Check Out This Price List for Stolen Frequent Flyer Miles

Comparitech searched the darkweb to find out how much frequent flyer miles from hacked accounts are being sold for.

US dollar prices fluctuate wildly because miles are most often sold for cryptocurrency, and Bitcoin’s dollar value swings a great deal from one day to the next. Sadly the person selling the most miles has appropriated the name @UpInTheAir, taking from us that movie where George Clooney plays all of us as road warriors in search of padding his mileage account.

Delta SkyMiles and British Airways were the most frequent currencies for sale. Now we know where Delta’s rules requiring customers to ticket awards in person for travel within 72 hours from several countries come from. When you steal miles you need to use them right away, before the account holder catches on.

Comparitech looked only at airline miles; in past years when I’ve looked at this, hacked Hilton points were the most frequently listed currency for sale.

Here are the results from a survey of Berlusconi Market, Dream Market, and Olympus Market. Where they present more than one data point I average them for this chart. It’s important to note that these are asking prices. The people selling miles may or may not have a good idea of what they’re worth, and in some cases may be looking for a sucker (buying 500 Expedia points?).

Program              Miles        Price  Cost/Mile
AeroMexico         100,000      $884.00    $0.0088
Aeroplan           100,000      $884.00    $0.0088
Alaska              50,000       $95.11    $0.0019
Alitalia           100,000      $884.00    $0.0088
ANA                100,000      $884.00    $0.0088
Asia Miles         100,000      $884.00    $0.0088
British Airways  1,050,000    $1,438.00    $0.0014
Delta               92,000    $1,016.00    $0.0110
El Al              100,000      $884.00    $0.0088
Emirates           200,000    $1,404.00    $0.0070
Etihad             100,000      $884.00    $0.0088
Expedia                500        $8.18    $0.0164
Flying Blue        100,000      $884.00    $0.0088
Hawaiian           100,000      $884.00    $0.0088
Iberia             100,000      $884.00    $0.0088
Singapore          100,000      $884.00    $0.0088
JetBlue             70,000      $140.28    $0.0020
Virgin Atlantic    100,000      $884.00    $0.0088

Frequent flyer programs have teams in place to deal with fraud, but too often they fixate on members who play by the rules but ‘benefit too much’, calling that fraud rather than dealing with the big costs and risks. All you have to do is look at Air France KLM’s Flying Blue. Here’s what to do if your account is audited.

The single best protective measure against fraud is Award Wallet, the tool that lets you track your miles in one place and update your balances in a single click. That way you immediately see changes in your account balance which will alert you to fraud rather than checking in on an account perhaps once a month or less. I click the button at Award Wallet as one of my first tasks each morning.
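One concrete version of that daily check, added here as an illustration and not taken from the article or from Award Wallet: a small Python monitor that takes balance snapshots, compares consecutive snapshots per program, and flags any decrease that the account holder’s own redemption records do not explain. The snapshot data, the program names and dates, the KNOWN_REDEMPTIONS ledger and the function names are all constructed assumptions for the example.

```python
# Added example (not from the article, not Award Wallet's code): a minimal
# balance monitor. It compares consecutive balance snapshots per program and
# reports every drop that is not covered by a redemption you recorded yourself.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    program: str
    day: date
    balance: int


# Constructed sample data: daily balances for three hypothetical accounts.
SNAPSHOTS = [
    Snapshot("Delta SkyMiles", date(2018, 9, 1), 92_000),
    Snapshot("Delta SkyMiles", date(2018, 9, 2), 92_000),
    Snapshot("Delta SkyMiles", date(2018, 9, 3), 0),         # drained overnight
    Snapshot("British Airways", date(2018, 9, 1), 130_000),
    Snapshot("British Airways", date(2018, 9, 2), 105_000),  # our own redemption
    Snapshot("British Airways", date(2018, 9, 3), 105_000),
    Snapshot("Alaska", date(2018, 9, 1), 50_000),
    Snapshot("Alaska", date(2018, 9, 2), 51_500),            # new miles posted
]

# Redemptions the account holder made: (program, day) -> miles spent.
KNOWN_REDEMPTIONS = {("British Airways", date(2018, 9, 2)): 25_000}


def find_unexplained_drops(snapshots, known_redemptions):
    """Return (program, day, miles_missing) for every balance decrease that
    the account holder's own redemption records do not account for."""
    by_program = {}
    for s in sorted(snapshots, key=lambda s: (s.program, s.day)):
        by_program.setdefault(s.program, []).append(s)

    alerts = []
    for program, series in by_program.items():
        for prev, cur in zip(series, series[1:]):
            drop = prev.balance - cur.balance
            if drop <= 0:
                continue  # balance grew or held steady: nothing to flag
            explained = known_redemptions.get((program, cur.day), 0)
            if drop > explained:
                alerts.append((program, cur.day, drop - explained))
    return alerts


if __name__ == "__main__":
    for program, day, missing in find_unexplained_drops(SNAPSHOTS, KNOWN_REDEMPTIONS):
        print(f"ALERT {day}: {program} lost {missing:,} miles you did not redeem")
```

Run on the constructed data it reports only the Delta account: the British Airways drop matches the recorded redemption exactly, and the Alaska balance only increased. Feeding it real snapshots would mean exporting balances from wherever you track them; the point is that a daily diff surfaces a drained account the same morning rather than whenever you next happen to log in.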

Here are other things you can do to protect yourself:

  1. Don’t set your passwords to 12345

  2. Use a strong password for your laptop or other computing device. Then use a password manager, so that you only need to remember one strong password and let the machine remember it for various websites. You can enable two factor authentication for extra security.

  3. Use a strong password that you vary slightly by program. Say, “%&%aSBQS”, which you won’t ever forget because you use it over and over, followed by ‘spg’ for Starwood and ‘hilton’ for HHonors, etc.

    Now this won’t be hard to guess if someone were looking at your password and trying to modify it, but if they’re just running a list of email addresses and passwords in bulk against a given website it won’t work because your ‘strong password’ is different. On the other hand, that’s probably no better or different than just using the program name itself as your password (although guessable by an algorithm that’s testing common passwords).

  4. Your laptop or other device should be encrypted. Password protection isn’t enough because a hacker can bypass or replace the operating system.

Everyone says ‘use a different password for every website’ and ‘change your password frequently’, but the truth is that your passwords need to be manageable. At work I definitely don’t want employees writing down their network passwords, which is what they’ll do.

If hackers steal passwords from one site, odds are a majority of people are using the same password across multiple sites. So unique passwords matter, but use them for the accounts you are worried about; as I say, a middle-ground compromise is to take a complex password and modify it for each account, ideally in a non-obvious way.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.

Comments

  1. As good as AwardWallet is, it relies on having the full credentials to each account it is tasked with managing, meaning that any number of different passwords being in use becomes irrelevant and subject to the security posture of AwardWallet – the passwords need to be stored in a way that can be decrypted (which simply won’t fly in the vast majority of organisations).

    There are 2 issues here:

    1. Loyalty programs provide an all-or-nothing access mechanism. Providing a read-only endpoint that relies on OAuth2 for authentication and authorisation for services such as AwardWallet would make sites like AwardWallet faster potentially, whilst reducing the attack surface they present.
    2. Multi-factor authentication is trivial (SMS is not an example of this – it’s easily worked around). There is precisely zero reason for this to not be implemented by all loyalty programs.

  2. Notably absent from the list are AAdvantage miles, which the dark web has figured out, like everyone else, are essentially worthless.

  3. The easiest solution for airlines is to only allow reward tickets to be issued in a family name. This would make it a lot more difficult to sell points. If you want someone else accompanying you, just transfer points to their account.

  4. Juan,

    A growing proportion of even married couples don’t have all family members sharing the same family name in full. From the heightened likelihood of people maintaining their pre-marriage family name(s) to the higher proportion of family households that include children from previous relationships and so on, the idea that all members of a family share a particular name is rather culturally retrograde and parochial.

  5. Gary that is terrible password advice. Having a short password like that is just as trivial for today’s brute force attackers to guess as “password”.

    Likewise for common character substitutions like p4ssw0rd. It’s not fooling anyone and trivial to build into an attacking system.

    If you want security, use a pass phrase like “I like 3 airplanes!”. Password length is the best determining factor for how secure your password is, not silly substitutions or things people aren’t going to remember like &;@+$-spghotel. Bonus: passphrases are easy to remember and type.

  6. @Daniel – good catch. I clearly failed to finish my sentence – “trivial to implement” is what I was going for.

  7. Today’s real threat surface to the average Joe isn’t a brute-force password crack, but a malware or social engineering approach. This would necessitate building technology literacy in combination with “safe” processes to securely access sensitive information – we can’t innovate away ignorance.
