Points are being stolen by cybercriminals to sell on the Dark Web, warns Forter director of strategic partnerships – airlines & travel, Stuart Barwood
As the US and Europe begin relaxing some of the travel restrictions imposed due to COVID-19, many of our thoughts are turning tentatively towards booking a much-needed break or a catch-up with family overseas. Recent data shows that US citizens believe they will be able to travel in the medium term, with a 150% surge in interest for travel taking place more than 120 days away. Europeans are less confident, but it is likely that, as economies open up across the region, would-be travellers will start to make plans.
Those plans may well involve redeeming loyalty points, particularly as uncertainty around travel, growing financial concerns and the continued presence of the virus could mean there are fewer opportunities to do so in the future. However, customers checking their loyalty account balances might find that they have fewer points than they thought. That’s because those points have been stolen by cybercriminals to sell on the Dark Web.
While the world has been preoccupied with the pandemic, cybercriminals have not been idle. In fact, it appears that while air travel has dropped by as much as 94%, loyalty point theft has increased during the pandemic to such an extent that the dark web market is showing signs of saturation. This is supported by Forter’s recent research, indicating a 72% increase in fraud attacks against airlines, and a 115% increase in loyalty fraud overall.
But why are loyalty points so attractive to cybercriminals, and why is their theft such a concerning issue for consumers and airlines – after all, it’s not real money, is it?
From a hacker’s point of view, loyalty points have real cash value. They are liquid and can be offloaded via a marketplace with minimal communication between seller and buyer, which lowers the risk of detection. They can be exchanged for untraceable items such as gift cards, which also increases their appeal. Security around loyalty points schemes lags behind that around banks and credit cards, so they are an easier attack target, and customers often leave accounts unattended for long periods, meaning thefts regularly go unnoticed. In fact, around 45% of loyalty program accounts are inactive, with users failing to track or use their points, making them attractive to cybercriminals.
The bad news for cybercriminals right now is the fact that the illicit marketplace for stolen loyalty points is so saturated that points are changing hands for around only 6% of their actual value. Research we conducted on the dark web earlier this year found 1.2 billion points for sale with a value of more than $50 million. This is where the problem lies for airlines.
That $50 million is a significant liability sitting on the books of the airline industry. It is in airlines’ best interests for points to be redeemed as quickly as possible, to reduce this outstanding liability, but unattended accounts and lack of urgency to redeem points means cybercriminals have ample opportunity to steal them. If points are redeemed through fraudulent transactions the airline loses money and faces having to compensate customers who have fallen victim. On top of this is the loss of trust and reputational damage suffered when a customer has a bad experience due to fraud.
A further risk connected to hacked loyalty program accounts is that the credentials of associated co-branded credit cards could also be compromised, since consumers are likely to reuse the same username and password across many accounts, so a password stolen from one service unlocks the others. The fraud can subsequently spiral into the partner network, opening further avenues of attack and again leaving the airline liable for further compensation.
As international air travel takes off once more we’re likely to see not only genuine customers looking to redeem their points, but also hackers who have been deprived of the opportunity to convert that glut of stolen points to flights or alternative benefits that have been unavailable during the pandemic. This will put huge pressure on airline anti-fraud systems as they attempt to sift out the bad customers and serve the good.
According to the Loyalty Security Association (LSA), one percent of redeemed miles were fraudulent prior to COVID-19 — a $3.1 billion problem worldwide. Fraudsters have found a multitude of creative ways to realise revenue such as:
Account Takeover (ATO) – Fraudsters access genuine accounts and redeem members’ points for rewards, such as untraceable gift cards. They also purchase tickets for travel in the account holder’s name and then, after selling the ticket on, change the passenger name to a third party.
New Account Fraud – Fraudsters create multiple fake accounts, occasionally using stolen identities, and use them to liquidate points stolen from legitimate member accounts. They also use fake accounts to earn and redeem points tied to stolen credit cards.
Insider Abuse – This is where employees get involved in the action, using any of the above tactics, since they have access to customer accounts and personal details. At the 2019 ACFE Fraud Conference in the Middle East, Amir Mousa of Al Ain Holding Group shared an instance of an employee who created loyalty accounts for customers but used his own email address for each account, allowing him to accumulate 2.6 million air miles.
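Each of the three patterns above leaves a trace in ordinary loyalty-program event data: a long-dormant account that wakes up on an unfamiliar device and immediately converts points to gift cards, a ticket booked with points whose passenger name is changed afterwards, and many accounts opened under one contact e-mail. The script below is an added example of first-pass detection rules for those traces; it is not Forter’s product or any airline’s rules. The event stream is constructed for illustration, and the thresholds (365 days of dormancy, a 24-hour redemption window, three accounts sharing an e-mail) are assumptions that a real program would tune and combine with other signals such as IP reputation, redemption velocity and geolocation.

```python
"""Heuristic detectors for the loyalty-fraud patterns described in the article.

Added example, not code from the article. All events below are constructed
sample data and every threshold is an assumption chosen for illustration.
Each event is a dict with an ISO-8601 "ts", an "acct" and a "type" in
{"login", "redeem", "book", "name_change", "account_create"}.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Items that are hard to trace once redeemed (assumption: gift cards only).
UNTRACEABLE_ITEMS = {"gift_card"}

# Constructed sample event stream (not real data).
EVENTS = [
    # A: one login in 2019, then silence for over a year, then an unfamiliar
    # device logs in at 02:13 and converts 50,000 points to a gift card.
    {"ts": "2019-03-01T10:00:00", "acct": "A", "type": "login", "device": "d1"},
    {"ts": "2020-06-10T02:13:00", "acct": "A", "type": "login", "device": "d9"},
    {"ts": "2020-06-10T02:15:00", "acct": "A", "type": "redeem", "item": "gift_card", "points": 50000},
    # B: active member, known device, flight redemption (benign).
    {"ts": "2020-05-02T09:00:00", "acct": "B", "type": "login", "device": "d2"},
    {"ts": "2020-06-01T09:30:00", "acct": "B", "type": "login", "device": "d2"},
    {"ts": "2020-06-01T09:40:00", "acct": "B", "type": "redeem", "item": "flight", "points": 25000},
    # C: ticket booked in the holder's name, passenger renamed the next day.
    {"ts": "2020-06-03T11:00:00", "acct": "C", "type": "book", "pnr": "X1", "passenger": "Chris Holder"},
    {"ts": "2020-06-04T15:00:00", "acct": "C", "type": "name_change", "pnr": "X1", "passenger": "Pat Buyer"},
    # I1..I3: three new accounts, all registered with the same e-mail (insider pattern).
    {"ts": "2020-06-05T08:00:00", "acct": "I1", "type": "account_create", "email": "agent@example.com"},
    {"ts": "2020-06-05T08:05:00", "acct": "I2", "type": "account_create", "email": "agent@example.com"},
    {"ts": "2020-06-05T08:10:00", "acct": "I3", "type": "account_create", "email": "agent@example.com"},
    {"ts": "2020-06-05T08:20:00", "acct": "D", "type": "account_create", "email": "d@example.com"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def flag_dormant_reactivation(events, dormant_days=365, window_hours=24):
    """ATO signal: an account idle for >= dormant_days logs in from a device it
    has never used, then redeems an untraceable item within window_hours.
    Returns a list of (acct, ts, points) for each flagged redemption."""
    flagged = []
    last_seen = {}                       # acct -> datetime of the previous event
    known_devices = defaultdict(set)     # acct -> devices seen before
    reactivated_at = {}                  # acct -> when a suspicious reactivation began
    for e in sorted(events, key=_ts):
        acct, ts = e["acct"], _ts(e)
        prev = last_seen.get(acct)
        if e["type"] == "login":
            new_device = e["device"] not in known_devices[acct]
            if prev is not None and ts - prev >= timedelta(days=dormant_days) and new_device:
                reactivated_at[acct] = ts
            known_devices[acct].add(e["device"])
        elif e["type"] == "redeem":
            start = reactivated_at.get(acct)
            if (start is not None
                    and ts - start <= timedelta(hours=window_hours)
                    and e["item"] in UNTRACEABLE_ITEMS):
                flagged.append((acct, e["ts"], e["points"]))
        last_seen[acct] = ts
    return flagged


def flag_post_booking_name_changes(events):
    """ATO resale signal: a booking whose passenger name is later changed to
    someone other than the name it was booked under.
    Returns a list of (acct, pnr, original_name, new_name)."""
    booked_as = {}                       # pnr -> passenger name at booking time
    flagged = []
    for e in sorted(events, key=_ts):
        if e["type"] == "book":
            booked_as[e["pnr"]] = e["passenger"]
        elif e["type"] == "name_change":
            original = booked_as.get(e["pnr"])
            if original is not None and original != e["passenger"]:
                flagged.append((e["acct"], e["pnr"], original, e["passenger"]))
    return flagged


def flag_shared_contact(events, min_accounts=3):
    """Insider / new-account signal: one contact e-mail attached to many
    distinct accounts at creation. Returns {email: sorted list of accts}."""
    by_email = defaultdict(set)
    for e in events:
        if e["type"] == "account_create":
            by_email[e["email"].lower()].add(e["acct"])
    return {email: sorted(accts) for email, accts in by_email.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    print("dormant reactivation:", flag_dormant_reactivation(EVENTS))
    print("post-booking name changes:", flag_post_booking_name_changes(EVENTS))
    print("shared contact e-mail:", flag_shared_contact(EVENTS))
```

Running the script flags account A’s gift-card redemption, the passenger rename on booking X1, and the three accounts registered to agent@example.com, while leaving the active member B and the single-account e-mail alone. The point of keeping the three detectors as separate functions over one event stream is the one the article makes later: signals from login, redemption, booking and account-creation are only useful when they can be correlated per account rather than reviewed in isolation by separate teams.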
With all these attack types being used by fraudsters and the potential for an uptick in fraudulent points redemption as countries come out of lockdown, what can airlines do to minimise fraud risk? Whatever actions they take, they cannot afford to compromise customer service. Keeping customers happy is going to be crucial as the industry tries to rebound from the devastating effects of the pandemic, so anti-fraud measures need to be frictionless.
The most obvious solution is to encourage customers to track and spend accumulated points more frequently, as this removes the liability from the balance sheet and makes the CFO much happier. The shorter the amount of time points spend sitting in customer accounts the less the opportunity there is for hackers to get hold of them.
Encouragement can only go so far, however, and there will always be customers who store up points, so loyalty program protection is important. Yet many airlines are still using legacy methods that rely on manual review teams and point solutions that focus on specific interactions but do not share information with each other. Airlines need an integrated fraud prevention platform that protects customers throughout the customer journey and gives a comprehensive view of every customer, enabling them to distinguish legitimate, loyal customers from fraudsters and protect the former. This solution must be able to adapt to the airline’s changing business requirements, which right now are likely to be significant.
As we dare to dream of vacations once again, I would urge customers to check if their loyalty account has the balance of airmiles they expect, and likewise I would urge airlines to prioritise loyalty fraud prevention as part of their rebound strategy.