It’s difficult to get your head around the numbers in the dark market of loyalty fraud.

But, when more than 70% of a $238 billion market is at risk of being stolen overnight, with a quick phone call or a few clicks of the keyboard, it’s time to pay attention.

Update: This story originally ran on October 27. On November 3, stories began appearing on hotel and security news sites about a hack of Hilton’s HHonors program.

Members of the program have been reporting random charges on their HHonors credit cards and points being stolen from their accounts. Apparently, some hackers are getting some nice free vacations in Bora Bora.

Flyertalk’s got the details on the hack and a thread with ongoing developments.

Points aren’t just scores, and miles are more than distance traveled. Loyalty program credits are currency, every bit as good as cash; they were travel’s Bitcoin long before the e-currency was dreamt up.

According to a January 2013 report by International Travel News, at the end of 2004, The Economist estimated that there were 14 trillion unused miles/points accumulated worldwide. This figure was revised up by CNBC to 15 trillion frequent-flyer miles outstanding by 2011, and the following year The Economist and WebFlyer increased that number of unredeemed miles to 23.8 trillion. The same ITN report cites The Economist assessing the value of outstanding miles at more than $700 billion by 2005, “about equal to that of all of the printed US currency in circulation worldwide at the time.”

In dollars and cents, each mile is valued at around $0.01, bringing the value of the 23.8 trillion unredeemed miles in the 2011 Economist and WebFlyer assessment to $238 billion.

This high-value, unregulated currency is under attack from fraudsters, who exploit the loopholes and security gaps of the banks in which points and miles accounts are stored.

We spoke with experts in this field to grasp the scope of the exposure and discuss emerging solutions.

“These crimes are valued less by the authorities because there’s no real money,” CellPoint Mobile CEO Kristian Gjerding explains. “It’s a legal grey zone, because you can’t call the police or prosecute as you would with other crimes.”

Gjerding puts the grey zone in black and white, citing figures from Consumer Reports. “Worldwide, more than 70 frequent flyer programs have about 300 million members.” There’s a lot to steal and a lot of potential victims of fraud, but the systems which can be exploited are a manageable number. Learn to crack one system, it’s easy to crack others. All of them have common vulnerabilities. And in each one, there are millions of accounts to steal from.

Michael Smith, Managing Partner, Ai Group, Inc., reports that 72% of airline loyalty programs have been prey to fraudsters, and that 30% say the problem is growing each year.

He agrees with Gjerding about the difficulties of getting the authorities to respond, and understands that it’s hard for many to think of points and miles as currency, but he insists that’s how we should think of them. “Miles were already the fourth biggest currency in the world years ago,” he tells us. “They are currencies.” Smith points out that, not only can points and miles be exchanged for goods and services, but, in some programs, they can even be redeemed as cash.

The worst part of this criminal activity is that it often goes undetected. “Surveys suggest that 80% of fraud is discovered by accident,” Smith says. The airline or hotel may not be aware of any issue with an account until a customer complains. While the formal response could be that the member is responsible for the security of his account, Smith points out that this puts the company operating the loyalty program in the awkward position of telling a prized customer that they are out of luck.

Types of Fraud

The vulnerabilities of the systems are multifold, but can be grouped into three main categories of criminal activity: fraud by employees, fraud by business partners, and fraud by criminal organizations. The first two categories of fraud have plagued loyalty programs for many years, with mixed response by the companies running the programs to tighten security. The third has emerged more recently and is a booming business.

Helen Porter, head of product development for SITA’s Passenger Solution Line, tells us: “Fraud within Frequent Flyer Programs is a reality of life.”

Porter, Smith, and Gjerding agree on the principal methodologies which the three groups of fraudsters use. Staff, such as call center agents, flight attendants, and check-in desk staff, can credit miles to their personal accounts when travelers have no program affiliation or fail to use it. Business partners, such as travel agents, can do the same. Members themselves can commit fraud by double-dipping on claims for mileage for the same trip, claiming miles from two airline partners for a revenue-share ticket, for example.

The professional fraudsters — the criminal enterprises arising in the market expressly to take a chunk out of these unregulated virtual banks — collect legitimate miles into fictitious accounts with similar names to legitimate accounts, and manipulate systems to take over the identities of unsuspecting travelers.

The exposure to loyalty program identity theft is significant. As Smith tells us, because the sensitive data required to manipulate the account is out in the open, it is ready for exploitation.

“Some of the security controls are weak,” Smith says. “For example, programs which require that the caller give the operator their PIN. I’ve even heard of an operator telling a customer, who had trouble logging in, to simply use master password ‘Pineapple3’.” But, while some travelers may be savvier about giving sensitive data by phone or using blanket passwords, carelessness in other areas makes them just as vulnerable. “When you walk through the terminal, think of all the boarding passes left behind and how much loyalty information is printed right on there.”

The passenger’s name, the loyalty number, the flight data to redeem, even the loyalty member’s status can be found on most boarding passes with no encryption or secrecy controls. Though electronic boarding passes are becoming more common, they are used less often than printed passes. Industry experts say most travelers feel more secure when they can hold their boarding pass in their hand.

But those same passengers pay little attention to where they leave the boarding pass after it’s used. “IATA has considered ensuring the secrecy of data on the boarding card,” Smith says, but it’s still not an industry standard. “This is the soft underbelly of aviation.”

Professional hackers who support criminal enterprises don’t need to walk the terminal combing for abandoned boarding passes to find sensitive information ready for exploitation. They can do so from the comfort of their chair, in the anonymity of their cyber life, and loyalty members give them all the data they need, just by being social. “Fraudsters can use email accounts, and social media profiles to reverse-engineer an identity,” Smith points out. Banks and other financial institutions have responded with more complex methods of verification, but many of the companies offering loyalty programs haven’t kept up with the pace of change.

CellPoint Mobile has worked with financial institutions to address these data gaps, and transferred that experience into the development of more responsive verification systems which address these vulnerabilities in loyalty programs. “We use multi-factor authentication, and data-profiling modules which monitor activity profiles of the accounts and activity around the account,” Gjerding says. “The rule sets based on that data monitor transactions for suspicious activities commonly linked to fraud. We’ll do a cell phone check to ensure that it is associated with the account, for example. We may use credit card validation, unique SIMs on phones and unique credit cards.”

For obvious reasons, CellPoint can’t divulge all the details of the complex methods it uses to track and verify loyalty program activity. Gjerding limited himself to telling us that it is comprehensive and intelligent, gathering patterns of behaviour and determining from a number of factors when activity is irregular and should be verified. This data, he emphasized, is not stored in a way which infringes on the members’ privacy, but it is sufficient to ensure security. “There may be more data points required in certain high-risk environments,” he adds.

SITA’s Horizon Loyalty fraud prevention program also uses multi-factor verification, pairing the email address of the user with a mobile phone verification, proof of address, IP logging, and monitoring of changes to the account and transactions on the account. “The monitoring of [these factors] will, in certain cases, prevent fraudulent activity,” Porter explains. “In other cases [it provides] Frequent Flyer Program management with an indication of potential fraud.

“Accounts suspected of fraudulent activities are suspended for further analysis and strengthening of security measures. IP logging plays a crucial part in identifying and analyzing the impact of fraudsters.” She adds: “The development of fraud prevention measures is a continuous process, as fraudsters find new ways to exploit the vulnerabilities within Frequent Flyer Programs.”
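
To make the monitoring described above concrete, here is an added illustration (not SITA’s or CellPoint’s code) of a rule set that combines IP logging with account-change and transaction monitoring and returns accounts to suspend for analysis. The event format, the 48-hour window and all sample data are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)  # assumed review window after a profile change
PROFILE_CHANGES = {"email_change", "phone_change", "address_change"}

# Constructed sample events: (timestamp, account, event type, source IP, miles)
EVENTS = [
    ("2014-11-01T09:00", "FF1001", "login", "198.51.100.7", 0),
    ("2014-11-01T09:05", "FF1001", "redeem", "198.51.100.7", 25000),
    ("2014-11-02T03:10", "FF2002", "login", "192.0.2.10", 0),
    ("2014-11-03T01:12", "FF2002", "email_change", "203.0.113.44", 0),
    ("2014-11-03T01:20", "FF2002", "redeem", "203.0.113.44", 120000),
    ("2014-11-04T10:00", "FF3003", "login", "192.0.2.55", 0),
    ("2014-11-04T10:02", "FF3003", "phone_change", "192.0.2.55", 0),
    ("2014-11-09T18:30", "FF3003", "redeem", "192.0.2.55", 40000),
]

def review(events):
    """Return {account: [reasons]} for accounts to suspend pending analysis."""
    known_ips = {}    # account -> IPs logged before the current event
    last_change = {}  # account -> time of the latest contact-detail change
    flagged = {}
    for ts, acct, kind, ip, miles in sorted(events):
        when = datetime.fromisoformat(ts)
        seen = known_ips.setdefault(acct, set())
        # An IP is "new" only if the account already has a logged history.
        ip_is_new = bool(seen) and ip not in seen
        if kind in PROFILE_CHANGES:
            last_change[acct] = when
            if ip_is_new:
                flagged.setdefault(acct, []).append(
                    f"{kind} from unseen IP {ip}")
        elif kind == "redeem" and acct in last_change:
            gap = when - last_change[acct]
            if gap <= WINDOW:
                flagged.setdefault(acct, []).append(
                    f"redeemed {miles} miles {gap} after profile change")
        seen.add(ip)
    return flagged

if __name__ == "__main__":
    for account, reasons in review(EVENTS).items():
        print(account, "-> suspend for analysis:", "; ".join(reasons))
```
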

“A loyalty fraud solution,” Gjerding says, “provides airlines the necessary tools to detect and alert key stakeholders to loyalty program fraud in real time, and it offers airlines’ most loyal and valued customers the confidence and security they need as they increasingly use their mobile devices to plan, book or redeem their rewards for travel, and manage their frequent flyer accounts on the go.”

Whatever the methodology, awareness of the vulnerability is the first big step forward for loyalty programs and for their members.

“Some airlines are aware of the standard problems, some are savvier, but all airlines are potential targets,” Smith says. The only way for travelers to protect themselves, he suggests, is vigilance. He suggests travelers manage their loyalty accounts, and the data associated with them, as carefully as they manage access to their personal bank accounts.

Miles and points are currency, Smith emphasizes, every bit as much as the dollar or euro or yen. They can be used for many real-world financial transactions, everything ranging from travel to shopping to cash. Either we treat them as carefully as money, or we stand to lose a fortune.

Photo Credit: Mileage programs can be easy targets for fraud. Karl Baron / Flickr