Cybercriminals are increasingly targeting hotel and airline loyalty accounts, taking advantage of the common security mistake of using the same password for multiple accounts. These criminals are using bots to test login credentials obtained from website breaches on loyalty accounts, leading to a surge in account takeovers. The shift from credit card fraud to loyalty account hacking has caught airlines off guard, as they lack the necessary tools, processes, and expertise to combat these attacks.
According to cybersecurity experts, the increase in loyalty account hacking is driven by the availability of tools sold by cybercrime rings in countries like Vietnam, China, and Russia. These tools make it easier for individuals without coding skills to carry out credential-stuffing attacks on accounts. Hackers are now selling access to compromised accounts, often through messaging platforms like Telegram and WhatsApp, at discounted prices. The buyers of these accounts cash out by redeeming points for gift cards or purchasing airline tickets, with some using the hacked accounts to sell discounted tickets to the public.
The value of loyalty accounts has risen due to airlines’ success in promoting co-branded credit cards that offer air miles as rewards. However, security measures for these accounts have not kept pace with the increased value, with most airlines and hotels failing to implement multi-factor authentication due to concerns about customer friction. This lack of security measures makes loyalty accounts an easier target for hackers, with airlines losing an estimated $1 billion annually to payment fraud. Security experts stress the importance of educating users to stop using the same passwords for multiple accounts to prevent account takeovers.
While airlines and hotels have been reluctant to disclose information on the increase in loyalty account hacking, there is growing concern behind the scenes. Some companies, like United Airlines, are taking steps to improve account authentication by moving away from security questions and exploring new forms of authentication. AI-enabled tools are also being utilized to detect anomalies and patterns in transactions to trigger alerts for potential fraudulent activity. Ultimately, cybersecurity experts believe that educating users on password security practices will have the greatest impact in preventing account takeovers and fraud.
The surge in loyalty account hacking serves as a gateway to more serious cybercrimes, according to experts. Hackers who start by targeting video game accounts or loyalty programs can escalate their criminal activities to money laundering, ransomware, and attacks on bank accounts. As cybercriminals continue to evolve their tactics, it is crucial for companies in the travel industry to enhance their security measures and educate customers on best practices for protecting their accounts.
