Hackers Make Off with Millions of Air India Frequent Flier Miles
An orchestrated hacking campaign is targeting members of Air India’s frequent-flyer program, so far pilfering $23,745 worth of travel miles.
The Flying Returns program has more than 195,000 customer accounts. The Delhi Police said that the attack appears to have been aided by a company insider or travel agency staffer who knew the loopholes and vulnerabilities in the system. Those responsible created 20 separate email IDs to “divert the reward points earned by passengers,” according to Air India.
Praveen Lal, commercial manager at the airline, told the Times of India: “All the affected membership accounts have been suspended so that no further activity can take place from these accounts. The affected user IDs have been deactivated along with user IDs that have identical usernames and passwords. Also, all such user IDs that have not been active for the past three months have been deactivated.”
A senior police officer, who wished to remain anonymous, added: “Apart from the computer hacker, we suspect the role of a present or a former employee who may be aware of the intricacies and loopholes in the system. We have asked the airline to supply us a list of employees who have quit the company recently.”
This isn’t the first time that mileage accounts have been targeted. High-flying thieves with stolen usernames and passwords hacked into customer accounts at both American Airlines and United Airlines in late 2014, booking trips for themselves using people’s stores of miles.
A United Airlines spokesperson said that mileage transactions were made on only about three dozen accounts, and that the stolen goods would be restored into users’ customer accounts. American, on the other hand, was not so lucky: about 10,000 AA accounts were hacked.
Air India is looking into which flights may have been purchased with the stolen miles, but Kaspersky Lab warned back in 2011 that miles can be used as a form of online currency. It noted a case of a cyber-criminal selling access to a Brazilian botnet that sends spam, in exchange for 60,000 flight miles. In another instance, air miles were offered for stolen credit cards.
Source | Infosecurity-Magazine