Advertiser Disclosure

How to prevent your miles from being hacked & stolen

by on Mon December 29, 2014 • No Comment


Travel hacking has grown as a hobby, but there’s another kind of mile hacking that’s dangerous and growing even faster. It’s hacking into accounts and stealing miles to book unauthorized tickets. Miles have real cash value to brokers, and accounts holding them are an easy target because people don’t check in on them as frequently as financial accounts.

Case in point – Yahoo writer Dan Rosenbaum.

He had his United MileagePlus account hacked, with hundreds of thousands of miles stolen and used to book fraudulent tickets, while also finding one of his own tickets was canceled.

Fortunately, he resolved his case, got the miles reinstated and his trip rebooked.

But in the process he learned about some basic vulnerabilities that anyone with a sizable mileage balance should know about.

You can read his story – one of the most important this year if you care about miles and points.

And here are some of the most actionable points Dan makes:

Don’t use hotel wifi or public airport wifi.

United’s security team told him many accounts are compromised while members are traveling and using free hotel or airport wifi. Perhaps related, United recently added authentication to wifi networks at its United Clubs. To make sure you’re secure in places with unsecure networks get a mobile hotspot added to your data plan if you travel frequently and access your account on the road.

Add https:// when logging into your airline’s website.

Despite the sensitivity and value of frequent flier accounts, none of the big U.S. airlines uses a secure socket layer by default on their home pages. That’s a risk to you, since all of them let you login to your account directly from the home page, transmitting your username and password in an unsecure environment.

You can get around that by adding https:// to the website address before logging in.

For example, go to via and you’ll pass your credentials in a more secure encrypted format.

Add a password to your reservations.

You can ask to have a security code or passphrase added to your reservations so they can’t be cancelled over the phone by an unauthorized party. It’s not a formal procedure, but just tell the reservation agent to make a note in your reservation record that only someone with that phrase or code can change the reservation.

It’s cumbersome – you have to call in and add one each time, and it won’t help if someone gets online access to your account and cancels flights, but it’s an extra layer of security if you’re concerned.

Try this for really important trips that will be difficult to rebook.

If your login stops working contact the airline immediately.

That’s a red flag your password has changed by someone unauthorized. Call immediately and investigate what’s happening. The longer you wait, the more likely damage will be done. Miles are valuable – treat them like cash, especially if you have a big balance.

Unfortunately it can take several days to complete an investigation – in United’s case it asks that you email and wait 7 to 10 days.

He got things sorted out sooner by getting in touch with a friend who is a very frequent flier with United, but you probably don’t have a friend like that.

So best to make your case known on social media and be patient. This fraud victim got miles reinstated within a day.

Beware of good deals.

Mileage brokers are growing rapidly. They acquire points on the cheap (some by paying consenting parties, some by theft) and use them to buy First and Business Class tickets on your behalf, charging you a price lower than the market price for a cash ticket.

So if someone tries to sell you a heavily discounted Business or First Class ticket, think twice. It’s probably a mileage broker who may be using miles stolen from someone’s account to book the flights. If the fraud is detected, at best you’ll have your trip canceled, and at worst you could be in the chain of liability.

There is no such thing as a truly safe ticket from a mileage broker, and some of them hide the fact they are mileage brokers, making things even more confusing.

What will change?

Frequent flier security feels stuck in 2001. There’s a lot to improve on.

At minimum the airlines need to beef up their login systems with things like challenge questions. United still uses a vulnerable 4 digit PIN to login, while American and Delta have shifted to longer, more secure password phrases.

Going further, we’d like to see apps send text alerts when there is mileage activity, the way bank apps do when your credit or debit card is used.

Airlines are catching on, and expect more improvements in 2015, but nothing is foolproof.

Even bank point programs, with more robust bank level authentication are seeing a big rise in fraud.

The following two tabs change content below.

Chase Sapphire Preferred® Card

Miles dont expireas long as card is open
Learn more

Partner Offer

50,000 bonus points

Intro Offer

$0 introductory annual fee, then $95

Annual Fee


Foreign Transaction Fee Waived


Points Can Transfer to Airline Miles ?

Still confused? Have a question?

Leave a comment below -- we'll reply shortly -- no need to use your real name. Or, use the email form at the top of the page for private advice.

"These responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered."

Leave a Reply

Your email address will not be published. Required fields are marked *