How Lufthansa Makes It Easier for Hackers to Steal Miles

A hacker stole more than 25,000 miles from my Lufthansa Miles & More account last week. Based on previous experience when reporting fraud to other companies, as I called the Miles & More U.S. phone line, I expected either to be connected with their fraud office or to be contacted by them as soon as possible, in order to get to the bottom of the incident.

Almost a week later, I’m still waiting.

Many airlines have taken measures in the last couple of years to prevent hacking of frequent-flier accounts. Lufthansa’s Star Alliance partner United Airlines, for example, used to allow logging into an account simply with a four-digit PIN code. It no longer does, having realized that hackers have ways of figuring out such a number — after all, the possible combinations are limited.

Lufthansa, however, seems not to have received that message. You can still log into a Miles & More account with a five-digit PIN code. That was what someone — possibly a Russian hacker, if his name is any indication — did last Monday.

That morning, a booking confirmation for the Linx Hotel near Galeão International Airport in Rio de Janeiro arrived in my email inbox. It was for that same day — but it wasn’t for me. The name on it was Ilya Izeulin. I suppose I was lucky he hadn’t changed the email address in my account, so I automatically received the reservation.

I immediately called Miles & More to report the fraudulent activity, cancel the reservation and get my miles back. The agent said that they use a third-party provider for hotel bookings called Get A Room, that reservations are nonrefundable, and the Miles & More system is unable to cancel them. She added that the main Miles & More office in Germany was closed for a public holiday, so nothing would be done for another day or two.

I was surprised by her cavalier attitude. The only thing she could do was recommend that I change my PIN and send a message to the office in Germany, which has yet to contact me. Realizing that the hacker could be checking in to his Rio hotel any minute, I suggested that they call the hotel or Get A Room to inform them of the fraud. I was told they don’t do that.

The next day, the agent left a voice message, advising me to send a letter in the mail explaining the incident and providing proof of my identity. She gave a mailing address in Germany. I called back to ask for an email address or fax number — after all, my miles were set to expire next month, and I wasn’t willing to wait for weeks for letters to fly back and forth over the Atlantic. I was told there was no email or fax number I could use.

Worried that the hacker could figure out my new PIN and steal even more miles, I asked to speak to a supervisor to express my concern that Lufthansa wasn’t taking fraud seriously. I was told all supervisors were on the phone with other customers, and someone would call me back. They never did.

I reached out to Lufthansa’s Twitter team and asked if I could send them a copy of my ID for them to forward to the appropriate office. They agreed. I also sent a message with my ID attached through the Lufthansa website, perhaps naively trusting the airline’s claim that its site is secure. By the end of the week, the stolen miles were back in my account.

No one has contacted me, however, to discuss the incident so they can learn from the experience and prevent more fraud. It’s obvious Lufthansa makes it easier for hackers to steal miles. In addition to the insufficient PIN log-in protocol, they allow same-day bookings for a person other than the account holder; those are two red flags. Moreover, their system doesn’t permit canceling such bookings.

It’s no secret that last-minute booking fraud has been on the rise for some time. Also last week, Alaska Airlines banned award reservations on some of its partner carriers within 72 hours of departure, though it later said the restriction would apply only to intra-Asia flights.

Lufthansa missed an opportunity to catch the abuser in the act. The airline has staff at Galeão Airport, and it had the name of the hacker — or at least the beneficiary of the stolen miles, if those were two different people. Someone could have gone to the nearby Linx Hotel. Perhaps that’s too much to expect. But Lufthansa has a responsibility to protect its customers’ accounts. It should make the log-in protocol more secure: using a password is currently one option, but so is a PIN. That makes the system vulnerable and should end. Lufthansa should also restrict same-day bookings for people other than the account holder without credible proof of identity, and allow cancellations of fraudulent reservations.
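The red flags the article names (PIN-only log-in, same-day travel, a beneficiary who is not the account holder, and redemptions through non-flight partners) can be checked automatically before a redemption is released. The following is an added illustration, not Lufthansa’s or Miles & More’s own code; the records, names and field names are constructed for the example.

```python
# Added example: scoring award redemptions against the red flags the article
# describes, so that suspicious ones are held for identity verification.
# All records, names and thresholds below are constructed, not real data.
from dataclasses import dataclass
from datetime import date, timedelta

NON_FLIGHT_CHANNELS = {"partner_hotel", "gift_card"}  # partner redemptions used to offload miles


@dataclass(frozen=True)
class Redemption:
    account_holder: str   # name on the loyalty account
    beneficiary: str      # name on the reservation or gift card
    booked_on: date       # date the redemption was made
    travel_date: date     # check-in / departure date (delivery date for a gift card)
    channel: str          # "flight", "partner_hotel" or "gift_card"
    auth_method: str      # how the session was authenticated: "pin" or "password"
    miles: int


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive name comparison key."""
    return " ".join(name.casefold().split())


def flags_for(r: Redemption, lead_days: int = 0) -> list[str]:
    """Return the red flags raised by one redemption (empty list = looks routine)."""
    flags = []
    if r.travel_date - r.booked_on <= timedelta(days=lead_days):
        flags.append("short_lead_time")          # same-day (or within lead_days) travel
    if _norm(r.beneficiary) != _norm(r.account_holder):
        flags.append("third_party_beneficiary")  # booked for someone else
    if r.auth_method == "pin":
        flags.append("pin_only_login")           # small keyspace, weak authentication
    if r.channel in NON_FLIGHT_CHANNELS:
        flags.append("non_flight_redemption")    # third-party vendor, often nonrefundable
    return flags


def needs_hold(r: Redemption, threshold: int = 2, lead_days: int = 0) -> bool:
    """Hold the redemption for identity verification when enough flags coincide."""
    return len(flags_for(r, lead_days)) >= threshold


SAMPLE = [
    # constructed: mirrors the article's case (same-day partner hotel, other guest, PIN)
    Redemption("Account Holder", "Hotel Guest", date(2018, 10, 1), date(2018, 10, 1),
               "partner_hotel", "pin", 25_000),
    # constructed: routine award flight for the account holder, booked weeks ahead
    Redemption("Account Holder", "account holder", date(2018, 10, 1), date(2018, 11, 15),
               "flight", "password", 30_000),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.channel, flags_for(r), "HOLD" if needs_hold(r) else "ok")
```

Passing `lead_days=3` to `needs_hold` reproduces a 72-hour rule like the one the article attributes to Alaska Airlines.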

It’s a prevalent practice in the airline loyalty business to use hotel — and other non-flight — bookings as a way to offload miles, which are a liability in those companies’ accounting books. But they have accumulated so many so-called partners and third-party vendors that it has become a huge challenge to prevent fraud.

Even though the stolen miles are back in my account, it won’t be safe until Lufthansa makes meaningful changes.

2 thoughts on “How Lufthansa Makes It Easier for Hackers to Steal Miles”

  • Last month (Jan 2019) someone hacked the account and stole more than 400.000 Lufthansa miles from my account over 11 days. I am unable to change the password. It is impossible to get someone from Lufthansa on the phone to receive a satisfying response on how to manage this disaster.
    If anyone has a clue how to proceed, please leave a note.

  • Hi, I found your article and wanted to add my experience: I logged into my Miles & More account to book an award flight and noticed someone had stolen all my miles (requesting a big gift card). I called Lufthansa Germany, but when selecting the English language I was forwarded to the US.
    When I told them the miles were stolen they did not even challenge that and said they would return them.
    I tried to add that the hacker had added his details to my profile (email, address), but they were not interested.
    The weirdest thing is that they did not sound surprised at all and were not interested in investigating if/who/how entered my account.
    I will wait a few days and try to contact Lufthansa Germany to report the details.
