Reports of a massive breach of Hilton's HHonors loyalty program emerged on loyalty blogs early last month, as dozens of users posted claims of unauthorized access that led to loss of points.
The hackers allegedly gained access to loyalty program accounts, and then began to sell access to those accounts online.
Granted, this is not like a credit card number breach, where the numbers can be used directly for purchases; rather, it is the account number and login that are being sold, and the points inside the account can then be converted into goods through online purchases.
With a value of roughly half a cent each, the points can be redeemed as cash for items around the internet. In a bid to diversify point redemptions, travel brands have expanded the number of places where loyalty points can be spent as cash. This created a lucrative opportunity for hackers, who could now sell account access with far greater appeal.
Forums are now teeming with HHonors accounts for sale. This week, respected security expert Brian Krebs shone a bright light on the issue, speaking with one victim who had his entire account cleared of hundreds of thousands of accumulated points:
Brendan Brothers, a frequent traveler from St. John’s in Newfoundland, Canada, discovered a few days ago that his Hilton Honors account had been relieved of more than a quarter-million points, rewards that he’d accumulated using a credit card associated with the account. Brothers said the fraudsters were brazen in their theft, using his account to redeem a half-dozen hotel stays in the last week of September, booking rooms all along the East Coast of the United States, from Atlanta, GA to Charlotte, N.C. all the way up to Stamford, CT.
The prices for these accounts are ridiculously low, with some going for as little as $4.50 with 100,000 points. That's an enormous devaluation - less than 1% of the redeemable value - since at half a cent per point, that many points should be worth around $500.
The rise of loyalty account hacking is an urgent call to action for program managers across the travel industry, especially as new black market websites are popping up to provide easy access to hacked credentials.
For example, according to a Wired article, ten percent of sales listings on emerging website Evolution are for credit card numbers and other hacked accounts. Once hackers realize how soft the protections are for some loyalty programs - and demand increases alongside press coverage - the travel industry could be a much larger, more lucrative target in the coming months.
In a bid to prevent unauthorized access, Hilton has been actively improving the security on its site. This includes a new Captcha intended to stop bots from running through account/password combinations.
Multi-factor authentication would be the next step in securing loyalty accounts, and should be considered by all travel brands still using a username/PIN combination for account access. With only 4 or 5 digits, a bot can eventually determine the correct PIN once the username has been uncovered via a separate database breach.
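To make the PIN weakness concrete, here is an added example, written for this article and not Hilton's or any loyalty program's code. It models a toy login service that authenticates with a username plus a short numeric PIN, and lets a defender test a guessing policy against it: without a lockout, a 4-digit PIN is recovered within its 10,000-value keyspace, while a consecutive-failure lockout stops the same guessing bot after a handful of attempts. The account names, PINs and the lockout threshold are constructed for illustration.

```python
import secrets

# Constructed toy model of a loyalty login protected only by a short numeric PIN.
# Assumption: the service keeps an in-memory table of username -> PIN and an
# optional consecutive-failure lockout. Nothing here is a real provider's code.

class PinLoginService:
    def __init__(self, accounts, pin_length=4, max_attempts=None):
        self.accounts = dict(accounts)   # username -> PIN (plaintext only in this toy)
        self.pin_length = pin_length
        self.max_attempts = max_attempts # None = no lockout policy at all
        self.failed = {}                 # username -> consecutive failed logins
        self.locked = set()

    def keyspace(self):
        """Number of distinct PINs a guesser must cover in the worst case."""
        return 10 ** self.pin_length

    def login(self, username, pin):
        """Return 'ok', 'fail' or 'locked'. Locked accounts reject even a correct PIN."""
        if username in self.locked:
            return "locked"
        # Constant-time comparison; a missing account compares against "" and fails.
        if secrets.compare_digest(self.accounts.get(username, ""), pin):
            self.failed[username] = 0
            return "ok"
        self.failed[username] = self.failed.get(username, 0) + 1
        if self.max_attempts is not None and self.failed[username] >= self.max_attempts:
            self.locked.add(username)
            return "locked"
        return "fail"


def simulate_guessing_bot(service, username):
    """Policy test: walk the whole PIN keyspace for one known username.

    Returns (outcome, attempts_made). A defender runs this against a staging copy
    of the login logic to confirm the lockout fires long before the keyspace is
    exhausted.
    """
    for n in range(service.keyspace()):
        guess = f"{n:0{service.pin_length}d}"
        result = service.login(username, guess)
        if result == "ok":
            return ("compromised", n + 1)
        if result == "locked":
            return ("locked_out", n + 1)
    return ("not_found", service.keyspace())


def hours_to_exhaust(service, guesses_per_second):
    """Wall-clock hours to try every PIN at a given sustained guess rate."""
    return service.keyspace() / guesses_per_second / 3600


if __name__ == "__main__":
    accounts = {"traveler": "7314"}  # constructed sample account
    # Weak setting: username/PIN with no lockout, as the article describes.
    weak = PinLoginService(accounts, pin_length=4)
    print("no lockout:", simulate_guessing_bot(weak, "traveler"))
    print("hours to exhaust at 10 guesses/s:", hours_to_exhaust(weak, 10))
    # Corrected setting: lock the account after 5 consecutive failures.
    hardened = PinLoginService(accounts, pin_length=4, max_attempts=5)
    print("with lockout:", simulate_guessing_bot(hardened, "traveler"))
```

The lockout is the minimum control; it still leaves a single factor that a leaked PIN defeats, which is why the article points to multi-factor authentication as the next step. A real deployment would also rate-limit per source address and per account, and store PINs hashed rather than in plaintext as this toy does.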
As with all hacks, now is a good time to change any passwords associated with loyalty accounts. It's also important to note that many travelers are not securing loyalty accounts with strong passwords, perhaps because they aren't seen to have a strong cash value.
However, loyalty accounts are now especially vulnerable as hackers have shifted much of their attention to gaining access to loyalty programs, which are traditionally not as strongly secured as more mission-critical e-Commerce areas of travel websites. Loyalty accounts must be treated like bank accounts, and no password should be repeated in order to limit vulnerability in case of breach.
A request for comment to Hilton has not yet been answered.