Image Image Image Image Image Image Image Image Image Image
Scroll to top



Are Your Frequent Flyer Miles Secure?

Are Your Frequent Flyer Miles Secure?

As this week’s data breach at US Airways reminds us, even the computer systems of the country’s largest companies are not hack-proof.

Although full details are unlikely to be forthcoming from US Airways, WSOC TV in North Carolina reported on Wednesday that 7,700 Dividend Miles accounts had been compromised and that some miles had indeed been stolen.

Criminals tend to be rational actors, and rational actors are goal-driven. What, then, were the hackers after in breaching US Airways’ computer security? Specifically: stealing miles to what end?

Miles have value, of course. But to unlock that value without implicating yourself is no easy matter.

Have award tickets issued in your own name, leading the authorities right back to you? Dumb! Maybe you could have tickets issued in the names of people to whom you sell tickets. But then the buyers are in a position to point the finger at you. Redeem the tickets for merchandise? It must be shipped, either to you (guilty!) or to an accomplice. Gift cards? Same problem.

Even assuming a malefactor has the Dividend Miles’ members usernames and account passwords, there’s simply no easy way to make use of the miles without leaving an easy-to-follow trail of evidence.

Perhaps that explains why there are so few instances of frequent flyer mile theft.

In the US Airways case, the airline apparently restored the missing miles promptly, and the affected Dividend Miles members weren’t affected for long. But it’s still an experience best avoided, if possible.

If you’ve ever been the victim of credit card fraud, you know the drill and the outcome. Ultimately the unauthorized charges will be reversed. But not before you’ve spent plenty of time on the phone with the credit card company and filling out claim forms. It’s an inconvenience and a time-waster.

In the end, there’s not much you can do to ensure your account’s security. Constantly changing your password might help, but it’s a lot of work to avoid such an infrequent occurrence. And unless the change were made immediately following the data theft, it would be for naught anyway.

Your best hope — an it’s a realistic one — is that most hackers are smart enough to know that frequent flyer miles just aren’t worth stealing.

Reader Reality Check

Have your frequent flyer miles ever been stolen? How?

Related posts:

  • Joseph

    Have my miles ever been stolen? Heck yes, by the airline (or hotel chain) when they “expire.”

    I understand the need, from a bookkeeping standpoint, for FF points not to last “forever.” However, 12 month expirations are indefensible. They are just a way for the corporations to pick our pockets.

  • Justin

    They could be sold to brokers fraudulently… what’s a $35 wire transfer fee (to an offshore account, naturally) when the miles aren’t yours to begin with?

  • Jennifer Church

    I wonder if those folks who use the same password for all of their accounts are more at risk. Maybe the FF mile thieves don’t really want the miles — they just want the profile info, password, etc. in order to hack something more lucrative.

  • Tim Winship

    Miles themselves can’t be transferred. What brokers do is bring together a seller and a buyer. The seller redeems his miles in the buyer’s name and gives him the ticket. The broker takes a commission. Very easy for the authorities to I.D. the participants in the transaction.

  • Tim Winship

    Good point. And a good argument for NOT using the same password for multiple online accounts.

  • Justin

    In this case the brokers would be the ones being defrauded….

    A scammer, let’s call him Steve, steals the password from the account owner, let’s call him Adam. Steve calls a Broker, let’s call him Bob, via any of the anonymous ways to place a call, and pretends to be Adam. He sends Bob (again, via anonymous email) a screenshot of Adam’s account and gives Bob log-in information for the account so he can verify it on his own.

    He agrees to sell Adam’s miles to Bob and gives Bob an offshore bank account # to which he requests money be sent.

    All is fine until 6 weeks later when Bob redeems a ticket for a customer, let’s call him Carl, and his wife to Paris. Now Adam realizes his account has been hacked and he calls the airline and has the tickets cancelled.

    Steve has long since withdrawn the money; Broker is now out every cent he paid Steve and he has no idea who he even is at this point since all along he thought he was speaking to Adam.

  • Fanfoot

    Tim, I think you’re doing your readers a dis-service. Suggesting there is little they can do is incorrect. Don’t use the same password at multiple sites. Use long passwords of random characters. These days that means at least 12 letters/numbers/characters with mixed case. Which means using a password manager like LastPass or 1Password. Most of the passwords people come up with on their own are crappy (does your have Monkey in it? Does it end with numbers and there are no other numbers in it? Do you replace E’s with 3’s and I’s with 1’s? Do you uppercase only the starts of words? Etc). If your password is harder to brute-force than others and the site that was stolen followed reasonable security precautions (encrypted and salted) then having one of the last passwords to be cracked will be of help to you. Using one that will take them forever to be cracked is even better.