
Hackers Have Scored Unlimited Airline Miles, Targeting One Platform


TRAVEL REWARDS PROGRAMS, such as those run by hotels and airlines, each advertise the unique benefits of joining their club rather than a rival's. Behind the scenes, however, several of these programs (including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy) share the same digital infrastructure. The backend is provided by the company Points, which offers a range of services including a comprehensive application programming interface (API).

In a new finding, a group of security researchers discovered vulnerabilities in the Points.com API that could be exploited to expose customer data, steal customers' "loyalty currency" (such as miles), or take over the Points global administration accounts and thereby gain control over an entire program.

About the Vulnerabilities

The researchers discovered a flaw that allowed them to move between internal sections of the Points API infrastructure and then query it for reward-program customer orders. The system held 22 million order records, containing information such as customer rewards account numbers, addresses, phone numbers, email addresses, and partial credit card numbers. An attacker could not simply dump the entire data store at once, because Points.com limited how many responses the system would return at a time. However, the researchers point out that the flaw would still have allowed a threat actor to look up specific people of interest or to gradually drain data from the system over time.
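The slow-drain scenario described above is exactly what a per-request rate limit does not catch. As an added example (not Points.com code; the log format, client ids and thresholds are constructed), the check below counts distinct order ids per client over a sliding window, so a client walking through many records at a polite pace is flagged while a user reloading their own order is not:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data): timestamp, client id, path.
# client-A walks six distinct order ids at a polite pace; client-B reloads one
# order repeatedly; client-C views three different orders, treated as normal here.
SAMPLE_LOG = """\
2023-08-01T10:00:00 client-A /v1/orders/100001
2023-08-01T10:00:07 client-A /v1/orders/100002
2023-08-01T10:00:15 client-A /v1/orders/100003
2023-08-01T10:00:22 client-A /v1/orders/100004
2023-08-01T10:00:30 client-A /v1/orders/100005
2023-08-01T10:00:38 client-A /v1/orders/100006
2023-08-01T10:01:00 client-B /v1/orders/200001
2023-08-01T10:01:05 client-B /v1/orders/200001
2023-08-01T10:01:09 client-B /v1/orders/200001
2023-08-01T10:02:00 client-C /v1/orders/300001
2023-08-01T10:02:30 client-C /v1/orders/300002
2023-08-01T10:03:00 client-C /v1/orders/300003
"""

def parse_line(line):
    """Split one log line into (timestamp, client, order_id or None)."""
    ts, client, path = line.split()
    oid = path.rsplit("/", 1)[1] if path.startswith("/v1/orders/") else None
    return datetime.fromisoformat(ts), client, oid

def find_enumerators(log_text, window=timedelta(hours=1), max_distinct=5):
    """Return {client: distinct order ids} for clients that touched more than
    max_distinct *distinct* orders inside any window, however slowly they did it.
    Counting distinct ids rather than requests keeps a user reloading one order quiet."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, oid = parse_line(line)
        if oid is not None:
            by_client[client].append((ts, oid))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {oid for ts, oid in events[i:] if ts - start <= window}
            if len(seen) > max_distinct:
                flagged[client] = len(seen)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'client-A': 6}
```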

Another bug was an API configuration issue that could allow a threat actor to obtain an account authorization token for a user knowing only their last name and reward number. Those two pieces of information might have been obtained through earlier breaches, or by using the first weakness. With this token, attackers could take control of customer accounts and transfer miles or other reward points to themselves, draining the victims' accounts.

The researchers also noted that these two vulnerabilities resembled other bugs discovered earlier, one affecting Virgin Red and the other United MileagePlus; these too were patched by Points.com.

Most importantly, the researchers discovered a flaw in the Points.com global administration website, where the encrypted cookie issued to each user had been encrypted using the secret phrase "secret" itself. By guessing this, the researchers could decrypt their own cookie, reassign themselves global administrator credentials for the website, and re-encrypt the cookie, essentially gaining god-like ability to access any Points reward system and even grant accounts unlimited miles or other perks.
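The failure above is a key-management problem rather than a cryptography problem: whatever the cookie scheme, a guessable key lets anyone mint a cookie the server trusts. As an added example (not Points.com code), the module below uses HMAC-signed cookies to stand in for the article's encrypted cookie, adds a startup check that refuses a short or blocklisted key, and shows that a cookie minted with the guessed key verifies only when the server actually used that key; the keys and blocklist are constructed:

```python
import base64, hashlib, hmac, json, secrets

# Constructed example, not Points.com code. HMAC-signed cookies stand in for the
# article's encrypted cookie: in both designs a guessable key lets anyone mint a
# cookie the server trusts, so the key must be random and long, never a passphrase.

WEAK_KEY = b"secret"                   # the kind of value the article describes
STRONG_KEY = secrets.token_bytes(32)   # what the server should be using instead
KNOWN_BAD = {b"secret", b"password", b"changeme", b"", b"key"}  # constructed blocklist

def key_is_acceptable(key):
    """Startup check: reject keys on the blocklist or shorter than 32 bytes."""
    return key not in KNOWN_BAD and len(key) >= 32

def sign_cookie(key, claims):
    """Serialise claims and append an HMAC-SHA256 tag computed under key."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(key, cookie):
    """Return the claims if the tag verifies under key, otherwise None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def admin_cookie_from_guess(server_key, guessed_key):
    """Does a cookie minted with guessed_key pass verification under server_key?
    True exactly when the server's key was guessable, which is the article's flaw."""
    forged = sign_cookie(guessed_key, {"user": "guest", "role": "global_admin"})
    claims = verify_cookie(server_key, forged)
    return claims is not None and claims["role"] == "global_admin"

if __name__ == "__main__":
    print(key_is_acceptable(WEAK_KEY), key_is_acceptable(STRONG_KEY))  # False True
    print(admin_cookie_from_guess(WEAK_KEY, b"secret"))                 # True
    print(admin_cookie_from_guess(STRONG_KEY, b"secret"))               # False
```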

Moreover, the researchers confirmed that the fixes do their job, and said that Points was very prompt and cooperative in addressing the disclosures.

Are your rewards and loyalty points dwindling? You might want to take a look!


The universe is lazy: everything that occurs follows the principle of least action. It should be no surprise that living things have evolved to obtain the most benefit for the least work; consider the intersection of intelligence and energy. The same is true for humans. We are inherently lazy, choosing the path of least resistance. Whatever the task, we pick the shortest, easiest and least time-consuming way to do it; whatever the path, we take the most direct and simplest route.

The same could be said of the wizards of the cyber world, the hackers, who take the easiest path to break in and profit, and have therefore found a new thing to earn from and steal: "loyalty points".


Loyalty Points

Digital banking systems nowadays are as safe and impenetrable as their physical counterparts, and breaking into them requires planning, knowledge and a great deal of luck. When there are easily accessible, far less secure targets like loyalty points, why do all that work?

Loyalty points and schemes are rewards given to customers that they can swap for goods and offers, much like currency. Since these are less secure and easier to steal, our lazy hackers are now attacking these points instead of highly secure bank accounts and vaults.

They need to be taken seriously

Andy Still, CTO of Netacea, writes for the Infosecurity Group website: "People don’t treat loyalty points in the same way as they treat other financial products. When our wallet or purse is stolen or lost, we immediately cancel our credit and debit cards. Our loyalty cards can wait. Retailers tend to treat loyalty points in the same way—logging into an account doesn’t have the same level of security, and two-factor authentication is rare."

People are often careless with their reward accounts; they leave them for months without checking, so the theft goes unnoticed. There is also the expectation that stolen points will be refunded. In this scam, both the businesses and the customers are affected: the customer does not get the benefit of the loyalty points, and the business does not get what it wants, namely repeat business, customer loyalty and branding. Businesses need to treat their loyalty points schemes like bank accounts, and ask their customers to do the same.