Loyalty rewards are big business for many retailers from national juice chain Jamba Juice, J. Crew and 7-Eleven, along with local mom and pop shops. There’s just something so satisfying about getting that 10th drink for free. We love the perks, but so do hackers.
A paper punch card has no real risks associated with it, but if you’ve signed up for a card — physical or digital — you can be sure your data is being stored with the vendor because they track your purchases to grant you their freebies. And where there’s stored data, there’s risk. And the more data associated with your loyalty account, the bigger the risk is for your personal information to be stolen.
Big risk loyalty programs include hotels and airline accounts. In an exposé posted late last year by Motherboard, “How Hackers Sell Luxury Hotel Rooms for Next to Nothing,” it was reported that Hilton Honors points were on sale at a deep discount — under $900 for 100,000 points, which could score the buyer as many as 20 hotel nights — on The Dream Market, the longest-running and largest dark marketplace on the web. Airline points are also a prime target. The market closed on April 30, but others will take its place.
Stealing airline miles may not seem like it makes sense because you usually need proof of ID to cash them in for travel. But like many cybercrimes, the miles or other rewards aren’t always used directly to buy corresponding goods, but rather, used to purchase gift cards. Last year Air Miles, the Canadian rewards program, warned members that thieves stole cash miles and used them to purchase products in stores. Air Miles suspended the ability to cash in miles for gift cards while it investigated the issue.
Beyond losing your rewards, you could also fall victim to identity theft. Rewards cards not only have your name, address and telephone number, but are frequently linked to partial credit and debit card information as well.
Identity thieves use this information and combine it with other pieces of your information from other sources. With all these pieces, criminals can easily create a fake identity and go on a shopping spree.
You should protect your loyalty accounts the same way you do your financial and other sensitive accounts. But before you begin securing these accounts, do a little housekeeping.
Make a list of all of the loyalty accounts you have enrolled in. You can start by gathering physical cards from your wallet and any other places you might have stashed them. Go through your email for notifications from retailers, which should help jog your memory about programs you may not have used in some time. Ask yourself, “Do I really need this program?” to help reduce your risk pool.
One Southwest customer shared this story on the company’s forum. His Southwest Rapid Rewards account was hacked, changing his email and address and then ordering $400 of Amazon gift cards. He alerted Southwest but had yet to receive a response. “I am canceling my Southwest card because the company does not have the level of security as a credit card company. Its rewards website can be easily hacked [and] you can lose your points at any time.”
Once you’ve compiled your cut list, go on each website and cancel your account. Dispose of any physical cards. With the remaining programs, go in and change your password.
Each account should have its own password and one you have not previously used. Enable two-factor authentication whenever possible. Check your account rewards on a regular basis, especially for airline and hotel programs. If you see a discrepancy, contact the company immediately.
Looking ahead, when you sign up for a new rewards program, keep these safety tips in mind. Never include your passport, social security or driver’s license number. If the signup form asks for an email address, use an alias email account you’ve created just for rewards programs and other subscriptions. If there is an app associated with the program, think twice about downloading it because of ongoing problems with fraudulent apps. Can you use the website instead? Just input your phone number at checkout?
And finally, when you are looking to buy miles or points, only purchase from the company. Individuals selling on eBay and similar platforms may not be legitimate — if it sounds too good to be true, it may be a scam.