High-flying thieves with stolen usernames and passwords have broken into customer accounts at both American Airlines and United Airlines, booking trips for themselves using people’s stores of frequent flier miles.
The hack happened in December, but both airlines began notifying affected customers this week. The Associated Press reported that the login information was pilfered through an as-yet-unknown third-party source.
A United Airlines spokesperson told the Associated Press that mileage transactions were made on only about three dozen accounts, and that the stolen goods would be restored into users’ customer accounts. American, on the other hand, was not so lucky: about 10,000 AA accounts were hacked.
Jon Oberheide, co-founder and CTO at Duo Security, told Infosecurity that the incident shows that attackers can be very innovative and creative when it comes to monetization schemes.
“Going after frequent flyer miles, Candy Crush gold, or virtual swords and armor in World of Warcraft may seem like a surprising tactic for attackers, but for them it's an efficient way of monetizing low-hanging fruit attacks such as phishing and credential theft,” said Oberheide. “If there's something of liquid assets of value, attackers will go after it no matter how unusual it may seem in nature.”
Further, preventing these highly scalable and automated phishing attacks will require organizations of all shapes and sizes, including airlines and their frequent flyer programs, to adopt two-factor authentication for their users, he added.
“For the affected airlines and customers, there's sure to be some turbulent times ahead. It's unclear how much runway the attackers will have before airlines land some strong authentication options for their most valued flyers. While these breaches create a lot of baggage for the airlines to deal with, it's important for them to ground these attacks before they really take off.”