Comparitech searched the darkweb to find out how much frequent flyer miles from hacked accounts are being sold for.
US dollar prices fluctuate wildly because miles are most frequently sold in cryptocurrency. Bitcoin is worth a lot more or less on any given day. Sadly the person selling the most miles has appropriated the name @UpInTheAir, taking from us that movie where George Clooney plays all of us as road warriors in search of padding his mileage account.
Delta SkyMiles and British Airways were the most frequently offered currencies. Now we know where Delta’s rules requiring customers to ticket awards in person for travel within 72 hours from several countries come from. When you steal miles you need to use them right away, before the accountholder catches on.
Comparitech is looking at airline miles here; in past years when I’ve looked at this, it was hard to beat the frequency of hacked Hilton points for sale.
Here are the results from a survey of Berlusconi Market, Dream Market, and Olympus Market. Where they present more than one data point I average them for this chart. It’s important to note that these are asking prices. The people selling miles may or may not have a good idea of what they’re worth, and in some cases may be looking for a sucker (who buys 500 Expedia points?).
| Program | Miles | Price | Cost/Mile |
|---|---|---|---|
| AeroMexico | 100,000 | $884.00 | $0.0088 |
| Aeroplan | 100,000 | $884.00 | $0.0088 |
| Alaska | 50,000 | $95.11 | $0.0019 |
| Alitalia | 100,000 | $884.00 | $0.0088 |
| ANA | 100,000 | $884.00 | $0.0088 |
| Asia Miles | 100,000 | $884.00 | $0.0088 |
| British Airways | 1,050,000 | $1,438.00 | $0.0014 |
| Delta | 92,000 | $1,016.00 | $0.0110 |
| El Al | 100,000 | $884.00 | $0.0088 |
| Emirates | 200,000 | $1,404.00 | $0.0070 |
| Etihad | 100,000 | $884.00 | $0.0088 |
| Expedia | 500 | $8.18 | $0.0164 |
| Flying Blue | 100,000 | $884.00 | $0.0088 |
| Hawaiian | 100,000 | $884.00 | $0.0088 |
| Iberia | 100,000 | $884.00 | $0.0088 |
| Singapore | 100,000 | $884.00 | $0.0088 |
| JetBlue | 70,000 | $140.28 | $0.0020 |
| Virgin Atlantic | 100,000 | $884.00 | $0.0088 |
Frequent flyer programs have teams in place to deal with fraud, but too often they get fixated on members who play by the rules but ‘benefit too much’, calling that fraud rather than dealing with the big costs and risks. All you have to do is look at Air France KLM’s Flying Blue. Here’s what to do if your account is audited.
The single best protective measure against fraud is Award Wallet, the tool that lets you track your miles in one place and update your balances in a single click. That way you immediately see changes in your account balance, which alerts you to fraud far sooner than checking in on an account perhaps once a month or less. I click the button at Award Wallet as one of my first tasks each morning.
Here are other things you can do to protect yourself:
- Don’t set your passwords to 12345
- Use a strong password for your laptop or other computing device. Then use a password manager, so that you only need to remember one strong password and let the machine remember the passwords for the various websites. You can enable two-factor authentication for extra security.
- Use a strong password that you vary slightly by program. Say, “%&%aSBQS” that you won’t ever forget because you use it over and over, followed by ‘spg’ for starwood and ‘hilton’ for hhonors, etc.
Now this won’t be hard to guess if someone is looking at your password and trying to modify it, but if they’re just running a list of email addresses and passwords in bulk against a given website it won’t work, because your ‘strong password’ is different for that site. On the other hand, that’s probably no better or different than just using the program name itself as your password (although that is guessable by an algorithm that’s testing common passwords).
- Your laptop or other device should be encrypted. Password protection isn’t enough because a hacker can bypass or replace the operating system.
Everyone says ‘use a different password for every website’ and ‘change your password frequently’, but the truth is that your passwords need to be manageable. At work I definitely don’t want employees writing down their network passwords, which is what they’ll do.
If hackers steal passwords from one site, odds are a majority of people are using the same password across multiple sites. So unique passwords matter, but use those for the accounts you are worried about; as I say, a middle-ground compromise is to take a complex password and modify it for each account, ideally in a non-obvious way.
As good as AwardWallet is, it relies on having the full credentials to each account it is tasked with managing, meaning that any number of different passwords being in use becomes irrelevant and subject to the security posture of AwardWallet – the passwords need to be stored in a way that can be decrypted (which simply won’t fly in the vast majority of organisations).
There are 2 issues here:
1. Loyalty programs provide an all-or-nothing access mechanism. Providing a read-only endpoint that relies on OAuth2 for authentication and authorisation for services such as AwardWallet would make sites like AwardWallet faster potentially, whilst reducing the attack surface they present.
2. Multi-factor authentication is trivial (SMS is not an example of this – it’s easily worked around). There is precisely zero reason for this to not be implemented by all loyalty programs.
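To make the first point concrete, here is an added example (not the commenter's code and not any loyalty program's API) of a scoped, signed bearer token: a member grants an aggregator a token carrying only `miles:read`, so a leak of that token cannot redeem miles, and editing the scope breaks the signature. It is a simplified HMAC token rather than a full OAuth2 flow; the key, endpoint names, scope names and balance are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key held only by the program's token service.
PROGRAM_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(member_id, scopes, ttl=3600):
    """Member consents to a third party receiving only the listed scopes."""
    claims = {"sub": member_id, "scope": sorted(scopes), "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(PROGRAM_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(token):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(PROGRAM_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
        return None
    claims = json.loads(_unb64(body))
    return None if claims.get("exp", 0) < time.time() else claims


# Hypothetical endpoint table: each operation requires exactly one scope.
REQUIRED_SCOPE = {"GET /balance": "miles:read", "POST /redeem": "miles:redeem"}
BALANCES = {"member-123": 92000}   # constructed sample balance


def handle(request, token):
    claims = verify(token)
    if claims is None:
        return 401, "invalid or expired token"
    if REQUIRED_SCOPE[request] not in claims["scope"]:
        return 403, f"token lacks scope {REQUIRED_SCOPE[request]}"
    if request == "GET /balance":
        return 200, BALANCES[claims["sub"]]
    return 200, "redemption accepted"
```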
@Chris – trivial means unimportant. Do you mean easy/simple?
Nice, DL is up at the top of the cost list!
Man, these thieves are a bunch of noobs. Who sells 50k Alaska for 1/10 the price of SkyPesos?
Can I get a link to where I can buy 50K Alaska miles for $95 please? 🙂
Notably absent from the list are AAdvantage miles, which the dark web has figured out, like everyone else, are essentially worthless.
The easiest solution for airlines is to only allow reward tickets to be issued in a family name. This would make it a lot more difficult to sell points. If you want someone else accompanying you, just transfer points to their account.
Juan,
A growing proportion of even married couples don’t have all family members sharing the same family name in full. From the heightened likelihood of people maintaining their pre-marriage family name(s) to the higher proportion of family households that include children from previous relationships and so on, the idea that all members of a family share a particular name is rather culturally retrograde and parochial.
Gary that is terrible password advice. Having a short password like that is just as trivial for today’s brute force attackers to guess as “password”.
Likewise for common character substitutions like p4ssw0rd. It’s not fooling anyone and trivial to build into an attacking system.
If you want security, use a pass phrase like “I like 3 airplanes!”. Password length is the best determining factor for how secure your password is, not silly substitutions or things people aren’t going to remember like &;@+$-spghotel. Bonus: passphrases are easy to remember and type.
@Daniel – good catch. I clearly failed to finish my sentence – “trivial to implement” is what I was going for.
Today’s real threat surface to the average Joe isn’t a brute-force password crack, but a malware or social engineering approach. This would necessitate building technology literacy in combination with “safe” processes to securely access sensitive information – we can’t innovate away ignorance.
Alaska miles for $95! I’ll take a million please.