
Hackers Are Now Stealing Rewards Points for Lavish Vacations

Cybersecurity firm Flashpoint says that rewards points make an all-too-tempting target for criminals looking to turn a profit.

No longer content with stealing bank account details or personal information, it seems that fraudsters are now angling for passengers’ travel rewards points. In a recent blog post, cybersecurity firm Flashpoint says that it has “observed Deep & Dark Web chatter pertaining to the exploitation of rewards points programs, especially those associated with travel.”

It adds that, “This chatter aligns with cybercriminals’ interest in fraudulent booking services for hotels, airline tickets, and car rentals—all of which have proliferated in various underground communities over the past several years.” Scammers, says the firm, are normally able to access passengers’ rewards points via an account that has been compromised.

As an additional advisory, Flashpoint explains that, “Cybercriminal abuse of rewards points has also been facilitated by the development of brute forcing software, which can be used to systematically check a large number of possible password combinations until the correct one is determined. After obtaining a user’s password through brute forcing, cybercriminals can potentially access any rewards points associated with the compromised accounts.”

Once they have access, criminals then steal rewards points and, in order to make money, set up bogus travel sites that offer deeply discounted hotels, flights and services.

These kinds of scams are known to be widespread among certain English, Spanish and Russian-speaking cybercriminals, but despite the authorities attempting to crack down on darknet vendor sites such as Alphabay and Hansa, it is likely that this kind of illicit activity will continue.

Those looking to protect themselves, says Flashpoint, should practice what it calls “stringent password hygiene”. “Since brute forcing tools often used to access rewards points automatically test countless combinations of characters with the goal of identifying and entering the correct password, the difficulty of guessing a password increases exponentially along with its character length and complexity,” it advises.

8 Comments
htb December 5, 2017

@JackE: a waiting period doesn't help with IHG's four-digit PIN if you have a botnet. Each computer of yours tries two PINs of a given account per day. If you have 10000 bots in your net, you will get two hits per day just by chance.

alben December 3, 2017

IHG only requires a 4-digit PIN to access the rewards account. No wonder the "my account was hacked and all points drained" threads are the most active in the IHG forum. IHG is negligent with their lack of account security.

JackE December 2, 2017

This is trivially easy for airlines and hotels to protect against. Just create a log-in waiting period after 5 brute force attempts. If someone knocked on your door and misidentified himself, you wouldn't wait for him to try it millions of times and then open the door when he finally got to a name you recognize.
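Added example, not code from the article, from Flashpoint or from any commenter: a login throttle that can be keyed either per source address or per account, plus a simulation of the case htb raises (many sources each sending a couple of guesses at one account) to show why the waiting period JackE proposes has to be counted per account. The threshold of 5 follows JackE's comment; the doubling delay, the cap and all names are assumptions.

```python
# Added example (not the article's, Flashpoint's or any commenter's code).
# Threshold of 5 follows JackE's comment; doubling delay and cap are assumed.
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5      # free failures before the first delay
BASE_DELAY = 60            # seconds; doubles with every further failure
MAX_DELAY = 24 * 3600      # cap so a real user is never delayed more than a day
PIN_SPACE = 10 ** 4        # size of a four-digit PIN keyspace (alben's comment)


@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Counts failed logins under a key and enforces an exponential delay."""

    def __init__(self, per_account=True):
        self.per_account = per_account   # key on account (True) or source (False)
        self._states = {}

    def _key(self, account, source):
        return account if self.per_account else source

    def try_login(self, account, source, now, correct=False):
        """Return True if the attempt is admitted; False while the key is delayed.
        A correct password during the delay is also refused (that is the lockout)."""
        st = self._states.setdefault(self._key(account, source), _State())
        if now < st.locked_until:
            return False
        if correct:
            st.failures, st.locked_until = 0, 0.0   # success clears the counter
            return True
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            backoff = BASE_DELAY * 2 ** (st.failures - LOCKOUT_THRESHOLD)
            st.locked_until = now + min(backoff, MAX_DELAY)
        return True


def admitted_per_day(per_account, sources=10000, tries_each=2, day=86400.0):
    """Wrong guesses at one account that get through in a day when `sources`
    distinct addresses each send `tries_each` guesses, evenly spread (constructed)."""
    throttle = LoginThrottle(per_account=per_account)
    total, admitted = sources * tries_each, 0
    for i in range(total):
        now = day * i / total
        if throttle.try_login("victim", f"src{i % sources}", now):
            admitted += 1
    return admitted
```

Keyed per source, every one of the 20,000 guesses is admitted because no source ever reaches the threshold, which is more than a four-digit PIN keyspace; keyed per account, the same day admits 15.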

1StRanger November 30, 2017

One of the problems is that each airline and each hotel chain makes their own "home-grown" solutions for password schemes and requirements, instead of following the industry-wide de facto standards. (There is an ~1-y.o. thread on UA forum here about UA's stupid "fixed" set of answers to "secondary" questions for the 2-factor authentication https://www.flyertalk.com/forum/united-airlines-mileageplus/1745669-ua-initiates-mileageplus-account-security-update-new-2-factor-authentication-added-3.html.) There is research that tells what works better. Read, e.g., this digest about NIST's recommendation (and the link therein): https://spectrum.ieee.org/tech-talk/telecom/security/qa-paul-grassi-of-nist-on-what-makes-a-strong-password Smarter businesses listen to that (e.g. Google has recently changed their password requirements, seemingly in response to this NIST recommendation), while stone-edge giants like AA, UA, Hilton, Marriott do not seem to.

R
rovinmoses November 30, 2017

My Amtrak account was hacked and 100,000 points were stolen to purchase a CVS gift card. Fortunately, Amtrak called to ask about 'suspicious' activity. They had already cancelled the transaction and proceeded to restore my points. I opted to keep the same account and created a new, stronger password.