Abu Dhabi, UAEMonday 20 January 2020

Hackers are now after your air miles to sell on the dark web

A recent study found air miles - from frequent flyer schemes across the globe - being sold for around $884 for 100,000 miles

Illustration by Alvaro Sanmarti
Illustration by Alvaro Sanmarti

For the many frequent flyers in the UAE who work hard to build up their air miles collection - beware the dark web, where a racket to steal and sell on personal air miles has been uncovered.

An investigation by British technology consumer site comparitech.com found points from nearly 20 airline reward programmes - including Etihad and Emirates - were being sold for a fraction of their value.

It comes hot on the heels of a British Airways data hack in which some 380,000 payments made over a two-week period were compromised in August, although no travel or passport details were taken.

"We constantly monitor the system for abuse, and when it's spotted we immediately take the appropriate action," says BA.

"We encourage customers to keep each of their online accounts safe, by using unique passwords for each account they have and changing those passwords frequently."

Last year, Air Miles Canada, Canada's largest coalition loyalty programme, owned by LoyaltyOne, discovered the theft of miles in a “small number of cases”, when points were used to buy products in stores, although it said members’ personal information was not compromised.

Reward miles are being sold for around $884 for 100,000 miles in cryptocurrency such as Bitcoin, Comparitech.com found, with Delta SkyMiles and British Airways Executive Club the most commonly listed. Comparitech.com says the real-world value of frequent flyer miles varies between airline programmes. However, with points typically worth between $0.01 or $0.02 each, 100,000 miles (valued at $0.015 each) are worth $1,500, meaning that dark net prices are significantly cheaper.

Comparitech.com’s writer, Paul Bischoff, told The National that points were typically redeemed for rewards such as discounts at retailers and gift cards “because these transactions are difficult to trace”, although they might also be spent on an upgrade to business or first class. “Thieves generally don’t spend stolen miles on actual airfare or hotels because those tractions require proof of identity.”

He says a buyer may purchase an account number and password and then have to log in themselves to redeem or transfer the miles from the victim’s account, or might be moved to a “clean account” by the seller on the buyer’s behalf.

One single vendor, @UpInTheAir, alone was selling reward points from over a dozen schemes, Mr Bischoff writes – including, he tells us, Etihad and Emirates on two marketplaces.

An Etihad spokesperson says: “We have a dedicated fraud prevention team that works to address fraud-related issues, actively prevent suspicious transactions from being processed as well as notify our members as required.

“We recommend our members choose secure passwords containing a combination of letters, numbers and special characters, have unique passwords for every account, and change passwords regularly to prevent such incidents on their personal email address and any affiliated accounts.”


Read more:

FAB credit card offers 110,000 'welcome bonus' air miles

Emirates and flydubai to share Skywards loyalty scheme from August

Emirates launches pooled family Skywards scheme


A spokesperson for Emirates says: “Emirates has a number of measures in place that protect Skywards member accounts. In the event that Emirates suspects that an account is being fraudulently used, we will suspend all activity on the account in order to conduct a thorough audit and investigation.

“Emirates Skywards assists members in recovering any lost or stolen miles once fraudulent use has been confirmed. In addition, Emirates will proactively request that members reset their passwords immediately if they believe that their Skywards accounts have been compromised in any way."

The Emirates Skywards scheme allows its members to transfer and gift miles to friends and family, and to purchase mile online, only “under specific terms and conditions,” the spokesperson adds.

Any mileage theft can cause “trouble” for customers while investigations take place, says Saj Ahmad, chief analyst for StrategicAero Research. “It’s very similar to having your bank account hacked and then frozen.”

Airlines have indemnity against this activity, he says - but “the reality is that this sort of illegal activity will become more, not less prevalent”. Hackers have “further ammunition” with airline apps now available on Google and Apple smartphones, he adds.

Airlines are “continually” backing up customer records, he adds, but customers are making themselves more vulnerable as targets by “spreading personal details over multiple platforms”.

Gaurav Sinha, chief executive and founder of Insignia Worldwide, says users should frequently change passwords and use two-device validations to protect their personal information.

Loyalty programmes need to be “bullet-proof” when it comes to online security, he adds - yet large corporations often use third-party solutions or software that compromise data protection, and they need to invest in technology platforms that protect customer data.

“Banks, airlines, hotels and online retailers are at the frontline of pioneering innovations in loyalty schemes, but it cannot come at the expense of the customer,” Mr Sinha warns.

Mr Ahmad agrees, saying the “real onus” lies with airlines to “employ more technological hurdles to prevent data breaches in the first place”.

“Given that airlines invest heavily in new airplanes, products and services, investing in IT infrastructure too has become a key area where security is also needed to ensure data compliance, conformity and safety of information,” he adds.

Comparitech.com has some specific security advice for travellers. It advises flyers to shred their boarding passes after a flight, to never post a photo of a boarding pass online and never to put an airline account number on a luggage tag. Additionally, the site warns against using public Wi-Fi to access an air miles account and to monitor it for any suspicious activity - using an app such as AwardWallet to manage and monitor multiple award programmes.

And, it warns, think twice before purchasing stolen miles or selling your own: airlines can close your account or even cancel your flight booking if they discover you have broken the terms of service.


Read more:

The hotel loyalty programmes that help you save on your travels

How crypto coins could revolutionise air miles and reward schemes


The dark web explained

The internet as most people know it is actually a small place. Google only indexes a tiny fraction of the full World Wide Web - the portion known as the ‘surface web’; the rest is the deep web. Much of the many billions of pages of content here is benign - for instance, the private contents of smartphone apps, the files in cloud storage accounts, court records, private social media profiles and content that sits behind paywalls. It simply isn’t indexed.

People often confuse the deep web for the dark web. The dark web is a small part of the deep web, intentionally hidden and inaccessible through standard web browsers.

Accessing the dark web requires the use of an anonymous browser, the most popular of which is Tor (The Onion Router). Tor grants access to dark web sites with .onion - rather than .ae or .com - domain names.

In 2015 researchers Daniel Moore and Thomas Rid, of King’s College in London, crawled more than 5,000 sites on the dark web and found that almost a third were conducting illicit activities, including drugs and firearms trade, money laundering and hitmen for hire.

UAE cybercrime laws make it illegal to mask your computer network protocol (IP) address, and thereby hide your identity and geo-location, by using a proxy, a virtual private network (VPN) or Tor browser.

Updated: October 8, 2018 09:54 AM