How to Prevent Your Frequent Flyer Miles From Being Stolen

Loyalty fraud — and especially stealing miles from hacked accounts — has been a big issue for years.

Frequently miles are used to buy gift cards which are immediately redeemed. They may be used to book close-in travel, the goal being to complete travel before anyone notices their account balance has been drained.

Programs have teams in place to deal with fraud but too often they get fixated on members playing by the rules but ‘benefiting too much’ and calling that fraud rather than dealing with the big costs and risks. All you have to do is look at Air France KLM’s Flying Blue. Here’s what to do if your account is audited.

iolaire writes at Inside Flyer,

Today I noticed 20k drop in my Amex Membership Rewards points when I ran a one off update on AwardWallet! All were PAY AT PARTNER debits for Amazon, none show up on my account. Amex chat is looking into it.

Thanks to AwardWallet for showing the drop and also for showing the drop via the weekly email that will come at the end of the week.

The single best protective measure against fraud is Award Wallet, the tool that lets you track your miles in one place and update your balances in a single click. That way you immediately see changes in your account balance which will alert you to fraud rather than checking in on an account perhaps once a month or less. I click the button at Award Wallet as one of my first tasks each morning.

Southwest, Delta, and United don’t allow AwardWallet to track account balances directly. That’s a shame. They treat the data as belonging to the airline, rather than the program member.

People don’t log into their accounts every day. People do click a single button to update all of their accounts, and do notice when they’re told that their balances have changed. Using Award Wallet means noticing fraud quickly, before the trail gets cold and often before there’s financial damage to the loyalty program.

Most programs are good about restoring member points right away. Some programs can be a hassle to deal with in these situations. From the stories I’ve been told that’s my impression of IHG Rewards Club.

Here are a couple of additional strategies to consider.

  • Some people prefer a strong password for their computer and then use a password manager, so that they only need to remember one strong password and let the machine remember the passwords for various websites. Then enable two-factor authentication for extra security.

  • Others may like to use a strong password that varies slightly by program. Say, “%&%aSBQS” that you won’t ever forget because you use it over and over, followed by ‘spg’ for Starwood and ‘hilton’ for Honors, etc.

    Now this won’t be hard to guess if someone were looking at your password and trying to modify it, but if they’re just running a list of email addresses and passwords in bulk against a given website it won’t work because your ‘strong password’ is different. On the other hand, that’s probably no better or different than just using the program name itself as your password (although guessable by an algorithm that’s testing common passwords).

I still believe though that there’s no replacement for noticing quickly that an account has been drained, which is why Award Wallet is a loyalty program’s best friend.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.


  1. I don’t see how the faster notice helps. When they are gone, they are gone.

    This can easily be prevented if the issuers gave us more options to protect points. As just one example, requiring a 7-day wait to exchange for gift cards.

  2. Can you add the “i” to my name at the end? “iolaire” thanks

  3. But if Award Wallet gets hacked, won’t all my passwords for all my accounts be jeopardized? There’s also a risk of too many eggs in one basket, non?

  4. There are only 2 reasons that this is even remotely an issue:

    1. Extremely weak authentication controls (6 character, numeric only PINs for many programs, if that).
    2. A complete lack of Multi-Factor Authentication (SMS doesn’t count)

    MFA is trivial to implement – there’s no reason to have not done so.

    As for sites like AwardWallet and similar sites, they’re only an issue in that they rely on the same credentials that the actual account owner relies on to redeem points and/or miles. Again, this is trivially solved with OAuth2 and simple, well-defined endpoints that only allow for information to be read.

  5. Do your best to not access public terminals. Most frequent flyers are in a hurry to check in and public access terminals, at hotels for example, are easily hacked with key loggers or by someone simply watching you type in your password.
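
The read-only access model raised in the comment about OAuth2 above, sketched as an added example (not code from the post, its commenters, or any loyalty program). The scope names, token values, endpoints and functions are hypothetical; the point is that a balance tracker's token can read a balance but cannot spend it.

```python
from dataclasses import dataclass

# Hypothetical scope names; a real program would define its own.
SCOPE_READ = "balance:read"
SCOPE_REDEEM = "points:redeem"

# Each endpoint declares the one scope it requires (deny by default).
REQUIRED_SCOPE = {
    ("GET", "/balance"): SCOPE_READ,
    ("POST", "/redeem"): SCOPE_REDEEM,
}

@dataclass(frozen=True)
class Token:
    subject: str       # member the token was issued for
    client: str        # party holding the token
    scopes: frozenset  # what the member consented to

# Constructed sample data: one member, one aggregator token, one member session.
TOKENS = {
    "tok-aggregator": Token("member-123", "balance-tracker",
                            frozenset({SCOPE_READ})),
    "tok-member": Token("member-123", "member-session",
                        frozenset({SCOPE_READ, SCOPE_REDEEM})),
}
BALANCES = {"member-123": 50_000}

def handle(method, path, bearer, amount=0):
    """Return (status, body) for a request carrying a bearer token."""
    token = TOKENS.get(bearer)
    if token is None:
        return 401, "unknown token"
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, "no such endpoint"
    if needed not in token.scopes:
        # A leaked aggregator token stops here: it was never able to redeem.
        return 403, f"token for {token.client} lacks scope {needed}"
    if path == "/balance":
        return 200, BALANCES[token.subject]
    if amount <= 0 or amount > BALANCES[token.subject]:
        return 400, "invalid amount"
    BALANCES[token.subject] -= amount
    return 200, BALANCES[token.subject]
```
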
