Cybercriminals are using bots to exploit a common security mistake that travelers make, cleaning out accounts that hold millions of dollars' worth of rewards.

Read the full story on Forbes: https://www.forbes.com/sites/jeremybogaisky/2024/06/28/airline-miles-hotel-points-hacking/#:~:text=Security%20experts%20say%20there's%20been,out%20attacks%2C%20enabling%20people%20without

Transcript
00:00 Today on Forbes, hackers are now coming for your airline miles and hotel points.
00:07 Most people don't check their hotel or airline points accounts very often.
00:11 That makes them a fat target for thieves.
00:15 Security experts say there's been a surge in hacking of hotel and airline loyalty accounts over the past year,
00:21 driven by two factors.
00:23 Better protections against credit card fraud means criminals are looking for easier targets.
00:28 And cybercrime rings have been selling tools to carry out attacks,
00:32 enabling people without coding skills to break into accounts.
00:36 Christopher Staab, co-founder of the Loyalty Security Alliance, a travel industry group,
00:42 said that the shift from credit card fraud to loyalty account takeovers has caught airlines, quote, flat-footed.
00:49 He said, quote, they don't have the tools, the processes, the people that understand this.
00:55 He added that airlines held initial meetings this past week of a new working group to coordinate a response.
01:02 Nick Lamming, a Singapore-based loyalty program consultant to airlines and retailers,
01:07 said that with billions of dollars in points flowing in and out of the mileage programs every year,
01:12 quote, they're essentially like bank accounts.
01:15 He added, however, that loyalty programs, quote, aren't compelled to protect these accounts like a bank.
01:23 Loyalty accounts have been hacked in lower volumes for years
01:26 through techniques like phishing and malware that steals passwords.
01:30 But now, cybercriminals are taking databases of login credentials exposed in website breaches
01:36 and using bots to test them en masse on airline and hotel loyalty accounts.
01:41 Kevin Gosschalk, founder and CEO of the cybersecurity firm Arkose Labs,
01:46 which protects companies against online fraud,
01:49 said that cybercriminals are taking advantage of one of the most common security mistakes people make online,
01:55 using the same password in multiple places.
01:58 Between the fourth quarter of 2023 and the first quarter of 2024,
02:02 bot attacks on airline accounts Arkose protects increased 166%, the company said.
02:10 The San Mateo, California-based company's customers include Singapore Airlines
02:14 and Japanese discount carrier ZipAir, as well as other airlines it said it can't disclose.
02:20 Staab, based on discussions with members of his industry group Loyalty Security Alliance,
02:25 estimates that there's been a 30% to 40% increase in accounts successfully hacked.
02:31 Gosschalk said that tools to carry out so-called credential stuffing attacks
02:35 are being sold by bad actors in Vietnam, China and Russia,
02:39 and they're offering tech support for buyers.
02:42 He said, quote,
02:52 Gosschalk said that cybercriminals using those tools are selling access to accounts they've compromised,
02:58 often through Telegram and WhatsApp groups, with the number of points listed.
03:03 Accounts are often priced at 80% of the value of the points or less.
03:07 Some offer guarantees that the buyer will have access for a minimum number of minutes.
03:11 If account security boots them out before then,
03:14 they'll get a similar value substitute or their money back.
03:18 The buyers cash out by redeeming the points as gift cards or by purchasing airline tickets.
03:23 Staab said that some of the hacked accounts are used to sell steeply discounted airline tickets
03:28 to the public on websites that look like legitimate travel agencies.
03:33 Loyalty accounts have become more valuable targets thanks to airlines' success
03:37 hawking co-branded credit cards that give customers air miles as a reward for using them.
03:42 The leader has been Delta Airlines,
03:44 which should earn about $7 billion from its American Express card partnership this year,
03:49 according to analysts at TD Cowen, up from $1 billion in 2009.
03:55 Roughly 70% of points earned by customers of Delta, American and United Airlines
04:00 now come from rewards from credit cards and other partners,
04:03 according to a report from IdeaWorks.
04:06 Hotel chains have also jumped on the credit card train.
04:09 But airline security measures haven't kept up.
04:12 Most hotel and airline chains don't require multi-factor authentication
04:16 because they're loath to add friction to the transaction process for customers.
04:21 For full coverage, check out Jeremy Bogaisky's piece on Forbes.com.
04:27 This is Kieran Meadows from Forbes. Thanks for tuning in.
