
Hackers Are Now Stealing Rewards Points for Lavish Vacations
Jackie Reddy

Cybersecurity firm Flashpoint says that rewards points make an all-too-tempting target for criminals looking to turn a profit.

No longer content with stealing bank account details or personal information, it seems that fraudsters are now angling for passengers’ travel rewards points. In a recent blog post, cybersecurity firm Flashpoint says that it has “observed Deep & Dark Web chatter pertaining to the exploitation of rewards points programs, especially those associated with travel.”

It adds that, “This chatter aligns with cybercriminals’ interest in fraudulent booking services for hotels, airline tickets, and car rentals—all of which have proliferated in various underground communities over the past several years.” Scammers, says the firm, are normally able to access passengers’ rewards points via an account that has been compromised.

As an additional advisory, Flashpoint explains that, “Cybercriminal abuse of rewards points has also been facilitated by the development of brute forcing software, which can be used to systematically check a large number of possible password combinations until the correct one is determined. After obtaining a user’s password through brute forcing, cybercriminals can potentially access any rewards points associated with the compromised accounts.”

Once they have access, criminals then steal rewards points and, in order to make money, set up bogus travel sites that offer deeply discounted hotels, flights and services.

These kinds of scams are known to be widespread among certain English-, Spanish- and Russian-speaking cybercriminals, but despite the authorities attempting to crack down on darknet vendor sites such as AlphaBay and Hansa, it is likely that this kind of illicit activity will continue.

Those looking to protect themselves, says Flashpoint, should practice what it calls “stringent password hygiene”. “Since brute forcing tools often used to access rewards points automatically test countless combinations of characters with the goal of identifying and entering the correct password, the difficulty of guessing a password increases exponentially along with its character length and complexity,” it advises.



  1. Asiaflyguy

    November 29, 2017 at 1:20 pm

    This is not new news, this has been going on for years

  2. UncleDude

    November 29, 2017 at 1:52 pm

    It's not the hackers that are the problem, it's airline management's constant devaluation and changes in rules etc. which is the real fraud.

  3. htb

    November 29, 2017 at 3:45 pm

    IHG really makes it easy: mandatory 4-digit numerical password, sometimes sent out in plain text in email communications.


  4. rovinmoses

    November 30, 2017 at 7:36 am

    My Amtrak account was hacked and 100,000 points were stolen to purchase a CVS gift card. Fortunately, Amtrak called to ask about ‘suspicious’ activity. They had already cancelled the transaction and proceeded to restore my points. I opted to keep the same account and created a new, stronger password.

  5. 1StRanger

    November 30, 2017 at 8:25 am

    One of the problems is that each airline and each hotel chain makes their own “home-grown” solutions for password schemes and requirements, instead of following the industry-wide de facto standards. (There is an ~1-y.o. thread on the UA forum here about UA’s stupid “fixed” set of answers to “secondary” questions for the 2-factor authentication.)

    There is research that tells what works better.
    Read, e.g., this digest about NIST’s recommendation (and the link therein):
    Smarter businesses listen to that (e.g. Google has recently changed their password requirements, seemingly in response to this NIST recommendation), while stone-age giants like AA, UA, Hilton, Marriott do not seem to.

  6. JackE

    December 1, 2017 at 9:43 pm

    This is trivially easy for airlines and hotels to protect against. Just create a log-in waiting period after 5 brute force attempts.

    If someone knocked on your door and misidentified himself, you wouldn’t wait for him to try it millions of times and then open the door when he finally got to a name you recognize.

  7. alben

    December 2, 2017 at 8:08 pm

    IHG only requires a 4-digit PIN to access the rewards account. No wonder the “my account was hacked and all points drained” threads are the most active in the IHG forum. IHG is negligent with their lack of account security.

  8. htb

    December 5, 2017 at 1:41 am

    @JackE: a waiting period doesn’t help with IHG’s four-digit PIN if you have a botnet. Each computer of yours tries two PINs of a given account per day. If you have 10000 bots in your net you will get two hits per day just by chance.
