What happens when your points are stolen?

Over the last couple of months, a number of cases have been emerging on Flyertalk and elsewhere of people who have had their Priority Club points stolen.  (Priority Club is the loyalty scheme for Holiday Inn, Crowne Plaza and InterContinental amongst other chains.)

For example, a quote from Facebook:

My husband and I have been loyal PC members for years, staying around 200 nights a year. On 9/11 my account was hacked and somebody changed my email address and purchased Amazon gift cards with 148,000 points! I have talked to customer service twice and sent one email and have yet to hear anything on this. Do you know how long it has taken me to save up those points?! Today I can’t even sign on to my account, it’s like it doesn’t exist. I’m getting concerned because I have a reservation tomorrow through the end of the week and don’t know what I’m going to find out when I check in.

What do you do when you wake up one day and find your points have been stolen?  Is it even a crime (the small print of most schemes says that points have no monetary value)?

Whilst this could happen with any programme, the Priority Club website does seem to be substantially weaker than others.  Here are a few key weaknesses:

  • Membership numbers are just 9 digits long (or you can use an email address) and the password consists of just a four-digit PIN code
  • The site does not lock you out however many failed attempts you make at guessing the PIN
  • The programme offers a lot of e-voucher redemptions for retailers where you receive e-mailed gift codes in return for points
  • If you change your e-mail address on the site, there is no confirmatory e-mail sent to your old e-mail address

Amazingly, a hacker would not even need to know that someone was a Priority Club member in order to hack their account.  All they need is a computer running a script which drops a random e-mail address or random 9-digit membership number into priorityclub.com and then tries all 9,999 PIN combinations.  It doesn’t take long.  If they had actual account numbers (easily obtained from anyone working in a PC property) then it would be even easier.


The thefts reported on Flyertalk are all from people with high balances (six figures) so it is possible that thieves are only targeting accounts with a lot in them, ignoring any others that the script throws up.

What is more worrying is the attitude of Priority Club to all this.  The de facto response to the reports of fraud is to accuse the customer of not telling the truth.  This is despite the fact that in all cases the e-mail address on the account was changed immediately before the account was emptied by way of e-mailed gift vouchers.  This is not a US issue, either, with a number of thefts affecting UK residents, including one Head for Points reader.
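The pattern in these reports (a run of wrong PINs, then an e-mail address change followed straight away by an e-voucher redemption) is something a scheme can spot on its own side. The sketch below is an added example, not Priority Club's code and not part of the original post; the event names, the thresholds (5 failures in 15 minutes, a 72-hour hold) and the log entries are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed log entries (not real data): (time, account, event)."""
    t0 = datetime(2020, 1, 1, 2, 0, 0)
    ev = [(t0 + timedelta(seconds=i), "111111111", "login_fail") for i in range(40)]
    ev += [(t0 + timedelta(seconds=40), "111111111", "login_ok"),
           (t0 + timedelta(seconds=70), "111111111", "email_change"),
           (t0 + timedelta(seconds=95), "111111111", "voucher_redeem"),
           # Member who mistypes the PIN twice, then redeems normally.
           (t0 + timedelta(hours=1), "222222222", "login_fail"),
           (t0 + timedelta(hours=1, seconds=9), "222222222", "login_fail"),
           (t0 + timedelta(hours=1, seconds=20), "222222222", "login_ok"),
           (t0 + timedelta(hours=1, minutes=5), "222222222", "voucher_redeem"),
           # Member who changed e-mail address ten days before redeeming.
           (t0 - timedelta(days=10), "333333333", "email_change"),
           (t0 + timedelta(hours=2), "333333333", "voucher_redeem")]
    return sorted(ev)

def lockout_candidates(events, limit=5, window=timedelta(minutes=15)):
    """Accounts with more than `limit` failed PINs inside a sliding `window`."""
    recent, flagged = defaultdict(deque), set()
    for ts, acct, kind in events:
        if kind != "login_fail":
            continue
        q = recent[acct]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(acct)       # a lockout should have triggered here
    return flagged

def redemptions_to_hold(events, hold=timedelta(hours=72)):
    """E-voucher redemptions made within `hold` of an e-mail address change."""
    changed, held = {}, []
    for ts, acct, kind in events:
        if kind == "email_change":
            changed[acct] = ts
        elif kind == "voucher_redeem" and acct in changed and ts - changed[acct] <= hold:
            held.append((acct, ts))  # delay and notify the old address first
    return held

if __name__ == "__main__":
    events = sample_events()
    print("lock out:", lockout_candidates(events))
    print("hold redemption:", redemptions_to_hold(events))
```

Only the first constructed account is flagged by both checks; the member who mistypes twice and the member who changed address ten days earlier pass untouched.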

I can only hope that, in time, all of the people affected do have their points balances restored.  Unfortunately Priority Club is the worst hotel loyalty scheme by far for customer contact as anyone who has ever had an email exchange with their Philippines service centre will know.

What can you do to avoid this?  Nothing, frankly, if the theft really is being done as described above.  A computer could pick your account number at random and then keep guessing PINs until it finds the right one.

Using a service like AwardWallet to keep track of all your miles and points will at least help you spot any problems, especially if you update all your balances daily or let it e-mail you once a week with all your balance changes.  You do not have to hand over your password details to AwardWallet if you don’t want to – they can be stored locally on your PC if you prefer.


Comments

  1. I have just opened an Award Wallet account and the passwords are stored by them. What do others think about passwords, should I store locally on my PC only?

    • I am happy to let AwardWallet hold my passwords – I value the ability to check balances across the many different PCs and tablets I use in the average week. That said, if you always use the same computer then you have nothing to lose by taking the extra security gained by storing passwords locally (or indeed on Dropbox as UK1 says, which gives you some flexibility if you desperately need access when away from home).

  2. It’s great you highlighted this issue. It hasn’t (yet) affected my account but the accounts posted by FT’ers about the ease with which the points were stolen and the complete lack of any attempt to stop the thefts by taking the most basic of steps are alarming. It is terrible that the continued stance by ICHG is that the account holders are the fraudsters themselves; that is unacceptable. Even the ICHG lurkers have been unacceptably quiet and absent on this topic. I hope ICHG take the rudimentary steps to stop accounts being plundered.

  3. I suppose it couldn’t hurt to try and claim on insurance – they might pay up for a miles purchase, you even if it’s only some of the value.

  4. Interesting blog to read having just opened a PC account this week myself, and thinking exactly that at signup: “The security here is very relaxed!”

    It does seem absurd that a website with such a simple username/PIN system available for hackers to exploit also has no added security such as IP tracking, email address change confirmation emails, account lockout or indeed any concern! And considering that you can login with the account number or email, it wouldn’t help to get a long and complicated email address or change your PIN frequently, as hacking would only take a few minutes and once done it’s too late.

    While I have a very low start-up balance, it isn’t too much of a problem for me, but considering the value that these “no cash value” points have to people with large balances, I suggest a petition is started against PC to demand concern, points refund and added security – they are the only ones to blame or who can make any difference. In fact it wouldn’t be difficult for any one of us vaguely tech-savvy people to create the script and hack accounts ourselves, just to harvest email addresses of members to target in an email campaign, addressing them something like this:

    ***

    Hi

    Your PC account has been hacked, this is how I got your name, email and account number:

    This is a friendly email from a concerned fellow PC member trying to demand an end to PC’s lack of security and concern. If the lack of security on your PC account concerns you, please sign this petition or email PriorityClub@ihg.com and complain.

    The next hacker could take all your points, as has happened to countless others already, so act now before it’s too late!

    ***

    Even without a petition website or account hacking, by mentioning this on enough similar blogs, enough people will complain and something will have to be done. But a petition that is publicised cannot go ignored so is the best bet.

    And considering insurance companies do their utmost to reject all valid claims where something of accepted value is taken, I don’t think there’s a hope of any payback for points!

    • You’re right … there isn’t the slightest chance that an insurance company would pay up, particularly as ICHG would tell them adamantly that you took the points yourself. ICHG are well aware of the problem if you believe what their official lurker has said on FlyerTalk but they seem to believe that doing nothing is the right option.

  5. One rather extreme suggestion on FT is to book a large number of dummy awards to take your balance down to almost zero. Any script opening your account will therefore see only a small balance and leave you alone. This is risky, though, if you forget to cancel a booking before the date comes round, as you will definitely lose your points this way!

  6. Any lawyers on here care to comment on whether an affected individual would have a shot with tort law? Despite what their T&Cs say, as a man on the street I would think that their negligence has led to a damage.

  7. Mr Bridge says:

    In the case detailed in Raffles’ post, this is cyber crime, and most police forces have a dept to deal with this. If Amazon gift codes were issued it should be possible for Amazon to trace where any goods ordered with them were sent. Although points may not get recovered, there may be enough for the police to track down the thief.