Starwood got hacked. This came shortly after American, United, and Hilton got hacked. Points are advertised for sale cheap online.
Data security is big business, and consulting firms have identified a huge business opportunity in working with loyalty programs.
There’s no way to be perfectly secure, and programs don’t often admit what’s really going on. Instead there’s plenty of blame shifting: talk about the need for strong passwords and changing passwords (blame the customer), and talk about third parties getting hacked (blame the partners).
The truth is that some amount of hacking risk is a cost of doing business. You don’t want to be ‘too secure’ or you’ll be too difficult to do business with. Customers who have to constantly change passwords they can’t remember are customers who will be frustrated and won’t engage with the program online. And complex, unique passwords are passwords that members have to write down or store in an unencrypted file on their computer, which introduces its own, albeit different, security issue.
What’s more, shifting responsibility for security onto members doesn’t work when the programs effectively indemnify members against any consequences of a hack by restoring points in full. Why should members invest effort in hack prevention, when a hack doesn’t actually cost them anything?
But there are basic things that a program can do, and things that members can do, to keep their accounts more secure. And relative security is all they need – you don’t need to be hack-proof, just more difficult to hack than the next program and next member down the digital ‘street’.
How Hackers Use Points
Stolen points rarely get used for travel.
Fraudulent bookings are too easy for airlines to spot. Account hacks get noticed anyway, and programs cancel the future travel reservations. There’s also too much risk for the hacker: a booking in a real name flags where that person will be and when, which creates the opportunity to intercept them or at least track them down later. And there often isn’t even enough time to resell the tickets before the account is noticed.
A couple of years ago Priority Club (now IHG Rewards Club) had a glitch where you could click a link over and over for 300 points at a time, ostensibly to download their shopping bar tool (something that should only have worked once). People scripted the process and earned millions of points.
- Those who redeemed for future hotel stays got those reservations cancelled.
- Those who redeemed for airline tickets, thinking the program had to buy those so they were safe, had their tickets voided.
- Those who redeemed for e-gift cards, such as to Amazon, and immediately used those e-gift cards for items that shipped same-day made out with thousands of dollars in merchandise.
The Easy and Low Cost Way That Programs Can Combat Hackers
The key to these successful frauds is the instant cash out, which is why I’m surprised that programs continue to offer electronic gift cards with instant cash-outs.
The easiest way to combat fraud, it seems to me, would be to slow down the redemption process for cash equivalents that are outside the core merchandise category of the program.
An airline can continue to allow travel redemptions right up to departure, relying on the government’s ID check procedures: only a small number of people will fake those documents, so most who redeem for actual tickets will be traceable. But e-gift cards are sufficiently outside the core functionality of the program, and generally a poor-value use of points anyway, that requiring a secondary verification or a short wait before issuing them could make liquidation too inconvenient to bother with.
A program doesn’t have to be perfectly secure to deter hackers; it just has to be less convenient to hack than other sites!
Right now loyalty programs which offer cash-equivalent instant redemptions are tempting targets because bank and credit card security has improved, though it is far from perfect. So loyalty programs are, as Willie Sutton said, “where the money is”, but they are also easy marks.
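Here is what that redemption policy looks like when written down as code. This is an added example, not code from the post or from any loyalty program: the categories, the thresholds (a 48-hour hold on cash equivalents, a 72-hour window after a credential change, a 30-day cash-out cap) and the sample accounts are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Category(Enum):
    TRAVEL = "travel"                    # the program's core product
    MERCHANDISE = "merchandise"          # physical goods shipped to an address
    CASH_EQUIVALENT = "cash_equivalent"  # e-gift cards and other instant cash-outs


class Decision(Enum):
    ALLOW = "allow"      # fulfil immediately
    HOLD = "hold"        # fulfil only after a cooling-off delay
    STEP_UP = "step_up"  # confirm out of band first, then apply the hold


# Hypothetical tunables; a real program would set them from its own fraud data.
CREDENTIAL_CHANGE_WINDOW = timedelta(hours=72)  # password/e-mail/phone changed recently
CASH_OUT_HOLD = timedelta(hours=48)             # delay before a cash-out is fulfilled
CASH_OUT_30D_CAP = 50_000                       # points per rolling 30 days


@dataclass
class Account:
    last_credential_change: datetime
    known_device: bool                 # session comes from a device seen before
    cash_out_points_30d: int = 0       # cash equivalents redeemed in the last 30 days
    shipping_addresses: set = field(default_factory=set)


@dataclass
class Redemption:
    category: Category
    points: int
    requested_at: datetime
    shipping_address: Optional[str] = None


@dataclass
class Outcome:
    decision: Decision
    release_at: Optional[datetime]  # earliest fulfilment time for HOLD / STEP_UP
    reason: str


def decide(account: Account, r: Redemption) -> Outcome:
    """Travel stays instant; anything close to cash is slowed down or verified."""
    if r.category is Category.TRAVEL:
        # The traveller must show government ID at the airport or front desk,
        # so a fraudulent booking is traceable; no reason to delay it.
        return Outcome(Decision.ALLOW, None, "core product, ID checked at use")

    if r.category is Category.MERCHANDISE:
        if r.shipping_address not in account.shipping_addresses:
            return Outcome(Decision.HOLD, r.requested_at + CASH_OUT_HOLD,
                           "shipment to an address not on file")
        return Outcome(Decision.ALLOW, None, "shipment to a known address")

    # Cash equivalents are never instant. Escalate to STEP_UP when the session
    # looks like a takeover: fresh credential change, unknown device, or an
    # unusually large amount being liquidated.
    release = r.requested_at + CASH_OUT_HOLD
    recently_changed = r.requested_at - account.last_credential_change < CREDENTIAL_CHANGE_WINDOW
    if recently_changed or not account.known_device:
        return Outcome(Decision.STEP_UP, release,
                       "cash-out after credential change or from unknown device")
    if account.cash_out_points_30d + r.points > CASH_OUT_30D_CAP:
        return Outcome(Decision.STEP_UP, release, "cash-out velocity above 30-day cap")
    return Outcome(Decision.HOLD, release, "cash-out cooling-off period")


# Constructed sample data so the module runs offline.
SAMPLE_NOW = datetime(2015, 11, 20, 12, 0)
LONG_HELD = Account(SAMPLE_NOW - timedelta(days=400), known_device=True,
                    shipping_addresses={"home"})
JUST_TAKEN_OVER = Account(SAMPLE_NOW - timedelta(hours=1), known_device=False)
HEAVY_CASHER = Account(SAMPLE_NOW - timedelta(days=400), known_device=True,
                       cash_out_points_30d=45_000)


def demo() -> dict:
    """Run the policy over the sample scenarios; returns name -> Outcome."""
    return {
        "travel": decide(LONG_HELD, Redemption(Category.TRAVEL, 25_000, SAMPLE_NOW)),
        "gift_card_normal": decide(LONG_HELD, Redemption(Category.CASH_EQUIVALENT, 10_000, SAMPLE_NOW)),
        "gift_card_takeover": decide(JUST_TAKEN_OVER, Redemption(Category.CASH_EQUIVALENT, 10_000, SAMPLE_NOW)),
        "gift_card_velocity": decide(HEAVY_CASHER, Redemption(Category.CASH_EQUIVALENT, 10_000, SAMPLE_NOW)),
        "merch_known_address": decide(LONG_HELD, Redemption(Category.MERCHANDISE, 5_000, SAMPLE_NOW, "home")),
        "merch_new_address": decide(LONG_HELD, Redemption(Category.MERCHANDISE, 5_000, SAMPLE_NOW, "drop box")),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:20} {out.decision.value:8} {out.reason}")
```

One detail matters for the step-up case: the confirmation has to go to the e-mail address or phone number that was on file before any recent change, because changing the contact details is typically the first thing an account thief does, and a code sent to the new address goes straight to the attacker.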
How Members Can Protect Their Accounts from Hackers
Readers on my post about the Starwood hack had some good suggestions.
- Use a strong password for your laptop or other computing device. Then use a password manager, so that you only need to remember one strong master password and let the software remember the rest for the various websites. Enable two-factor authentication where it’s offered for extra security.
- Use a strong base password that you vary slightly by program. Say, “%&%aSBQS”, which you won’t ever forget because you use it over and over, followed by ‘spg’ for Starwood and ‘hilton’ for HHonors, and so on. This won’t be hard to guess for someone who is looking at one of your passwords and trying to modify it, but if they’re just running a list of leaked email addresses and passwords in bulk against a given website it won’t match, because the string for each site is different. Against that targeted attacker, though, it’s little better than using the program name itself as your password (which an algorithm testing common passwords would also guess).
Your laptop or other device should be encrypted. A login password alone isn’t enough, because a hacker with physical access can bypass or replace the operating system and read the disk directly.
You should use a service like AwardWallet to track your accounts. You’re giving your passwords to a third party (although they offer the option of keeping your passwords on your own computer rather than on their servers). They’ve always seemed reasonably secure to me (here are details), and I like that they participate in a bounty program for hackers to identify flaws and also describe their encryption methods.
You won’t check all of your account balances every day without a service like this, and the best thing you can do to protect yourself (for your own benefit rather than the program’s) is to notice any fraudulent draining of your account quickly.
I know there are security experts among my readers: what approach would you take?
Anyone who uses the internet should be using a good password manager like LastPass or 1Password. Otherwise it’s just a matter of time before you experience a hack or loss. Even if the loss is covered by the company, you can save yourself a lot of trouble by doing this.
Nothing is going to be perfect, but you have the gist of it, really the things you can do to prevent the attack are:
1) Use a password manager/password safe to make each password completely unique.
2) Password “recovery” questions such as “college you attended”, etc are a *second* password. Treat them that way, don’t put real information in them, or the same information in two sites, and store your answers in your password manager.
The recovery questions are rarely used in attacks like this one specifically, but if you are targeted for some reason those are often how people get in. (like the celebrity nude photos hacks, or by say a spurned ex)
These two comics sum things up well:
http://xkcd.com/936/
http://xkcd.com/792/
The first is password entropy – use long passwords, not short complex passwords. English words are fine if you have a lot of characters. And don’t re-use passwords unless somehow you trust every web site (ha ha, right?).
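An added example (not from the post or from any commenter) that puts numbers on the entropy point in this comment and on the “strong base plus program name” scheme suggested in the post above. The word list, the composition-rule policy and the leaked-password scenario are constructed for illustration.

```python
import math
import secrets
import string

# Constructed word list for the demo; a real Diceware list has 7776 entries.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "velvet", "orbit", "lantern", "pepper",
              "mango", "canyon", "river", "silent", "copper", "window", "meadow", "falcon"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `pool_size` options.
    Valid only when a machine or dice made the picks; a human-chosen 'complex' password
    (dictionary word + leet substitutions + trailing digit) has far less than this says."""
    return length * math.log2(pool_size)


def compare_schemes() -> dict:
    """Bits of entropy for the schemes the thread compares."""
    return {
        "4 words from a 2048-word list (xkcd 936)": entropy_bits(2048, 4),
        "4 Diceware words": entropy_bits(7776, 4),
        "6 Diceware words": entropy_bits(7776, 6),
        "8 random printable chars": entropy_bits(94, 8),
        "16 random printable chars": entropy_bits(94, 16),
    }


def passphrase(words=DEMO_WORDS, count=4, sep="-") -> str:
    """Generate a passphrase with a cryptographically secure RNG (not random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length=16, alphabet=PRINTABLE) -> str:
    """What a password manager stores for you: one unique random string per site."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(pw: str, min_len=8, max_len=64) -> bool:
    """The composition rule the thread complains about: upper, digit, special, length cap."""
    return (min_len <= len(pw) <= max_len
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def conform(phrase: str) -> str:
    """Satisfy such a policy with a fixed, non-secret decoration. The secret bits live in
    the word choices; a constant capital and '!1' add nothing but also cost nothing."""
    return phrase[0].upper() + phrase[1:] + "!1"


def targeted_guesses(leaked_pw: str, leaked_site: str, other_sites) -> list:
    """Why 'strong base + program name' only stops bulk replay: once one password has
    leaked, an attacker who looks at it needs a single guess per other site."""
    if not leaked_pw.endswith(leaked_site):
        return []
    base = leaked_pw[: -len(leaked_site)]
    return [base + site for site in other_sites]


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{bits:5.1f} bits  {scheme}")
    p = passphrase()
    print(p, meets_policy(p), conform(p), meets_policy(conform(p)))
    print(random_password())
    print(targeted_guesses("%&%aSBQSspg", "spg", ["hilton", "hyatt", "united"]))
```

Four random Diceware words come out at roughly 52 bits, the same as eight random printable characters, and six words beat a random 16-character password on memorability while still being well beyond any online guessing budget. The `targeted_guesses` output is the whole attack against the suffix scheme: three candidate strings, one per program.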
The best way to not be hacked is to stop using smartphones and go back to only PCs and notebooks. You’ll notice many websites are starting to conform to smartphones, from which the PC version looks like everyone has bad eyesight.
REALLY: Would you use a car in which you couldn’t open the hood? Then why is everyone using smartphones and tablets that don’t allow anyone to open those?
Lastly, the idea of a “Password Manager” is how accounts do get hacked. I recommend people put your passwords written on a piece of paper and stick it in your wallet. You’re not going to lose your wallet, right? Oh, but you’ll use a device that you can’t open.
Smartphones don’t allow an MS-DOS prompt (i.e.: c:\>), a Linux system prompt, a UNIX prompt, etc. Instead you’re at the mercy of pricks like Mark Zuckerberg, Eric Schmidt, BitCoin nose pickers, etc…..
….therefore smartphones should not be trusted, they should be regulated, in fact, they should be classified as munitions.
Have a nice day!
ED
bode, while the logic is probably sound, the reality is that most websites wouldn’t let you use correcthorsebatterystaple as your password these days. It’s probably too long, doesn’t have an uppercase letter…and most annoyingly now, lacks a special character.
Any suggestions for a good password manager?
My Hilton account didn’t ask me to change passwords. Even when logged in, there was still no indication that anything needed to be done to user accounts. What’s up with the false-alert headline?