Frequent travelers and credit card users are familiar with travel points and rewards programs that offer customers incentives and perks for their loyalty. However, these programs have also attracted a darker element: cybercriminals looking to exploit vulnerabilities and steal these coveted, hard-earned travel points.

Let’s delve into the rise of travel point theft, websites dedicated to this illicit trade, and the significant impact it has on consumers and travel companies.

The Rise of Travel Points Theft

Travel points theft involves cybercriminals gaining unauthorized access to travel reward accounts and either using the stolen points for personal gain or reselling them on the black market. This form of fraud is becoming more common and sophisticated, with attackers using methods such as phishing, credential stuffing, and malware to obtain login credentials. Once they have access, they can quickly drain accounts of their valuable points, leaving users high and dry.

How Travel Points Theft Happens

Credential stuffing and account takeover attacks are the primary methods cybercriminals use to steal travel points. Here’s how these attacks typically unfold:

1. Credential Harvesting: Cybercriminals gather login credentials through data breaches, phishing scams, or purchasing stolen credentials from dark web marketplaces.
2. Bot Attacks: Using bots, attackers test these harvested credentials across multiple travel-related websites to find matches. Bots can quickly test thousands of login combinations, making them highly effective and scalable.
3. Account Access: Once they gain access, cybercriminals can drain travel points, change account details, or sell access to other fraudsters.
4. Resell or Use of Points: Stolen travel points can be used for personal travel, transferred to other accounts, or sold online. The value of these points makes them an attractive target for fraudsters.

Black Market Websites Facilitate Travel Points Theft

Several websites and online forums are dedicated to the trade of stolen travel points. These platforms operate in the dark corners of the internet, providing a marketplace for fraudsters to buy and sell points. These anonymous transactions are difficult for authorities to track and shut down, perpetuating the cycle of theft and resale.

The Impact on Consumers

For consumers, the theft of travel points can be both financially and emotionally devastating. Travel rewards often represent significant value, accumulated over time through frequent travel and spending. When these points are stolen, consumers lose the benefits—and their trust in the travel companies they patronize. Additionally, recovering stolen points can be a time-consuming process, involving numerous interactions with customer service and proving the legitimacy of the claim. There is no guarantee that the points will be recovered or replaced.

Poor User Experience & Data Leaks

The consequences of travel point theft extend beyond financial loss. Customers often endure a very poor user experience due to the disruption and stress caused by the theft. The process of reclaiming stolen points can be tedious and frustrating, leading to dissatisfaction and potential loss of loyalty. Furthermore, when cybercriminals gain access to travel accounts, they often obtain personal information such as names, addresses, and travel histories. This can lead to data leaks and subsequent identity theft, exacerbating the damage done to the consumer.

The Cost to Travel Companies

Travel companies also face substantial financial losses due to travel point theft. When points are stolen, companies are often compelled to replace them to maintain customer trust and satisfaction. This replacement comes at a direct cost, impacting the company’s bottom line. Moreover, the reputational damage can lead to a loss of customer loyalty and future business.

According to the DataDome Bot Security Report 2023, a staggering 91% of travel websites are not protected against simple bot attacks​​. This alarming statistic highlights the vulnerability of the travel sector to bot-driven cybersecurity threats. Businesses in this sector must understand the cost implications of these threats and the return on investment (ROI) of implementing an online fraud solution.

Protecting Against Travel Points Theft

1. Bot Protection Solutions: Utilizing advanced bot protection solutions like DataDome’s can help detect and block automated attacks aimed at stealing credentials​​​​. These solutions use machine learning to analyze traffic patterns and differentiate between legitimate users and bots, making it harder for cybercriminals to use bots for credential stuffing and other automated attacks.
2. Fraud Detection Solutions: For instances where bots are sophisticated enough, or a fraudster is manually entering accounts to steal travel points, an advanced fraud detection solution—like Account Protect—can keep your business safe. These solutions analyze users’ behavior and account activity, identifying suspicious activity and promptly addressing it.
3. Enhanced Security Measures: Implementing multi-factor authentication (MFA) and encouraging users to set strong, unique passwords can significantly reduce the risk of account breaches.
4. User Education: Educating customers about the risks of phishing and other social engineering attacks can empower them to protect their accounts. Providing clear guidelines on recognizing fraudulent emails and websites can help reduce the likelihood of credential theft.
5. Regular Security Audits: Conducting regular security audits and vulnerability assessments can help identify and mitigate potential weaknesses in the system. These audits should include penetration testing to ensure that the defenses are robust against various attack vectors.

Bots Don’t Fly. So Don’t Let Them Steal Points….

Travel point theft is a growing concern that poses significant risks to both consumers and travel companies. By implementing comprehensive security measures and leveraging advanced bot protection solutions like the DataDome Platform, companies can safeguard their reward programs and maintain customer trust. As cyber threats continue to evolve, staying vigilant and proactive in security efforts is essential to protecting valuable travel points and the company’s bottom line. Additionally, improving user experience and preventing data leaks are critical components of a robust defense strategy, ensuring that customers feel secure and valued.

Want to see how DataDome can keep both your customers’ travel points and your profits safe? Try it for free or book a demo today.