Cybercriminals are increasingly targeting loyalty accounts in hotels and airlines, taking advantage of the lax security measures in place. The shift from credit card fraud to loyalty account takeovers has caught airlines off guard, as they lack the necessary tools and processes to combat this type of cybercrime. Loyalty accounts, which hold billions of dollars' worth of points, function essentially like bank accounts but are not protected as such.
Cybercriminals are using bots to test compromised passwords on airline and hotel loyalty accounts en masse, taking advantage of the common mistake of using the same password in multiple places. This has led to a significant increase in successful hacks, with tools for credential-stuffing attacks being sold by bad actors in various countries. These tools make it easier for individuals without coding skills to carry out attacks, contributing to the accessibility of cybercrime.
Accounts compromised by cybercriminals are being sold on various platforms, with buyers cashing out by redeeming the points as gift cards or purchasing airline tickets. Some hacked accounts are also used to sell discounted airline tickets to the public on legitimate-looking travel agency websites. The total volume of fraud in loyalty accounts may not have increased but has shifted from credit card fraud to account takeovers.
The growing value of loyalty accounts, especially due to the success of co-branded credit cards, has made them more attractive targets for cybercriminals. Airlines’ security measures have not kept up with this trend, with most chains not requiring multifactor authentication to avoid adding friction for customers. This lack of security measures makes loyalty accounts an easy target for cybercriminals, with a lower risk of criminal charges compared to hacking a bank account.
Some airlines and hotels are starting to implement multifactor authentication and AI-enabled tools to detect anomalies and patterns in transactions. Educating people to stop recycling their passwords is seen as a key solution to combatting cybercrime in loyalty accounts. Ultimately, the rise in hacking of loyalty accounts highlights the need for improved security measures in the airline and hotel industry to protect customer data and prevent financial losses.
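The following Python example is added here and is not from the article: it shows one way a login anomaly check of the kind described above can work, flagging sources that try many distinct loyalty accounts with few successes, then listing the accounts where a flagged source did get in. The event format, thresholds, function names and sample data are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample login events: (epoch_seconds, source_ip, account_id, success)
SAMPLE_EVENTS = (
    # One source replaying a password list across 40 accounts; one login works.
    [(1000 + i * 2, "203.0.113.7", f"member{i:03d}", i == 17) for i in range(40)]
    + [(1010, "198.51.100.4", "member900", False),  # member mistypes once,
       (1030, "198.51.100.4", "member900", True),   # then logs in
       (1100, "192.0.2.55", "member901", True)]     # ordinary login
)

def find_stuffing_sources(events, window_s=300, min_accounts=10, max_success=0.2):
    """Return sources that tried many distinct accounts inside one sliding
    window with a low success ratio, the pattern of replayed password lists."""
    recent = defaultdict(deque)   # source -> attempts still inside the window
    flagged = set()
    for ts, ip, account, ok in sorted(events):
        q = recent[ip]
        q.append((ts, account, ok))
        while ts - q[0][0] > window_s:   # drop attempts older than the window
            q.popleft()
        accounts = {a for _, a, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if len(accounts) >= min_accounts and successes / len(q) <= max_success:
            flagged.add(ip)
    return flagged

def accounts_needing_stepup(events, flagged_sources):
    """Accounts where a flagged source logged in successfully: the reused
    password worked, so hold redemptions and require a reset plus MFA."""
    return sorted({acct for _, ip, acct, ok in events
                   if ok and ip in flagged_sources})

if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_EVENTS)
    print("suspected stuffing sources:", sorted(sources))
    print("accounts to hold for step-up:",
          accounts_needing_stepup(SAMPLE_EVENTS, sources))
```

Keying on source IP is a simplification; bots that rotate addresses call for grouping on another attribute such as device fingerprint or network block, with the same distinct-accounts and success-ratio logic.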