The Latest Hack: Your Air Miles

The Latest Hack: Your Air Miles

• Updated: September 28, 2016
Around the world people use their credit card’s rewards programs to accumulate not millions, but billions of dollars’ worth of air miles and points every year. Chances are you’ve accumulated some of these points yourself. Even though they’re protected by online passwords and other security features they are susceptible to getting hacked and stolen. That’s right folks, thieves are now targeting air miles and credit card rewards points at an alarming rate. We know you have enough to worry about, so we’ll take you through what we’ve learned about these hacks, what the airlines are doing about it, and what steps to take to keep this from happening to you.

Why are hackers targeting air miles and reward points?

Testimonials and instances of this kind of theft are becoming more common, and some airlines feel compelled to do something about it. They better, because these hackers are turning your air miles and reward points into extravagant vacations, flashy car rentals, or trading them for merchandise or cash. Let’s take a look at why this is happening.

Credit cards are too secure – Credit card technology has advanced a great deal since credit card theft became a near epidemic. Either your credit card has been replaced with new chip technology, or it’s on the way. Fraudsters despise the chip, and just as one door closes, another opens for them. Getting at your credit lines is difficult for criminals, but your air miles and reward points are much more vulnerable.

Your information – Your air miles account contains a lot of sensitive information about you. Basic information like your birthdate and address can be stolen. What’s more frightening is information like your passport number, or even your children’s passport number are vulnerable to hackers too.
So what can you do to protect yourself? There are many steps you can take to stave off this criminal enterprise, and we’re happy to report that you’re not alone in this fight.
What are the airlines doing about it?
In 2015 American and United Airlines were targeted by hackers who stole information about millions of their account holders. It was an expensive interruption of business and major breach of privacy. They’re taking measures to combat this threat to make sure it doesn’t happen again.

Securing the website – In August of this year United Airlines adopted a number of new security measures on their website. When logging in from a device that you never used to log in before, the website requires you to answer preselected challenge questions in addition to entering your password. Sound familiar? It is likely that we’ll see reward accounts become more like your bank’s login page. Unfortunately, that can be a pain for a lot of users, and United has received the message.

This security process is new for airlines, so we are seeing plenty of kinks twisting already. For example, United has preselected questions and answers. If they ask, “What’s your favorite sport?” and they only give you ten sports to respond with, what will you do if your sport isn’t among the answers? To further complicate matters United has over 93 million rewards users worldwide. The ten most popular sports for a user in the United States may be far different than a user in South Africa.

What other security features are there? Other security features that are typical of banks are also being considered. United is considering sending an email confirmation anytime something in your account is changed. That sounds great but the problem is that many of their users will be in an airport or airplane when accessing their account. By the time users get a chance to check their account it could be too late.
It’s good to see airlines working on security by adding more features, but presently there is still more to be done. Security is just not as scrutinized on airline websites. They want to maintain the ease of access users experience while protecting them at the same time. It will take a while to find the happy medium. For now the best means to deter hackers are your own efforts, and we have some suggestions for you.


What can I do to avoid/fight this problem?

Protect your password – Whether you’ve been schooled in password security or not, it is necessary to (re)visit this issue. Too many passwords for rewards accounts are discovered by hackers making an educated guess. Don’t do them a favor by making it easy. United use to require a four digit password for login. They had to change this because they found out too many people used their birth year, a piece of information that is very easy to find.
I used the same or similar password on many sites where I held accounts.  What I didn’t know is, had hackers targeted me on just one site, I was making it easier for them to access my accounts on other sites. The hack on United and American Airlines accounts happened in this fashion. Hackers broke into a chat room site, stole every username and password, and used them on the Airlines rewards websites.  

We understand that the more complicated you make your passwords the more difficult it is to remember them. That’s why authorities and experts recommend using a password manager. It is a secure program that populates your passwords as you visit different sites. You’ll still have to remember the password for the password manager, but at least now you only have to remember one password, as opposed to 10, 20, or even 30+ passwords. 
FYI: Password Manager Software can cost upwards of $39.99, but there are plenty of free Password Managers out there too.
Phishing – Phishing scams are rampant on the internet and now thieves are using them to steal air miles. Official looking, but nonetheless fake emails usually require you to type in information, or follow a link to a fake website. If you follow the instructions they’ll have all the information you just typed in (like username and password). If an email is asking you for sensitive information, like a password, don’t give it. And instead of using the link provided open another browser window and do a Google search to find the page.

Check your account activity – If it seems a bit cavalier to hack someone’s air miles account, book a ticket, and then get on an airplane, that’s because it is. To get away with it hackers are counting on your apathy when it comes to staying on top of account activity. Most of us have been schooled to check our monthly statements and online banking for our bank accounts and credit cards, but do you really pay attention to air miles account activity?
Most of us do not, and the last thing you want is to try and book a vacation only to find that a month ago someone else took a trip to Tahiti with your hard earned miles. If a theft occurs noticing it quickly and contacting the airlines might make that hacker’s destination a jail cell instead of Tahiti. So do yourself a favor and log on a couple of times a month. It just might save you a lot of trouble.
Here’s the rub:
Okay, enough doom and gloom. Here’s the good news: most people who have their air miles or rewards points stolen get them back or reimbursed. That could change in the future, but for now airlines have your back. They know we love our air miles and rewards programs, so it’s in their interest to keep us happy.

Right now the best thing you can do is take the steps mentioned above while airlines continue to figure out what’s best. I just changed my weak password for my mileage account. I certainly sleep better at night knowing my password is far more complicated now than my old one, which was my initials repeated three times. 

We think you'll also enjoy
Is Mobile Banking Safe?
5 Credit Card Tips for International Travel
What To Do Once Your Identity Has Been Stolen


We want to hear from you and encourage a lively discussion among our users. Please help our site stay clean and safe by following our posting guidelines, and avoid disclosing any personal information such as phone numbers or bank account information.

The comments posted below are not provided, reviewed or approved by the card issuers or advertisers. Additionally the card issuer does not assume responsibility to ensure that all posts and/or questions are answered.

Browse by Category