Thieves are stealing miles and points and turning them into cash. Criminals gain access to your account and either sell or barter your miles and points online or redeem them for tickets, merchandise or gift cards. United changed its login procedures in August after some thefts around the industry. Other airlines say they are studying possible security enhancements.
Many consumers don’t protect their accounts with complicated passwords, or they use the same password at multiple sites. Airlines, hotels and others with loyalty programs have simple sign-in processes that experts say can be hacked.
Perhaps most important, lots of people don’t check their accounts very often, giving thieves a head start before anyone notices unauthorized withdrawals. Most airlines no longer mail out monthly account statements. They send electronic updates that are often ignored.
Thieves stole miles from thousands of accounts last year, including those belonging to United and American customers, after obtaining passwords from a chat-room site and using the same passwords to get into mileage accounts.
Miami computer programmer Milad Avazdavani was charged earlier this year with siphoning miles from at least six American accounts to steal $260,000 worth of airline tickets and fancy car rentals. The man, currently awaiting trial, told the Miami Herald he bought the miles from a third party. His lawyer didn't return requests for comment.
Some security experts expect a rise in mileage theft now that embedded chips have made credit card fraud harder. “It’s always going to be a cat-and-mouse game,” says Arlan McMillan, United’s chief information security officer.
Account thefts come in different ways. Some thieves email authentic-looking notices to consumers, “phishing” to lure them into uploading account information or clicking on a link that will surrender access to your computer. Other breaches have come from identity thieves who steal passwords from other sources and see if they can use the same password to log in to frequent-flier accounts, since many people use the same password over and over.
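The password-reuse attack described above leaves a recognizable trace in a loyalty program's login logs: one source trying many distinct accounts with mostly failures. The detector below is an added example, not code from United, American or the article; the log lines and their four-field layout (timestamp, source IP, account email, outcome) are constructed for illustration.

```python
"""Credential-stuffing detector for loyalty-program login logs (added example).
Flags a source address that attempts many distinct accounts with a high
failure rate, then lists the accounts that nonetheless logged in from it,
which are the ones to email and re-verify. Log format is hypothetical."""
from collections import defaultdict

# Constructed sample log: timestamp, source IP, account email, outcome
SAMPLE_LOG = """\
2015-09-01T10:00:01 203.0.113.7 alice@example.com FAIL
2015-09-01T10:00:02 203.0.113.7 bob@example.com FAIL
2015-09-01T10:00:02 203.0.113.7 carol@example.com OK
2015-09-01T10:00:03 203.0.113.7 dave@example.com FAIL
2015-09-01T10:00:03 203.0.113.7 erin@example.com FAIL
2015-09-01T10:00:04 203.0.113.7 frank@example.com FAIL
2015-09-01T10:05:00 198.51.100.9 alice@example.com FAIL
2015-09-01T10:05:10 198.51.100.9 alice@example.com OK
"""

def parse_line(line):
    ts, ip, account, outcome = line.split()
    return {"ts": ts, "ip": ip, "account": account, "ok": outcome == "OK"}

def find_stuffing_sources(log_text, min_accounts=5, min_fail_rate=0.6):
    """Return {ip: stats} for sources whose pattern matches credential stuffing."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                  "failures": 0, "successes": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        s = per_ip[ev["ip"]]
        s["accounts"].add(ev["account"])
        s["attempts"] += 1
        if ev["ok"]:
            s["successes"].add(ev["account"])   # reused password worked here
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["failures"] / s["attempts"]
        # Many distinct accounts plus a high failure rate: not a real member
        if len(s["accounts"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[ip] = {"accounts_tried": len(s["accounts"]),
                           "fail_rate": round(fail_rate, 2),
                           "compromised": sorted(s["successes"])}
    return flagged

def accounts_to_notify(log_text, min_accounts=5, min_fail_rate=0.6):
    """Accounts that logged in from a flagged source; email them and force a reset."""
    flagged = find_stuffing_sources(log_text, min_accounts, min_fail_rate)
    return sorted({a for s in flagged.values() for a in s["compromised"]})
```

A single legitimate member retrying one account from one address (the second source in the sample) stays below the distinct-account threshold and is not flagged.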
With most loyalty program accounts, you log in with an email address—unlikely to be a secret—and a password. If the password is very weak, then so is the security, experts say. And besides miles, airlines have lots of valuable data about you that thieves might want: full names, birth dates, addresses, phone numbers, family members and credit card and passport numbers.
“The risk is pretty significant. There are multiple vulnerabilities to frequent-flier accounts,” says Michael Kaiser, executive director of the National Cyber Security Alliance, a nonprofit consortium working on security and privacy education that is backed by major corporations.
Airlines say they replace miles for consumers who have been hacked after they file police reports and have worked with authorities on prosecutions. They also say they have many security measures in place.
Like many businesses, airlines say they have to balance security with convenience. If they make it too complicated to log in, customers could lose interest or get frustrated.
United had used four-digit PINs instead of passwords, but found those could be guessed, since many people use obvious numbers like birth year. The airline went to passwords, along with a series of questions account holders set up, then have to answer when logging in from a new device.
“It’s security and usability that we have to plan for. We can’t make this so difficult that people can’t get in,” United’s Mr. McMillan says.
United opted to use pull-down menus of possible answers rather than have members type in answers. The questions ask for things like favorite sports or favorite types of reading. Having consumers type in answers turns out to be frustrating for some—they forget how they answered a question.
In addition, Mr. McMillan says, United has the challenge of 93 million MileagePlus members around the world using different languages, different access to technology and different devices.
Some financial institutions have gone to two-step authentication, where a code is sent to your phone when you log in from an unrecognized machine. But that doesn’t work for many frequent fliers—on an aircraft, for example, where they can’t get a text message but might want account access, Mr. McMillan notes.
Some bloggers have ripped the new procedures as easily defeated, and the questions odd. On United’s favorite sport question, for example, the 10 choices include field hockey, curling, snowboarding, bowling, climbing and wrestling, along with football and basketball. (There’s no baseball, soccer, tennis, golf, sailing or skiing.) For a U.S. fan, the correct answer is far more likely to be football than field hockey.
Mr. McMillan says some choices might seem strange to a particular audience but reflect a geographically diverse customer base. Cricket is huge in some other countries, for example. “You have to know the MileagePlus number and password and guess two questions correctly. If you start breaking that down, the likelihood of success is very low,” he says.
He also notes that with any change in usage, an email is sent to the account holder’s email address. That’s not always foolproof, however, since emails are sometimes ignored, deleted, blocked by spam filters or sent to old addresses.
Bloggers complained United labeled its new security as two-factor authentication when the new requirements don’t have a second-device backstop check. Mr. McMillan says United’s protocol doesn't satisfy a strict definition of two-factor authentication, but the airline used the term as shorthand for added login requirements. He says United is looking at implementing something closer to what’s more widely regarded as two-factor verification.
In addition, like many security experts, Mr. McMillan strongly advocates use of a password manager—a program that captures all your passwords securely and populates them when you next log on so you can easily have different, complex passwords for different sites. The only one you have to remember is the one to access your password manager.
American says it has seen an increase in the number of theft attempts, though a lot of the uptick comes from expanding AAdvantage with US Airways accounts. Once problems are identified, the airline can cancel tickets or reverse mileage transfers. It is working on a system that would enable it to undo gift card purchases with miles.
Emailing account holders immediately with any redemption or account change request is strong protection, American says. One email tipped off a member to a mileage withdrawal and led to the Miami arrest, says Debora Simmons, senior manager of corporate security at American.
“We do what we can. Some of the onus is on the member to identify anything happening with their account,” Ms. Simmons says. “Nothing is 100% foolproof.”