In recent years, it has become clear that cybersecurity is an issue that many companies are struggling with. Unfortunately, that extends to the world of customer loyalty programs. Both Marriott Bonvoy Hotel And IHG One Rewards has suffered data breaches affecting millions of consumers, and the 2017 Equifax attack left millions of Americans vulnerable. identity theft. Clint Hendersona managing editor at TPG, recently had AAdvantage account hacked and over 300,000 miles stolen.
With loyalty programs being such a vulnerable target, protecting your information from being compromised is more important than ever. So how do you do it?
TPG spoke with Bahman Hayata software engineer specializing in cybersecurity who has worked for IBM and Microsoft, to ask for advice on how to keep our data safe from hackers. According to Hayat, data hacking is becoming more common due to poor cybersecurity and sometimes negligence.
“There are many ways for data to be breached, from unsecured storage containers and databases on the internet to social engineering attacks against authorized users to simple human error,” Hayat said. “At this point, we should assume we have been affected and expect to be affected again.”
While giving up our information puts us at risk, participating in a rewards program isn’t something we can ignore. So what can we do to protect ourselves from future data breaches? Here are some simple steps you can take.
Avoid providing sensitive information unless necessary
The first step to protecting your account is to avoid providing sensitive information in the first place.
“Anytime you have to provide personally identifiable information to a service, think carefully about whether it’s necessary,” Hayat said. “The less we provide, the less likely we are to be affected by a breach.”
Your birthday, passport Phone numbers and even addresses can put you at risk, so avoid providing this information if possible. If you need to provide this information, it’s less risky if the site offers two-factor authentication. If the program doesn’t, Hayat recommends reaching out and asking the program to start providing it.
Related: How to Recognize and Prevent Credit Card Fraud
Daily News
Reward your inbox with the TPG Daily newsletter
Join over 700,000 readers to get the latest news, in-depth guides, and exclusive offers from TPG experts
Use two-factor authentication
Setting up two-factor authentication for your loyalty accounts is an easy but important way to increase online security.
Two-factor authentication adds an extra layer of security by requiring two forms of verification before granting access. Typically, this involves something you know (like a password) and something you have (like a smartphone app that generates a temporary code or sends a push notification or email) or using biometrics like a fingerprint or facial recognition. This dual requirement makes it harder for unauthorized individuals to gain access because they will need both your password and the second factor.
Additionally, two-factor authentication provides immediate alerts if someone tries to access your account, allowing you to take quick action to secure your account. This proactive approach is critical in preventing unauthorized transactions or misuse of your points and miles.
If you’re an Amazon customer, you’ve probably set up two-factor authentication and are used to receiving text messages with verification codes when you try to log in to your account. This keeps your information safe from potential hackers who could access your password and charge your Amazon account. You might be thinking, “That’s not smart. They’d have to provide their home address for those orders. They’d get caught.”
A hacker could have many different motives for wanting to access your Amazon account, including The scam is called “tooth brushing”, where they send poor quality products to customers who do not order and then write fake reviews about these products to increase their reach in the online market.
According to Hayat, multi-factor authentication can help prevent situations like this. While Amazon uses text-based authentication, Hayat advises against using it.
“These are vulnerable to SIM swapping attacks, where an attacker can convince your carrier to port your phone number to their SIM,” he says. “If you must use text-based authentication, call your carrier and set up a PIN with them. I recommend using Microsoft Authenticator or Google Authenticator. If you want to go one step further, use a YubiKey.”
Related: Understanding 3D Credit Card Security and How It Can Affect Your Travel to Other Countries
Check if your data has been breached
Hayat also recommends regular check-ups. Have I been Pwned? to see if your information has been exposed in a data breach. If your account has been compromised, the best thing to do is to immediately change your password and start using a password manager and multi-factor authentication.
Use a password manager
Confession: I used to keep all of my rewards program passwords in a document on my laptop. If someone got access to that document, all of my information would be compromised. Experts recommend creating unique passwords for each account, but that’s incredibly difficult to manage if storing them all on a computer or paper file isn’t an option.
