Loyalty points abuse

data protection day

A return to normality for travellers will make them targets for hackers

Andy Still, CTO, Netacea

When are we returning to normal again? It’s hard to predict—and perhaps not advisable, given how many premature predictions of normality we’ve seen in the last year. At the time of writing the efficacy of vaccines is cause for hope, but the exact timeline for the reopening of borders and airlines flying again is unknown. One prediction, made by Tim Harford in the Financial Times, is that things will get better gradually, then suddenly. That is, we will get gradual good news for a long time, but the exact day, week, or month that we can say things are approaching normality will be incredibly difficult to predict.

One thing is for sure, once people are able to go on holiday, demand will be high. People will want the holidays that have been denied to them for so long. A struggling travel industry knows that it just needs to hold out until such time as restrictions are lifted—when the demand for vacations will be immense. But this also means that hackers, who have turned their attention away from the travel industry while it’s been quiet, will also be making plans.

Loyalty points as a dark web currency

Stealing from banks is not simple. Whether you’re going in through the front door to rob the safe, or trying to steal from customers’ accounts, security is tight. Financial services providers are heavily regulated and have a great deal of experience in keeping their customers’ money safe. Plus, they have the advantage of customer expectations. We want our bank accounts to be safe and so extra authentication methods that make any transaction slightly more difficult are acceptable—in fact, they’re often welcome.

A cybercriminal looking to steal money from bank accounts has their work cut out. It’s difficult to do and dangerous—any successful theft is likely to be followed by a forensic investigation. No bank wants to get a reputation as being a “soft touch”.

But what if there was something easier to hack? What if there were accounts that most people didn’t check every day, containing something just as valuable as money, that can be traded and exchanged for goods, but without the danger of stealing from a bank account? Loyalty points, especially travel points, have become a dark web currency. Accounts can be stolen, traded, and used to buy flights and hotel stays long before the original owner knows anything about it.

The problem is that we simply don’t treat loyalty points as being as valuable as money. We don’t demand the same level of security and therefore will not put up with the same level of inconvenience when accessing these accounts. Travel businesses have a choice. They can make these accounts as secure as possible, or risk business going elsewhere when a customer finds the login process too arduous.

The risks of a return to normal business

Hackers, like anyone else, take the route of least resistance. When certain sectors start to push back against their activity, they will look elsewhere for easy pickings. The travel industry, having been in the doldrums for most of the pandemic, has not been a prime target for hackers—there’s little value in a currency that cannot be used. But a return to normal trading will also mean a return to being a target for hackers.

A year can be a long time in hacking. That’s a whole year of leaked combo lists that are now available—lists of stolen usernames and passwords that can be checked for validity on other sites. The tendency for people to reuse passwords means that a criminal can buy a combo list and check these passwords for validity on other sites. This is an impossible task to do manually, but bots can make it simple. Hundreds of passwords can be checked every minute, making it possible to take over accounts and either drain them of loyalty points or sell them on.

The amounts held in these accounts are often much higher than many realise. Air Miles and similar accounts can be worth thousands or even tens of thousands of dollars, and it’s all up for grabs for those who know how. This often results in the travel business paying for the stolen points twice—the points are stolen and used by someone in exchange for expensive services, and the customer will often demand the points are refunded, or it may be prudent to do so in order to keep the customer’s loyalty.

How serious is this threat? On average, at least 50% of web traffic is generated by bots, and 9 out of 10 login attempts are made by malicious bots. Around 80% of travel businesses are worried that attacks on their business will harm their reputation and lead to losing customers. They could be right, but they may be looking for threats in the wrong place. Travel businesses need to take this threat as seriously as a bank would treat the theft of funds—protecting their loyalty schemes, their customers, and ultimately their profitability.

Listen to this article
Listen to
this article
Text to speech by Listencat
Text to speech
by Listencat
Loyalty Points, News, Loyalty points abuse

Matthew Hughes

Digital marketing lecturer, and previously creative director at Aurora Demand. A fan of all things marketing, tech and mindful.

2021, the year the business automation gap is closed?

Neil Redwood • 01st April 2021

Most businesses would agree that Covid brought heavy process and cost implications along with it. And select British industries like hospitality have suffered substantial blows to their bottom line over the last 12 months. But is 2021, the year the business automation gap closed?

Data and AI in Sport

Matthew Hughes • 17th February 2021

Data & AI increase in Sports The increased use and controversy of VAR in football has been the subject of much debate in recent times, however many athletes across all sports – and officials, have used artificial intelligence (AI) to improve their performance, in a number of different ways.