New York Times: “Why Rewards for Loyal Spenders Are ‘a Honey Pot for Hackers’”


The New York Times yesterday ran an article about an issue that we have covered here on LoyaltyLobby for several years.

Hilton Honors Amazon

Hackers are now targeting loyalty program accounts, which often allow points and miles to be converted into merchandise via Amazon and other venues. Members often do not guard their points and miles accounts as carefully as they do their financial ones.

You can access the New York Times piece here; below is an excerpt:

One loyalty-fraud prevention group estimates, conservatively, that $1 billion a year is lost to crime related to the programs. As a share of fraud not involving a physical payment card, such schemes more than doubled from 2017 to 2018, according to the Javelin Strategy & Research firm.

Some criminals use stolen credentials to impersonate customers, breach loyalty profiles and then tap into separate accounts. Others deplete balances or sell points on dark web marketplaces. One hacked Southwest Airlines rewards account with at least 50,000 miles was advertised for $98.88, according to the cloud security company Armor.

The piece then deals with Hilton Honors points that were drained using Amazon for merchandise. We covered this issue most recently back in late April:

Fraudster Cleaning Out Hilton Honors Accounts Via Amazon

We have covered this same issue a few times previously:

Hackers Selling Compromised Hilton HHonors Accounts Online

Hilton Honors Account Hacked, Conrad Bora Bora Award Reservation Canceled & Customer Service Of Limited Help

Compensation Clinic: Hilton Honors Account Breach, Reservation Cancellation & Unhelpful Fraud Department/Guest Assistance


Perhaps programs and members together haven't done enough to safeguard accounts. It is practically impossible to remember a unique password for every website, and thus many members likely recycle them.

At the same time, you cannot make the sign-in or redemption process too complicated security-wise, or it will anger members.

Many programs assume that you will always have access to text messages sent to the number that you have on file with them. This is especially problematic with travel loyalty programs, as members are often on the road. Not everyone has global roaming, and not all operators have roaming agreements with each other.

I am not sure what the preferable solution would be for this unfortunate dark side of loyalty program redemptions.