Hard on the heels of the news that airport hotspots are a favored hunting ground of cybercriminals comes this unsettling bulletin: frequent flier miles are a hot commodity among those same criminals.
Hackers have now started infiltrating frequent flier accounts and are selling stolen reward miles on the dark web, according to consumer and business credit reporting giant Experian and a report by Comparitech.
(Primer for the uninitiated: the dark web is a hidden network of websites where visitors use encryption and virtual private networks to remain anonymous. It's host to various black market sites that are known to sell illicit goods — including sensitive personal information like credit card and Social Security numbers — to unknown buyers using untraceable payments made through cryptocurrency.)
In general, hackers gain access to airline loyalty accounts through phishing scams and drain them of their points. Thieves can then either sell access to the account or transfer the points directly to another account. Payments are made by buyers using (no surprise) cryptocurrency.
Comparitech’s research into various marketplaces on the dark web is detailed here. It found the following:
“In Dream Market, one of the largest black markets on the dark web, a single vendor sells reward points from over a dozen different airline reward programs, including Emirates Skywards, SkyMiles and Asia Miles. Going by the handle @UpInTheAir, they sell a minimum of 100,000 points for the reward program of your choice, starting out at $884 as of time of writing (this was probably $1,000 originally, but Bitcoin price fluctuations caused it to go down).
Across all vendors and marketplaces, Delta SkyMiles and British Airways were the most commonly listed. Prices are not consistent across vendors and seem to be based more on the vendor’s preference than supply and demand.”
Comparitech’s article includes a comprehensive chart listing the goods available – and their costs. Note: you may be unsettled. You may be infuriated. Just be warned and be aware as well.
So why is it seemingly so easy to steal reward miles? Because it’s not something people generally check. Most individuals, for example, will check their bank balance and their credit card statement – and sometimes their credit score – to make sure all is well, but largely, consumers don’t think to check their frequent flier accounts for fraud. Consequently, it may be months before the theft is known.
Comparitech also gives advice on how to avoid having your frequent flier miles hijacked:
- Shred (not throw out, not recycle) your boarding pass after a flight.
- Don’t put your frequent flier number on your baggage tag (don’t shake your head; people do it all the time)
- Never post a photo of your boarding pass online (“Look! We’re on our way to the championships!”)
- Use a strong and unique password for your frequent flier account (this means not the same password you have on all your other accounts, or even any of your other accounts)
- Monitor your account for suspicious activity. If you’re a member of more than one award program, an app like AwardWallet can help you manage all your accounts in one place
- Avoid using public Wi-Fi to access your account
- If you must use airport Wi-Fi, protect yourself using the tips in this article
- Use Experian’s Dark Web Scanner to search illicit marketplaces for your phone number, e-mail address and Social Security Number (if any of those can be found, it’s likely your frequent flier miles can be too)
If you find your miles have been stolen, call your airline (and any other airline you have an account with). An it-happened-to-me story can be found here.
SDM will continue to report on this developing issue.