How Hackers Stole 98k Frequent Flyer Points – And How I Got It Resolved

Someone hacked into my JetBlue TrueBlue account last week and stole nearly 100,000 points and racked up over $1,000 in flights and fees – and it took me 10 days to realize it.  I used to fly JetBlue between Logan and Washington Dulles weekly when I lived in Boston.  Since moving down to Texas, I’ve rarely flown the airline, beyond the occasional hop around the East Coast.  Not surprisingly, I just don’t log into that account much, nor did I realize how much risk that account was at.

How I knew my account was hacked

If it wasn’t for an email from the accounting department at my firm yesterday afternoon, who knows how long the hack would have gone unnoticed.  They emailed to notify me that I was behind on my expense reports – there were a number of small charges from JetBlue from 10 days prior that had not been submitted.  Since I haven’t flown JetBlue in over a year, I hopped into my expense account to see if it was an error.  Maybe they sent me someone else’s alert by accident?

Sure enough, there were the charges.  

Brilliant Fraudster Move #1:  The charges were mostly small, falling far short of setting off a fraud alert on my credit card.  They later attempted to charge a $988 ticket to my card which was rejected – but it’s a corporate card so I don’t get emails about fraud.  

These guys were pros.

The extent of the hack

I logged into my JetBlue account to find more bad news.  The charges on my AMEX weren’t the cost of tickets.  Half of the charges were the fees for booking flights using my TrueBlue (frequent flyer) points!  

Brilliant Hacker Move #2:  They booked a trip 2 hours before the flight departed.  So, even if I had been faster in realizing what happened, they would have already been safely aboard the flight.  I noticed while they were enjoying their (free) trip to NYC.  

We’re still not sure how they accessed my account and whether it was just my info they got, or if they got into JetBlue’s system somehow and my account was one target.  None of my other accounts appear to have been compromised.  But, my JetBlue account was using a fairly basic password and my personal email, and my AMEX info was stored for quick booking. 

Getting it resolved

I immediately hopped on an online chat with JetBlue while I wrapped up a work call.  The chat agent was able to cancel the flights that had not yet been taken using the ticket numbers and names that I was able to pull from our expense system (thank you AMEX for capturing and reporting that data!).  Meanwhile, our office manager cancelled my current AMEX and had a new card issued to me.  

When my work call ended, a JetBlue supervisor called me to authenticate some information in my account and started work on the flights that had already been flown.  The supervisor was quick to share that they often flag redemptions as fraud if the name on the ticket doesn’t match the name on the account.

Brilliant Hacker Move #3:  They booked tickets for multiple people, one of whom was me! I obviously didn’t board the flight, but by listing me as one of the passengers, it didn’t set off the JetBlue fraud alert. 

After about 10 minutes, the supervisor had approved the refund of my points and refunded the AMEX charges.  They also sent any of the information I had about the people flying on the tickets redeemed through my account over to their internal department that handles fraud.  If they tried to check in at the airport for the return flight from JFK, JetBlue would alert the appropriate authorities.  
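The name-match check the supervisor described can be compared with a multi-signal review rule in a short sketch. This is an added example, not JetBlue's logic or anything from the original post: the field names, the 6-hour and 365-day thresholds, and the two-signal cutoff are all assumptions, and the sample bookings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Redemption:
    account_holder: str
    passengers: list
    booked_at: datetime
    departs_at: datetime
    last_activity: datetime  # last login or flight before this booking

def _norm(name):
    return " ".join(name.lower().split())

def name_only_rule(r):
    """Rule as the supervisor described it: flag if the holder's name is not on the ticket."""
    return _norm(r.account_holder) not in {_norm(p) for p in r.passengers}

def risk_signals(r):
    """Collect independent signals; thresholds are illustrative assumptions."""
    holder, names = _norm(r.account_holder), {_norm(p) for p in r.passengers}
    signals = []
    if holder not in names:
        signals.append("holder_not_travelling")
    if names - {holder}:
        signals.append("third_party_passengers")
    if r.departs_at - r.booked_at <= timedelta(hours=6):
        signals.append("last_minute_booking")
    if r.booked_at - r.last_activity >= timedelta(days=365):
        signals.append("dormant_account")
    return signals

def needs_review(r, threshold=2):
    return len(risk_signals(r)) >= threshold

# Constructed sample data, not taken from the incident.
SUSPICIOUS = Redemption("Pat Example", ["Pat Example", "Traveller One", "Traveller Two"],
                        datetime(2024, 1, 10, 8), datetime(2024, 1, 10, 10), datetime(2022, 11, 1))
ROUTINE = Redemption("Pat Example", ["pat example", "Sam Example"],
                     datetime(2024, 1, 10, 8), datetime(2024, 2, 1, 10), datetime(2023, 12, 20))

if __name__ == "__main__":
    for label, r in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, name_only_rule(r), risk_signals(r), needs_review(r))
```

The first booking passes the name-only rule because the account holder is listed, yet it still lands in review on the combination of extra passengers, a last-minute booking and a long-idle account; the second, an ordinary trip with a companion, does not.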

How to prevent this from happening to you

Super straightforward.  Solution 1:  Protect your passwords.  

Easier said than done, though.  I worry about my bank info being stolen so I change that password regularly, use multi-factor authentication, and don’t carry a debit card.  I never thought about the impact that someone stealing my frequent flyer points could have, though.  What if JetBlue hadn’t been so helpful?  Those points could book thousands of dollars in flights – and I’m not protecting that as well as I might the equivalent amount of dollars.

The hubs and I subscribed to LastPass right after we resolved the issue with JetBlue.  LastPass is a secure password vault, enabling us to change the passwords to different sites to unique, random passwords that are difficult to hack.  The passwords are stored in LastPass, which is only accessible from our devices using a Master Password.  The browser plug-in even alerts me to sites not secured through LastPass as I access them, so I can slowly build my library and secure even the most minor sites.  

 

Solution 2:  De-link your credit cards, everywhere.  

When I was traveling weekly to Dulles, having my AMEX saved on JetBlue.com saved me a lot of time.  But, it also exposed me.  We started to run through how many sites have my personal credit card stored for easy access.  Would I notice a small charge to Nordstrom that I didn’t authorize?  Potentially not.  As we change our passwords and log them in LastPass, I’m also de-linking my credit cards.  It also means I’m less likely to make a purchase in the middle of the night when I’m consoling a crying baby – win win!

So, my question to you:  What accounts do you have that are vulnerable?  Are you doing enough to protect them?

 
