Ai Editorial: Averting breach of loyal members’ details by working in unison with them

First Published on 31st July, 2017

Ai Editorial: When airlines can actively involve their loyal customers, incorporate their inputs while designing benefits and tier-levels, they can also alert them and highlight the significance of account security and password protection. Is enough being done, questions Ai’s Ritesh Gupta


Airlines are suffering as the menace of loyalty fraud continues to rise. The latest news of Canada’s WestJet stating that “some WestJet Rewards member profile data has been disclosed online by an unauthorized third party” has once again underlined the threat of such attacks. Airlines need to quickly assess the safety of members’ data and accounts at this juncture, if they haven’t done so in the recent past.

In the case of WestJet, none of the data contained credit card or banking information, but this is a precarious issue. Rewards cards not only have a customer’s name, address and telephone number, but are frequently linked to partial credit and debit card information as well. That is enough for cybercriminals to work out an “identity” and go on a crime spree.


Are passengers aware or don’t care?

Airlines need to work out stronger means to safeguard members’ privacy. Even as airlines such as WestJet are working with the government, law enforcement agencies and the technology industry to combat the growth of hacking and other cybercrimes, it is important that the significance of shielding their passwords is conveyed to members.

According to digital security specialist, Gemalto, customers “often have thousands of points saved but many never think their frequent flyer points are at risk of being stolen”. The team goes on to add, “…they never think anyone would want access to their points.”

Significance of being aware

There are security challenges that an organization needs to manage, but members, too, need to be aware of how to take small steps to be in control of their own accounts. Considering the number of cases featuring compromised usernames and passwords, program members, too, can be involved in taking appropriate action before the situation goes out of control and both the brand and customers end up being at the receiving end.

Just as on-board flight safety is imperative (we all go through it despite it coming across as a mundane exercise for travellers on flights) and airlines even find creative ways to convey the message, airlines need to create awareness about password protection from time to time. For instance, how does malware get installed on a PC? It could be via logging onto a fake website or a phishing scam (an email that looks as if it’s from the airline’s FFP). So why not create awareness about the same? After all, it is for the benefit of loyal members, too.

Carriers must prompt members to update their current ID and password, and provide guidelines for making them more secure. They should also explain how to keep a device safe from malware and viruses.

Among the other areas:

· Airlines can encourage members to check their accounts or status on a regular basis. Is there any redemption they can’t fathom or weren’t involved in? Are miles or loyalty currency being used without the knowledge of a member? Considering the fast-growing market for the tangible value of stolen reward points/miles and hackers’/fraudsters’ capabilities to steal the same, this calls for more proactive action.

· Do members of a frequent flyer program treat their respective loyalty accounts as credit card information? This type of fraud is similar to card-not-present fraud. An account can be hacked by capitalizing on weak passwords, stealing of identity etc. So it must be highlighted that if fraudsters gain access to an account, they can seize points/miles and rob loyal members by availing redemption options (the other threat is data breach). As Michael Smith, Managing Partner, Airline Information and Co-Founder, Loyalty Fraud Prevention Association (LFPA), says, passengers (or customers at large) should be wary about which Wi-Fi they are connecting to, and as FFP members they must also be cautious about sharing name and account number. “With those two bits of information, fraudsters just need to guess your password and they are in to your account,” he says. Smith asserts that a flyer shouldn’t share or post the picture of a boarding pass, as it features vital information.

So organizations need to inform travellers about simple mistakes that can unknowingly create havoc with loyalty or FFP accounts.

Being more vigilant and proactive

As for airlines, the responsibility is bigger than ever, since the use of bots and the proliferation of stolen data on the dark web are flourishing.

They have to rely on a set of assessment tools, such as device identification, geo-location, device intelligence and user-behavior profiling.

As Gemalto suggested recently, operators of FFPs or loyalty programs should assess whether a loyalty account has been accessed from a device that isn’t recognizable or registered, whether an unidentifiable device has modified personal or account details, whether there has been an abrupt use of points or miles much higher than done previously, whether multiple tickets have been purchased with names differing from the account holder, etc.

Also, one of the common causes of security breaches involves bad security practice from employees.
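The signals listed above can be expressed as simple rules over an account's event stream. The following is an added example, not code from Gemalto or any airline; the event fields, the thresholds (`spike_factor`, `name_limit`) and the sample data are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample data: one member profile and a short event stream.
MEMBER = {"name": "A. TRAVELLER",
          "devices": {"dev-phone-1", "dev-laptop-1"},   # registered devices
          "past_redemptions": [5000, 8000, 6000, 7500]}  # points per redemption
EVENTS = [
    {"type": "login", "device": "dev-phone-1"},
    {"type": "login", "device": "dev-unknown-9"},
    {"type": "profile_change", "device": "dev-unknown-9", "field": "email"},
    {"type": "redemption", "device": "dev-unknown-9", "points": 90000,
     "passenger": "B. STRANGER"},
    {"type": "redemption", "device": "dev-unknown-9", "points": 85000,
     "passenger": "C. STRANGER"},
]

def _norm(name):
    """Normalise a name so case and padding do not cause false mismatches."""
    return " ".join(name.upper().split())

def score_events(member, events, spike_factor=3, name_limit=2):
    """Return (event_index, signal) alerts for the four signals in the text."""
    alerts = []
    history = member["past_redemptions"]
    # With no redemption history the baseline is 0, so any redemption is flagged.
    baseline = median(history) if history else 0
    foreign_names = set()
    for i, ev in enumerate(events):
        known = ev.get("device") in member["devices"]
        if ev["type"] == "login" and not known:
            alerts.append((i, "unrecognized_device_login"))
        elif ev["type"] == "profile_change" and not known:
            alerts.append((i, "details_changed_from_unknown_device"))
        elif ev["type"] == "redemption":
            if ev["points"] > spike_factor * baseline:
                alerts.append((i, "redemption_spike"))
            if _norm(ev["passenger"]) != _norm(member["name"]):
                foreign_names.add(_norm(ev["passenger"]))
                # Alert once, when the count of distinct other names hits the limit.
                if len(foreign_names) == name_limit:
                    alerts.append((i, "multiple_third_party_tickets"))
    return alerts

if __name__ == "__main__":
    for index, signal in score_events(MEMBER, EVENTS):
        print(index, signal)
```

In practice each alert would feed a review queue or a step-up authentication prompt rather than block the member outright, since family bookings and new phones are routine.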

As highlighted in one of our recent articles, “Botnet attacks on loyalty programs, how to negate them?”, airlines need to identify the ways in which account information can potentially be accessed, in all probability via a blend of phishing scams, identity theft, and cracking of feeble passwords. Overall, the fraud prevention initiative, via behaviour analytics, device identification and tightening of data and IT infrastructure, needs to offer protection to loyal members.

