Hackers are gaining access to frequent flyer accounts and draining them of miles, oftentimes without the victim noticing until weeks or months later.
We recently spoke with Andy Luten, a Dallas-based frequent flier and travel blogger whose American AAdvantage account was recently targeted by cyber criminals.
Thieves pilfered 138,500 miles from him, and then used the stolen points to redeem a pair of award tickets — a process that took minutes. Luten describes in detail how he became a victim in a timeline on his Andy’s Travel blog.
The first clue that hackers had gained access to his account: An e-mail Luten received from American notifying him someone had changed the email address associated with his account.
Then the thief made the two consecutive award bookings, the latter of which happened as he was on the phone with an airline reservations agent to report the incident. He ended up spending nearly an entire night online and on the phone with American trying to sort the theft out.
“I caught it out of sheer luck,” he told SFGate.
Luten, being an avid American flier, said he checks his mileage balance almost daily. After the e-mail change message, he immediately logged on and watched his mileage balance being emptied.
“It’s just crazy to think how easy this is,” Luten said. “I pay that much attention to my account. Many others don’t check their balances as frequently as I do, and they wait three months and then there’s actual value that’s gone.”
American eventually restored the stolen miles and cancelled the award tickets. The airline told Luten to file a police report to document the incident, which he did. American also assisted him in setting up a brand new AAdvantage account.
Luten does not believe the two people who were ticketed using his award miles were responsible for the hacking, but believes the points were illegitimately resold online by the airline account hackers.
Andy Luten, editor of Andy’s Travel Blog, watched thieves steal miles from his AAdvantage account
So how did this happen in the first place?
Here’s how Luten summarizes what he thinks happened in a post about it on his blog: “Hacker found my email address and a password as part of some data breach (like Marriott’s). They tried that password in a variety of sites and found that the email/password combo worked with American. They then ran a Craigslist ad or something for cheap car rentals and hotels (with a burner phone, of course), someone paid the hacker cash, hacker made award bookings in that person’s name using my miles, and job done. It would be the recipient of the fraudulent award that gets arrested, not the hacker.”
Protect against airline loyalty account hacks
Targeting airline loyalty accounts is a relatively recent phenomenon for cyber criminals, according to Paul Bischoff, editor of UK-based consumer research firm Comparitech.
In 2018, the company found a robust black market for stolen airline miles, with people on the dark web willing to spend hundreds of dollars for tens of thousands of stolen airline miles.
“The stolen miles are usually redeemed for gift cards and other loyalty rewards,” Bischoff said. “They are more difficult to trace than hotel bookings and flights, which usually require proof of identification.”
In this era of Instagram and social media, we know many avid travelers excited about their trips inform friends and followers about the journey ahead by posting boarding pass photos.
Bad idea, Bischoff said.
“Don’t share your frequent flyer account number,” he said. “If you have one, it’s often printed on your boarding pass, so don’t take a picture of your boarding pass and post it to social media.”
Instead, shred the boarding pass, and never include frequent flier numbers on baggage tags. (Or just keep your electronic boarding passes stored on your smartphone to yourself.)
“Be on the lookout for phishing scams that pose as an airline or affiliated company to steal your frequent flyer number and other personal information from you,” Bischoff added.
Luten recommends using unique passwords for each travel account, which he now does. He said recouping losses after mileage accounts have been depleted can be difficult — especially if you don’t catch the crime early.
“This is 100 percent identity theft,” he said. “It’s identity theft that nobody really cares about.”
Chris McGinnis is the founder of TravelSkills.com. The author is solely responsible for the content above, and it is used here by permission. You can reach Chris at [email protected] or on Twitter @cjmcginnis.