News Feature | December 4, 2014

Hackers Now Targeting Loyalty Programs To Drain Rewards

By Christine Kern, contributing writer


Daily Finance reported that loyalty programs have become the latest target for hackers, with Hilton HHonors coming under attack. In a new twist on data theft, hackers apparently hit the HHonors program and drained accumulated points from selected accounts. This means that loyalty solutions providers need to pay more attention to the authentication and security levels they offer their clients.

Security blogger Brian Krebs reported that one HHonors member lost more than 250,000 points earned through trips from Newfoundland, Canada. The hackers not only used the stolen points to book rooms, but also used the credit card details associated with the account to purchase additional points.

While a breach of loyalty program information is not the same as a credit card breach, which can expose a multitude of sensitive data, this new type of hacking does have the potential to be dangerous. In the HHonors hack, it is the account number and login credentials that are being sold, and those can then be turned into goods via online purchases.

Each point has a cash value of about half a cent, and points can be redeemed like cash for items across the Internet. Travel brands have recently expanded the places where loyalty points can be spent as cash, creating a lucrative opportunity for hackers, who can sell access to the accounts.

New black market websites are emerging for the sale of hacked credentials, and loyalty account information is now among the data for sale. The recent hacking of the HHonors program should serve as a call to action for program managers across the travel industry.

In a bid to prevent unauthorized access, Hilton has been actively improving the security of its site. This includes a new CAPTCHA (completely automated public Turing test to tell computers and humans apart) that aims to stop bots from automatically trying account/password combinations, making it more difficult to hack into member accounts. A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot, as explained on the CAPTCHA website. A CAPTCHA raises the cost of automated guessing, but it does not change how few guesses a short PIN can withstand.

The next logical step in protecting loyalty program accounts, according to TNOOZ, would be to institute multifactor authentication in place of the common username/PIN combination used for account access. A short numeric PIN has a small space of possible values (a four-digit PIN has only 10,000), so a bot can guess it quickly once the username has been uncovered via a separate database breach, unless the site limits failed attempts per account.

Another solution, offered by Townsend Security, is for businesses to send an SMS or voice message containing a one-time authentication code to the individual user's phone. Adopting two-factor authentication (2FA) provides an added layer of security beyond username and password credentials: even an attacker who has guessed or bought the PIN cannot complete the login without the code, which should be short-lived and valid for a single use. Protecting access this way adds identity assurance and significantly reduces the risk of unauthorized access.
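As an added illustration of the two preceding points (PIN guessing by bots, and throttling plus a one-time code as the countermeasure), here is a small, self-contained Python model of a loyalty-site login. It is constructed for this article and is not Hilton's, TNOOZ's or Townsend Security's code; the policy numbers (five failures before a 15-minute lockout, a six-digit code valid for five minutes) and the `sms_outbox` dictionary standing in for an SMS gateway are assumptions. The `brute_force_pin` function plays the bot: against username plus four-digit PIN alone it finds the PIN; with per-account lockout it is stopped after a handful of guesses; with a one-time code required it can learn the PIN but still cannot log in.

```python
"""Toy loyalty-account login: PIN guessing vs. lockout vs. one-time code.
Constructed example for this article, not any real program's code."""

import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 4
MAX_FAILURES = 5          # assumed policy: failures before lockout
LOCKOUT_SECONDS = 900     # assumed policy: 15-minute lockout
OTP_DIGITS = 6            # assumed: six-digit code "sent" by SMS/voice
OTP_TTL_SECONDS = 300     # assumed: code valid for five minutes


def _digest(secret: str, salt: bytes) -> bytes:
    # Keyed hash keeps the toy fast; a real store would use a slow KDF.
    # Note that hashing does nothing against *online* guessing, which is
    # what the bot below does; only attempt limits and a second factor do.
    return hmac.new(salt, secret.encode(), hashlib.sha256).digest()


class LoyaltyLogin:
    def __init__(self, throttle: bool, require_otp: bool, clock=time.monotonic):
        self.throttle = throttle          # lock the account after MAX_FAILURES
        self.require_otp = require_otp    # demand a one-time code after the PIN
        self.clock = clock                # injectable so lockout/expiry can be tested
        self.accounts = {}                # username -> account state
        self.sms_outbox = {}              # username -> last code (stands in for SMS gateway)

    def register(self, username: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt, "pin": _digest(pin, salt),
            "failures": 0, "locked_until": 0.0,
            "otp": None, "otp_expires": 0.0,
        }

    def login(self, username: str, pin: str) -> str:
        """Returns 'ok', 'otp_required', 'denied' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        now = self.clock()
        if self.throttle and now < acct["locked_until"]:
            return "locked"
        if not hmac.compare_digest(_digest(pin, acct["salt"]), acct["pin"]):
            acct["failures"] += 1
            if self.throttle and acct["failures"] >= MAX_FAILURES:
                acct["locked_until"] = now + LOCKOUT_SECONDS
                acct["failures"] = 0
                return "locked"
            return "denied"
        acct["failures"] = 0
        if not self.require_otp:
            return "ok"
        # PIN correct: issue a fresh code, store only its digest, "send" it.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        acct["otp"] = _digest(code, acct["salt"])
        acct["otp_expires"] = now + OTP_TTL_SECONDS
        self.sms_outbox[username] = code
        return "otp_required"

    def verify_otp(self, username: str, code: str) -> str:
        """Returns 'ok', 'expired' or 'denied'. The code is consumed either way."""
        acct = self.accounts.get(username)
        if acct is None or acct["otp"] is None:
            return "denied"
        expected, acct["otp"] = acct["otp"], None      # single use, even on failure
        if self.clock() > acct["otp_expires"]:
            return "expired"
        if hmac.compare_digest(_digest(code, acct["salt"]), expected):
            return "ok"
        return "denied"


def brute_force_pin(service: LoyaltyLogin, username: str):
    """The bot: walk the whole PIN space. Returns (final status, attempts used)."""
    for n in range(10 ** PIN_DIGITS):
        status = service.login(username, f"{n:0{PIN_DIGITS}d}")
        if status in ("ok", "otp_required", "locked"):
            return status, n + 1
    return "denied", 10 ** PIN_DIGITS


if __name__ == "__main__":
    for label, throttle, otp in [("pin only", False, False),
                                 ("lockout", True, False),
                                 ("one-time code", False, True)]:
        svc = LoyaltyLogin(throttle, otp)
        svc.register("traveler42", "7391")
        print(label, brute_force_pin(svc, "traveler42"))
```

Running it prints the bot's outcome for the three configurations. Note that with the one-time code alone the bot still learns which PIN was right (the server answers `otp_required`), which is why the code step and the attempt limit belong together rather than as alternatives.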