Fraudsters Target American AirlinesFrequent Flier Accounts Compromised
American Airlines reports that unauthorized individuals obtained usernames and passwords from third-party sources to access a limited number of accounts for AAdvantage, the airline's frequent flier program.
"We have 70 million AAdvantage accounts, and less than 10,000 may have been accessed," says Martha Thomas, a spokesperson for American Airlines.
"We've only positively identified two instances of unauthorized activity [on breached accounts]," Thomas says. "We're continuing to investigate, but it appears any fraudulent activity was limited to a very small handful of the 10,000 accounts.
The compromise follows a similar incident at United Airlines that came to light in late December, when the company notified several thousand of its MileagePlus members that intruders accessed their frequent flier accounts (see: Fraudsters Target United Frequent Fliers). For approximately three dozen accounts, the intruders were able to make a mileage transaction, such as booking a ticket, United said.
The Security Implications
Breaches involving airlines are worrisome because of the implications of fraudsters booking airline tickets under the guise of frequent fliers, says Shirley Inscoe, an analyst at the consultancy Aite Group.
"Frequent fliers are often exempted from the same level of security scrutiny in airports as other passengers," she says. "If the fraudster booked the ticket in the name of the frequent flier, and has identity documents that can pass airport scrutiny, we could see another round of terrorist attacks involving airplanes."
The fact that both American Airlines and United were targeted shows the value fraudsters see in mileage points, which are a quasi-currency, says fraud expert Tom Wills, director of consulting firm Ontrack Advisory. "They're less valuable than hard cash, but only slightly less because airline trips are valuable to a lot of people, and they're expensive to buy."
In addition, frequent flier accounts aren't subject to PCI compliance, money laundering scrutiny or mandatory two-factor authentication, Wills says. "That makes it that much easier for the fraudsters to work with them."
The similarity of two frequent flier program attacks makes it appear that the same or related groups may have been involved, Wills adds.
Need for Better Authentication
The re-use of usernames and passwords across multiple websites contributes to a higher rate of fraud, says Al Pascual, director of fraud and security at Javelin Strategy and Research. "To address this trend, businesses can implement two-factor authentication," he says.
Given the fact that a majority of consumers use the same online credentials for multiple websites, it is foolish for airlines not to assume their customer credentials have been compromised in all of the recent data breaches, Inscoe at Aite Group says. "They should use multi-factor authentication," she says. "While it is a bit more complicated and costly, it is worthwhile to protect an asset frequent fliers appreciate and often take steps to accumulate."
In addition, organizations can bolster their password policies, such as by requiring frequent password changes as well as encouraging the use of password managers, Pascual says.
Airlines and other retailers can also consider other alternatives to common username and password account access, such as through biometric authentication, which will soon be a standard feature on smart phones, Wills says. "This takes away the usability concerns about passwords," he says. "Although for robust security, biometric access has to be used together with other security layers," including encryption of account information and behavioral analytics, Wills explains.
American Airlines says it's notifying affected customers and has locked the accounts that may have been accessed without their authorization.
The airline says it's working with U.S. federal law enforcement to investigate the matter. Although the affected accounts do not contain Social Security numbers or full payment card information, impacted customers are being offered free credit monitoring services for one year.