Hackers are stealing loyalty rewards. Are your air miles or hotel points at risk?

Loyalty programs have become a goldmine for hackers. Here are six ways to protect your hard-earned rewards and points.
Image: Since loyalty accounts are typically only protected by an e-mail address and password, they are an easy target for hackers. (Jasper James / Getty Images)
By Herb Weisbaum

American consumers love loyalty programs. It’s estimated that the 3.3 billion loyalty program members in the U.S. currently store about $48 billion worth of points and miles in their accounts, according to Chargebacks911. These programs have grown so large in recent years that they’ve become an inviting target for hackers.

“It’s a huge problem and getting bigger,” said Brett Johnson, a former cyber-thief who turned his life around and became a digital security consultant after spending six years in prison. “Rewards points are a goldmine for crooks. They’re easy to access, very easy to use or transfer, and victims rarely check their accounts, so criminals flock to this type of crime without fear of consequences.”

While we call them miles or points, loyalty rewards are really a form of digital currency that can be used just like cash. Because they’re so liquid, the hackers don’t have to book flights or hotel stays with them. They can buy gift cards or merchandise to resell online, or they can simply sell the stolen rewards to other criminals.

Electronic gift cards are the favorite way to turn loyalty rewards into cash, said Peter R. Maeder, secretary and cofounder of the Loyalty Security Association.

“The opportunities for criminals in the loyalty area are tremendous,” Maeder told NBC News BETTER from his home-base of Switzerland. “Crooks talk to one another and the word is out that they can make easy money very quickly this way, and there’s not a lot of danger of being caught.”

Scammers always look for soft targets, and loyalty accounts are relatively easy to attack.

“They are incredibly insecure,” said John Breyault at Fraud.org (a public service of the National Consumers League). “Typically, they usually don't have two-factor authentication; they’re only protected by an e-mail address and password. That’s just like leaving your front door unlocked to cyberthieves, who can get in easily and make money off of your miles or points.”

While travel rewards are a prime target for hackers, any loyalty program where the rewards are accessed digitally is at risk. Loyalty programs at McDonald’s, Domino’s and Buffalo Wild Wings have all been hacked, the New York Times reported.

How much are stolen rewards worth?

There’s a vibrant market for stolen miles and points and loyalty reward program login credentials on the 'dark web', the online black market where criminals shop.

“They can just go shopping for what they want,” said Kevin Lee, digital trust and safety architect at Sift, a digital security company. The dark web, Lee says, is “essentially like an Amazon marketplace where you can find rewards for hotel chains and airlines.”

NBC News BETTER asked Lee to check the dark web so he could give us an idea of what these rewards are selling for right now. Turns out, they’re a steal (pun intended). He found:

  • 900,000 Marriott points (value $1,125) selling for only $270.
  • 44,000 Hilton points (worth $450) selling for just $20.
  • 2,000 JetBlue miles ($75 to buy from the airline) selling for $2.50.

“They’re cheap and you aggregate lots of these different accounts together and then funnel them into one account and buy a plane ticket or redeem them for other rewards,” Lee said.

Image: Hackers are stealing loyalty rewards for airlines and hotels. (Brett Johnson / AnglerPhish Security)

How one woman (who works in fraud support) got burned

Imagine how you’d feel if a hacker broke into your account and stole your hard-earned miles or points.

Amy Nofziger, a road warrior who values her travel rewards, was “really, really mad,” when it happened to her. She had 140,000 points stolen from her hotel rewards account.

“We get excited thinking about what we can do with these points, the trips we can take and the upgrades we can get,” she said. “And when somebody stole my hard work of collecting those points and the time away from my family, and used it to buy what I eventually found out was a large flat screen TV, I was really mad.”

If they can do it to Nofziger, the director of fraud victim support at AARP, they can do it to anyone.

“People need to know that this is happening, so they can protect themselves,” she told NBC News BETTER.

How to protect yourself from hackers

You work hard to earn those loyalty rewards; you need to protect your accounts to prevent hackers from breaking in. Here are six things you should do to reduce your chances of being robbed:

  • Use strong passwords. Secure your points the same way you would your bank accounts, with long and strong passwords that are unique and not easy to guess. If you reuse a password for multiple accounts and one of them is breached, other accounts with the same passcode are extremely vulnerable. A password manager makes it easy to create and use secure passwords.
  • Use two-factor authentication when offered. Yes, it takes a little more effort to log in to your accounts this way, but it’s a small trade-off to stop criminals from getting in. Find out which programs offer two-factor authentication at Two Factor Auth (2FA).
  • Safeguard your frequent flier or loyalty account number. Remember, boarding passes and hotel invoices usually have your rewards account number printed on them. Always shred these documents after your trip. And don’t put your frequent flier number on your luggage tags.
  • Watch out for phishing attacks. That email may look like it’s from your airline, hotel or other rewards program. But if it’s asking for personal information about your account, it was sent by a fraudster. Remember, any company that needs this information already has it and will never ask for it in an email.
  • Monitor your accounts. It’s easy to ignore a loyalty account until you need to use the rewards. But it’s important to check from time to time to look for unauthorized withdrawals. If you spot something suspicious, report it to the company immediately.
  • Use your points. They aren’t worth anything until you spend them.

What to do if you get burned

Despite your best efforts, a clever hacker may still be able to rob you. If this happens, contact the company that issued the rewards. There’s no guarantee they’ll help you, but they might.

It took about four weeks, but working with her credit card company, Nofziger was able to get those 140,000 stolen points restored to her hotel account.

Also, file a complaint with Fraud.org via its secure online complaint form. These fraud complaints are shared with a network of nearly 200 law enforcement and consumer protection agencies across the country.
