Reward Points Next Target for Hackers
Hackers for Hilton Honors: That’s the new mantra being sung by the hacking community. Readers of the KrebsOnSecurity.com site have recently reported that their Hilton Honors loyalty accounts were siphoned by e-criminals.
An article on the KrebsOnSecurity.com site explains that one of the latest big trends is for hackers to go after rewards programs.
Many people are aware that a good number of companies offer “reward,” “award” and “loyalty” points as well as airline miles. Hackers long ago realized that the accounts that manage these programs are quite vulnerable.
It can get as bad as losing 250,000 Hilton Honors points, as one reader reported to KrebsOnSecurity.com. The thieves used the stolen points to redeem several hotel stays across the United States. The hackers even changed the victim’s primary and backup e-mail addresses, preventing him from receiving alerts about the hotel bookings. Ironically, the victim is co-founder of a security firm that focuses on fraud detection. This shows how vulnerable those awards accounts really are.
A Hilton account can be accessed with a username and password, or with a member number and a four-digit PIN; it is this second method that hackers have been cracking. Hilton has since made changes to its login process.
The site LoyaltyLobby reports that Hilton added a CAPTCHA to its login process to make brute force attacks more difficult. The CAPTCHA distinguishes humans from “bots” by asking, for instance, for the sum of two numbers. The hackers had used an automated tool to rapidly try countless combinations of member numbers and four-digit PINs until some matched real accounts.
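The weakness described above is that a four-digit PIN has only 10,000 possible values, so an automated tool needs no cleverness, only volume, and the defender's job is to notice and throttle that volume. The following Python is an added example written for this article; it is not code from Hilton, LoyaltyLobby or KrebsOnSecurity, and the log format, field names, IP addresses, member numbers and thresholds are all constructed for illustration. It shows the two controls a loyalty site would pair with a CAPTCHA: per-member lockout after repeated PIN failures, and a per-source detector that flags one client spraying guesses across many member numbers (which per-member lockout alone does not catch), then lists the accounts that succeeded from a flagged source so they can be forced through a PIN reset.

```python
"""Detection and throttling for PIN brute force against loyalty accounts.

Added example, not any vendor's real system. Log lines, addresses, member
numbers and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: one source (203.0.113.5) sprays guesses across
# many member numbers and eventually hits one; the other clients are normal.
SAMPLE_LOG = """\
2015-11-02T10:00:00Z src=203.0.113.5 member=100000001 result=FAIL
2015-11-02T10:00:00Z src=203.0.113.5 member=100000002 result=FAIL
2015-11-02T10:00:01Z src=203.0.113.5 member=100000003 result=FAIL
2015-11-02T10:00:01Z src=203.0.113.5 member=100000004 result=FAIL
2015-11-02T10:00:02Z src=203.0.113.5 member=100000005 result=FAIL
2015-11-02T10:00:02Z src=203.0.113.5 member=100000006 result=OK
2015-11-02T10:00:03Z src=198.51.100.7 member=100000042 result=FAIL
2015-11-02T10:00:09Z src=198.51.100.7 member=100000042 result=OK
2015-11-02T10:05:00Z src=192.0.2.9 member=100000077 result=OK
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict (assumed format)."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flag_brute_force_sources(records, window=timedelta(minutes=5),
                             min_fails=4, min_members=3):
    """Flag sources with many PIN failures across many distinct members in a window.

    Returns {src: {"fails": n, "members": m}} for the largest offending window.
    Requiring several distinct members separates spraying from one user mistyping.
    """
    fails_by_src = defaultdict(list)
    for r in records:
        if r["result"] != "OK":
            fails_by_src[r["src"]].append(r)
    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(fails)):          # sliding time window
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            members = {r["member"] for r in span}
            if len(span) >= min_fails and len(members) >= min_members:
                if len(span) > flagged.get(src, {"fails": 0})["fails"]:
                    flagged[src] = {"fails": len(span), "members": len(members)}
    return flagged


def takeovers_to_review(records, flagged):
    """Members that logged in successfully from a flagged source: reset their PIN."""
    return sorted({r["member"] for r in records
                   if r["result"] == "OK" and r["src"] in flagged})


class PinLockout:
    """Per-member throttle: refuse PIN checks after max_attempts failures in window."""

    def __init__(self, max_attempts=5, window=timedelta(minutes=15)):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(list)

    def _recent(self, member, now):
        recent = [t for t in self._failures[member] if now - t <= self.window]
        self._failures[member] = recent      # drop expired failures
        return recent

    def is_locked(self, member, now):
        return len(self._recent(member, now)) >= self.max_attempts

    def record(self, member, now, success):
        if success:
            self._failures[member] = []
        else:
            self._recent(member, now).append(now)


def lockout_demo():
    """Three failures lock a member; the lock expires after the window (assumed)."""
    lock = PinLockout(max_attempts=3, window=timedelta(minutes=15))
    t0 = datetime(2015, 11, 2, 10, 0, 0)
    for i in range(3):
        lock.record("100000042", t0 + timedelta(seconds=i), success=False)
    return (lock.is_locked("100000042", t0 + timedelta(seconds=5)),
            lock.is_locked("100000042", t0 + timedelta(minutes=16)))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = flag_brute_force_sources(recs)
    print("flagged sources:", hits)
    print("accounts to reset:", takeovers_to_review(recs, hits))
    print("lockout (locked, expired):", lockout_demo())
```

The two controls address different halves of the problem: per-member lockout caps how many of the 10,000 PINs can be tried against one account, while the per-source detector catches the opposite strategy of trying one common PIN against thousands of member numbers, which never trips any single account's lockout. The "accounts to reset" list is the incident-response output: any successful login from a source that was spraying PINs is an account takeover until proven otherwise.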
LoyaltyLobby then says that a hacker sold Hilton Honors accounts for a dirt-cheap rate. The KrebsOnSecurity article says that quite a few people are offering the points for a tiny fraction of what they’re worth—offerings that can be found on suspicious forums. These “hot” points can be redeemed for all sorts of goodies like golf clubs and electronics.
United Airlines currently requires only a member number and PIN to log in, meaning an automated tool can get in the same way. Don’t be surprised if more news turns up about stolen airline flights being sold for a ridiculously cheap price.