A reminder about frequent flyer account security


British Airways Executive Club Cards

In recent weeks we’ve received e-mails from two major frequent guest programmes (Hilton Honors and Starwood Preferred Guest) advising us to change our account passwords.

We’ve also seen anecdotal claims online regarding Avios frequent flyer miles having been stolen from British Airways Executive Club accounts, with BA also temporarily freezing accounts following suspected unauthorised access. The Mandarin Oriental hotel group was also recently the subject of a data theft.

This is a timely reminder that frequent flyer miles and hotel reward currencies do have a substantial monetary value (in redemption terms) and accounts should be treated as you would an account for any other financial instrument.

Given how big the frequent guest and flyer industry has become, with many travellers holding accounts across a range of hotels and airlines, it is often difficult to keep track of every account, and fraudulent activity can easily go unnoticed.

Some of the methods we have heard fraudsters adopt to access accounts have bordered on the ingenious, and there is no immunity against the risk of fraud, particularly when it is the airlines and hotels themselves that are compromised. However, there are some simple steps that will improve account security:

1. Registered E-mail Addresses

Use the e-mail address with which you have registered your accounts sparingly.

Use it only for registering with established and reputable websites. Keep a separate e-mail address for registrations on websites that may not be reputable. Your e-mail account deserves the most care of all, because password resets for every other account are sent to it: whoever controls your inbox can take over your frequent flyer accounts without ever knowing their passwords. Its password should always be unique. Never use the same password for any other account.

2. Enable Two Factor/Step Authentication

Many frequent guest programmes now offer two factor/step authentication before your account can be accessed.

The most common is two step authentication, where a one-time passcode is sent to your phone before you can log in from a new device.

It is far from infallible (codes sent by text message can be intercepted or phished), but it does add an extra layer of security. It is also one means of being alerted to unauthorised attempts to access your accounts: an unexpected login code is a sign that someone else has your password.

Frustratingly, the BA Executive Club does not offer this.

3. Public Computers & Networks

As you would with online banking, avoid accessing your accounts on public computers or through networks where you cannot be confident of their security.

You should always access accounts through a secure https (not http) connection in your browser, and check that the address really is the airline’s or hotel’s own domain: https only protects the connection to whichever site you are on, including a fraudulent lookalike. Always log out after accessing your account. Use a reputable Virtual Private Network (VPN) to secure your connection to public WiFi networks such as those at hotels and airports.

4. Password Security

It is advisable not to use the same password across your frequent guest and flyer accounts: fraudulent access to one account, or a leaked password from a data breach, will promptly be tried against others.

Your password should be a “strong” password: long (length matters more than anything else), with a combination of capitalised and lower case letters, numbers and symbols that could not be easily guessed. It should not be based on any public information about you, such as family members, profession or personal interests. A password manager makes it practical to have a long, unique password for every account without having to remember them.

Change a password immediately if you have any reason to think it has been exposed, for example after a breach notification from the airline or hotel. Ditto for e-mail and online banking accounts. Routine changes on a fixed schedule matter far less than making sure each password is unique.

5. Run software updates regularly

Apple, Microsoft and developers of apps issue regular software updates.

Although not always explicitly mentioned, these include security fixes as well as updates to software functions, and the fixed flaws are often being actively exploited by the time the update is released. Always install them as soon as they become available.

6. Be alerted to data breaches

Large scale breaches of data do occur.

The website Have I Been Pwned can tell you whether your e-mail address has appeared in any historical breaches. You can also sign up to be notified of any future breaches in which it appears.
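The same site also publishes a “Pwned Passwords” service that lets you check whether a particular password has appeared in a breach without ever sending the password itself, which answers the question raised under points 4 and 6 above: is the password I reuse on my airline accounts already in a leaked list? The script below is an added example (written for this page, not code from the website or from any airline) of how that check works. It hashes the password with SHA-1, sends only the first five characters of the hash, and matches the rest locally. The range response embedded in it is constructed for the example (the counts are made up, and only the suffix for the word “password” is a genuine SHA-1 tail), so it runs offline; the `fetch_range` function talks to the real service at `https://api.pwnedpasswords.com/range/` if you want to run it live.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Real, documented endpoint of the Pwned Passwords "range" search.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for the SHA-1 prefix 5BAA6.
# The service returns one SUFFIX:COUNT line for every hash it holds that
# starts with the prefix. These lines and counts are made up for this
# example, except that the third suffix is the genuine SHA-1 tail of the
# password "password" (full digest 5BAA61E4...68FD8).
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5D3D0F9A4E1C2B7A6F5E4D3C2B1A0F9E8:4
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 and split the upper-case hex digest into
    the 5-character prefix that is sent to the service and the 35-character
    suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn the SUFFIX:COUNT lines of a range response into a dict.

    Blank lines are ignored. Malformed lines raise ValueError rather than
    being skipped, so a broken or truncated reply is never silently read
    as "this password has not been breached". Padding entries (see
    fetch_range) arrive with a count of 0 and are kept as such."""
    counts: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_response: str) -> int:
    """How many times the password appears in the breach corpus covered by
    range_response; 0 if its suffix is absent (or present only as padding)."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the live range for a 5-character hex prefix.

    Only the prefix goes over the wire. The Add-Padding header asks the
    service to pad the reply with dummy count-0 entries so that the response
    size does not reveal which prefix was queried."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "frequent-flyer-password-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count_online(password: str) -> int:
    """Network version of breach_count against the real service."""
    prefix, _suffix = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2019!"):
        n = breach_count(pw, SAMPLE_RANGE_RESPONSE)
        verdict = f"seen {n:,} times in breaches, do not use it" if n else "not in the sample"
        print(f"{pw!r}: {verdict}")
```

A password that comes back with a non-zero count is on attackers’ lists and should be changed everywhere it is used, not just on the account you happened to check. A count of zero is not a guarantee of strength, only that this particular password has not turned up in the breaches the service has collected.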

7. Check accounts regularly

It’s worth checking accounts regularly for any suspicious activity.

As you would with statements from banks and credit card companies, always review periodic e-mail statements from airlines and hotels.

Facebook, Google and Microsoft also enable users to run security audits where recent login activity can be reviewed.

8. Phishing e-mails, texts & pop-up windows

Also, be aware of “phishing” e-mails, texts and pop-up windows.

Always treat unsolicited correspondence with caution. Like banks, airlines and hotels will never e-mail or text you asking for your password or full personal details. Be wary of e-mails and texts about bookings that you do not recognise, and of unexpected attachments, which are a common way of delivering malware. If in any doubt, go directly to the airline or hotel website by typing the address into your browser rather than following a link in the e-mail.

If you receive an unsolicited telephone call, do not act on it there and then: hang up and call back on the number printed on the airline’s or hotel’s own website (not the number the caller gives you), ideally from a different line. Similarly, with text messages, check the number against the company’s official contact details before taking any action.

Unexpected pop-up windows advising that your computer has been compromised, with a telephone number to call to resolve the matter, are almost certainly a scam. Close the browser and do not call the number.

9. Have a plan

Large organisations have contingency plans for data loss or compromised security.

It is worth having a plan of what you would need to do in the event of a data breach: which account passwords need to be changed (starting with your e-mail account), where two-step authentication can be switched on, and how to contact each airline and hotel programme to freeze an account.

10. Keep up to date with internet security

As with any professional field, knowledge about internet security is continuously evolving.

Good sources of information are Action Fraud, the National Cyber Security Centre and industry commentator Graham Cluley.

We welcome any thoughts and comments below: