American consumers love loyalty programs. It’s estimated that the 3.3 billion loyalty program members in the U.S. currently store about $48 billion worth of points and miles in their accounts, according to Chargebacks911. These programs have grown so large in recent years that they’ve become an inviting target for hackers.
“It’s a huge problem and getting bigger,” said Brett Johnson, a former cyber-thief who turned his life around and became a digital security consultant after spending six years in prison. “Rewards points are a goldmine for crooks. They’re easy to access, very easy to use or transfer, and victims rarely check their accounts, so criminals flock to this type of crime without fear of consequences.”
While we call them miles or points, loyalty rewards are really a form of digital currency that can be used just like cash. Because they’re so liquid, the hackers don’t have to book flights or hotel stays with them. They can buy gift cards or merchandise to resell online, or they can simply sell the stolen rewards to other criminals.
Electronic gift cards are the favorite way to turn loyalty rewards into cash, said Peter R. Maeder, secretary and cofounder of the Loyalty Security Association.
“The opportunities for criminals in the loyalty area are tremendous,” Maeder told NBC News BETTER from his home base in Switzerland. “Crooks talk to one another and the word is out that they can make easy money very quickly this way, and there’s not a lot of danger of being caught.”
Scammers always look for soft targets, and loyalty accounts are relatively easy to attack.
“They are incredibly insecure,” said John Breyault at Fraud.org (a public service of the National Consumers League). “Typically, they usually don’t have two-factor authentication; they’re only protected by an e-mail address and password. That’s just like leaving your front door unlocked to cyberthieves, who can get in easily and make money off of your miles or points.”
While travel rewards are a prime target for hackers, any loyalty program where the rewards are accessed digitally is at risk. Loyalty programs at McDonald’s, Domino’s and Buffalo Wild Wings have all been hacked, the New York Times reported.
How much are stolen rewards worth?
There’s a vibrant market for stolen miles and points and loyalty reward program login credentials on the 'dark web', the online black market where criminals shop.
“They can just go shopping for what they want,” said Kevin Lee, digital trust and safety architect at Sift, a digital security company. The dark web, Lee says, is “essentially like an Amazon marketplace where you can find rewards for hotel chains and airlines.”
NBC News BETTER asked Lee to check the dark web so he could give us an idea of what these rewards are selling for right now. Turns out, they’re a steal (pun intended). He found:
- 900,000 Marriott points (value $1,125) selling for only $270.
- 44,000 Hilton points (worth $450) selling for just $20.
- 2,000 JetBlue miles ($75 to buy from the airline) selling for $2.50.
“They’re cheap and you aggregate lots of these different accounts together and then funnel them into one account and buy a plane ticket or redeem them for other rewards,” Lee said.