At Easy Solutions we spend a lot of time thinking, talking and researching fraud: fraud in different parts of the world and across different verticals, from the most complex to the simplest methodologies. Even with all the different variables that make up these kinds of crimes, one thing is the same across all kinds of electronic fraud—their lifecycle. The lifecycle of a fraud incident is made up of three key stages:
- Planning and targeting
- Setup and launch
- Exploit and cash out
Historically, we saw criminals exclusively target financial institutions, which makes sense because that’s where the money is, right? Well, not all the money. We are increasingly seeing fraudsters expand their operations to other verticals because there is money to be made outside of the financial sector. Just last week, readers of the Krebs on Security blog complained to Brian Krebs that their Starwood Preferred Guest loyalty accounts had been hijacked by scammers. Increasingly, hackers are turning to the travel industry because there’s real money to be taken there. How many of us have thousands of unused airline miles? Today you can purchase virtually anything with those miles, to the point that many consider them a currency. Keep in mind, about 1M miles is worth more than $10,000 USD!
In this blog post, we are going to walk you through a few ways that fraudsters are carrying out travel reward program fraud.
Planning and Targeting
It all starts with a good old, great-looking phishing attack in the form of an email sent to millions of users, of whom 3 to 5% will fall for the trick and click on the link provided.
Setup and Launch
Upon clicking, the user is taken to a site that claims to let them download their plane ticket. In this stage, the criminal is on the hunt for everything and anything: credentials to redeem miles, credit card reward points, healthcare information, intellectual property, and any other valuables.
Exploit and Cash Out
Once the credentials are stolen, the fraudster can access a wide range of goods, including car and vacation rentals, electronics and even make donations.
Scenario 2: Password Reuse
Even if users don’t fall for a phishing scam that pretends to be from the airline, the prevalence of password reuse among consumers is making them vulnerable targets. In the Starwood case, hackers are leveraging passwords stolen from other sites, combined with a tool that automates the checking of those account credentials against the website of the popular travel rewards program.
What to do?
Is there any doubt that travel reward points are a valuable currency? In 2015, the travel industry is becoming the hackers’ new playground. Travel companies would be wise to take banks and financial institutions as their role models, when trying to determine how to reduce losses from fraud. They should implement a multi-pronged approach to protecting themselves and their customers, and reducing the risk of both tangible (miles/dollars) and intangible (brand) losses.
Multi-factor authentication, already adopted by most financial institutions and many email providers, is likely to become more attractive to travel companies as a simple and effective way to prevent theft resulting from password reuse. Additionally, we expect to see travel companies adopting fraud intelligence, a long-used tool of the financial services community, to protect themselves against phishing attacks on their brands. A multi-layered fraud prevention approach results in more sensitive threat detection that finds and stops more attacks than either layer would locate by itself, reduces false positives and can actually shut down a wide range of attacks before any money or miles get taken from customer accounts.
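The two layers above, applied to the password-reuse scenario, can be sketched as a small defender-side check: flag a login source that walks through many different accounts with mostly failures (the footprint of an automated credential-checking tool), then require a second factor on any account that was successfully logged into from such a source before miles can be redeemed. This is an added illustration, not code from Easy Solutions or from any rewards program; the log format, the sample events and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed login events (not real data): timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2015-03-02T10:00:01 203.0.113.7 alice FAIL
2015-03-02T10:00:02 203.0.113.7 bob FAIL
2015-03-02T10:00:02 203.0.113.7 carol FAIL
2015-03-02T10:00:03 203.0.113.7 dave OK
2015-03-02T10:00:03 203.0.113.7 erin FAIL
2015-03-02T10:00:04 203.0.113.7 frank FAIL
2015-03-02T10:00:04 203.0.113.7 grace FAIL
2015-03-02T10:00:05 203.0.113.7 heidi OK
2015-03-02T10:00:05 203.0.113.7 ivan FAIL
2015-03-02T10:00:06 203.0.113.7 judy FAIL
2015-03-02T10:05:00 198.51.100.20 alice FAIL
2015-03-02T10:05:30 198.51.100.20 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Return (timestamp, source, account, outcome) tuples; skip malformed lines."""
    return [m.groups() for m in (LINE_RE.match(l) for l in log_text.splitlines()) if m]

def score_sources(events, min_accounts=8, min_fail_ratio=0.6):
    """Layer 1: a real user retries one account; a stuffing tool walks a list of
    stolen credentials, so one source touching many accounts with a high
    failure ratio is flagged. Thresholds are assumed values for this sample."""
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0, "accounts": set()})
    for _ts, src, user, outcome in events:
        s = per_src[src]
        s["attempts"] += 1
        s["accounts"].add(user)
        s["fails"] += outcome == "FAIL"
    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[src] = {"accounts": len(s["accounts"]), "fail_ratio": round(ratio, 2)}
    return flagged

def accounts_needing_step_up(events, flagged):
    """Layer 2: a successful login from a flagged source means the reused password
    was valid; those accounts get a second-factor challenge before redemption."""
    return sorted({u for _ts, src, u, out in events if out == "OK" and src in flagged})
```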
As more travel industry transactions move to electronic channels, cybercriminals are casing the platforms they are performed on to see what they can steal. By learning from what financial institutions have done to break the cycle of fraud, travel companies will be able to efficiently and effectively ramp up their level of protection before they become the next fraud victims.