Skip navigation
Two economy-class airline tickets lie beneath a credit card and over a keyboard.
industry news

Airline Fraud Highlights Loyalty Reward Program Security Problems

Ten thousand American Airlines and three dozen United Airline accounts were targets of fraud, with criminals reusing credentials to access customer loyalty reward points and use them to book or upgrade flights late last month, as reports.

The loyalty program accounts breach, American’s AAdvantage and United’s MileagePlus, is reminiscent of a similar attack against Hilton’s Honor app that logged loyalty points whenever a customer booked a Hilton hotel room. While credit card numbers weren’t stolen in the airline incident, credit cards tied to Hilton accounts were sometimes used to buy even more reward points after existing points were exhausted. Find out more in Preferred Hotel Guest Programs: Keyless Entry & Security.

This is a good reminder that loyalty rewards accounts are good as gold; at the very least, should be treated like cash or a debit card account from which anyone with your password can access and drain. Yet, not many companies managing the reward apps or accounts give users the option to protect their money with strong authentication. A Tripwire security analyst agrees:

Although air miles and points can be used as a form of currency to purchase trips, hotel stays and other goods and services, they generally lack the security controls you would usually see with traditional forms of currency, such as with credit card transactions.

For example, the Hilton Honor app only required a 4-digit PIN for access, making it easy for criminals to brute force using password-guessing algorithms; particularly easy if passwords are limited to both numerics and a specific character length. Since there’s only 10,000 possible combinations for 4 digit sequences, it wouldn’t take long to guess correctly. The hotel chain has since added a CAPTCHA to help combat automated password tools, but it’s still not secure enough to be considered a second factor of authentication.

Password Reuse Across Different Web-Based Services

Another broader security issue this incident emphasizes is the pitfalls of reusing passwords across many different logins, applications and web services. Back in October 2014, hackers claimed to have breached Dropbox, dumping seven million credentials on

But what really happened was attackers stole usernames and passwords from other unrelated services, and then tried them on a number of sites, including Dropbox. And as the Wall Street Journal reported, Dropbox recommended users enable two-factor authentication as a protection against theft by requiring another layer of protection via their smartphones, as push notifications, SMS codes, tokens or phone calls.

As an extra precaution, Facebook urged its users to change their passwords after over 150 million email addresses and passwords were stolen from Adobe in 2013 in attempts to protect any users that may have reused their Adobe password on the social media website. But adding two-factor authentication to your logins means you can rely less on the power of just one password, and more on your own personal devices.

A final word from Duo’s CTO Jon Oberheide on authentication security and airlines:

For the affected airlines and customers, there's sure to be some turbulent times ahead. It's unclear how much runway the attackers will have before airlines land some strong authentication options for their most valued flyers. While these breaches create a lot of baggage for the airlines to deal with, it's important for them to ground these attacks before they really take off.