances have changed. Using AwardWallet means noticing fraud quickly, before the trail gets cold and often before there’s financial damage to the loyalty program.
Most programs are good about restoring member points right away. Some programs can be a hassle to deal with in these situations. From the stories I’ve been told, that’s my impression of IHG Rewards Club.
Here are a couple of additional strategies to consider.
- Some people prefer a strong password for their computer plus a password manager, so that they only need to remember one strong password and let the machine remember the passwords for the various websites. Then enable two-factor authentication for extra security.
- Others may like to use a strong password that varies slightly by program. Say, “%&%aSBQS” that you won’t ever forget because you use it over and over, followed by ‘spg’ for Starwood and ‘hilton’ for Honors, etc.
Now this won’t be hard to guess if someone is looking at your password and trying to modify it, but if they’re just running a list of email addresses and passwords in bulk against a given website it won’t work, because your ‘strong password’ is different on each site. On the other hand, that’s probably no better or different than just using the program name itself as your password (although the program name alone is guessable by an algorithm that’s testing common passwords).
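You can check this trade-off against your own password list. The Python below is an added example, not part of the original post: it audits a constructed vault and shows that the "base plus program name" scheme passes an exact-reuse check while still exposing one shared stem. The `marriott` and `bank` entries, the function names and the thresholds are assumptions made for illustration.

```python
from itertools import combinations
from os.path import commonprefix

# Constructed sample vault: site label -> password. The base string and the
# 'spg'/'hilton' suffixes come from the post; 'marriott' and 'bank' are
# constructed entries added for this example.
VAULT = {
    "spg": "%&%aSBQSspg",
    "hilton": "%&%aSBQShilton",
    "marriott": "%&%aSBQSmarriott",
    "bank": "T7#kq!vR2mZp",
}

def exact_reuse(vault):
    """Pairs of sites with identical passwords: the only thing a bulk replay
    of one leaked email/password pair against other sites can hit."""
    return sorted(tuple(sorted((a, b)))
                  for (a, pa), (b, pb) in combinations(vault.items(), 2)
                  if pa == pb)

def shared_stems(vault, min_len=6, min_ratio=0.5):
    """Group sites whose passwords share a long common prefix.
    min_len and min_ratio are assumed thresholds, not a standard."""
    groups = {}
    for (a, pa), (b, pb) in combinations(vault.items(), 2):
        stem = commonprefix([pa, pb])  # character-wise longest common prefix
        if len(stem) >= min_len and len(stem) >= min_ratio * min(len(pa), len(pb)):
            groups.setdefault(stem, set()).update((a, b))
    return {stem: sorted(sites) for stem, sites in groups.items()}

def suffix_is_site_name(vault, stem, sites):
    """True when whatever follows the stem is just the site label, meaning
    the part that varies carries no secret of its own."""
    return all(vault[s][len(stem):].lower() == s.lower() for s in sites)

if __name__ == "__main__":
    print("exact reuse:", exact_reuse(VAULT))
    for stem, sites in shared_stems(VAULT).items():
        print(f"shared stem of {len(stem)} chars across {sites};",
              "suffix equals site name:", suffix_is_site_name(VAULT, stem, sites))
```

An empty exact-reuse list alongside a flagged stem is the situation the paragraph above describes: safe from bulk replay, but one exposed password reveals the pattern for every other program.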
I still believe, though, that there’s no replacement for noticing quickly that an account has been drained, which is why AwardWallet is a loyalty program’s best friend.