Cybercriminals are using bots to test compromised passwords, helping them clean out accounts that hold millions of dollars worth of rewards.
By Jeremy Bogaisky, Forbes Staff
Most people don’t check their hotel or airline points accounts very often. That makes them a fat target for thieves.
Security experts say there’s been a surge in hacking of hotel and airline loyalty accounts over the past year, driven by two factors: Better protections against credit card fraud mean criminals are looking for easier targets, and cybercrime rings have been selling tools to carry out attacks, enabling people without coding skills to break into accounts.
The shift from credit card fraud to loyalty account takeovers has caught airlines “flat-footed,” said Christopher Staab, cofounder of the Loyalty Security Alliance, a travel industry group. “They don’t have the tools, the processes, the people that understand this.” Airlines held initial meetings this week of a new working group to coordinate a response, he said.
With billions of dollars in points flowing in and out of mileage programs every year, “they’re essentially like bank accounts,” said Nik Laming, a Singapore-based loyalty program consultant to airlines and retailers. But loyalty programs “aren’t compelled to protect these accounts like a bank.”
Loyalty accounts have been hacked in lower volumes for years through techniques like phishing and malware that steals passwords. But now, cybercriminals are taking databases of login credentials exposed in website breaches and using bots to test them en masse on airline and hotel loyalty accounts. They’re taking advantage of one of the most common security mistakes people make online: using the same password in multiple places, said Kevin Gosschalk, founder and CEO of the cybersecurity firm Arkose Labs, which protects companies against online fraud.
Between the fourth quarter of 2023 and the first quarter of 2024, bot attacks on airline accounts Arkose protects increased 166%, the company said. The San Mateo, California-based company’s customers include Singapore Airlines and Japanese discount carrier Zipair, as well as other airlines it said it can’t disclose. (The two airlines did not respond to a comment request.)
There’s been a 30% to 40% increase in accounts successfully hacked, Staab estimates, based on discussions with members of his industry group.
Tools to carry out so-called credential-stuffing attacks are being sold by bad actors in Vietnam, China and Russia, said Gosschalk, and they’re offering tech support for buyers. “You don’t need to be a developer anymore,” said Gosschalk. “The accessibility to commit the crime has come way down thanks to this infrastructure now being available to make these attacks.”
Cybercriminals using those tools are selling access to accounts they’ve compromised, often through Telegram and WhatsApp groups, with the number of points listed. Accounts are often priced at 80% of the value of the points or less, said Gosschalk. Some offer guarantees that the buyer will have access for a minimum number of minutes. If account security boots them out before then, they’ll get a similar value substitute or their money back.
The buyers cash out by redeeming the points as gift cards or by purchasing airline tickets. Some of the hacked accounts are used to sell steeply discounted airline tickets to the public on websites that look like legitimate travel agencies, said Staab.
Roughly 1% of airline points redemptions are fraudulent, Staab estimates, with total losses amounting to about 3% when associated costs are included, including staff time and refunding of points to some customers. The International Airline Transport Association estimated in 2020 that the industry lost upward of $1 billion a year to payment fraud.
Staab thinks the total volume of fraud hasn’t risen, but has shifted from credit card fraud to account takeovers.
Loyalty accounts have become more valuable targets thanks to airlines’ success hawking co-branded credit cards that give customers air miles as a reward for using them. The leader has been Delta Air Lines, which should earn about $7 billion from its American Express card partnership this year, according to analysts at TD Cowen, up from $1 billion in 2009. Delta has 25 million active SkyMiles members. A spokesperson for Delta, Drake Castaneda, said he wasn’t aware of an uptick in hacked rewards accounts.
Roughly 70% of points earned by customers of Delta, American and United airlines now come from rewards from credit cards and other partners, according to a report from IdeaWorks. Hotel chains have also jumped on the credit card train.
But airlines’ security measures haven’t kept up: Most hotel chains and airlines don’t require multi-factor authentication because they’re loath to add friction to the transaction process for customers, Laming said.
That makes these accounts an easier target. Compared to hacking a bank account, there’s also a much lower risk of criminal charges, Staab said. One reason: it’s more difficult for prosecutors to connect large numbers of hacks to a single suspect, necessary to show a high enough dollar value loss to justify spending time on the case.
In a rare prosecution, in 2021, five men pled guilty in federal court in Texas to fraud charges over the theft of millions of airline miles from hacked accounts and the sale of tickets purchased with them.
This type of hacking can be a launchpad to more serious crimes, said Gosschalk. Arkose has tracked some hackers who got started in their teens taking over video game accounts to steal virtual currency, and then used the skills they developed to go after hotel and airline accounts.
“It’s a bit of a gateway drug in the sense that it’s a pretty easy crime to do,” said Gosschalk. Hackers can move on to money laundering, ransomware and credential-stuffing attacks on bank accounts.
Three hotel chains and four airlines contacted by Forbes declined to say whether they were experiencing an increase in hacking of loyalty accounts. But behind the scenes, Staab said there has been rising concern. Many hotels and airlines are biting the bullet and moving to require some form of multifactor authentication – for instance, in the case of redemptions of points above a certain value, Staab said.
United Airlines’ online security chief, Deneen DeFiore, said in a presentation at a conference last month that the airline was moving away from security questions, which, like passwords, have been leaked and are often reused, and is looking at new forms of account authentication entirely, according to Gosschalk.
DeFiore and United did not respond to questions from Forbes.
There are also AI-enabled tools coming into use that can detect anomalies and patterns in transactions and trigger alerts, said Laming.
Ultimately, educating people to stop recycling their passwords would have the greatest impact, he said.
“You can put all the controls you want in place, but if the member is using the same credentials … then it makes it very hard for you to combat it.”