What will a fraudster pay for your Avios log-in details on the dark web?

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

The other day I came across the Dark Web Market Price Index.  This is a monthly updated list showing what people are paying on the ‘dark web’ (Dream, Point and Wall Street Market, all of which require the Tor browser) for your log-in details to various websites.

The list of prices is huge.  At the top end, Paypal log-in details sell for an average of £280 – that number is driven by a % of the credit balance held in the accounts put up for sale.

At the bottom end, your ASOS log-in details are worth £1.50.  Data like this is primarily useful for helping with ID fraud as part of a broader scam and would not necessarily be used to make fraudulent ASOS purchases.

In the travel category, Avios / BA accounts are the clear winner at £6.73 per set of account details.

They would be worth more, but there is clearly a big risk in using a hacked Avios account to book a flight for a future date. Much of the fraud I hear about is via Avios hotel redemptions: a fraudster can book, check in and (hopefully) check out before you have even noticed your points were gone. I imagine that fraudulent redemption of wine or other goods, sent to ‘safe’ addresses, is also popular.

[Image: “What is the dark web?”, an infographic explaining a bit more about how the dark web works]

Airbnb and Uber accounts are also worth £5+. The value of a hacked Uber account, given it can be used globally, is obvious. Whilst you can easily block your account, any fraudster timing it right (e.g. taking rides in the early hours of the morning, when the UK account holder is likely to be asleep) can easily extract more than £5 of value before the plug is pulled.

Airbnb is more interesting.  Hacking into the account of a host allows you to change their banking details and have stay money sent elsewhere.  Hacking into the account of highly rated guests allows you to book high-end properties without suspicion and then burgle them.

Even Facebook accounts with no financial information sell for an average of £3.74, because the treasure trove of personal data you leave there is enough for many forms of identity theft. (How many of the security questions on your online banking account could be answered by someone who also had access to your Facebook account? HSBC tends to ask me: Your child’s middle name? The town where you went to school? Where did you live in the year 2000?)

It is a fascinating subject, at least for me, especially after what I learnt at the loyalty fraud conference I attended last year.  You can read the full dark web report here.

Comments (72)

  • RussellH says:

    > I would review the password policies of the site you visit and use the maximum length they support

    Yes, but what is also really poor is how few sites still use case-sensitive passwords and passwords that include non-alphanumeric characters. Amex, for one, does allow non-alphanumeric characters, but the letters are not case sensitive. And you always have to type the full password, which is not good. I recently had an Amex agent warn me not to use upper case, as their systems did not like it. Creation, though, often much maligned here, does allow non-alphanumeric characters and is fully case sensitive. Clydesdale Bank likewise. TSB, though, takes no account of case and is strictly alphanumeric only, so you only have a choice of 36 characters.

    No one else quite as bad as IHG, though, that I am aware of!

    • Doug M says:

      Oh great. Thought you had to be kidding, so just typed my carefully mixed case password all in lower and logged in without issue. Amex, really, that is quite surprising.

      • RussellH says:

        Thinking further about Amex, what is worse is that you always have to type that password in fully and there is no second stage – I would imagine that selecting three characters from the 19 I use and then having to use some other piece of information to get in would be an improvement. Even TSB and Hargreaves Lansdown do that, even though they do not allow non-alphanumeric characters. FWIW, is it not perhaps time that someone like the FCA mandated minimum login standards?

        • Polly says:

          We get the odd text security number at times from Amex. I think the two-level security is essential.

        • Fenny says:

          As long as the mandated standards are applied consistently. I don’t mind what they are, but where one place wants no more than 8 characters, another wants 10 including 2 numbers, etc., it’s all a mess. If somebody sets a standard – say 16 including alphanumeric and special characters – everyone needs to stick to it. But too many companies will whinge about having to change their systems and won’t bother.

        • AndyGWP says:

          If you have a set / mandated password standard though, it gets easier to hack it!

          If I know your password is exactly 10 characters long, it’s easier to hack than if I have to guess how long your password is 🙂

        • RussellH says:

          I did suggest **minimum** standards – I would not want anything to prevent higher standards. I do think ‘no more than 8 characters’ is quite wrong though.

          I would want passwords to have to be case sensitive, and allow all ASCII characters from 33 to 127, with a minimum word length of 11. The standards would need to be enforceable at law, with effective penalties which would have to be applied to an organisation’s policy makers – ideally someone at board level or equivalent.

        • AndyGWP says:

          Apologies – my reply was in response to “If somebody sets a standard – say 16 including alphanumeric and special characters, everyone needs to stick to it.”

          …appreciate it gets difficult to see who’s replying to what when we hit the maximum number of nested replies 🙂

    • Scott says:

      Santander is a 5-digit PIN for full access to my current and savings accounts (albeit you also need to know the 8-digit customer ID, rather than e.g. an email address, and there is an additional security question if logging in from a new device for the first time).
      They do require an OTP if you wish to transfer money to a new recipient, but it still feels inadequate for a bank.

      • Genghis says:

        Not two passwords and the customer ID? Even so, what’s the risk?

        • Richard says:

          Yes, passcode and password for Santander.

        • Scott says:

          No, definitely only one 5-digit PIN required for access, other than for the circumstances I mentioned. What’s the risk? Maybe little, but it just seems lax compared to other banks.

        • Genghis says:

          Interesting. It’s a 5-digit PIN for me on the app on my phone, but then that’s an effective 2FA.
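To put numbers on the policies argued over in the thread above (TSB’s 36-symbol alphabet, case-sensitive letters, RussellH’s printable-ASCII proposal with a minimum length of 11, and AndyGWP’s point about a known fixed length), here is an added Python example; it is not code from the post or from any of the sites named, and the alphabet sizes are constructed from the comments rather than measured against any real login page.

```python
import math

# Alphabet sizes constructed from the policies named in the comments above
# (assumptions taken from the thread, not measured against any real site).
POLICIES = {
    "digits only (PIN)": 10,
    "alphanumeric, case-insensitive": 36,   # TSB as described: 26 letters + 10 digits
    "alphanumeric, case-sensitive": 62,     # 26 + 26 + 10
    "printable ASCII 33-126": 94,           # every printable, non-space symbol
}


def keyspace(alphabet: int, length: int, exact_length: bool = True) -> int:
    """Number of distinct passwords a policy admits.

    exact_length=True counts passwords of exactly `length` symbols (the
    guesser knows the length); False counts every length from 1 to `length`
    (the length is unknown, so shorter candidates must be tried as well).
    """
    if exact_length:
        return alphabet ** length
    return sum(alphabet ** n for n in range(1, length + 1))


def entropy_bits(alphabet: int, length: int, exact_length: bool = True) -> float:
    """Keyspace expressed in bits: log2 of the number of candidates."""
    return math.log2(keyspace(alphabet, length, exact_length))


def unknown_length_factor(alphabet: int, length: int) -> float:
    """How much larger the search is when the length is unknown (1..length)
    than when it is known to be exactly `length`.  The ratio is bounded by
    k/(k-1), so a fixed, known length costs at most a few percent of the keyspace."""
    return keyspace(alphabet, length, False) / keyspace(alphabet, length, True)


def case_insensitivity_cost_bits(length: int) -> float:
    """Bits lost when a site folds a 62-symbol alphanumeric password down to 36."""
    return entropy_bits(62, length) - entropy_bits(36, length)


def compare(length: int) -> dict:
    """Entropy in bits for each policy at the given length, rounded to 0.1."""
    return {name: round(entropy_bits(k, length), 1) for name, k in POLICIES.items()}


if __name__ == "__main__":
    for name, bits in compare(8).items():
        print(f"{name:32s} 8 symbols -> {bits:5.1f} bits")
    print("94 symbols, length 11 (the proposal above):", round(entropy_bits(94, 11), 1), "bits")
    print("cost of case folding at 10 symbols:", round(case_insensitivity_cost_bits(10), 1), "bits")
    print("unknown vs known length, 36 symbols, length 10:", round(unknown_length_factor(36, 10), 3))
```

The last figure is the one to note against the fixed-length worry: with a 36-symbol alphabet, not knowing the length adds under 3% to the search, whereas case folding removes almost eight bits from a 10-symbol password.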

  • Tom says:

    I think it is smart phones and their apps that are the security risk.

    Using only a PC and a VPN, I’ve never had a problem.

  • Graham Walsh says:

    Re people’s concern about a password manager’s site being hacked: I use another device to authenticate my login to LastPass. It’s called a YubiKey. You could also use another method such as SMS.

    Wonder how much my HfP login is worth 🙂

  • Simon says:

    £280 average for PayPal login details, wow. Personally I move any balance out straight away to my bank, even if just £5-10 in credit. That way, when I make my next purchase via PayPal, I can pay the full amount using my Amex card to max out Avios earnings. PayPal doesn’t seem to let me pay the full amount on a card if I have a credit balance in my account.

    Not sure what everyone else does, but hopefully a handy tip. I guess people keeping large credit balances are likely to be eBay power sellers etc.

    • Genghis says:

      What about sending money to an email address and it being changed to linked card (even if zero balance)?

    • Rob says:

      I have had £5k in PayPal before, some overseas HFP clients like to pay with it.

    • Scott says:

      No problems for me paying with a credit card via PayPal when I have a credit balance in my PayPal account.