
How easy is it to steal hotel loyalty points from someone’s account? Looks easy to me!

  • by Ric Garrido
  • April 12, 2016

This is a follow-up to my discovery last week that someone redeemed over 200,000 points from three of my hotel loyalty program accounts in Club Carlson, Choice Privileges and IHG Rewards Club for New York hotel reward stays over a five-day period. These were fraudulent hotel reward stays I discovered had happened as I started an 11-day trip in Europe at the beginning of April.

Loyalty Traveler Take: if I was scared before that my online security had been breached, I am now even more frightened at how easy it was to get information about my hotel loyalty program accounts over the phone.

This was an old school Phone Hack

I returned home to California last night and this morning I followed up on the travel hack of several of my hotel loyalty program accounts. My concern was this was a major online hack of my computer.

Turns out after my own investigation today that this appears to be an old school telephone hack with all hotel reservations made through hotel loyalty program phone call centers with my name on the reservation and a second name. The other name was the same for all reservations. The other name was the person who checked in and it was the same name used for all three different hotel loyalty account reward stay reservations at New York hotels. There was no issue with the person checking in at each of these New York hotels without me present for any of the three stays. One hotel even charged my credit card for incidental charges due to the credit card being on file in my hotel loyalty program account.

I did not get all the information I wanted out of hotel phone representatives I spoke with today, but I sure was amazed at the amount of information I did get without providing much personal identifying information about me, beyond what someone could learn about me from the phone book or a quick Google search or LinkedIn. I feel like I was able to hack myself over the phone.

One hotel loyalty program changed my hotel loyalty program account to a new account number and another program changed my phone number on my account today during my phone calls. Needless to say, I paid attention to how much information I was requested to provide before these changes were made to my accounts.

Believe me, if I was scared before that my online security had been breached, I am now even more frightened at how easy it was to get information about my accounts over the phone and make changes to my hotel loyalty account profiles without providing any kind of significant password protected information regarding my hotel loyalty program accounts.

I pretty much have come to the conclusion after my conversations with a few hotel and hotel loyalty program representatives that any of us with hotel loyalty program accounts can easily be hacked over the phone to pay for someone else’s hotel reward nights with our points.

I have opened up investigations with all three hotel loyalty programs and a credit card issuer. Having my points restored is not the big concern for me. I know that will happen.

My primary concern is how easy it is for someone to hack hotel loyalty program accounts with a phone call and take my points again. Or your points. And my concern is how to prevent that from happening.

I think this story is kind of a blockbuster revelation. I imagine this is a far bigger widespread problem for many hotel loyalty program members than I was ever aware existed.

How easy is it to steal hotel loyalty points from someone’s account?

Looks easy to me!

How much did this hotel suite cost?

Who cares? You hacked someone else’s points to pay for the free reward stay!


16 Comments

  • Big D April 12, 2016

    I do like that Hyatt sends an email at the time of booking an award stay.

  • Raj April 12, 2016

    Surprised that they do not have adequate checks in place prior to anyone making an award reservation. I am assuming that the hotel reward numbers are not freely available and they should be confirming as such when someone is calling over the phone.

  • Ric Garrido April 12, 2016

    I receive emails from IHG too regarding upcoming reward stays. I did not get an email for any of four reward stays in three different programs booked by phone on day of arrival. They did not even appear in my account until after the stays were completed.

    I learned about these reward stays when welcome amenity points posted after the stays.

  • Sara J April 12, 2016

    Thank you for the warning. Having a credit card on file is convenient (I have had a phone reservation agent add it without my knowledge) but in the end, I would prefer to input it each time and be safe. I have also had someone get into my Marriott account years ago and change my email to an unknown email from a foreign email company. When I reported the fraud to Marriott, the customer service replied, “maybe you asked a friend to book a room for you.” I replied that I only book my own rooms. I changed the password and fortunately, no points were used.

  • MSer April 12, 2016

    Moral of the story is for people to stop posting personal details on social media.

  • M April 12, 2016

    I have the same concerns with booking and especially changing/canceling airline award tickets over the phone.

  • Ric Garrido April 12, 2016

    @MSer – As far as I know my hotel account numbers have never been posted anywhere. I do not use any online services to track my loyalty program accounts.

