Where Have My Points Gone? When Phishers Harvest the Bounty of Travel

Posted by Nadya Sustache on

Many travelers this holiday season will cash in on their loyalty travel programs. Accrued travel points will buy them tickets to exotic getaways, free nights at top hotels, and much more. But travelers are not the only ones who will benefit from such rewards—travel points are also coveted by cybercriminals.

Why are travel points so attractive to cybercriminals?
Cybercriminals phish for travel points for two key reasons: their anonymity and their relaxed authentication standards.

Anonymity: The anonymity of travel points is appealing because fraudsters can cover their tracks. Lillian Ablon, a Rand Corporation researcher, says reward points involve significantly less risk than stolen credit cards because once you “flip” them into gift cards or electronics, they are harder to digitally trace. Gift cards, for example, can be exchanged for cash and it’s extremely difficult to distinguish which cards were bought with stolen points.

“Reward points involve significantly less risk than stolen credit cards because once you ‘flip’ them into gift cards or electronics, they are harder to digitally trace.” — Lillian Ablon, Rand Corporation Researcher

Relaxed authentication: In addition to anonymity, many online travel and loyalty websites do not have strict security measures. CreditCards.com reviewed 10 frequent flier and 17 hotel loyalty websites and found that half relied on a four-digit PIN or a password with six characters or fewer. Only a third provided two-factor authentication such as challenge questions or verification codes sent to the account holder’s smartphone—a service that is becoming more common with financial accounts.

To make matters worse, many consumers re-use the same username/password combination for multiple reward programs. Fraudsters phishing one account can then try those login credentials on all accounts belonging to the member. The Aite Group’s July 2014 report estimates that Americans maintain, on average, 15 to 20 usernames and passwords and that 55 percent of users apply the same login credential combination on all accounts.

Cybercriminals who steal information from one place are often successful in stealing from another. Travel consumers can decrease the chance of being a victim by not using the same password across multiple accounts.

What can travel brands do to protect their customers?
Email is the attack vector of choice for cybercriminals hunting for reward points because it is inherently insecure. When email was created over 40 years ago, security was not part of the design. And travel companies have been paying the price ever since. It is extremely easy for fraudsters to send a legitimate-looking email on behalf of a travel brand and extremely difficult for recipients to detect that email’s malicious origin.

The best way for brands to fight back is to gain full visibility into the email ecosystem and to block malicious content before it reaches customers. Implementing the email authentication standard DMARC (Domain-based Message Authentication, Reporting and Conformance) is the critical first step in protecting the email channel and defending your company’s brand and reputation.
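
The two goals named above, visibility and blocking, map to the rua= reporting tag and the p= policy tag of a domain's DMARC record. The following audit of a record is an added example, not code from the original post; the function names and the sample records (with example.com addresses) are constructed for illustration.

```python
# Added example: audit a DMARC TXT record (RFC 7489 tag=value list) for
# reporting (visibility) and enforcement (blocking). Names are hypothetical.

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into an ordered dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue  # skip empty or malformed segments
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return a list of findings; an empty list means aggregate reporting is
    on and failing mail is quarantined or rejected for the whole domain."""
    tags = parse_dmarc(txt)
    # The version tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["not a valid DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    # Subdomains inherit p= unless sp= overrides it.
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append("invalid pct= value")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address; no aggregate reports, no visibility")
    return findings

SAMPLES = {  # constructed records, not taken from any real domain
    "monitor-only": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, audit_dmarc(record) or "OK")
```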

For a complete list of email fraud-fighting practices that will protect your customers, your brand, and your business this holiday season, download our Travel Guide to Email Fraud.
