How to protect yourself from a rewards program data breach


In recent years, it has become clear that cybersecurity is a problem that many companies are struggling with. Unfortunately, that extends to the world of loyalty programs. Both Marriott Bonvoy and IHG One Rewards have experienced data breaches that affected millions of consumers, and the Equifax breach in 2017 left millions of Americans vulnerable to identity theft. Clint Henderson, managing editor at TPG, recently had his AAdvantage account hacked and more than 300,000 miles stolen.

As loyalty programs are vulnerable targets, protecting your information from exposure is more important than ever. So, how do you do that?

TPG spoke to Bahman Hayat, a software engineer who works for IBM and Microsoft, for advice on keeping our data safe from hackers. According to Hayat, data hacking has become more common due to poor internet security and sometimes negligence.

“There are many ways data breaches occur, from storage buckets and databases left unsecured online to social engineering attacks against authorized users to simple human error,” Hayat said. “For now, we have to assume that we have already been affected and expect to be affected again.”

Although providing our information exposes us to risk, joining a rewards program is not something we can avoid. So, what can we do to protect ourselves from future data breaches? Here are some simple steps you can take.

Avoid giving out sensitive information unless absolutely necessary


The first step to protecting your account is to avoid giving out sensitive information in the first place.

“Anytime you have to give your personal information to a service, think twice about whether it’s necessary,” Hayat said. “The less we give, the less likely we are to be affected by law enforcement.”

Your date of birth, passport number and address can put you at risk, so avoid giving these out if possible. If you need to provide this information, the risk is minimal if the website offers you two-factor authentication. If the program does not offer it, Hayat recommends reaching out and asking the program to start offering it.


Use two-factor authentication

Setting up two-factor authentication on your loyalty account is a simple but critical way to improve your online security.

Two-factor authentication adds an extra layer of security by requiring two forms of authentication before granting access. Typically, this involves something you know (like a password) and something you have (like a smartphone app that generates a temporary code or sends an app or email notification), or biometrics like fingerprints or facial recognition. This dual requirement makes it very difficult for unauthorized people to gain access, as they would need both your password and the second factor.

Additionally, two-factor authentication provides an immediate warning if someone is trying to access your account, allowing you to take immediate action to protect it. This functionality is important to prevent unauthorized transactions or misuse of your points and miles.

If you’re an Amazon customer, you’ve probably set up two-factor authentication and are used to receiving text messages with verification codes when you try to log into your account. This keeps your information safe from hackers who might access your password and charge things to your Amazon account. You might be thinking, “That’s not smart. They’re going to have to give their home address on those orders. They’re going to get caught.”

A hacker may have a variety of motives for seeking access to your Amazon account, including a scam called “brushing,” in which they send low-quality products to customers who did not order them and then leave fake reviews of these products in order to increase their reach in the online marketplace.

According to Hayat, multifactor authentication can help prevent situations like this. While Amazon uses text-based authentication, Hayat advises against it.

“Those are vulnerable to SIM swapping attacks, where an attacker can convince your carrier to transfer your phone number to their SIM,” he said. “If you must use text-based authentication, call your carrier and set up a PIN with them. I recommend using Microsoft Authenticator or Google Authenticator. If you want to go further, use YubiKey.”


Check if your data is at risk


Hayat also recommends that you regularly check Have I Been Pwned to see if your information has been compromised as a result of a data breach. If your account has already been compromised, the best thing to do is to change your passwords immediately and start using a password manager and multifactor authentication.

Use a password manager

Confession: In the past, I kept all of my rewards program passwords in a document on my laptop. If someone had access to that document, all my information would have been compromised. Experts recommend creating unique passwords for each account, but that’s incredibly difficult to manage when storing them on a computer or paper file isn’t an option.

Hayat recommends a password manager as a secure way to store all your login credentials in one place.

“That way, you’ll have a strong and unique password for every service and if one of them is leaked, an attacker won’t be able to use that for other services. This will protect you from something called ‘credential stuffing,’” Hayat said.

“Credential logging is where an attacker uses compromised credentials to gain unauthorized access to user accounts on other services,” Hayat continued. “For example, if you use the same password on websites A and B, if website A’s data is breached, an attacker can use that to access website B. Using different passwords will protect you from such attacks.”

Hayat recommends 1Password as a good option that is reputable and secure.


Monitor your credit


Whether you invest in a credit monitoring service or check your credit periodically, Hayat recommends checking your credit report annually to make sure there are no discrepancies. If a criminal opens a credit card in your name, you will see it on your credit report. You can even get a free credit check through Experian and get notifications when a new account is opened or your credit score changes.

For extra peace of mind, Hayat recommends freezing your credit and lifting the freeze temporarily before opening a new account. A credit freeze will prevent anyone from accessing your credit information or opening a new account. If your data has been leaked, freezing your credit is the best way to protect yourself from further damage.


Press loyalty programs to take security seriously

With all the recent data breaches, it is becoming clear that companies are not taking the necessary steps to keep our data safe.

“Many companies today are not making the necessary investments in cybersecurity,” Hayat told TPG. “We see time and time again that leaked passwords are not fast and salted or weak hashing like MD5 is used, which can be easily cracked. Therefore, as users, we must take the necessary steps to protect ourselves in the event of a breach.”
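The difference between unsalted MD5 and a salted, deliberately slow hash can be seen in a small added example (not from the original article; the accounts, passwords and function names are constructed for illustration). It uses PBKDF2-HMAC-SHA256 from the Python standard library as one acceptable slow hash.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data); alice and bob reuse a password.
ACCOUNTS = {"alice": "Sunny-Miles-2024", "bob": "Sunny-Miles-2024",
            "carol": "kr1sflyer!"}


def md5_store(accounts):
    """Weak: one fast, unsalted hash per password."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in accounts.items()}


def salted_store(accounts, iterations=200_000):
    """Better: random per-user salt plus a slow key-derivation function."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        store[user] = (salt, iterations, digest)
    return store


def shared_hash_groups(hashes):
    """Users whose stored hash is identical, i.e. visible password reuse."""
    groups = defaultdict(list)
    for user, value in hashes.items():
        groups[value].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def verify(store, user, candidate):
    """Login check against the salted store, compared in constant time."""
    salt, iterations, expected = store[user]
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    weak, strong = md5_store(ACCOUNTS), salted_store(ACCOUNTS)
    # Unsalted: identical passwords give identical hashes, so one recovered
    # password exposes every account in the group.
    print(shared_hash_groups(weak))
    # Salted: the same password yields unrelated digests for each user.
    print(shared_hash_groups({u: v[2] for u, v in strong.items()}))
    print(verify(strong, "alice", "Sunny-Miles-2024"))
```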

Hayat recommends contacting loyalty programs and banks that don’t use two-factor authentication and asking them to do so. After all, we are responsible for our data, and if we give it to a third party such as a loyalty program, we have to make sure it stays safe.

How does your loyalty program protect you from fraud?

A recent spate of data breaches has led various airline and hotel programs to require two-factor authentication as a mandatory step when logging into an account. While this can be frustrating for anyone who logs in regularly, it’s better to be safe than sorry. Here’s how major loyalty programs are fighting data breaches:

Airline programs

  • American Airlines AAdvantage: Optional two-factor authentication via email
  • Delta SkyMiles: No two-factor authentication option
  • Frontier Miles: Optional two-factor authentication
  • JetBlue TrueBlue: Mandatory two-factor authentication via email with option to switch to more secure text message two-factor authentication
  • United MileagePlus: Offers a selective two-factor authentication test
  • Southwest Rapid Rewards: No two-factor authentication option
  • Free Air: No two-factor authentication option
  • Air Canada Aeroplan: Mandatory two-factor authentication by email
  • Air France-KLM Flying Blue: Mandatory two-factor authentication by email
  • British Airways Executive Club: Two-factor authentication option by email
  • Qatar Airways Privilege Club: Mandatory two-factor authentication by email
  • Singapore Airlines KrisFlyer: Two-factor authentication for bookings; two-factor authentication is mandatory for changes to KrisFlyer accounts

Hotel programs

  • Hilton Honors: Mandatory two-factor authentication by email for limited operations only, such as signing in using a new device.
  • Marriott Bonvoy: Optional two-factor authentication for email or phone verification
  • IHG One Rewards: No two-factor authentication option
  • Radisson Rewards: No two-factor authentication option
  • World of Hyatt: No two-factor authentication option


Bottom line

As technology continues to improve, it’s no wonder that hackers are targeting our information. Since loyalty programs contain personal information and hundreds of thousands of points or miles, keeping your account safe is important.

Follow the tips outlined in this article to minimize potential damage and help protect yourself from further identity theft.
