Hackers Take Airlines for a Ride
Posted January 16, 2015
Thousands of American and United Airlines’ Usernames and Passwords Hacked from a Third Party. And Thieves Fly Free.
Airlines were taken for a ride when hackers booked or made mileage transactions on approximately three dozen accounts. In his nydailynews.com Jason Silverstein (link to article) cited an American Airlines spokesperson saying that 10,000 accounts were hacked, including at least two cases of a hacker booking a trip or making an upgrade.
Third-party source hacked
Both airlines denied their systems were hacked and pointed to an as yet undisclosed third-party source whose password protection evidently wasn’t up to the task. While credit card numbers and other account information wasn’t compromised, hackers were still able to steal usersnames and passwords and log into thousands of accounts.
A lucrative haul
In his story on computerworld.com (link to article), Jeremy Kirk cites Alex Holden, CTO of Hold Security, a company that specializes in monitoring illegal data trading, observing that “gaining control of a loyalty card account is almost as good as cash. For example, a hacker who gains control of an account with tens of thousands of reward miles can sell an airline ticket for cash and then pay for it with stolen miles.
“Holden says, ‘Attacks against airline loyalty programs are very common and profitable.’ With points or miles in hand, hackers have also used legitimate services such as Points.com, a service for managing multiple rewards programs. Loyalty rewards can be exchanged, redeemed or used for gift cards — an easy way to cash out.
“Holden said analysts at his company see travel-related login credentials circulate on lists sold by cybercriminals. In other cases, it appears travel agencies have been compromised.”
Pros consistently warn of password-protection weaknesses.
For years ThreatMetrix’s Alisdair Faulkner, Chief Products Officer and Andreas Baumhof, Chief Technology Officer, have been warning about the inherent weaknesses in password protection. The failure, which has resulted in millions upon millions of compromised accounts at Target, Home Depot, Staples, Sony and a host of others, is what Alisdair Faulkner dubbed the “Password Apocalypse.”
Offers Faulkner, “Retailers are caught between a rock and a hard place. They loath introducing speed bumps, such as resetting passwords or requiring two-factor authentication, as these steps pose an inconvenience to their customers.”
He adds, “Consumers who store credit cards online or use the same login information across sites might as well hand their account information to cybercriminals. However, the bulk of the responsibility falls on retailers, who must implement a comprehensive cybercrime protection platform that differentiates between suspicious and authentic transactions without inconveniencing customers.”
In a recent bizjournals.com article Baumhof asked, “Did you know that two-factor-authentication is available on LinkedIn, Twitter and Google? My guess is that less than 2 percent of users know this and use it — and that’s exactly the problem. Businesses cannot push the responsibility to the end-user.
“The risk of relying on passwords is that once account login information is compromised, cybercriminals gain access to personal data and identities that can be used for fraudulent retail transactions. Once an attacker apprehends a username and password, the possibilities for fraud are endless, especially if the same information is used across multiple accounts — such as retail, social media and online banking accounts.
“Protecting account data requires effective cybersecurity strategies that go above and beyond passwords to quickly differentiate between suspicious and legitimate transactions.”