Your Travel Rewards Points Were Stolen. Now What?

ShareThis

A few years ago, I logged on to the website of an airline mileage program to book a flight, only to find that my miles were gone. I called the airline in a panic, and was told that another customer must have given my frequent flyer number by mistake when booking their flight. The miles were soon restored to my account. No harm was done — except to my confidence in the system.

In a time when two-factor authentication and complex passwords are required to conduct so many transactions, it's unusual that many airlines and points programs still allow you to book with rewards simply by giving your membership number over the phone. Booking online does require passwords, but with so many large-scale data breaches happening recently, many of our passwords have been compromised.

So it's no big shock that cybercriminals have been monetizing stolen rewards points on the dark web by selling discounted trips, paid for with stolen points. In fact, some have even been so brazen as to set up travel agencies and travel portals, complete with photos from happy customers, security firm Flashpoint reports.

Here's how you can protect your hard-earned points from sticky fingers.

Exercise "password hygiene"

If you haven't changed all your passwords recently — especially since Yahoo recently disclosed that all 3 billion of its accounts were hacked in 2013 — do it now. Make your new password longer and more complex. If you're not good at thinking up hard passwords, try a password generator like the one offered by LastPass. And keep updating your passwords about twice a year. (See also: Stop Making These 8 Risky Password Mistakes)

Monitor your mileage accounts

I use AwardWallet to keep track of how many miles I have in the dozen or so points accounts that I maintain for my family. Not only can I glance over all the accounts on the software's dashboard, but it actually sends me an alert when my totals change. So if a hacker used my frequent flyer miles to book a flight, I'd get an alert right away. There are other points tracking tools available as well. (See also: 4 Best Tools for Tracking Your Rewards Miles)

Guard those account numbers

Most credit card companies have stopped printing your card number on every bill, but awards programs haven't gotten so guarded yet. I receive junk mail with my frequent flyer number on it, which is bad because mailbox theft is a common criminal tactic. You can ask your points programs to stop sending you junk mail, and you can also consider getting a locking mailbox to prevent this and other forms of identity fraud. Treat those numbers like the sensitive private information they are. (See also: 18 Surprising Ways Your Identity Can Be Stolen)

Don't log onto your points account on a public Wi-Fi connection

Most of us know not to use online banking while sitting in the airport, but we might not think twice about checking our mileage totals. Don't do it. Criminals can set up Wi-Fi connections that scrape users' data while they log in. Doing this at airports and hotels makes a lot of sense from the thief's point of view — if you want to find customers with a lot of miles, try the airport. (See also: 3 Sneaky Ways Identity Thieves Can Access Your Data)

Beware of shifty agents and brokers

There are "mileage brokers" out there who have accrued large mileage totals, and who offer to book you discount flights which they will pay for with miles. Don't bite, because you have no way of knowing whether the miles they are using were acquired legally or stolen. As a personal rule, I wouldn't give my mileage or points account numbers to anyone I wouldn't hand my credit card to.

Contact the program immediately if you suspect a problem

If you aren't able to log onto your account, you might have just forgotten your password — or someone might have changed it. If you notice an unexplained password problem or any other mysterious activity, change your password immediately, and call the security team for your points program.

They should be able to investigate whether there's been a breach, and they may be able to add extra security to your account, such as requiring a password for any reservation change, or adding two-factor authentication for logging in. As with all forms of identity theft, being proactive helps nip problems in the bud. (See also: Don't Panic: Do This If Your Identity Gets Stolen)

Like this article? Pin it!

Disclaimer: The links and mentions on this site may be affiliate links. But they do not affect the actual opinions and recommendations of the authors.

Wise Bread is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.