A hacker stole more than 25,000 miles from my Lufthansa Miles & More account last week. Based on previous experience when reporting fraud to other companies, as I called the Miles & More U.S. phone line, I expected either to be connected with their fraud office or to be contacted by them as soon as possible, in order to get to the bottom of the incident.
Almost a week later, I’m still waiting.
Many airlines have taken measures in the last couple of years to prevent hacking of frequent-flier accounts. Lufthansa’s Star Alliance partner United Airlines, for example, used to allow logging into an account simply with a four-digit PIN code. It no longer does, having realized that hackers have ways of figuring out such a number — after all, the possible combinations are limited.
Lufthansa, however, seems not to have received that message. You can still log into a Miles & More account with a five-digit PIN code. That was what someone — possibly a Russian hacker, if his name is any indication — did last Monday.
That morning, a booking confirmation for the Linx Hotel near Galeão International Airport in Rio de Janeiro arrived in my email inbox. It was for that same day — but it wasn’t for me. The name on it was Ilya Izeulin. I suppose I was lucky he hadn’t changed the email address in my account, so I automatically received the reservation.
I immediately called Miles & More to report the fraudulent activity, cancel the reservation and get my miles back. The agent said that they use a third-party provider for hotel bookings called Get A Room, that reservations are nonrefundable, and the Miles & More system is unable to cancel them. She added that the main Miles & More office in Germany was closed for a public holiday, so nothing would be done for another day or two.
I was surprised by her cavalier attitude. The only thing she could do was recommend that I change my PIN and send a message to the office in Germany, which has yet to contact me. Realizing that the hacker could be checking in to his Rio hotel any minute, I suggested that they call the hotel or Get A Room to inform them of the fraud. I was told they don’t do that.
The next day, the agent left a voice message, advising me to send a letter in the mail explaining the incident and providing proof of my identity. She gave a mailing address in Germany. I called back to ask for an email address or fax number — after all, my miles were set to expire next month, and I wasn’t willing to wait for weeks for letters to fly back and forth over the Atlantic. I was told there was no email or fax number I could use.
Worried that the hacker could figure out my new PIN and steal even more miles, I asked to speak to a supervisor to express my concern that Lufthansa wasn’t taking fraud seriously. I was told all supervisors were on the phone with other customers, and someone would call me back. They never did.
I reached out to Lufthansa’s Twitter team and asked if I could send them a copy of my ID for them to forward to the appropriate office. They agreed. I also sent a message with my ID attached through the Lufthansa website, perhaps naively trusting the airline’s claim that its site is secure. By the end of the week, the stolen miles were back in my account.
No one has contacted me, however, to discuss the incident, so they can learn from the experience and prevent more fraud. It’s obvious Lufthansa makes it easier for hackers to steal miles. In addition to the insufficient PIN log-in protocol, they allow same-day bookings for a person different from the account holder — these are two red flags. Moreover, their system doesn’t permit canceling such bookings.
It’s no secret that last-minute booking fraud has been on the rise for some time. Also last week, Alaska Airlines banned award reservations on some of its partner carriers within 72 hours of departure, though it later said the restriction would apply only to intra-Asia flights.
Lufthansa missed an opportunity to catch the abuser in the act. The airline has staff at Galeão Airport, and it had the name of the hacker — or at least the beneficiary of the stolen miles, if those were two different people. Someone could have gone to the nearby Linx Hotel. Perhaps that’s too much to expect. But Lufthansa has a responsibility to protect its customers’ accounts. It should make the log-in protocol more secure — using a password is currently one option, but so is a PIN. That makes the system vulnerable and should end. Lufthansa should also restrict same-day bookings for people different from the account holder without credible proof of identity, and allow cancellations of fraudulent reservations.
It’s a prevalent practice in the airline loyalty business to use hotel — and other non-flight — bookings as a way to offload miles, which are a liability in those companies’ accounting books. But they have accumulated so many so-called partners and third-party vendors that it has become a huge challenge to prevent fraud.
Even though the stolen miles are back in my account, it won’t be safe until Lufthansa makes meaningful changes.