Following the news that 2 airlines were targets of an attempt to steal customers' miles, Ken Westin, security analyst at Tripwire, explains why these systems have poor security controls in place:
“We have seen similar compromises occur with other loyalty programs, such as with Hilton Honors several months ago. Air miles and loyalty programs are low-hanging fruit for hackers because although air miles and points can be used as a form of currency to purchase trips, hotel stays and other goods and services, they generally lack the security controls you would usually see with traditional forms of currency such as with credit card transactions.
“Loyalty points and air miles are not required to be secured by secure compliance initiatives such as PCI, and the level of security provided to secure user accounts is up to the vendor. Most of the websites for accessing these accounts have had woefully inadequate security, with improper password policies, and none that I have seen offer any sort of two-factor authentication option for better security. The fact these miles and points can be traded in underground markets in exchange for bitcoin or other forms of cryptocurrency, paired with the lax security to gain access to the accounts, creates a perfect opportunity for the enterprising hacker to generate income from their exploits.”