Over the last couple of months, a number of cases have been emerging on Flyertalk and elsewhere of people who have had their Priority Club points stolen. (Priority Club is the loyalty scheme for Holiday Inn, Crowne Plaza and InterContinental amongst other chains.)
For example, a quote from Facebook:
My husband and I have been loyal PC members for years, staying around 200 nights a year. On 9/11 my account was hacked and somebody changed my email address and purchased Amazon gift cards with 148,000 points! I have talked to customer service twice and sent one email and have yet to hear anything on this. Do you know how long it has taken me to save up those points?! Today I can’t even sign on to my account, it’s like it doesn’t exist. I’m getting concerned because I have a reservation tomorrow through the end of the week and don’t know what I’m going to find out when I check in.
What do you do when you wake up one day and find your points have been stolen? Is it even a crime (the small print of most schemes says that points have no monetary value)?
Whilst this could happen with any programme, the Priority Club website does seem to be substantially weaker than others. Here are a few key weaknesses:
- Membership numbers are just 9 digits long (or an e-mail address can be used instead), and the password is just a four-digit PIN code
- The site does not lock you out however many failed attempts you make at guessing the PIN
- The programme offers a lot of e-voucher redemptions for retailers where you receive e-mailed gift codes in return for points
- If you change your e-mail address on the site, there is no confirmatory e-mail sent to your old e-mail address
Amazingly, a hacker would not even need to know that someone was a Priority Club member in order to hack their account. All they need is a computer running a script which drops a random e-mail address or random 9-digit membership number into priorityclub.com and then tries all 9,999 PIN combinations. It doesn’t take long. If they had actual account numbers (easily obtained from anyone working in a PC property) then it would be even easier.
The thefts reported on Flyertalk are all from people with high balances (six figures), so it is possible that thieves are only targeting accounts with a lot in them, ignoring any others that the script throws up.
What is more worrying is the attitude of Priority Club to all this. The de facto response to the reports of fraud is to accuse the customer of not telling the truth. This is despite the fact that in all cases the e-mail address on the account was changed immediately before the account was emptied by way of e-mailed gift vouchers. This is not a US issue, either, with a number of thefts affecting UK residents, including one Head for Points reader.
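The weaknesses listed above and the theft pattern just described (e-mail address changed, then points emptied via e-vouchers) are both things a scheme operator could catch from its own account event log. The following is an added example, not code from Priority Club or from this article; the event names, account ids, threshold and hold period are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_FAILS = 5               # assumed threshold of consecutive failed PIN attempts
HOLD = timedelta(hours=24)  # assumed hold on e-voucher redemptions after an e-mail change

def review(events):
    """Scan time-ordered (timestamp, account, kind) events; return alert tuples."""
    fails, email_changed, alerts = {}, {}, []
    for ts, acct, kind in events:
        when = datetime.fromisoformat(ts)
        if kind == "login_fail":
            fails[acct] = fails.get(acct, 0) + 1
            if fails[acct] == MAX_FAILS:  # point at which a lockout would apply
                alerts.append((ts, acct, "lockout_threshold"))
        elif kind == "login_ok":
            if fails.get(acct, 0) >= MAX_FAILS:  # success straight after a failure run
                alerts.append((ts, acct, "success_after_failures"))
            fails[acct] = 0
        elif kind == "email_change":
            email_changed[acct] = when
            alerts.append((ts, acct, "notify_old_email"))  # confirm to the old address
        elif kind == "evoucher_redeem":
            changed = email_changed.get(acct)
            if changed is not None and when - changed < HOLD:
                alerts.append((ts, acct, "hold_redemption"))
    return alerts

# Constructed sample events; account ids and event names are hypothetical.
SAMPLE = [
    ("2000-01-01T01:00:00", "acct-B", "login_fail"),
    ("2000-01-01T01:00:30", "acct-B", "login_ok"),
    ("2000-01-01T01:05:00", "acct-B", "evoucher_redeem"),
    ("2000-01-01T01:10:00", "acct-B", "email_change"),
] + [
    (f"2000-01-01T02:00:0{i}", "acct-A", "login_fail") for i in range(6)
] + [
    ("2000-01-01T02:00:06", "acct-A", "login_ok"),
    ("2000-01-01T02:01:00", "acct-A", "email_change"),
    ("2000-01-01T02:02:00", "acct-A", "evoucher_redeem"),
]

if __name__ == "__main__":
    for alert in review(SAMPLE):
        print(alert)
```

In the sample, acct-B's single mistyped PIN and ordinary redemption raise nothing beyond the routine old-address notice, while acct-A trips every rule in sequence.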
I can only hope that, in time, all of the people affected do have their points balances restored. Unfortunately, Priority Club is the worst hotel loyalty scheme by far for customer contact, as anyone who has ever had an email exchange with their Philippines service centre will know.
What can you do to avoid this? Nothing, frankly, if the theft really is being done as described above. A computer could pick your account number at random and then keep guessing PINs until it finds the right one.
Using a service like AwardWallet to keep track of all your miles and points will at least help you spot any problems, especially if you update all your balances daily or let it e-mail you once a week with all your balance changes. You do not have to hand over your password details to AwardWallet if you don’t want to – they can be stored locally on your PC if you prefer.