Hackers Target Rewards Points

If you’ve been racking up rewards points and not using them, you might want to get to spending – cyber criminals are targeting rewards accounts and stealing hundreds of thousands of points at once in order to claim rewards for themselves, either to use or to sell.

Cyber crime is quickly becoming an epidemic, with even our largest social media platforms falling into the fray. But most people don’t realize that one of their biggest accounts online may be a target for hackers: their rewards points account. More and more, internet thieves are hacking into people’s accounts and stealing upwards of hundreds of thousands of reward points, with the intent to either claim the rewards for themselves or sell the rewards to someone else.

Nancy MacArthur, a Canadian resident, recently fell victim to this crime. She had 390,000 points stolen from a retail rewards account earlier this month; the points were used on retail purchases worth about $390.

“I felt totally victimized,” she told CBC News. “You take it personally. You think someone went in and targeted you.”

The truth is that hackers are just targeting the easiest way to get monetary rewards. Rewards program members often rack up thousands of points and don’t ever remember to use them. Combined with poor-quality passwords, that means those points are ripe for the picking.

“Bad guys generally are looking for the lowest hanging fruit and in a lot of ways, loyalty programs are just that,” Matt Schulz from credit card information site CreditCards.com told CBC News.

In Canada alone, reports show that consumers have about $16 billion worth of unclaimed rewards points.

5 Comments
tiharoa June 9, 2018

I also wonder how they manage to buy tickets or convert to other programs without being caught.

jrpallante June 7, 2018

I understand how hackers can gain access to an account, but I do not understand how they can actually utilize the points or miles. Whenever I spend any airline or hotel points, I immediately get a confirmation email. If I received a confirmation for an award reservation that I did not make, I would react immediately. If the hacker attempts to change my email address, or any other profile info, the airline/hotel again sends an email to my old address to verify that I actually made the change. Also, at least for airline awards, you must use a credit card to pay for the fees. AA requires that the credit card be in the name of the account holder, though most airlines are more flexible on that point. Finally, if somebody were to hack into one of my airline accounts and use my miles to book a ticket, it seems it would be easy to track down the offender, as their name (or a co-conspirator's name) would be on the ticket. Obviously criminals have methods that are unknown to me, but I am curious how they work around these most basic safeguards.

chrystinp March 29, 2018

I have an IHG account and you have to know my IHG number and my PIN. The only people who know my IHG number are IHG personnel. I've been cyber-banking and collecting points for a long, long time. Never, ever had an issue. One thing I do, though, is NOT sit on points. Over the years I've earned about 3.5 million miles on AA and now have about 350K. I just spent 100K on a first class ticket to HI, and a return in MCE. I also spent 40K for my spouse to have a seat in MCE. I am about to hit lifetime platinum status with Marriott (2 million points and 750+paid nights), currently have about 100K points, and have obtained at least a couple of months worth of hotel stays on my points. I've also accrued major point levels on IHG and Hilton Honors and now have about 100K each. Our week's vacation on HI is on IHG points. I don't understand why people sit on points. These programs can change benefits and/or go away entirely at any time the sponsor company determines they want to do something that improves their position. Points are NOT money in the bank. They should be spent fairly quickly.

Noctilum March 27, 2018

Additional security, such as two-factor authentication, should be required to spend any points. I worry about my IHG account, which uses only a 4-digit PIN instead of allowing a complex password, the most.

JackE March 27, 2018

The programs should let us irrevocably choose that points in our accounts can only be used for stays. That would pretty much fix things for those who make that election.