How hackers could hijack your travel rewards programs and drain your miles


For many of us, frequent flyer miles and credit card and hotel loyalty points are valuable. The idea that some of my hard-earned points could be lost or stolen has me leaping to check the app of each program to make sure the balances look right. And there’s good reason to have concern. 


Cybersecurity researchers have dug up some seriously worrying findings about the loyalty commerce company Points.com. Ian Carroll, Shubham Shah and Sam Curry recently uncovered upsetting information about the company’s systems.

Points.com provides an expansive application programming interface for popular travel rewards programs, including Delta SkyMiles, United MileagePlus, Hilton Honors and Marriott Bonvoy programs.

According to the researchers’ findings, a series of vulnerabilities in Points.com, reported to the company between March and May 2023, made it an attractive target for hackers. These vulnerabilities could have been exploited to steal customers’ travel points and personal data, and potentially to gain control of the Points loyalty programs altogether. Here’s what we know so far and how you can protect yourself.


A key issue in the Points.com system was how easily someone could look up details such as customer rewards account numbers, addresses, phone numbers, email addresses and partial credit card numbers. The researchers found a way to manipulate the system that let them move from one part of the Points API to another, which gave them access to this information.


Although there was a limit on how much information a person could retrieve at one time, the researchers pointed out that a hacker could still look up a specific person’s information and keep it without issue. A separate flaw would have let a hacker take over a customer’s account using only that person’s last name and rewards number, and then transfer the miles or other rewards points to themselves.

For Virgin Red, the researchers found leaked authentication keys that could have allowed an attacker to access the Points.com data for Virgin Atlantic and modify accounts, such as adding or removing points or changing other settings.

For United MileagePlus, the researchers found a vulnerability in the Points.com global administration website: the encrypted cookie assigned to each user had been encrypted with an easily guessable secret, the word “secret” itself. This could have allowed an attacker to execute malicious code on the website and potentially compromise the entire Points platform.

Points.com has since fixed those vulnerabilities related to Virgin Red and United MileagePlus.


Perhaps the biggest issue found, however, was a vulnerability in the Points.com global administration system that would have allowed hackers to get into any points program they wanted.

What the researchers found was that each user is assigned a cookie that is encrypted. Normally, this would be a good extra layer of security. 

However, these encrypted cookies were encrypted with the word “secret,” which the research team was able to easily guess. And if they can guess it, then a hacker certainly can.


Once they decrypted their cookie, they were able to reassign themselves permissions that a global administrator would have and then re-encrypt their cookie with something more complicated so that no one could decrypt it again. 

If a hacker were to perform this same process, they would be able to access any Points reward system and grant unlimited miles or other benefits to any accounts they want.


According to the researchers, Points.com has fixed all the vulnerabilities they reported, and there is no evidence that any malicious actors exploited them beforehand. However, they warn that there may be other unknown bugs in the system that could pose a risk to customers and loyalty programs. With that in mind, here are some things you can do to be proactive about your rewards accounts.

We reached out to Points.com, which was acquired by Plusgrade in 2022, for comment on this story but did not hear back before our deadline.


The last thing you want is for all the hard-earned points you’ve been saving up for that dream vacation to be taken away from you by a hacker. Check your accounts regularly and pay attention to any notifications from your rewards program about breaches of your information.

How do you feel about this team of researchers finding vulnerabilities within the Points.com system? Should companies have to be regularly checked for security issues? Let us know by writing us at Cyberguy.com/Contact

For more of my security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter

Copyright 2023 CyberGuy.com. All rights reserved.