Hayat recommends using a password manager as a secure solution to store all your login information in one place.
“That way, you have a strong, unique password for every service, and if one of them is leaked, the attacker won’t be able to use that password for other services. This protects you from something called ‘credential stuffing,’” Hayat said.
“Credential stuffing is when an attacker uses leaked credentials to gain unauthorized access to user accounts on other services,” Hayat continues. “For example, if you use the same password on sites A and B, if site A’s data is compromised, the attacker can use that password to log in to site B. Using unique passwords will protect you from such an attack.”
Hayat recommends 1Password because it’s a great, reputable, and secure choice.
Related: Why a password manager is an important part of my points and miles strategy
Monitor your credit
Whether you invest in a credit monitoring service or check your credit score occasionally, Hayat recommends checking your credit report annually to make sure there are no discrepancies. If a hacker maxes out your credit card in your name, you’ll see it on your credit report. You may even get free credit monitoring through Experian and get notified when new accounts are opened or your credit score changes.
Hayat recommends freezing your credit and then temporarily lifting the freeze before opening a new account for peace of mind. A credit freeze will prevent anyone from accessing your credit information or opening new accounts. If your data is breached, a credit freeze is the best way to protect yourself from further damage.
Related: 6 Things to Do to Improve Your Credit Score
Recommend loyalty programs to get more serious about security
With all the recent data breaches, it’s clear that companies aren’t taking the necessary precautions to keep our data safe.
“A lot of companies today are not making the necessary investments in their cybersecurity,” Hayat told TPG. “We see that Leaked passwords are not hashed and salted or weak hashes like MD5 are used, which can be easily cracked. Therefore, as users, we must take the necessary steps to be protected in case of a breach.”
Hayat recommends contacting loyalty programs and banks that haven’t implemented two-factor authentication and asking them to do so. After all, we’re responsible for our data, and if we’re handing it over to a third party like a loyalty program, we should make sure it stays secure.
How does a loyalty program protect you from fraud?
A recent spate of data breaches has led many airline and hotel loyalty programs to require two-factor authentication as a mandatory step when logging into their accounts. While this can be frustrating for anyone who logs into their accounts frequently, it’s better to be safe than sorry. Here’s how major loyalty programs are fighting data breaches:
Airline program
- American Airlines AAdvantage: Optional two-factor authentication via email
- Delta SkyMiles: No two-factor authentication option
- Frontier Miles: Optional Two-Factor Authentication
- JetBlue TrueBlue: Mandatory two-factor authentication via email with option to switch to more secure two-factor authentication via text message
- United MileagePlus: Rolling out selective testing of two-factor authentication
- Southwest Rapid Rewards: No two-factor authentication option
- Free Spirit: No two-factor authentication option
- Air Canada Aeroplan: Two-factor authentication required via email
- Air France-KLM Flying Blue: Mandatory two-factor authentication via email
- British Airways Executive Club: Optional two-factor authentication via email
- Qatar Airways Privilege Club: Mandatory two-factor authentication via email
- Singapore Airlines KrisFlyer: Optional two-factor authentication for flight bookings; mandatory two-factor authentication for changes to KrisFlyer accounts
Hotel Program
- Hilton Honors: Mandatory two-factor authentication via email for limited activities only, such as logging in with a new device
- Marriott Bonvoy: Optional two-factor authentication for email or phone verification
- IHG One Rewards: No two-factor authentication option
- Radisson Rewards: No two-factor authentication option
- World of Hyatt: No two-factor authentication option
Related: Why Small Charges on Your Credit Card Can Cause Big Problems
Last line
As technology continues to advance, it’s no surprise that hackers are targeting our information. Since loyalty programs contain personal information as well as hundreds of thousands of points or miles, keeping your account secure is important.
Follow the tips outlined in this story to minimize potential damage and help protect yourself from future identity theft.
