Hackers Now Stealing Your Loyalty Rewards & Points

The Hilton HHonors site recently added a CAPTCHA check to its login process, presumably to cut down on hackers' attempts to hijack accounts.

The Hilton HHonors site recently added a CAPTCHA check to its login process, presumably to cut down on hackers’ attempts to hijack accounts.

While we hear almost daily reports of retailers having their payment systems hacked and customer records stolen, it looks like cybercriminals are increasingly realizing they can turn a profit by stealing assets many consumers treat as an afterthought — loyalty rewards.

KrebsOnSecurity.com reports on the rise of rewards-related theft, and specifically on the growing number of consumers who have seen their Hilton Honors loyalty accounts violated by hackers.

One man tells Krebs that he recently had more than 250,000 points stolen from his Hilton account.

First, the thieves accessed his online account and changed the e-mail addresses associated with the account so that he would not receive any correspondence regarding the use and abuse of his rewards.

Then they helped themselves to six different Hilton hotel reservations in September, from Atlanta all the way up the Atlantic coast to Stamford, CT, where we assume they attended a taping of the Jerry Springer Show.

It gets worse — because the victim had a corporate credit card linked to the Hilton Honors account, the thieves were able to use that card to purchase additional points.

Krebs checked out some online black markets where people buy things they can’t get at the corner sore (at least not legally) and found people selling Hilton HHonors points for a fraction of their face value, from as little as $10 for 50,000 points to only $200 for 1 million points, along with suggestions on how the purloined points could be used — turn them into gift cards, buy items from the Hilton HHonors online marketplace, or just turn them in for cash.

The seller advises against using them to book travel for yourself but does admit that it’s “safer (and cheaper) than using a carded hotel service.”

So how are thieves getting this info?

The fact is that, though many of us have earned some sort of loyalty rewards — whether it’s from airlines, hotels, retailers, or credit cards — not everyone treats the online repositories of these assets with the security they deserve. So you might be throwing away a good password on an unsafe site, or maybe you’re using a simple, common password on a site that is otherwise secure.

In the case of Hilton, it looks like hackers are taking advantage of the fact that there are two login options — either a user name and password or a member number and 4-digit PIN.

Hilton isn’t talking about these incidents, but Krebs points out that the hotel chain recently added a CAPTCHA step to its login process in an apparent effort to stop hackers from brute-forcing their way into accounts. This seems to indicate that thieves were just running scripts to try as many number/password combinations as possible until the account was unlocked.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.