We at Saverocity view our miles and points as a currency like any other. They offer us incredible value, and we go to great lengths to acquire them as cheaply as possible. Not everyone thinks about them the way we do. Importantly, the controllers of the programs and their governing bodies don’t. Even more importantly, criminals both realize the value and know that the security protecting them is weaker than bank-level security.
I had wondered for some time how a hacker would be able to cash out the miles. It would take a rather brazen person to break into your account and attempt to fly, or stay in a hotel, with them, and whilst they could theoretically use them to book for someone else in some sort of nefarious underworld travel agency, I think they are looking for easier options.
JAL this morning confirmed my suspicion that the most popular manner in which these hackers will use your points is to cash them in for products.
Due to the high importance of this notice, this email is also being
sent to JMB members who are not subscribed to receive announcements.

Several cases of unauthorized redemption of the JAL Mileage Bank
(hereinafter, “JMB”) Amazon Gift Certificate Award through the JAL
website have been reported.
In light of this situation, JAL has suspended the exchange of JMB
miles to the Amazon Gift Certificate Award effective from 16:00 on
February 2, 2014 (Japan time).

As of this moment, no other incident has been reported for other award
redemption programs, and details are under investigation.
For better security, JAL recommends changing your JMB PIN.

Your JMB PIN can be changed through the JAL website. Please log in to
your JMB account and change your PIN.
If you forgot your JMB membership number or PIN, please retrieve your
membership number or PIN through the JAL website.

How to change your PIN
Please log in to your JMB account and select “PIN change”.
http://info.jal.com/[REDACTED]

How to request your JMB membership number or PIN
Please access the following URL and recover your membership number or
PIN.
http://info.jal.com/[REDACTED]

Further investigation into the unauthorized JMB login activities is
currently ongoing.
We are cooperating with the relevant authorities for the elucidation
of facts as soon as possible.

We sincerely apologize to all of our customers and other parties
concerned for the significant inconvenience and concern that this
situation might cause.
In JAL's case, members could cash out points in the form of Amazon Gift Cards, which made the program a target for hackers to break through the lower-level security and cash out.
Another airline that has an easy cash-out option is Etihad. Last year I gave my free 5,000 miles to charity using their mall, and whilst a criminal is less likely to do that (unless you were hacked by Robin Hood), they have many options for high value goods.
A quick check of the major airlines in the US showed me that:
- American seems to have no mall or way to shop with points
- United does have a shopping mall
- Delta does have a shopping mall
So, of the three major players in the US, I would say AA seems less risky in that the criminals have fewer options to spend your miles, though that doesn’t mean that there aren’t other outlets for them, such as selling the points/miles to a third party.
Quick look at Hotel Programs
- Hilton does have a shopping mall
- Club Carlson does have a shopping mall
- Marriott does have a shopping mall
- Hyatt does not have a shopping mall
- Starwood does not have a shopping mall
To Track or not to track?
I personally use AwardWallet to track my points. It sends me a weekly email of changes automatically, and I can log in whenever I like. On the one hand, this does mean storing your loyalty program login information with a third party, which again isn’t as secure as a bank, I imagine, so it would certainly make it a target for criminals. At the same time, if you aren’t able to manually track your programs, having the alerts sent to you will be very useful in identifying fraud.
It has been my experience that when fraud is identified (and especially when it is identified early), the fraudulent transaction is cancelled and your points are returned to your account. It is a lot easier to catch it at the time and get the points back into your account than to be oblivious and not find out until you need those points to book a trip.
AwardWallet Pro membership is retained for 6 months on a paid subscription basis (requiring a manual agreement each time) with a pay what you want model, starting at $5. Here is a code I have for free upgrades to Pro for the first 10 people (it seems to imply I get something in return, perhaps a period of free Pro membership myself) Link with code free-trkhcz
I don’t think that a program’s lack of a shopping option means it is safe from fraud and hacking, but I think having such an option certainly would make it a more desirable target for criminals, and it is something you should be aware of. I’d also log into JAL when you have time and change your passwords as they suggest.
One important note: don’t click on the links in an email from someone like JAL. That could well be phishing, a cyber crime that steals your information for future criminal activity. If you receive an email like the one I posted above, don’t click any of it. Type the URL directly into the browser and update accordingly; that way you know you are on a genuine site and not being scammed! I broke the links in the email above for that reason.
Do you know of any other programs that have the shopping option? If so, leave a comment and I will update the lists.
MarkD says
Thanks Matt! I just worry about my AwardWallet account getting hacked. The other day I logged in and my point balance had dropped by about 300K. It set off a brief panic until I realized that I had clicked on just my account instead of both my wife’s and mine combined.
American has a shopping mall: https://www.aadvantageeshopping.com/
Matt says
Hey Mark,
American’s shopping mall is for earning points – can you redeem them there too? I thought not but maybe I am wrong. The target for the criminals is a marketplace where they can redeem your points for a tangible product.
Better By Design says
Nice! Appreciate code and the posts!
As above, with Award Wallet (or Mint, or any other aggregation site) it’s a concern that they get hacked.
I still haven’t committed to a serious password storage solution though, and just keep on hashing…