How hackers could hijack your travel rewards programs and drain your miles

For many of us, frequent flyer miles and credit card and hotel loyalty points are valuable. The idea that some of my hard-earned points could be lost or stolen has me leaping to check the app of each program to make sure the balances look right.  And there’s good reason to have concern.

Some cybersecurity pros have dug up some seriously worrying stuff about the loyalty commerce company Points.com. Recent findings from cybersecurity researchers Ian Carroll, Shubham Shah, and Sam Curry have found some upsetting information about the company.

Points.com provides an expansive application programming interface for popular travel rewards programs, including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy programs.

According to the researcher’s findings, the team reported that certain vulnerabilities to Points.com between March and May 2023 made it attractive to hackers. These vulnerabilities could have been exploited by hackers to steal customers’ travel points, their data and potentially gain control of the Points loyalty programs altogether.  Here’s what we know so far and how you can protect yourself.

What vulnerabilities did the research team find?

A key issue that was found in the Points.com system involved easily being able to find details like customer rewards account numbers, addresses, phone numbers, email addresses, and partial credit card numbers. The researchers came across a manipulation in the system which would allow them to move around from one part of the Points API system to another, which gave them access to this information.

Although there was a limit in place for how much information a person could receive at one time, the researchers pointed out that a hacker could certainly look up a specific person’s information and retain it without issue. Plus, there was another issue found that would allow a hacker to take a person’s last name and rewards number, which would then let them take over customer accounts and transfer miles or other rewards points to themselves.

For Virgin Red, the researchers found leaked authentication keys that could have allowed an attacker to access Points.com’s page for Virgin Atlantic and modify accounts, such as adding or removing points or changing other settings.

For United MileagePlus, the researchers found a vulnerability in the Points.com global administration website in which an encrypted cookie assigned to each user had been encrypted with an easily guessable secret-the word “secret” itself. This could have allowed an attacker to execute malicious code on the website and potentially compromise the entire Points platform.

Points.com has since fixed those vulnerabilities related to Virgin Red and United MileagePlus.

MORE: HOW TO AVOID VACATION RENTAL SCAMS 

What was the biggest issue that was found?

Perhaps the biggest issue that was found, however, was one that would allow hackers to get into any points system they want because of a vulnerability that lies within the Points.com global administration system.

What the researchers found was that each user is assigned a cookie that is encrypted. Normally, this would be a good extra layer of security. However, these encrypted cookies were encrypted with the word “secret,” which the research team was able to easily guess. And if they can guess it, then a hacker certainly can.

Once they decrypted their cookie, they were able to reassign themselves permissions that a global administrator would have and then re-encrypt their cookie with something more complicated so that no one could decrypt it again. If a hacker were to perform this same process, they would be able to access any Points reward system and grant unlimited miles or other benefits to any accounts they want.

MORE: 10 WAYS TO TRAVEL LIKE A PRO FOR A WORRY-FREE TRIP

 

What can I do to protect my points?

According to the researchers, Points.com has fixed all the vulnerabilities they reported, and there is no evidence that any malicious actors have exploited them before. However, they warn that they may be other unknown bugs in the system that could pose a risk to customers and loyalty programs. With that being said, here are some things you can do to be proactive about your rewards accounts.

  • Monitor your accounts: Keep an eye on your rewards accounts for any unusual activity to see if any significant changes have been made, like a large deduction in your points or rewards.
  • Report any suspicious transactions or changes: If you notice any changes that you know you didn’t make to your loyalty account, contact your rewards program, report any suspicious transactions or changes, and see what they can do to help you.
  • Change your passwords: Update passwords for all rewards accounts. Make them complex and unique. Think about using a password manager to help you out, like 1PasswordRead more of my review here.
  • Activate two-factor authentication (2FA): It’s an extra layer of security that will stop hackers from accessing your accounts, even if they crack your password.

Points.com responds to security breach report 

We reached out to points.com, which was acquired by Plusgrade, in 2022, for a comment on this story, and this is the statement they provided to us in part:

“Points believes that collaborating with ethical security researchers helps us maintain a high standard of data security for our partners and users. As part of our ongoing data security activities, Points recently worked with a group of skilled security researchers concerning a potential cybersecurity vulnerability in our system. We sincerely appreciate the group’s diligence and assistance in identifying this potential vulnerability.

 

During this assessment, low-risk information pertaining to a small number of members — approximately 50 — was briefly accessible to the group of security researchers. There was no evidence of malice or misuse of this information, and all data accessed by the group has been destroyed.

 

As with any responsible disclosure, upon learning of the vulnerability, Points acted immediately to address and remediate the reported issue. Our remediation efforts have been vetted and verified by third-party cybersecurity experts.”

 

 

Kurt’s key takeaways

The last thing you want is to have all your hard-earned points that you’ve been saving up for that dream vacation to be taken away from you because of a hacker. Make sure you’re always checking your accounts, and pay attention to any notifications you might receive from your designated rewards program about major breaches to your information.

How do you feel about this team of researchers finding vulnerabilities within the Points.com system? Should companies have to be regularly checked for security issues? Let us know by commenting below.

FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

MORE: NEW ONLINE TRAVEL TOOL MAKES IT EASIER TO USE POINTS INSTEAD OF PAYING FOR HOTEL STAYS 

Related posts

Best last minute holiday gifts

Understanding brushing scams and how to protect yourself

From TikTok to trouble: How your online data can be weaponized against you