With the summer travel season coming quickly, airlines and hotels are bracing for a big spike in traffic — bot traffic, that is. Travel sites are the new target of choice for cybercriminals looking to take over users' accounts (account takeover, or ATO, attacks) and steal loyalty points. It is a big business, with huge sums of money changing hands annually. According to our most recent data, drawn from tens of billions of daily interactions with websites and mobile apps, ATO attacks are up 65% year-over-year in 2019, on top of an already large increase from 2017 to 2018.
Loyalty Points For Sale On The Dark Web
Loyalty points from frequent-flyer and hotel accounts are in high demand on the dark web. Cybercriminals use the points to buy drugs and stolen goods, and to break into further accounts belonging to victims who do not realize their email address and password are for sale online. It is increasingly clear that loyalty points are gaining a more prominent place as a dark web currency, alongside cryptocurrencies such as Bitcoin.
These ATO attacks aim to drain the points from legitimate users' accounts. The attackers try to break in through hospitality companies' login pages on their web and mobile sites, or through the APIs behind the companies' native mobile applications. The technique is credential stuffing: attackers replay email-or-username and password pairs lifted from breach dumps sold on the dark web, often making millions or billions of login attempts in the expectation that some fraction of users reused the same password. The attempts come from massive bot networks with thousands, and up to millions, of nodes: hacked internet of things (IoT) devices, the compromised browsers of real users, or spoofed browsers running on cloud servers. Spreading the attempts across many nodes keeps each IP address under per-source rate limits and makes the traffic look like ordinary logins.
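The traffic pattern described above is detectable from login audit logs because a stuffing bot walks a list of accounts while a real user retries one account. The script below is an added example, not code from the original article or from any vendor mentioned in it. It assumes a hypothetical audit line format of `<timestamp> ip=<addr> user=<login> result=OK|FAIL` and uses constructed sample lines; the thresholds (`min_attempts`, `user_spread`, `fail_ratio`, `min_failures`) are illustrative starting points, not measured values. It flags both a single noisy source and the distributed case where every node sends one attempt, which a per-IP rule alone would miss.

```python
import re
from collections import defaultdict

# Constructed sample of login-audit lines (not real traffic). Assumed format:
#   <timestamp> ip=<addr> user=<login> result=OK|FAIL
# 203.0.113.5 is a real user retrying a forgotten password; 198.51.100.7 is one
# bot node walking a credential list; 192.0.2.10-15 are a distributed botnet
# sending a single attempt per node.
SAMPLE_LOG = """\
2019-05-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-05-01T10:00:09Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-05-01T10:00:20Z ip=203.0.113.5 user=alice@example.com result=OK
2019-05-01T10:01:00Z ip=198.51.100.7 user=bob@example.com result=FAIL
2019-05-01T10:01:01Z ip=198.51.100.7 user=carol@example.com result=FAIL
2019-05-01T10:01:02Z ip=198.51.100.7 user=dave@example.com result=FAIL
2019-05-01T10:01:03Z ip=198.51.100.7 user=erin@example.com result=FAIL
2019-05-01T10:01:04Z ip=198.51.100.7 user=frank@example.com result=FAIL
2019-05-01T10:01:05Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-05-01T10:01:06Z ip=198.51.100.7 user=heidi@example.com result=FAIL
2019-05-01T10:01:07Z ip=198.51.100.7 user=ivan@example.com result=FAIL
2019-05-01T10:02:00Z ip=192.0.2.10 user=judy@example.net result=FAIL
2019-05-01T10:02:01Z ip=192.0.2.11 user=mallory@example.net result=FAIL
2019-05-01T10:02:02Z ip=192.0.2.12 user=niaj@example.net result=FAIL
2019-05-01T10:02:03Z ip=192.0.2.13 user=olivia@example.net result=FAIL
2019-05-01T10:02:04Z ip=192.0.2.14 user=peggy@example.net result=FAIL
2019-05-01T10:02:05Z ip=192.0.2.15 user=rupert@example.net result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze_logins(text, min_attempts=5, user_spread=0.8, fail_ratio=0.9,
                   min_failures=10):
    """Flag credential stuffing at two scales (thresholds are illustrative).

    Per source: an IP with many attempts, nearly all failing, spread over
    nearly as many distinct users as attempts.
    Globally: failures across all sources spread over distinct users, which
    catches a botnet that sends only one attempt per node.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    attempts = failures = 0
    failed_users = set()
    for ev in parse_log(text):
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        attempts += 1
        if ev["result"] == "FAIL":
            s["failures"] += 1
            failures += 1
            failed_users.add(ev["user"])

    flagged_ips = sorted(
        ip for ip, s in per_ip.items()
        if s["attempts"] >= min_attempts
        and s["failures"] / s["attempts"] >= fail_ratio
        and len(s["users"]) / s["attempts"] >= user_spread
    )
    spread = len(failed_users) / failures if failures else 0.0
    distributed = failures >= min_failures and spread >= user_spread
    return {
        "attempts": attempts,
        "failures": failures,
        "flagged_ips": flagged_ips,
        "failed_user_spread": spread,
        "distributed_stuffing": distributed,
    }


if __name__ == "__main__":
    print(analyze_logins(SAMPLE_LOG))
```

On the sample, only 198.51.100.7 is flagged as a source, while the global check fires because 15 of the 16 failures hit distinct users. In production the same counters would be kept over a sliding window and joined with a per-account view (one account hit from many IPs), since a successful stuffing login looks like a normal `OK` line on its own.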
Why Loyalty Points Are Becoming More Popular
What is driving this shift? Cryptocurrencies are coming under increasing scrutiny and regulation by governments, which has made them less attractive to criminals who rely on them for hard-to-trace purchases. Obscuring a transaction of any real value is getting harder.
In contrast, points transactions are lightly policed. Criminals can transfer points from one account to another easily, with no special wallet software required, and airlines and hotels are not required to report points transactions to the government. Internal controls on points moved out of hacked accounts and into other accounts are exceptionally lax. Hospitality companies generally do not require basic security measures such as two-factor authentication (2FA) to access these accounts, even when they may hold tens or hundreds of thousands of dollars' worth of points.
Points not only act as a currency on the dark web; they also let criminals make high-value purchases out in the open. Many airline and hotel loyalty programs run marketplaces where customers can buy a wide variety of real-world goods and services, from consumer electronics to Amazon and Starbucks gift cards. In essence, a loyalty program has become a type of bank account, but one with no guards, no alarms, and a vault door whose lock is incredibly easy to pick.
Simultaneously, the available pool of stolen email and password combinations has ballooned, driven by larger and larger security breaches. For example, in January 2019, security researcher Troy Hunt reported a trove of emails and passwords posted online that contained over 700 million records stored in clear text. Each year brings one or more of these massive dumps.
Despite the increase in breaches, user behavior has not changed to improve security. Even though 91% of users know the risks of reusing passwords across sites, 59% do so anyway, according to a May 2018 survey by LogMeIn. Add the fact that email updates from airlines and hotel chains are likely to be filtered or, worse, routed to spam folders, and the likelihood is fairly high that an ATO goes undetected for weeks, months or years. Users whose accounts are breached would not notice until they went to spend their points, only to find a zero where a fat balance once stood.
How Travel Sites Must Fight Back
The risks to travel sites go beyond the points they must restore to wronged users. The average cost of a breach is increasing each year, according to a study by the Ponemon Institute: the 2018 average was nearly $4 million, and what the study calls "mega-breaches," with between 1 million and 50 million accounts stolen, cost between $40 million and $350 million. These costs include remediation of infrastructure, extra staff time and business lost to reputational damage. The travel business does not enjoy fat margins, and brand equity is a significant part of the value of any travel firm. To protect themselves, their bottom lines, their shareholders and their customers, travel companies need to do a better job of fighting off these bot attacks and ATOs.
Basic steps include stronger authentication for account holders: requiring a second factor to confirm any account change (a new password, email address, phone number or transfer recipient) and, better still, making 2FA mandatory at login. Verification by email or text message is a reasonable start, but a code from an authenticator app is stronger, since SMS can be intercepted or redirected by a SIM swap. The points are already in the accounts, so the risk that users abandon them over the extra step is small.
In terms of notifying users, travel sites may want to add an option for text notifications of suspicious behavior, much like what credit card issuers do today. In fact, the credit card industry is a good model for the travel industry to emulate: while fraud remains a problem in the card sector, protections are comparatively robust and fraud levels are lower. That said, this lower level often comes at the cost of false positives and a worse user experience, so alerts and holds need tuning against legitimate customer behavior.
All of these steps will need to play a role in securing travel and hospitality accounts against ATOs focused on grabbing points. And just as Bitcoin fell out of favor as a black market currency because of systemic and security changes, loyalty points, too, will become harder to gather and more tightly policed. Until then, however, loyalty points will remain the illegal tender of choice on the dark web.