Brendan Brothers, a frequent traveler based in Newfoundland, Canada, discovered that his Hilton Honors account was missing more than a quarter-million points he had accumulated through Hilton's loyalty program. Brothers said the perpetrators cashed in the points for half a dozen hotel stays in the last week of September, booking rooms along the East Coast of the United States, from Atlanta to Charlotte, N.C., and as far north as Stamford, Conn.
“They got into the account and of course the first thing they did was change my primary and secondary email accounts, so that neither I nor my travel agent was getting notifications about new travel bookings,” said Brothers, co-founder of software security firm Verafin.
When they exhausted Brothers’ points, the fraudsters used a corporate credit card that was already associated with the account to purchase additional points.
“The thieves reserved rooms at more affordable Hilton properties, probably to make the points stretch further,” Krebs reports.
Brothers has yet to hear from Hilton after filing a complaint about the fraud.
According to Krebs, vanishing points are a growing trend across rewards programs.
“The online accounts used to manage these reward programs tend to be less secured by both consumers and the companies that operate them, and increasingly cyber thieves are swooping in to take advantage,” he writes.
For example, “Hilton gives users two ways to log into accounts: With a user name and password, or a member number and a 4-digit PIN. What could go wrong here? Judging from changes that Hilton made recently to its login process, thieves have been breaking into Hilton Honors accounts using the latter method.”
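The weakness Krebs points at is the size of the second credential: a 4-digit PIN has only 10,000 possible values, so whether it protects anything depends entirely on how many guesses the login endpoint allows. The model below is an added example, not code from the article, from Krebs, or from Hilton; it is an in-memory simulation with constructed member numbers and PINs (the member number 12345678, the PIN 0417, and the 50-account sample population are all made up). It shows three things: an unthrottled member-number + PIN login falls to a straight PIN sweep; a per-account lockout stops that sweep; but the same lockout does nothing against PIN spraying, where the attacker fixes one PIN and walks across member numbers, costing each account only a single failure.

```python
"""Added example: why a member-number + 4-digit PIN login path invites account
takeover, and what a per-account lockout does and does not change.

Everything here is a constructed in-memory model. No real service, member
number or PIN is involved; the sample values are made up for illustration.
"""
from dataclasses import dataclass
import hmac

PIN_SPACE = 10_000  # four decimal digits: 0000 .. 9999


@dataclass
class Account:
    member_number: str
    pin: str
    failed_attempts: int = 0
    locked: bool = False


class UnthrottledLogin:
    """Login that checks member number + PIN with no limit on wrong guesses."""

    def __init__(self, accounts):
        self.accounts = {a.member_number: a for a in accounts}

    def login(self, member_number, pin):
        acct = self.accounts.get(member_number)
        if acct is None:
            return False
        # Constant-time compare; irrelevant to the brute-force problem but the
        # right habit for any credential check.
        return hmac.compare_digest(acct.pin, pin)


class LockoutLogin(UnthrottledLogin):
    """Same check, but the account locks after MAX_FAILURES wrong PINs."""

    MAX_FAILURES = 5

    def login(self, member_number, pin):
        acct = self.accounts.get(member_number)
        if acct is None or acct.locked:
            return False
        if hmac.compare_digest(acct.pin, pin):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.MAX_FAILURES:
            acct.locked = True
        return False


def brute_force_pin(service, member_number):
    """Sweep every 4-digit PIN against one account.

    Returns (pin_found_or_None, attempts_used)."""
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if service.login(member_number, pin):
            return pin, n + 1
    return None, PIN_SPACE


def pin_spray(service, member_numbers, pin):
    """Fix one PIN and try it once against every member number.

    Each account sees at most one failure, so a per-account lockout never
    fires; with a 4-digit PIN roughly 1 in 10,000 accounts will match."""
    return [m for m in member_numbers if service.login(m, pin)]


def sample_accounts(n=50):
    # Constructed population: sequential member numbers, PINs spread over the
    # keyspace deterministically (i * 1111 mod 10000), so exactly one account
    # (i = 1) holds the PIN 1111.
    return [Account(str(10_000_000 + i), f"{(i * 1111) % PIN_SPACE:04d}")
            for i in range(n)]


def brute_force_demo():
    member, secret = "12345678", "0417"  # constructed sample credential
    weak = UnthrottledLogin([Account(member, secret)])
    found, tries = brute_force_pin(weak, member)
    hardened = LockoutLogin([Account(member, secret)])
    found2, _ = brute_force_pin(hardened, member)
    return {"weak_found": found, "weak_tries": tries,
            "hard_found": found2,
            "hard_locked": hardened.accounts[member].locked}


def spray_demo():
    svc = LockoutLogin(sample_accounts())
    members = list(svc.accounts)
    hits = pin_spray(svc, members, "1111")
    locked = [m for m, a in svc.accounts.items() if a.locked]
    return hits, locked


if __name__ == "__main__":
    print(brute_force_demo())  # sweep finds 0417 on try 418; lockout version locks, finds nothing
    print(spray_demo())        # one hit across 50 accounts, no account locked
```

The takeaway for anyone operating a PIN-style login: a per-account failure counter closes the single-account sweep but not the spray, and it hands an attacker who knows a member number a way to lock the real owner out. The usual additional controls are rate limiting keyed on source address and session, a CAPTCHA or similar challenge after a few failures, and, where a second login path exists only for convenience, removing it and requiring the password-based login with multi-factor authentication.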