Ah summer: the time for cookouts and fireworks and long days at the beach trying not to check your email. It's also a time to finally use all those airline miles and hotel points you've accumulated to get a free place to stay and free transportation to get there.
If they haven't been stolen, that is.
Those points and miles have become the target of the latest hacking scams, and most travel-related sites haven't done much about it, according to the recently released State of Email Trust Report from email security company Agari. While financial institutions are still attacked with gusto, Agari has found that most of them have put up roadblocks to those attacks. And when one path is blocked, scammers will quickly find one that is not.
"Criminals are still going after the liquid assets in banks and credit cards, but they've found those sites have been locked down," says Patrick Peterson, Agari founder and CEO. "It's much harder to do something with airline miles and hotel points, but it's much easier to get your hands on."
Airline points a new form of black market currency?
Peterson calls scamming customers out of miles and points the "issue du jour" in travel hacks.
"Criminals have discovered that they can monetize all those wonderful airline and hotel points," he says. "They are very busy doing some very nefarious things with that, and a lot of our hotel chains and airlines are up in arms."
In January, for example, the Starwood Preferred Guest program was hacked. Lufthansa and British Airways saw similar incidents this spring.
Hackers are doing this, Peterson says, because banks and credit card companies have finally gotten serious about security, and even though there's less cash value to miles or points, they're still worth something on the black market especially if the hacking process can be automated.
"It's quite surprising they got away for so long with so little security," Peterson says of many travel sites.
Two big exceptions in these security flaws, he said, are Booking.com and Delta, which were both ranked "Safe" by Agari's TrustScore rankings.
Multiple travel-related sites, including AirTran, American Airlines, CheapOAir, Expedia, Marriott, SkyWest, United Airlines and USAirways were ranked "Vulnerable," the lowest rank possible. Sites for Hotels.com, Jetblue, Priceline, RentalCars, Travelocity, Trip Advisor and Virgin America ranked "At Risk," which is in the middle.
How the hack works
While the target of these travel scams points may have changed, the method of getting the information acquiring usernames and passwords has not.
Scammers are still sending phishing emails to get consumer information, and also sending invoices or vouchers for fake tickets to get malware onto consumer's machines, said Peterson.
Sign up for CIO Asia eNewsletters.