A couple of times this year, Reddit has blown up with posts from customers in airline loyalty programs who claimed their accounts had been hacked. Either their points were gone, or their airline-related credit cards were charged, or both.
Many of the flights had already happened. Others hadn’t.
This is loyalty program fraud at scale — followed by attempts by fraudsters to bury airline confirmations by sending hundreds of subscription-bombing emails to the account holder. One account holder says he counted 300.
“I logged in today to find that about 10 people who I had never heard of were flying to Florida round trip this week under my account and had used my points and card to do so…” wrote one Reddit user. “I am not sure what the scam is here…Why book a flight a week before and not the day of if you are hoping to jump on a plane before the account holder notices? If these aren’t real people who were never actually going to travel, how do the scammers get the money in their pocket?”
What is Loyalty Program Fraud?
Scammers don’t plan to get on a plane. The goal is to convert those points to cash, airline tickets or products and sell them on the dark web. Points are currency, just like credit cards.
In big data breaches, millions of usernames and passwords are stolen and run through loyalty programs of airlines, hotels and other merchants. Users don’t usually create unique and difficult passwords for loyalty accounts, and often use the same password across several accounts. This helps hackers.
Organized crime rings take the accounts they successfully invade and sell them on the dark web. Then the lower-level fraudsters buy them and proceed to cash them out.
Even loyalty accounts with few airline points are usable, because hackers can pool them into one account to amass hundreds of thousands of points. The bonus from these hacks is the trove of personal data.
“And from there they can do something perhaps more malicious,” said Jeff Wixted, Signifyd’s product lead for travel. “The bad guys can monetize this really, really fast.”
An old practice with new technology
Loyalty program fraud isn’t new: in 2018 Marriott disclosed that attackers had stolen the personal data of 350 million customers of its Starwood hotels. But it has become more widespread and more sophisticated.
In May, Amtrak’s Guest Rewards accounts were hacked and extensive customer data was stolen, including birth dates, payment details and information about transactions and trips. Hackers took over some accounts and changed emails and passwords to lock out the legitimate owners.
Even grocery store loyalty reward programs aren’t immune to hackers, who are probably seeking personal data and not coupons. One customer did complain on Reddit that a hacker actually stole $28 in coupons, to which a user posted, “It’s grocery store rewards points. Make another account and get on with your life.”
What types of loyalty/rewards programs are most susceptible to fraud?
Airline Loyalty Programs are Prime Targets
It’s ironic: for all the identification fliers must provide when booking a flight and again at the airport, very little is required to log in to the mileage account that pays for the ticket. Airline mileage accounts are the most targeted accounts in loyalty program fraud.
Airline travel this year has increased to 2019 levels, a time before the pandemic disrupted the industry, according to the International Air Transport Association (IATA). And this summer, airlines expected more than 271 million passengers worldwide to travel, an increase of 6% from last year.
On July 7 alone, more than 3 million travelers were screened at U.S. airports. So fraudsters are busy. They have kept in step with the intricate advances in technology. It’s the airlines that are behind. Some airlines don’t require more than a username and password to log in to a loyalty account, and that security lapse provides an open invitation for hackers.
Airlines need to step it up
One airline’s account holders say they were alerted to a possible hacking problem this year when they received an email from the airline stating that a two-factor authentication (2FA) requirement had been applied to their accounts. 2FA is a login process that demands a second proof of identity beyond the password, typically a one-time code sent to the account holder’s phone or generated by an authenticator app, similar to what many banks use.
“And that was how essentially they tried to stop this problem with a blanket solution,” Wixted said. “…I think that approach is an overreaction by an airline or hotel, or whoever the provider is, because it’s like, ‘Oh my God, I’m being attacked. I have to take this 180 degrees and stop it.’ Because many airlines don’t have the tools or the ability to mitigate it.”
Authentication security measures are not foolproof either. Whether airlines are using 2FA or even requiring more factors to authenticate, hackers are already finding their way through: a one-time code delivered by SMS or email can be phished in real time by a fake login page that relays it to the airline, or captured outright by a SIM swap on the victim’s phone number.
The process of catching these bad actors requires deep insight into the identity and intent behind every transaction. And airlines don’t have that, Wixted says, with legacy or rules-based techniques. That kind of insight takes machine learning that can adapt.
Signifyd’s Commerce Protection Platform monitors account takeover trends across its Commerce Network to derail the attacks. It relies on valuable signals when an account is accessed, such as device ID, IP address, speed of checkout, time of day, successive purchase patterns and order value. Then it compares this data to signals present in a consumer’s other transactions across the network to detect anomalies.
Last year, U.S. airlines spent $7.4 billion on technology, including website and mobile app development. But fraud prevention experts say they need to do more.
“Airlines need to recognize — and are starting to look at — who is creating these loyalty accounts; where the account was created and what device was used,” Wixted said. “Was the information typed in or did they cut and paste it onto the form when it asks for name and address? Did they use autofill? And the second aspect of this is, who is logging in?”
If an account is created using autofill, that’s a positive sign: the browser or device already holds this person’s name and address, which indicates the device recognizes the person. A cut-and-paste job is more suspicious, because the details came from somewhere else, such as a list of stolen identities. With machine learning, if the login method or characteristics differ from that customer’s normal pattern, the airline can step up authentication and require a second factor on that login attempt alone, rather than on every customer. It’s all about finding out who is creating or accessing the account.
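The three ideas above, the credential-stuffing pattern of stolen username and password pairs being replayed against loyalty logins, the per-login signals (device ID, IP address, time of day, how the credentials were entered), and the decision to step up to a second factor only when a login departs from the account’s normal pattern, are shown together in the following example. It is added here and is not Signifyd’s code or any airline’s; the event fields, weights, thresholds and sample logins are illustrative assumptions, and the sample data is constructed.

```python
"""Login risk scoring for loyalty accounts (added example, not Signifyd code).

Assumes each login event carries the signals the article lists and that a
per-account baseline of known devices, IPs and usual login hours exists.
Field names, weights and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    username: str
    ip: str
    device_id: str
    entry_method: str  # "autofill", "typed" or "paste" (assumed client signal)
    hour: int          # local hour of day, 0-23
    success: bool


@dataclass(frozen=True)
class AccountBaseline:
    known_devices: frozenset
    known_ips: frozenset
    usual_hours: frozenset


# Constructed sample: one IP tries six different usernames (the stuffing
# signature), then succeeds on alice's account from a device she never used.
STUFFING_IP = "203.0.113.7"
SAMPLE_EVENTS = [
    LoginEvent(f"user{i}", STUFFING_IP, "dev-x1", "paste", 3, False)
    for i in range(6)
] + [
    LoginEvent("alice", "198.51.100.4", "dev-alice-phone", "autofill", 19, True),
    LoginEvent("alice", STUFFING_IP, "dev-x1", "paste", 3, True),
]

ALICE = AccountBaseline(
    known_devices=frozenset({"dev-alice-phone", "dev-alice-laptop"}),
    known_ips=frozenset({"198.51.100.4"}),
    usual_hours=frozenset(range(7, 23)),
)

STEP_UP_AT = 25   # require a second factor
BLOCK_AT = 50     # refuse the login outright


def stuffing_ips(events, min_distinct_users=5):
    """IPs that attempted many distinct usernames: credential stuffing."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e.ip].add(e.username)
    return {ip for ip, users in users_by_ip.items()
            if len(users) >= min_distinct_users}


def score_login(event, baseline, suspicious_ips):
    """Additive risk score and the reasons, relative to the account baseline."""
    score, reasons = 0, []
    if event.ip in suspicious_ips:
        score += 50
        reasons.append("ip matches credential-stuffing pattern")
    new_device = event.device_id not in baseline.known_devices
    if new_device:
        score += 20
        reasons.append("unknown device")
    if event.ip not in baseline.known_ips:
        score += 10
        reasons.append("unknown ip")
    if event.entry_method == "paste":
        score += 10
        reasons.append("credentials pasted")
    elif event.entry_method == "autofill" and not new_device:
        score -= 10          # the device already knows this person
        reasons.append("autofill on known device")
    if event.hour not in baseline.usual_hours:
        score += 10
        reasons.append("unusual hour")
    return score, reasons


def decide(score):
    """Map a score to allow / step_up (second factor) / block."""
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def triage(events, baselines):
    """Decision per login for every account that has a baseline."""
    bad_ips = stuffing_ips(events)
    rows = []
    for e in events:
        if e.username in baselines:
            score, reasons = score_login(e, baselines[e.username], bad_ips)
            rows.append((e.username, e.ip, decide(score), score, reasons))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, {"alice": ALICE}):
        print(row)
```

Alice’s usual login from her phone scores below the step-up line and passes without friction; the same account reached from the stuffing IP on an unknown device, with pasted credentials at 3 a.m., is blocked; a genuinely new tablet on an unknown network lands in between and gets the second factor. That is the selective friction the article argues for, as opposed to a blanket 2FA mandate.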
“Fraudsters know you are looking for specific behaviors and what they do is increasingly resembling legitimate clients,” said Carlos Madrona, Mango’s managing payments method and fraud director.
“If you only know what a shopper does within your business, you are missing a part of the movie. And to see the full movie, machine learning tools and agile providers like Signifyd constantly monitoring this data is key.”
Sleepy accounts are ripe targets for loyalty fraud
U.S. consumers belong to 16.6 loyalty programs on average, but actively use a little less than half of them, according to a 2022 survey. Those ignored accounts are prime for account takeover by fraudsters, who had a heyday during the pandemic when most consumers weren’t going anywhere except to maybe a grocery store pick-up parking space.
Bad actors had a lot of time on their hands to infiltrate. And even if accounts had little money or few points to steal, they got a lot of personal information.
In 2020, a European aviation investigation team alerted 30 airlines that it had discovered 15,493 passenger loyalty accounts worth nearly $500,000 for sale on the dark web. Meanwhile, the International Air Transport Association (IATA) estimated the overall market value of unredeemed miles was $238 billion, according to Gulf Times.
But another big win for fraudsters is the accounts of long-time loyal customers, because merchants generally want to please those customers by making exceptions rather than saddling them with a lot of rules. In a 2022 survey, seven of 10 U.S. consumers said that loyalty toward their favorite brands is a top reason they sign up for programs. Fraudsters try to play off that mutual bond of loyalty.
“An interesting scam now is for a fraudster to get unauthorized access to a trusted account and purchase a refundable ticket using the account holder’s card on file. Next, they will make a small ancillary purchase – a seat upgrade, checked baggage, or similar using a debit card in their name,” Wixted said. “Then, shortly thereafter they go to the airline and cancel it. And they’ll social engineer this over the telephone with an agent to say, ‘Can you just credit the entire value of this ticket back to my debit card?’”
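The scam Wixted describes works only if the agent refunds the whole ticket to the instrument that paid for the small ancillary. The following is an added example, not Signifyd’s or any airline’s code, of the check that closes that gap: every refund goes back to the instrument that paid, capped at what that instrument paid, and a mixed-tender booking with a third-party card or a quick cancellation by phone is held for review instead of being refunded on the call. It assumes the booking system stores a tokenised reference and the cardholder name for each payment; the bookings and requests below are constructed to mirror the scenario in the quote.

```python
"""Refund-routing check for the mixed-tender cancellation scam.

Added example, not Signifyd's or any airline's code. Assumes each payment
on a booking is stored with a tokenised instrument reference and the name
on the card. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Payment:
    instrument: str    # tokenised card reference (assumed field)
    holder_name: str   # name on the card (assumed field)
    amount: float
    purpose: str       # "fare", "seat", "bag", ...


@dataclass(frozen=True)
class Booking:
    pnr: str
    account_holder: str
    booked_at: datetime
    payments: tuple    # fare first, then ancillaries


@dataclass(frozen=True)
class RefundRequest:
    pnr: str
    requested_at: datetime
    destination: str   # instrument the caller wants the money sent to
    amount: float
    channel: str       # "web", "app" or "phone"


QUICK_CANCEL = timedelta(hours=48)


def evaluate_refund(booking, req):
    """Return (decision, reasons, plan).

    plan maps the instrument to the amount refunded; a refund is only
    auto-approved when the money goes back exactly where it came from.
    """
    reasons = []
    paid = {}
    for p in booking.payments:
        paid[p.instrument] = paid.get(p.instrument, 0.0) + p.amount

    # Rule 1: refund only to an original tender, and never more than it paid.
    if req.destination not in paid:
        reasons.append("destination is not an original tender")
    elif req.amount > paid[req.destination] + 0.005:
        reasons.append("requested more than that instrument paid")

    # Rule 2: an ancillary paid with a card in someone else's name is the
    # fingerprint of the scam (fare on the card on file, add-on on the
    # fraudster's own debit card).
    fare_instrument = booking.payments[0].instrument
    for p in booking.payments[1:]:
        if p.instrument != fare_instrument and p.holder_name != booking.account_holder:
            reasons.append(f"{p.purpose} paid with third-party card ({p.holder_name})")

    # Rule 3: mixed tender plus a fast cancellation or a phone request is
    # exactly the social-engineering path; route it to a human with context.
    mixed = len(paid) > 1
    if mixed and req.requested_at - booking.booked_at < QUICK_CANCEL:
        reasons.append("mixed tender cancelled within 48h of booking")
    if mixed and req.channel == "phone":
        reasons.append("mixed tender refund requested by phone")

    if reasons:
        return "hold_for_review", reasons, {}
    return "refund_to_original_tender", [], {req.destination: req.amount}


# Constructed scenario from the article: refundable fare on the account
# holder's card on file, a seat upgrade on a debit card in another name,
# then a phone call asking for the whole amount back to the debit card.
SCAM_BOOKING = Booking(
    pnr="ABC123", account_holder="Alice Smith",
    booked_at=datetime(2024, 6, 1, 10, 0),
    payments=(
        Payment("tok_visa_alice", "Alice Smith", 640.00, "fare"),
        Payment("tok_debit_mallory", "Mallory Jones", 30.00, "seat"),
    ),
)
SCAM_REQUEST = RefundRequest("ABC123", datetime(2024, 6, 2, 9, 0),
                             "tok_debit_mallory", 670.00, "phone")

# Constructed clean case: the account holder cancels her own fare later on.
CLEAN_BOOKING = Booking(
    pnr="DEF456", account_holder="Alice Smith",
    booked_at=datetime(2024, 6, 1, 10, 0),
    payments=(Payment("tok_visa_alice", "Alice Smith", 640.00, "fare"),),
)
CLEAN_REQUEST = RefundRequest("DEF456", datetime(2024, 6, 6, 15, 0),
                              "tok_visa_alice", 640.00, "web")

if __name__ == "__main__":
    print(evaluate_refund(SCAM_BOOKING, SCAM_REQUEST))
    print(evaluate_refund(CLEAN_BOOKING, CLEAN_REQUEST))
```

The first rule alone defeats the scam as quoted: the debit card paid $30, so it can never receive $670. The other rules exist because the fraudster’s next move is to ask for two separate refunds, and an agent who sees "third-party card" and "requested by phone" on the screen is much harder to talk around.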
The cost of loyalty program fraud: reputation, reputation, reputation…and the financial loss
For the airlines, fraud comes with a financial cost and a cost to their reputation. Most airlines restore customers’ stolen points, and they are required to repay the banks that reimburse the cardholder in cases of fraud. But even though the victimized customer is made whole, the damage is done to the relationship between the customer and the airline.
And with social media, these fraud attacks don’t stay quiet — doing further damage in the eyes of consumers and opening the eyes of fraudsters to the fact that the airline has lax security when it comes to accounts.
It’s a two-edged sword for airlines, or at least they think so. Some airlines don’t want to encumber loyal customers with lengthy login processes, and that reasoning has, in part, held them back from implementing necessary security technology.
But loyal customers don’t want to be hacked, either. When airlines create a seamless experience for loyal customers, hackers have an easier time accessing the account. And once they’re in, they become the customer.
“Rather than me stealing your credit card, it’s much easier for me to hack into your account and buy on your goodwill – I look like you,” Wixted says. “The last thing [an airline] wants to do is add friction. At the same time, it’s a hard problem.”
Want to stop loyalty program fraud? Let’s talk.