US dollar prices fluctuate wildly because miles are most frequently sold in cryptocurrency. Bitcoin is worth a lot more or less on any given day. Sadly the person selling the most miles has appropriated the name @UpInTheAir, taking from us that movie where George Clooney plays all of us as road warriors in search of padding his mileage account.
Delta SkyMiles and British Airways were the most frequent currencies for sale. Now we know where Delta’s rules requiring customers to ticket awards in person for travel within 72 hours from several countries come from. When you steal miles you need to use them right away before the accountholder catches on.
Comparitech is looking at airline miles, because in past years when I’ve looked at this it was hard to beat the frequency of hacked Hilton points for sale.
Here are the results from a survey of Berlusconi Market, Dream Market, and Olympus Market. Where they present more than one data point I average them for this chart. It’s important to note that these are asking prices. The people selling miles may or may not have a good idea of what they’re worth, and in some cases may be looking for a sucker (buying 500 Expedia points?).
Frequent flyer programs have teams in place to deal with fraud but too often they get fixated on members playing by the rules but ‘benefiting too much’ and calling that fraud rather than dealing with the big costs and risks. All you have to do is look at Air France KLM’s Flying Blue. Here’s what to do if your account is audited.
The single best protective measure against fraud is Award Wallet, the tool that lets you track your miles in one place and update your balances in a single click. That way you immediately see changes in your account balance, which will alert you to fraud, rather than checking in on an account perhaps once a month or less. I click the button at Award Wallet as one of my first tasks each morning.
Here are other things you can do to protect yourself:
- Don’t set your passwords to 12345
- Use a strong password for your laptop or other computing device. Then use a password manager, so that you only need to remember one strong password and let the manager remember the passwords for your various websites. You can enable two-factor authentication for extra security.
- Use a strong password that you vary slightly by program. Say, ‘%&%aSBQS’ that you won’t ever forget because you use it over and over, followed by ‘spg’ for Starwood and ‘hilton’ for HHonors, etc.
  Now this won’t be hard to guess if someone were looking at your password and trying to modify it, but if they’re just running a list of email addresses and passwords in bulk against a given website it won’t work, because your ‘strong password’ is different on each site. On the other hand, that’s probably no better or different than just using the program name itself as your password (although that is guessable by an algorithm that’s testing common passwords).
- Your laptop or other device should be encrypted. Password protection isn’t enough because a hacker can bypass or replace the operating system.
Everyone says ‘use a different password for every website’ and ‘change your password frequently’, but the truth is that your passwords need to be manageable. At work I definitely don’t want employees writing down their network passwords, which is what they’ll do.
If hackers steal passwords from one site, odds are a majority of people are using the same password across multiple sites. So unique passwords matter, but use those for accounts you are worried about. As I say, a middle-ground compromise is to take a complex password and modify it for each account, though ideally in a non-obvious way.
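To check your own passwords against the trade-off described in the list above and in the closing paragraph, the following audit is an added example, not something from the original article. It flags exact reuse, passwords that are a shared base plus the site name, and passwords that merely share a base. The vault contents, the alias table and the `MIN_BASE` threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from os.path import commonprefix  # character-wise common prefix of strings

MIN_BASE = 6  # assumption: a shared prefix this long counts as a reused base

# Constructed sample vault built from the article's example base and suffixes.
SAMPLE_VAULT = {
    "starwood": "%&%aSBQSspg",
    "hilton": "%&%aSBQShilton",
    "delta": "%&%aSBQSdelta",
    "bank": "t7#Lq9vW!xR2mZ",
    "forum": "12345",
    "oldmail": "12345",
}
SAMPLE_ALIASES = {"starwood": ["spg"]}  # hypothetical short names per site


def find_shared_bases(vault):
    """Map each reused base to the sorted list of sites whose passwords start with it."""
    buckets = defaultdict(list)
    for site, pw in vault.items():
        buckets[pw[:MIN_BASE]].append(site)
    return {
        commonprefix([vault[s] for s in sites]): sorted(sites)
        for sites in buckets.values()
        if len(sites) > 1
    }


def audit(vault, aliases=None):
    """Label each site: unique, exact-reuse, base+site-name or shared-base."""
    aliases = aliases or {}
    counts = Counter(vault.values())
    findings = dict.fromkeys(vault, "unique")
    for base, sites in find_shared_bases(vault).items():
        for site in sites:
            pw = vault[site]
            names = [site.lower(), *(a.lower() for a in aliases.get(site, ()))]
            if counts[pw] > 1:
                # The same string works unchanged on another site.
                findings[site] = "exact-reuse"
            elif any(pw.lower().endswith(n)
                     and MIN_BASE <= len(pw) - len(n) <= len(base)
                     for n in names):
                # The only per-site part is the site's own name or alias.
                findings[site] = "base+site-name"
            else:
                findings[site] = "shared-base"
    return findings
```

Accounts labelled `exact-reuse` or `base+site-name` are the ones to move to unique, manager-generated passwords first.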