Putting a price on loyalty

Travel loyalty programs have long been a soft target for opportunist fraud, but airlines and hospitality groups are finally fighting back. writes TravelMole’s Ray Montgomery. 

Card fraud in the travel sector is as prevalent as in any industry, but when it does occur it is at least a quantifiable loss with a cash value. Not so in the case of loyalty program fraud – when something with no discernible monetary value has been stolen, is it a crime in the eyes of the law? A frequent flier or hotel loyalty points program is effectively an alt currency in its own right redeemable for all kinds of goods and services.

The global loyalty program market is huge and a very appealing (and comparatively softer) target for the committed fraudster. In the airline industry alone there are about 70 frequent flyer programs with more than 300 million members. Because a loyalty point or air mile is supposedly less valuable than a dollar bill, it has been treated with less importance from a security perspective by both the companies that administer the programs and loyalty members themselves.  

Of course loyalty program fraud is nothing new; airline staff and travel agents have been known to syphon off points into their personal accounts, and there are a number of ways loyalty members themselves can game the system. What is a relatively new phenomenon is the widespread hacking of multiple accounts by criminal gangs. Since late last year, loyalty member accounts of American Airlines, United Airlines and Hilton Hotels have been cashed out with the click of a mouse. In the case of the two airlines, customers using the same email address and password combination on other websites have been blamed, but this is little comfort to members who have a credit or debit card assigned to their loyalty account along with other personal credentials.

Hijacked loyalty points are being used by criminals in the conventional way – to book reward flights, and upgrades, or increasingly being sold for hard cash on black market websites and presumably still on the traditional outlets of Craigslist and Ebay. Companies are now starting to get the message.

Following the breach, Hilton beefed up member log in protocol with a CAPTCHA firewall that protects a website against bots running account/password combinations, but more robust fraud mitigation solutions can and should also be applied. Device recognition software can highlight if multiple accounts are being accessed from a single location in quick succession while multi-factor authentication could include cellphone, credit card or passport verification as an additional measure.

Airlines in particular are taking a much closer look at account activity to highlight potentially suspicious transactions such as a sudden influx of miles into a normally low volume account. A whole raft of very different solutions are being tested but there is an overwhelming consensus across the industry – miles and points are currency and  loyalty accounts and the personal data within them should be managed with as much care as a personal bank account.