Tech writer Paul Bischoff learned the extent to which this is happening when he went looking for black market airline miles and points in the anonymous, hidden part of the internet known as the dark web.
“It’s basically like Craigslist,” Bischoff explained. “There are a bunch of listings for all kinds of stuff.”
Bischoff discovered that piles of Alaska Airlines miles could be bought in exchange for bitcoin or another difficult-to-trace cryptocurrency called Monero. Hackers most commonly listed Delta SkyMiles and British Airways points.
“Usually, people won’t find out that their accounts have been hacked until many months after when they are ready to spend down those points,” Bischoff said in an interview Thursday.
Bischoff, based in Victoria, wrote about how you can protect yourself in an article for the online site Comparitech. He advises you choose a strong, unique password for your frequent flier account and follow common sense cyber hygiene practices. He also suggested protecting your airline loyalty account number by shredding boarding passes after flights and not using public wifi hotspots to access your account.
In a brief emailed statement, the PR department at Seattle-based Alaska Airlines said the carrier is aware of unpermitted trafficking in mileage plan miles.
“Our fraud team monitors the dark web and takes action to protect our customers’ accounts whenever possible,” the statement read. “This is a good reminder for our customers to monitor their frequent flier account and if you ever see unusual or suspicious activity, contact us right away.”
The fine print of all major frequent flyer membership agreements includes a clause that prohibits selling miles for cash. If an airline discovers you using stolen miles or selling miles, it reserves the right to wipe out your entire account balance.
In 2015, American and United Airlines notified thousands of customers that their frequent flyer accounts may have been compromised by hackers. Airline spokespeople said the carriers would replace any stolen miles in those cases.
Bischoff said he doubts the buyers of stolen air miles redeem them to book flights or hotels because those purchases require a person to show picture ID when checking in.
“Usually they are used to redeem different types of rewards,” Bischoff explained. “Gift cards are especially popular because they are difficult to trace.”
Bischoff was not able to confirm how the individual purveyors he found on three dark web marketplaces obtained the air miles they offered for sale. His leading theory is that hackers take over personal accounts by tricking owners to reveal their account numbers and passwords with “phishing” emails (i.e., a fake email inquiry from airline) or through a wholesale data breach.
“Some of these vendors have miles in such great quantities that we think that there might be some other means that they’re using to get them,” Bischoff said. “Maybe they have some back channel through the frequent flyer programs because they seem to just have an unlimited amount.”
He said dark web vendors sell credentials to access individual frequent flyer accounts or may choose to transfer miles to a newly created mileage account advertised as “clean.”
A table published on the Comparitech website showed a wide range of prices for the stolen loyalty points. Fifty-thousand Alaska Airlines miles could be bought for the equivalent of about $96, a fraction of how much it would cost to buy that many miles legitimately from the carrier. Forty-five thousand Delta SkyMiles ranged from $101 to $884 after converting the price listed in cryptocurrency.