We are featuring Pointshogger contributor Paul Bischoff, who is a consumer privacy expert and the editor of Comparitech, a security-focused tech services review site. He’s been covering IT-related subjects for multiple outlets since 2012 and is passionate about privacy, free speech, and net neutrality. Today, he will share his thoughts on how points are being stolen and sold on the dark web, as well as provide his suggestions on how to protect against it. Thank you, Paul, for taking the time to share your expertise with us!
Cybercriminals are selling frequent flyer miles and rewards points in resale markets on the dark web. A recent Comparitech study uncovered an alarming number of related illicit goods marketplaces and combed through them to find out more about this surprising industry.
Let’s take a look at some of the findings and discuss what you can do to ensure your miles and points don’t end up for resale.
The Black Market for Frequent Flyer Miles and Rewards Points
With the number of marketplaces selling these miles, it’s clear that there’s some profit to be made. It’s not just one or two people selling a few thousand miles here and there, but rather multiple vendors, each offering hundreds of thousands of miles from a variety of rewards programs. As of August, when these sites were accessed, the most commonly available were Delta SkyMiles and British Airways, but you can also find Emirates Skywards, Asia Miles, and more.
So what’s the going rate for these miles? The study found a broad range of prices in various cryptocurrencies, mainly bitcoin and monero. A large number of points bundles were priced at $884 (converted from bitcoin at the time) for 100,000 points, but other bundles were priced much lower.
Of course, it’s difficult to put a specific value on an airline point, as it depends on how you use them and what program you’re part of. But assuming a value of $0.15 per mile, buyers are looking at about a 45 percent saving on those bundles. You can check out the table in the Comparitech study for more info about the prices vendors are charging for specific programs.
How Miles and Points End Up on the Black Market
You might be able to guess how criminals get their hands on the miles in the first place. Hacking? You bet. Fraudsters will hack into an account, often using information gleaned from a data breach or phishing attempt. Then they can take it over and either sell it as is or transfer the points to another account. Indeed, buyers on the black market often have the option to either buy the hacked account and transfer the points themselves or have a vendor create a new account for them.
One of the findings of the study is that the latter option was less common and more expensive, probably due to the fees that airlines typically charge when transferring points from one account to another.
Airlines often allow gifting of points, and their resale is sometimes a legal gray area. So it’s unlikely the airline is going to spot something amiss.
Once sold, the points probably won’t be used to buy flights and hotel stays, as these purchases will require ID. However, the points can be used to buy products and gift cards at retailers where no verification is required. As you can see, with the lack of policing, it’s no wonder that this is such a popular black market product.
How to Ensure Your Miles Stay Protected
Let’s face it, most of us don’t keep tabs on our frequent flyer accounts as much as we would our bank accounts. This makes it easy for account takeovers to go unnoticed for long periods of time. Let’s take a look at what you can do to make sure all of those Aeroplan or WestJet Rewards points don’t go to waste.
First and foremost, you need to protect your account credentials, including your frequent flyer number. While it’s useless without the password, giving criminals one piece of the puzzle makes it that much easier to break into your account. Always shred your boarding pass and never post a picture of it to social media.
You probably hear it all the time, but it’s crucial to use a strong password (one that’s longer than eight characters and made up of alphanumeric characters and symbols). Plus, you should keep an eye on your account as you would your bank account, and avoid accessing it over public Wi-Fi if possible.