Airlines miles can be used to launder purchases on the dark web.
If you go on air flights frequently, you know the value of airline miles, the point rewards airlines give their return customers for each trip they make. Frequent-flier miles can earn you free flights, upgrades to your flight seat, gift cards at affiliate retailers, and more.
But like everything else that has monetary value, unprotected air miles also attract hackers and cybercriminals, who steal them to sell them for profit on illicit online markets, a recent study by research firm Comparitech has found.
And unless you take protective measures, you can be their next victim.
How do hackers steal airline miles?
In most cases, hackers gain access to frequent-flier miles by hijacking the online accounts of their victims through phishing attacks. Phishing attacks dupe users into revealing the password or PIN to their frequent-flier account. For instance, an unsuspecting user might receive an email that seems to come from their airline company and invites them to browse to a website and log into their account to register for a reward program. But the real intention of the bogus site is to steal the victim’s credentials and gain access to their frequent-flier account.
In other cases, hackers have been able to gain access to thousands of frequent-flier accounts by breaking into the server of the airline company that hosts them. An example is the data breach at the British Airways, in which hackers accessed tens of thousands of frequent-flier accounts with millions of air miles.
What do hackers do with stolen accounts?
Thieves put the stolen accounts for sale in dark web black markets. The dark web is a secure network in which users enjoy maximum anonymity. It’s not a malicious tool per se, but it has become a favored environment for cybercriminals who want to cover their tracks
“On Dream Market, one of the largest black markets on the dark web, a single vendor sells reward points from over a dozen different airline reward programs, including Emirates Skywards, SkyMiles, and Asia Miles,” observes Paul Bischoff, the writer of the Comparitech report.
Bischoff has also found that Delta SkyMiles and British Airways were the most commonly listed frequent-flier services across different markets.
Cybercriminals also make their deals in bitcoin and other cryptocurrencies, because they enable to them to receive payments without revealing their identity.
According to Bischoff, prices are not consistent across vendors and seem to be based on the vendor’s preference, but cybercriminals usually sell them at a fraction of their actual value to make the bargain worth the risk for the customer (based on the flight ticket prices, air miles are typically worth 1-2 cents).
There have also been cases where hackers have spent the stolen air miles to buy luxury goods and then sell those on dark web markets at great discounts.
What do the buyers do with the stolen airline miles?
“With a working frequent flyer account in hand, the hacker now has two options: sell the hacked account or transfer the miles into another account,” says Bischoff.
Selling accounts is more common and cheaper. “A typical listing on the dark net offers the necessary login information,” Bischoff says.
But the problem with stolen frequent-flier account is that the purchaser has limited options in using it. For instance, they can’t spend the air miles on airfare or hotel bookings, because that would require the customer to provide identification documents that match with the account. However, they can use them at retailers that allow frequent-fliers to redeem their air miles as gift cards, where the rules are less strict.
“Members aren’t required to enter a password or PIN number when spending points, and retail staff often don’t ask for an ID,” Bischoff says.
For instance, at a website such as Points.com, users only need to enter their usernames and passwords to connect their frequent-flier account to the service and spend their air miles to buy gift cards from a long list of retailers.
Lax security measures have made frequent-flier miles a profitable target for hackers and thieves. And since users don’t check their frequent-flier accounts often, a black-market purchaser might be able to use it on several occasions without the victim becoming aware.
Buyers can also transfer their stolen air miles to their own account if they want to use it to purchase flight tickets or rent a hotel room. In case the buyer doesn’t have an account, the hacker will create a generic account for them and transfer the air miles to it. They can then redeem their air miles at their retailers of choice.
This method is safer, because it doesn’t require the buyer to log into a stolen account. After making the transfer, the buyer can spend the points without worrying about the original account holder becoming aware.
However, transferrable air miles are usually sold at higher prices in dark web markets. This is because airlines usually charge transaction fees when transferring air miles between accounts.
Also, this method is not risk-free. Airlines explicitly prohibit buying and selling air miles, and transfers are meant to be as gifts. While hackers will tell you that stolen accounts are safe, that is not always the case.
“If you get caught with stolen airline miles or selling your own miles, the airline can wipe out your account and leave you with nothing,” warns Bischoff, adding that airlines can also cancel your bookings if they find you in violation of their terms.
How to protect your airline miles
Protecting your air miles from hackers is pretty much like securing any other online account, which starts with choosing a strong password. This means your passwords should be long enough, comprised of characters, digits, and symbols. And avoid using dumb, well-known passwords.
Bischoff underlines the importance of choosing unique passwords and avoiding reusing passwords across several accounts. “If you have an account with Yahoo and a frequent flyer account that both use the same password, and Yahoo gets breached, smart hackers will know how to put two and two together and try your Yahoo password on your frequent flyer account,” Bischoff warns. And yes, Yahoo can get breached.
Also important is the use of two-factor authentication where applicable. Two-factor authentication enables users to link their accounts to a device such as their smartphone. Therefore, in case a hacker steals to their username and password, they still won’t be able to access their account without being in possession of the associated device.
“2FA is available with some frequent flyer programs, and people should absolutely take advantage of 2FA wherever it is offered,” Bischoff recommends. “Unfortunately, not all frequent flyer programs have implemented 2FA yet, or don’t require it.”
If you’re traveling, avoid using free public wi-fi networks to access your frequent flier account, because they’re notorious for security threats. If you absolutely must, make sure you take the necessary security precautions
Bischoff also offers some recommendations that are specific to frequent-flier programs. Most important among them is to keep your boarding pass safe even after your flight because “boarding passes often have the passenger’s frequent flyer number printed on them,” Bischoff says.
The best thing to do is to shred your boarding pass after your flight to make sure no one can retrieve its sensitive information. Also, never post a photo of your boarding pass online, Bischoff adds, and don’t put your airline account number on a baggage tag.
And make sure to frequently check your account for suspicious activity.
You might already be a victim and not know it.