How hackers could hijack your travel rewards programs and drain your miles

Make sure your hard-earned miles and points are intact

Kurt "CyberGuy" Knutsson explains how AI replaces jobs

CyberGuy shows you which industries are seeing more and more bots take jobs.

For many of us, frequent flyer miles and credit card and hotel loyalty points are valuable. The idea that some of my hard-earned points could be lost or stolen has me leaping to check the app of each program to make sure the balances look right.  And there's good reason to have concern. 

CLICK TO GET KURT’S FREE CYBERGUY NEWSLETTER WITH SECURITY ALERTS, QUICK TIPS, TECH REVIEWS AND EASY HOW-TO’S TO MAKE YOU SMARTER

Some cybersecurity pros have dug up some seriously worrying stuff about the loyalty commerce company Points.com. Recent findings from cybersecurity researchers Ian Carroll, Shubham Shah and Sam Curry have found some upsetting information about the company.

Points.com provides an expansive application programming interface for popular travel rewards programs, including Delta SkyMiles, United MileagePlus, Hilton Honors and Marriott Bonvoy programs.

According to the researcher's findings, the team reported that certain vulnerabilities to Points.com between March and May 2023 made it attractive to hackers. These vulnerabilities could have been exploited by hackers to steal customers' travel points, their data and potentially gain control of the Points loyalty programs altogether.  Here's what we know so far and how you can protect yourself.

IS THIS NEW TECH GOING TO COST YOU YOUR JOB? HERE'S PROOF

how hackers could hijack your travel rewards programs and drain your miles

Passengers pause to check the flight information displays at Ronald Reagan Washington National Airport on Aug. 8, 2023, in Arlington, Virginia. (Chip Somodevilla/Getty Images)

What vulnerabilities did the research team find?

A key issue that was found in the Points.com system involved easily being able to find details like customer rewards account numbers, addresses, phone numbers, email addresses, and partial credit card numbers. The researchers came across a manipulation in the system which would allow them to move around from one part of the Points API system to another, which gave them access to this information.

HOW TO RESTORE DELETED FILES AND REPAIR CORRUPTED DATA

how hackers could hijack your travel rewards programs and drain your miles

A few vulnerability issues have been found with Points.com (CyberGuy.com)

Although there was a limit in place for how much information a person could receive at one time, the researchers pointed out that a hacker could certainly look up a specific person's information and retain it without issue. Plus, there was another issue found that would allow a hacker to take a person's last name and rewards number, which would then let them take over customer accounts and transfer miles or other rewards points to themselves.

For Virgin Red, the researchers found leaked authentication keys that could have allowed an attacker to access the Points.com data for Virgin Atlantic and modify accounts, such as adding or removing points or changing other settings.

For United MileagePlus, the researchers found a vulnerability in the Points.com global administration website in which an encrypted cookie assigned to each user had been encrypted with an easily guessable secret-the word "secret" itself. This could have allowed an attacker to execute malicious code on the website and potentially compromise the entire Points platform.

Points.com has since fixed those vulnerabilities related to Virgin Red and United MileagePlus.

MORE: HOW TO AVOID VACATION RENTAL SCAMS 

What was the biggest issue that was found?

Perhaps the biggest issue that was found, however, was one that would allow hackers to get into any points system they want because of a vulnerability that lies within the Points.com global administration system.

What the researchers found was that each user is assigned a cookie that is encrypted. Normally, this would be a good extra layer of security. 

However, these encrypted cookies were encrypted with the word "secret," which the research team was able to easily guess. And if they can guess it, then a hacker certainly can.

DETECT A CREEP’S UNWANTED BLUETOOTH TRACKER WITH GOOGLE’S NEW SAFETY FEATURE

how hackers could hijack your travel rewards programs and drain your miles

One major issue of concern for Points.com is that any hacker can get into any points system. (CyberGuy.com)

Once they decrypted their cookie, they were able to reassign themselves permissions that a global administrator would have and then re-encrypt their cookie with something more complicated so that no one could decrypt it again. 

If a hacker were to perform this same process, they would be able to access any Points reward system and grant unlimited miles or other benefits to any accounts they want.

MORE: 10 WAYS TO TRAVEL LIKE A PRO FOR A WORRY-FREE TRIP

What can I do to protect my points?

According to the researchers, Points.com has fixed all the vulnerabilities they reported, and there is no evidence that any malicious actors have exploited them before. However, they warn that they may be other unknown bugs in the system that could pose a risk to customers and loyalty programs. With that being said, here are some things you can do to be proactive about your rewards accounts.

  • Monitor your accounts: Keep an eye on your rewards accounts for any unusual activity to see if any significant changes have been made, like a large deduction in your points or rewards.
  • Report any suspicious transactions or changes: If you notice any changes that you know you didn't make to your loyalty account, contact your rewards program, report any suspicious transactions or changes, and see what they can do to help you.
  • Change your passwords: Update passwords for all rewards accounts. Make them complex and unique. Think about using a password manager to help you out. Check out my best expert-reviewed password managers of 2023 by heading to Cyberguy.com/Passwords
  • Activate two-factor authentication (2FA): It's an extra layer of security that will stop hackers from accessing your accounts, even if they crack your password.

We reached out to points.com, which was acquired by Plusgrade, in 2022, for a comment on this story but did not hear back before our deadline.

MORE: NEW ONLINE TRAVEL TOOL MAKES IT EASIER TO USE POINTS INSTEAD OF PAYING FOR HOTEL STAYS 

how hackers could hijack your travel rewards programs and drain your miles

There are many ways to keep yourself safe from hackers like changing your passwords. (CyberGuy.com)

Kurt's key takeaways

The last thing you want is to have all your hard-earned points that you've been saving up for that dream vacation to be taken away from you because of a hacker. Make sure you're always checking your accounts and pay attention to any notifications you might receive from your designated rewards program about major breaches to your information.

How do you feel about this team of researchers finding vulnerabilities within the Points.com system? Should companies have to be regularly checked for security issues? Let us know by writing us at Cyberguy.com/Contact

For more of my security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter

Copyright 2023 CyberGuy.com.  All rights reserved.

Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.

Authored by Kurt Knutsson, Cyberguy Report via FoxNews August 15th 2023