    The moral of the story is hotel loyalty programs appear to need tighter phone security measures. My loyalty program accounts are all password protected for online transactions.

    Today I phoned to discuss the fraud issue with two different hotel programs and the phone representatives made changes to my accounts over the phone, including creating an entirely new account with one program.

    The only information I provided was my name, address, phone and account number. Neither of the program representatives asked me for my account passwords before making changes to my program accounts. My name, address and phone number are in the local phone book and easily available.

    I doubt it would be too hard to phish around and get a hotel loyalty program account number over the phone. I can think of several different ways to approach the issue of getting an account number over the phone and I am not even a hacker trying to get information.

  • Bob April 12, 2016

    I recently had someone book a hotel room using my Hotwire account over the phone. I got an email about this stay. They used their name and credit card on the reservation (or perhaps a stolen name and/or credit card, just not mine), but everything was listed under my Hotwire account name and number. After calling customer service I was told that this was done by phone. They told me that their agents will book anyone by just giving name and phone info. Hotwire did not seem too concerned about this. I am now monitoring all my accounts! I do not use social media.

  • nsx at flyertalk April 12, 2016

    Did you get your stolen points back?

  • Lisa April 12, 2016

    It wouldn’t necessarily be more secure if you had been asked for a password. Social hackers are adept at convincing reps why they don’t have/need the password: husband out of town and unreachable, for example, and oh, the roof is leaking all over my house! I just need one night! They play on people’s sympathy.

    Read this article http://fusion.net/story/281543/real-future-episode-8-hack-attack/

  • Greg April 12, 2016

    What I would like to know is why didn’t the loyalty program notify you when points were deducted out of your account. I blame the loyalty program for not having a system in place that makes it mandatory for them to send an instant email anytime an award is issued.

    Did you call IHG and ask why an email was not sent out?

  • razorgeorge April 12, 2016

    I had my email hacked last year. It had to have been a system hack of my provider, which is a joke. Anyway, they got into my loyalty programs and tried to buy a laptop and some other things. My inbox messages were redirected to my trash folder, and the hacker got a copy of everything. It took me a couple of days to realize what happened. I got all of the points back and put a pin number on my accounts to keep it from happening again. Crazy times!

  • Stealing Points, New Starbucks Rewards,Hotels for the Wealthy - TravelBloggerBuzz April 13, 2016

    […] Stealing hotel points and staying on your dime points . Done over the phone. Somebody did it with Loyalty Traveler. Wow. You have been warned! […]

  • IMH April 13, 2016

    Thanks for keeping us informed. It wouldn’t be difficult (or add much work for customers) for hotel chains and airlines to require ‘second method’ confirmation for redemptions or account changes — especially if someone who only ever manages their account online switches to using the phone. An online booking might require text message confirmation. A phone booking could be confirmed by email.

    Many programmes have something similar in place for address or email changes: a message to the old address saying that a change has been made and asking the customer to call if they didn’t make it.

    (OT: is leaving a comment the only way to get notified of future comments/updates to a post?)

  • Ric Garrido April 13, 2016

    @IMH – there used to be a comments subscription link on my page. I had not noticed before, but apparently it was removed when BoardingArea retooled the site last year for mobile viewing.

  • Paulo April 13, 2016

    I know that this kind of problem happens with airlines too, at least here in Brazil. In January I had my TudoAzul miles stolen. People used my 38.000 miles to get last minute tickets. I discovered it 7 days after the flights because my e-mail was changed by the call center assistance. They created a fake email with my name, called the airline and confirmed my name, date of birth and CPF (Brazilian Social Security Number). With this info, they changed my e-mail. Then, they clicked on lost password and got access to my account. I didn’t receive any confirmation because the e-mail was changed. Pretty easy, since all of that info can be hacked from databases of online stores, universities, work, etc.
    One idea that I gave to TudoAzul support is to ask questions that only the owner of the account will know like: Did you fly recently with points? From where to where? Or, what was the last time you earned points with Azul?

    In the end, they returned the points to my account after 1 month but the situation was a stress that could be avoided if they had a safer system.
