There is an underground market for trading loyalty rewards

Nov 3, 2014 21:59 GMT

Customer accounts from loyalty programs offer enough benefits for cybercriminals to be interested in hacking them, as a Hilton Honors client has recently found out.

Hilton Honors is a hospitality company that provides its loyal customers with points for each stay at its locations, offering the possibility of free stays or significant discounts once sufficient points have been accumulated.

Crooks book hotel rooms across the East Coast

Security blogger Brian Krebs reports that Brendan Brothers, a customer with a loyalty account at Hilton Honors, was cleaned out of more than 250,000 points gathered on his trips from Newfoundland, Canada.

The crooks broke into his account and used the points to book rooms towards the end of September at locations across the East Coast of the United States.

Moreover, the cybercriminals used the credit card details associated with the account to purchase additional points.

After breaking into the account, the hackers changed the email addresses used for various service notifications, in an attempt to hide the fraudulent activity.

It is clear that such services do not pay much attention to securing the login procedure for these accounts. In the case of Hilton Honors, the company offers the choice of a username and password pair or a member number and four-digit PIN for accessing the account.

Without supplementary security measures, a four-digit PIN is easy to guess with automated tools that brute-force their way in. In a recent attempt to foil this sort of attack, the company added a Captcha to the login process.
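As an added illustration of the kind of supplementary measure the paragraph above alludes to, the following example (written for this article, not Hilton's own code) throttles PIN guesses per member number and flags accounts that accumulate many distinct failed PINs; the member numbers, PINs and log entries are constructed.

```python
from collections import defaultdict

MAX_FAILURES = 5            # consecutive wrong PINs before the account is locked
LOCKOUT_SECONDS = 15 * 60   # lockout duration; hypothetical policy values


class PinLoginGuard:
    """Tracks failed PIN attempts per member number and enforces a lockout,
    so a four-digit PIN cannot simply be enumerated by an automated tool."""

    def __init__(self):
        self.failures = defaultdict(int)   # member_no -> consecutive failures
        self.locked_until = {}             # member_no -> unix time lock expires

    def attempt(self, member_no, pin, correct_pin, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        if self.locked_until.get(member_no, 0) > now:
            return "locked"                 # refuse even a correct PIN while locked
        if pin == correct_pin:
            self.failures[member_no] = 0
            return "ok"
        self.failures[member_no] += 1
        if self.failures[member_no] >= MAX_FAILURES:
            self.locked_until[member_no] = now + LOCKOUT_SECONDS
            self.failures[member_no] = 0
            return "locked"
        return "denied"


def flag_brute_force(events, threshold=20):
    """Detection side: return member numbers that saw at least `threshold`
    distinct failed PINs in a login log of (member_no, pin, success) tuples."""
    distinct_failed = defaultdict(set)
    for member_no, pin, success in events:
        if not success:
            distinct_failed[member_no].add(pin)
    return sorted(m for m, pins in distinct_failed.items() if len(pins) >= threshold)


# Constructed sample log: one member number is being enumerated sequentially,
# another just mistyped a PIN once before logging in.
SAMPLE_LOG = [("12345678", f"{i:04d}", False) for i in range(25)] + [
    ("87654321", "1111", False),
    ("87654321", "2222", True),
]

if __name__ == "__main__":
    print(flag_brute_force(SAMPLE_LOG))   # ['12345678']
```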

There is a demand for such goods

Following this incident, Krebs searched for evidence of loyalty points being traded on dodgy forums, and he found plenty of it on Evolution Market, a marketplace hidden in the Tor anonymity network.

The research also revealed that Hilton Honors points can be used to purchase items, electronics included, from the company's stores. Moreover, the reward points can be redeemed for gift cards that can be exchanged for cash.

An advertiser offering Hilton Honors rewards even warned potential buyers that there was a risk in using them for personal hotel stays, although they are safer and cheaper than stolen credit cards.

In this case, the benefits of two-factor authentication (2FA) are obvious, and the security measure should be adopted on a larger scale for all services that provide an online account.