British Airways recently acknowledged that they suffered a security breach impacting their frequent flyer program. This is yet another security breach impacting loyalty program systems. Earlier this year both American Airlines and United Airlines suffered security breaches where user accounts were compromised by criminals using stolen account credentials.
Loyalty programs may seem to be unusual targets for criminals as they often don't hold credit card or other financial information. However, what is often overlooked is that loyalty programs not only contain a large amount of personal data, data which could be used for later spear-phishing or identity theft attacks, but the points earned by users can also be used to purchase tickets, trips and other rewards. So in effect the points in those accounts have real value.
Late last year Europol conducted an operation which led to the arrest of 118 individuals in 45 different countries. According to the International Air Transport Association, airlines face losses of over US$1 billion every year due to fraudulent ticket transactions. While many of these fraudulent transactions are due to compromised credit cards, the use of stolen air miles may also contribute.
A spokesperson for British Airways says the breach impacted
"a small number of frequent-flyer executive club accounts. This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to some accounts."
The spokesperson also stated that British Airways is not
"aware of any access to any subsequent information pages within accounts, including travel histories or payment-card details."
Affected customers have had their accounts frozen and will be unable to use their reward points until the system is restored to normal.
Reading between the lines of the above British Airways statement, it appears the breach was due to login credentials gleaned from elsewhere on the Internet and used to log into the British Airways site. The most likely scenario is that the affected frequent flyer club members used the same login credentials across multiple systems. One of those systems was compromised, allowing criminals to access any of the other systems which shared those credentials.
While we can lament and scold users for this insecure practice, we should not lay all the blame solely at their feet. When I heard about the breach I decided to visit the British Airways site and register for their frequent flyers' club to see how robust their password management was.
Below is the screenshot I got when I tried to use a secure password, one which uses a mixture of upper case and lower case letters, numerals and some special characters.
As you can see, the website has rejected my secure password and I have to downgrade the password to one that uses only upper and lower case letters and numerals. Of course, allowing users to employ a secure password still does not protect them should they re-use that secure password across multiple sites. However, it does raise the security bar for that website or system and helps reinforce good security practices amongst users.
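To make the difference concrete, here is an added example (my own illustration, not code from British Airways or any airline site) contrasting a letters-and-digits-only policy like the one described above with a hardened one that accepts any printable password, enforces a minimum length, and rejects passwords already exposed in earlier breaches. The compromised-password list is a constructed stand-in for a real breached-credential feed.

```python
import string

# Weak policy modelled on the one described above: letters and digits only,
# so any password containing a special character is rejected outright.
WEAK_ALLOWED = set(string.ascii_letters + string.digits)


def weak_policy_accepts(password: str) -> bool:
    """Accept only non-empty passwords made purely of letters and digits."""
    return bool(password) and all(ch in WEAK_ALLOWED for ch in password)


# Constructed sample of passwords known to have leaked elsewhere.
# In practice this would be a lookup against a breached-password service,
# which is the check that defends against the credential re-use scenario.
KNOWN_COMPROMISED = {"Password1234", "Summer2015!!", "qwerty123456"}


def hardened_policy_accepts(password: str, min_length: int = 12) -> tuple:
    """Length-based policy: any printable character is allowed, short
    passwords and passwords seen in earlier breaches are refused.
    Returns (accepted, reason) so the caller can tell the user why."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if not all(ch.isprintable() for ch in password):
        return False, "contains non-printable characters"
    if password in KNOWN_COMPROMISED:
        return False, "appears in a known-compromised list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3-flyer", "Password1234", "correct horse battery staple!"):
        print(repr(candidate), "weak:", weak_policy_accepts(candidate),
              "hardened:", hardened_policy_accepts(candidate))
```

Note that the weak policy happily accepts `Password1234`, which is exactly the kind of leaked, re-used password the breach statement points to, while rejecting the stronger passphrases.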
Companies and websites that do not employ secure authentication systems simply help promote lax security amongst their users, as many will use simple and easy to remember passwords. There are a number of additional measures websites could employ to increase the security of their users' data, such as geo-location profiling, device profiling for users' systems, or a mobile-phone-based two-factor authentication method similar to the ones used by sites such as Twitter, Facebook, and Gmail.
Breaches like this are also a timely prompt for security officers to review the security of their websites and systems to determine how effective their authentication mechanisms are, particularly for any Internet-facing system. In addition, it's a reminder that if users are reusing passwords across multiple systems, it is likely they could be reusing those same passwords on corporate systems too.
These types of breaches are also excellent real-life examples to include in security awareness programs, as they can personalise the key messages to the users. Many users may be members of various loyalty schemes, be that for their airlines, hotels, or even shopping. Highlighting how weak passwords and the re-use of passwords across many systems could lead to them losing their hard-earned loyalty points could prompt them to rethink how they manage their passwords, which in turn should help them practise secure password management in the enterprise.
Good security is not the responsibility of any one party. Rather users, vendors, and companies all need to ensure they take appropriate security measures, otherwise security will never take off.