How Air Mile and Loyalty Point Theft Threatens the Travel Industry Recent research has found that the travel industry is now the second most targeted industry for those looking to take over or hack customer accounts. One of the most common methods cybercriminals use to perform account takeovers is known as credential stuffing. Credential stuffing is an automated process that involves continuously inputting credentials into a login form until there is a match.
Over 60% of credential stuffing attacks detected over the past two years have been targeted at retail, travel and hospitality businesses. Rewards points – such as air miles – are popular among these types of attackers. They are often easily used or transferable, and unlike bank accounts, customers generally do not keep a close eye on such account valuables.
Frequent flyer miles can be used for
Free travel
Access to exclusive airport lounges
Free or heavily discounted upgrades to business and first-class seats on flights
Additional purchases such as gift cards
A batch of air miles can be purchased on the dark web for as little as
$31
Between July 2018 and June 2020 there were over 100 billion detected credential stuffing attacks – almost 64 billion of these were aimed at retail, travel and hospitality alone
200,000 British Airways points (worth
approximately £2000) can sell on the dark web for just $45 On average, air miles are sold on the dark web for
50% of their value