How Hackers Fly for 'Free'

For "frequent flyers" who love to fly, airline miles are no longer a new topic. How do you make the most of an airline's membership tier benefits? How do you accumulate miles? How do you redeem them for routes? Research and analysis on these mileage questions has even grown into a mature community culture.

Through constant development and change, airline miles have become an important way for airlines to improve passenger loyalty and interact with frequent flyers.

But imagine that the air miles and points you painstakingly accumulated over your journeys, dreaming of one day redeeming them for a free ticket and a trip that costs you nothing, are one day emptied from your account by a stranger. Strangers stealing miles... does that sound a little strange?

However, this strange thing not only exists, but has even formed a complete industrial chain.


In today's digital age, technology not only brings convenience to people's lives but also gives hackers more opportunities. In recent years in particular, the aviation industry has gradually come to rely on IT systems, and airlines have many weaknesses in protecting customer information and preventing attacks, which has given hackers a "perfect" opportunity.

They exploit loopholes in weak airline systems again and again to illegally obtain other people's airline points and miles and resell them, which is how buyers end up with truly "free" air travel.

Hackers exploit airline loopholes to grant unlimited mileage points to any user

An incident happened recently, which can be said to have caused a "big earthquake" in the air travel industry.

Security researchers have discovered an exploitable vulnerability in the API of Points.com, one of the leading providers of digital infrastructure for frequent flyer loyalty programs for airlines and hotels worldwide.


Many well-known airlines and hotels have their own frequent flyer or loyalty (points) rewards programs. The digital infrastructure of many of these programs (including Delta's SkyMiles, United's MileagePlus, Hilton Honors Club and Marriott Bonvoy) is built on the Points.com platform, and the back-end systems and service suites, including APIs, are also provided by Points.com.

Hackers who take advantage of this vulnerability in the frequent flyer system can not only steal customers' private data and points, but also steal customers' "loyalty currency" (such as miles) and transfer it to their own accounts, leaving the victim's account emptied.

Attackers could also exploit these vulnerabilities to leak and steal customer data, or even take over Points global management accounts to gain control of the entire loyalty program. It is even possible to control the entire system to award unlimited air miles or hotel night credits to anyone.

In fact, as early as March this year, security researchers discovered multiple vulnerabilities, including API traversal and API configuration issues. Among them:

The API traversal vulnerability allowed researchers to query customer orders for the rewards program and obtain order records containing sensitive data such as account information, addresses, phone numbers, email addresses, and credit card numbers.

An API configuration issue could allow a hacker to generate an account authorization token for any user using only a name and membership number, and so take over customer accounts and control miles or other reward points. In addition, a vulnerability was discovered in which cookies were encrypted with an easy-to-guess secret, allowing hackers to decrypt the cookie and gain administrator privileges to take control of the entire system.

Theft of points and miles like this is very common in daily life.

Many celebrities have revealed that their miles have been stolen

Ordinary people's miles can be stolen, but the airline accounts of actors and celebrities, who travel to many places all year round, are even more of a "juicy piece of meat" in the eyes of hackers.

Previously, a fan of actor Wu Lei shared the audio of a chat with an airline staff member, claiming that another fan had repeatedly stolen Wu Lei's air miles to exchange for air tickets, costing him a total of 230,000 flight miles.


After the theft of Wu Lei's miles attracted attention, singer Jiang Yingrong also stated on her personal Weibo that her air miles had been stolen, and that the total stolen was close to 300,000 miles. Jiang Yingrong's studio also stated that after contacting the airline, they did not receive a reasonable explanation.


Actor Li Chen also posted on Weibo saying that he checked the news out of curiosity and found that his miles had been stolen since 2018, and that more than a dozen people had enjoyed this "benefit". Li Chen wrote on Weibo, "If you don't buy air tickets, can you buy a few of my movie tickets to support it?" It reads like a joke, but it is more an expression of helplessness.


If a casual check is enough to find that you have been "hit", then the group whose interests are damaged in real life is far larger than we imagined. The incident quickly attracted everyone's attention only because it involved celebrities.

But in fact, "mileage theft" is nothing new. It was already happening years ago.

According to media reports, as early as 2011, Chengdu cracked its first "mileage theft case". According to the reports, an employee at an airline sales office took advantage of his position and of system loopholes to steal the personal information of 21 passengers within two months, resold more than 1 million kilometers of miles, and made a profit of more than 50,000 yuan. He was indicted on suspicion of theft.

According to another report, in Guangzhou Daily, two men once sold 280,000 airline mileage points held in other people's China Southern Airlines Sky Pearl membership cards. One of the men took the mileage points in a China Southern Airlines membership account obtained from the other man and listed them for sale on Taobao; they were finally exchanged for four air tickets from Guangzhou to Dubai. In the end, the two were sentenced to two years and one and a half years in prison, respectively.

Even though many people have been sentenced and the lessons are there to see, many still take the risk. After all, this business is really profitable. Wouldn't it be nice to have free air tickets?

"Black-market" trading of points and miles is rampant

In fact, the original intention of these points and miles was to reward the loyal passengers of the airline company, allowing them to redeem free tickets, upgrades and other benefits. However, black market traders obtain a large number of points and miles through various illegal means, and sell them at high prices to those who are unwilling to accumulate points through normal channels. This not only harms the interests of the airlines, but also deprives the truly loyal passengers of the benefits they deserve.

But now, driven by profit, airline points and miles have become a degenerate "business" and an underground "black industry chain". The emergence of such black market transactions has brought many problems and risks to airlines and passengers.


On some second-hand trading platforms, a new channel for purchasing special air tickets has quietly emerged. There are a large number of sellers who provide mileage exchange services or directly sell mileage points, covering most airlines including China Southern Airlines, Shenzhen Airlines, China Eastern Airlines, Air China, etc. The price ranges from 400 to 500 yuan per 10,000 miles.

Those who sell mileage points often steal user information through credential stuffing, SMS hijacking and similar methods, and cash out by exchanging points for virtual and physical goods and air tickets. Another kind of points fraud is to upgrade an account by purchasing short-distance air tickets multiple times in a short period, then use the upgraded account to obtain long-distance or international special air tickets and resell them for cash.

Tech research firm Comparitech has previously discovered that cybercriminals are selling airline loyalty points on the dark web, requiring buyers to pay in Bitcoin and Monero. These loyalty points can be used to redeem tickets, shopping cards and recharge cards or to make other reservations, and in some places users can redeem them without even showing proof of identity, which gives hackers an opportunity.

These hackers get into the user's personal account on the airline's website, or obtain information such as user names, passwords and PINs in various ways through forged emails, text messages or websites. They then immediately sell the compromised account or transfer the points to another account so the points can be cashed out easily.

Nowadays personal information is leaked everywhere, and mileage redemption is mainly tied to a bound mobile phone number, which is very easy for hackers to abuse. After personal mileage points are stolen, the cost of defending one's rights is too high, and many people simply give up because the process is cumbersome. The problem has not received the attention it deserves for many years.

Behind the theft of mileage points is blame that airlines cannot escape

In fact, at its root, the theft of airline members' mileage points is inseparable from information leakage. Stealing mileage points is like account theft in online games: as long as you have the user's personal information, crack the password, and bind a different mobile phone number, you can use the account.

This is closely related to the airlines' imperfect systems, which have potential system loopholes or security loopholes in the management and protection of passenger points accounts.

For example, airlines lack multi-factor authentication, have weak password policies, and fail to apply system patches and security updates in a timely manner, which allows attackers to obtain passenger login credentials by guessing passwords or by using malware or phishing, and then access and steal mileage points.

On the other hand, there may be technical loopholes or security risks in the airline's system. Attackers could exploit these vulnerabilities to bypass security measures and gain access to passenger loyalty accounts. This could be due to flaws in the system design, improper configuration, or out-of-date software.

When mileage points are stolen, passengers may face problems such as loss of points, difficulty in booking flights, and leakage of personal information. In the process of recovering mileage points, passengers may need to spend a lot of time and energy contacting airlines and resolving disputes, and may not even be able to fully recover the stolen benefits in the end.


It is not too late to mend the fold after the sheep are lost. We must admit that it is very difficult for airlines to completely keep passenger information from being leaked in today's world, where personal information is widely exposed, but they cannot simply let it go. Airlines should choose a more secure system architecture, adopt strong authentication measures, implement monitoring and alerting mechanisms, and patch possible vulnerabilities in a timely manner.
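One way to implement the monitoring and alerting recommended above, as an added example that is not from the original article or from any airline's system. The event fields, thresholds and rule names are assumptions, and the sample events are constructed; the two rules reflect the patterns the article describes (a different phone number bound before points are spent, and one account's miles buying tickets for many different people).

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed: a redemption this soon after a credential change is suspicious
MAX_THIRD_PARTIES = 2          # assumed: distinct non-holder passengers tolerated per account

# Constructed sample events (not real data):
# (time, account, holder name, event type, passenger on the redeemed ticket, miles)
EVENTS = [
    ("2023-08-01T09:00", "M1001", "ZHANG SAN", "redeem", "ZHANG SAN", 20000),
    ("2023-08-03T02:10", "M2002", "LI SI", "phone_rebind", "", 0),
    ("2023-08-03T02:25", "M2002", "LI SI", "redeem", "WANG WU", 80000),
    ("2023-08-05T11:00", "M3003", "CHEN LIU", "redeem", "GUEST A", 15000),
    ("2023-08-09T11:00", "M3003", "CHEN LIU", "redeem", "GUEST B", 15000),
    ("2023-08-12T11:00", "M3003", "CHEN LIU", "redeem", "GUEST C", 15000),
]

def detect(events):
    """Return (account, rule, time) alerts for suspicious redemptions."""
    last_change = {}                    # account -> time of last phone/password change
    third_parties = defaultdict(set)    # account -> distinct non-holder passengers
    alerts = []
    for ts, acct, holder, kind, passenger, _miles in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind in ("phone_rebind", "password_reset"):
            last_change[acct] = t
            continue
        if kind != "redeem":
            continue
        # Rule 1: miles spent shortly after the bound phone or password changed.
        changed = last_change.get(acct)
        if changed is not None and t - changed <= WINDOW:
            alerts.append((acct, "redeem_after_credential_change", ts))
        # Rule 2: tickets issued to many different people who are not the holder.
        name = passenger.strip().upper()
        if name != holder.strip().upper():
            third_parties[acct].add(name)
            if len(third_parties[acct]) == MAX_THIRD_PARTIES + 1:
                alerts.append((acct, "many_third_party_passengers", ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

An alert of either kind is a reason to notify the account holder and hold the redemption for review before the ticket is issued.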

Loopholes in airline systems are indeed inevitable, but it is imperative that airlines take them seriously and act to protect passengers' information security.

As for hackers, those who take advantage of an airline's security loopholes to steal points and miles, or to control the whole system and illegally award flight miles or hotel accommodation points to others, will end up in jail. They must always remember not to touch the red line of the law.

As for us consumers, if we want to prevent the theft of mileage points, one measure we can take now is to use a stronger password for the airline member account, and another is not to keep too many miles, but to use them as soon as possible.

At the same time, when buying tickets for travel, you should calmly review all transaction information, look for travel products and services that meet your expectations within a reasonable price range, and not be tempted by a small bargain into buying tickets paid for with miles illegally stolen from others. On the premise of fully ensuring legality and safety, enjoy your travel time with a more relaxed attitude.


Origin blog.csdn.net/FreeBuf_/article/details/132675502