
What will a fraudster pay for your Avios log-in details on the dark web?

Links on Head for Points pay us an affiliate commission. A list of our partners is here.

The other day I came across the Dark Web Market Price Index. This is a monthly updated list showing what people are paying on the ‘dark web’ (the Dream, Point and Wall Street Market marketplaces, all of which require the Tor browser) for your log-in details to various websites.

The list of prices is huge. At the top end, PayPal log-in details sell for an average of £280; that figure is high because the price is set as a percentage of the credit balance held in the accounts put up for sale.

At the bottom end, your ASOS log-in details are worth £1.50. Data like this is primarily useful for ID fraud as part of a broader scam and would not necessarily be used to make fraudulent ASOS purchases.

In the travel category, Avios / BA accounts are the clear winner at £6.73 per set of account details.

They would be worth more, but there is clearly a big risk in using a hacked Avios account to book a flight for a future date. Much of the fraud I hear about is via Avios hotel redemptions: a fraudster can book, check in and (they hope) check out before you have even noticed your points are gone. I imagine that fraudulent redemption of wine or other goods, sent to ‘safe’ addresses, is also popular.

The infographic below explains a bit more about how the dark web works:

[Image: What is the dark web?]

Airbnb and Uber accounts are also worth £5+. The value of a hacked Uber account, given that it can be used globally, is obvious. Whilst you can easily block your account, any fraudster who times it right (e.g. taking rides in the early hours of the morning, when the UK account holder is likely to be asleep) can extract more than £5 of value before the plug is pulled.

Airbnb is more interesting. Hacking into a host’s account allows you to change their banking details and have guests’ payments for stays sent elsewhere. Hacking into the account of a highly rated guest allows you to book high-end properties without arousing suspicion and then burgle them.

Even Facebook accounts with no financial information sell for an average of £3.74, because the treasure trove of personal data you leave there is enough for many forms of identity theft. (How many of the security questions on your online banking account could be answered by someone who also had access to your Facebook account? HSBC tends to ask me: your child’s middle name? The town where you went to school? Where did you live in the year 2000?)

It is a fascinating subject, at least for me, especially after what I learnt at the loyalty fraud conference I attended last year.  You can read the full dark web report here.


Comments

  1. Sanjay says:

    Great article – very interesting!

  2. Mark E says:

    Interesting and slightly worrying. I still find it odd that IHG Rewards logins are four-digit PINs.

    • Craig Strickland says:

      In this day and age it’s totally irresponsible, they fully deserve having to replace the stolen points every time an account is hacked.

    • Banana says:

      Happened to me with IHG. 32,000 points stolen. Worst part was that when I called them up using the Skype app, they answered saying “Thanks Mr Rashid for being a spire elite member”… I informed them that wasn’t my name or status. I had to call them again and the exact same thing happened, albeit this time with a different name and status. Truly shocking. I could have made a redemption under those people’s accounts.

      • callum says:

        You can make a redemption just by stating your name and status level? Or their system “recognizing” you meant you could just make any redemption you wanted with no further checks?

    • Steve-B says:

      When you renew Ambassador status, IHG send out the member’s account number and PIN in clear text on the confirmation email, which says a lot about their lax attitude to account security.

      • Yes, they did, but I alerted them to this and subsequent renewals don’t have the PIN on the email.

        • Steve-B says:

          I wouldn’t be so sure – my latest renewal email still has this information on it, and that was only two weeks ago.

        • Not on my November renewal, they might as well put your credit card details on the mail too! I hope you had a go at them for their security balls up if your renewal has your pin on it?

  3. Surprising they sell on that info so cheaply. Would have thought it way more valuable.

    • Some (most? all?) of the sellers are scammers. That report just lists prices, but who knows whether you actually get anything for your money, or it just disappears and leaves you feeling stupid?

      I wonder how much it costs to buy an account used to sell stolen data with good reviews. It’s probably easier to make money this way than actually using stolen data.

  4. OT: am currently at nearly 800 TPs, collection year ends early August.

    I take 25-30 (mostly short-haul) flights per year with BA. Have been trying to whittle down that Avios balance by deliberately booking RFSes and saving the £££. Great value per Avios spent, but sucks for keeping status.

    Dilemma: stop collecting TPs and back to booking RFS now I have Silver renewed?

    …or push on to 1500 to get Gold for 18 months and Silver for another year after that?

  5. Having an Uber account hacked and blocking it isn’t as simple as you might think. It happened to me a few months back; I kept getting notifications on my phone that drivers were on their way. Changing the password didn’t help, and even trying to delete my account didn’t work, as it takes 30 days to delete an account forever and a few minutes after deactivating the account I’d get an email saying “welcome back to Uber”.

    Worst thing if it happens to you is that there’s no simple way of contacting them to put a stop to it immediately, no phone number or live chat, you just have to send them messages through the app. Couldn’t even remove all my payment options, I was left with PayPal and had to call them to block any further payments to Uber.

    I eventually got Uber to deactivate my account permanently and have never used them since. Uber even have the cheek to blame the user when it happens for not having secure enough details.

    • Crafty says:

      Could you have removed all payment methods, or does it make you leave one?

      • On iOS at least, you could just have Apple Pay set up, which would only work on your iPhone (that’s what I usually do); that way there are no card details linked which may be compromised if someone hacked my Uber account.

        The downside is that when you travel, if Apple Pay isn’t enabled in the country you go to, you will need to add a card whilst you are away before you can book a ride, which I discovered in Portugal last year.

      • Bagoly says:

        This is when it is useful to have at least one credit card one does not use (but one does need to remember the security details, and one wants it to be from a credit card provider with good service!)
        Add this “throwaway” card, remove all the others, and then block payments from that card to that provider.
        Thinking about this, perhaps this is where a Revolut virtual card could be useful – one can block it on the app (but to all payees)
        Does anybody have any experience with in-app blocking with other fintech card providers?

        • TGLoyalty says:

          Curve and Monzo also allow you to lock the card, but to everyone rather than just one merchant.

        • Another good use of a “throwaway card” with a low credit limit is for car rentals. It stops the rental company sticking a large amount for damage on your card, in case you have an accident.

        • Starling also allows their debit card to be blocked in app

        • Curve allows in-app blocking. I did it when I lost my wallet last year.

    • I had my Uber details stolen which somebody used for Uber eats to 5 separate addresses in London. I kept getting the receipts through and they totaled around £200. At first Uber tried to blame me also, asking if I had given my details to anybody. After insisting I had never been to that area and have never given my details to anybody they credited my account as did my credit card company to cover me initially. I think I identified the person who was ordering all the food because she had registered a business at one of the addresses and also worked at a nursery where some of the food got delivered. I passed it on to Uber but have no idea if they followed it up. I never save my credit card details with any company now.

  6. I would encourage everyone to invest the time in installing a decent password manager. A good password manager will ensure you only have to remember one password. Below are some popular options:

    * 1Password (monthly subscription or one time license)
    * KeePass (free, open source)
    * LastPass (free and subscription)

    Once installed, I would review the password policies of the sites you visit and use the maximum length they support, e.g. Google supports up to 64 characters including special characters such as punctuation. The applications will generate a random password for you. You only have to remember one password, the master password for the app. Using apps like 1Password and LastPass allows you to sync all of your passwords across all of your devices.

    Each of the apps I mention above will have browser extensions and/or support the share sheet on your mobile devices. When you go to a website for which you have stored the login details, press the browser button and it will automatically populate the form. No more copying and pasting or remembering which variant of your children’s names you used. Every so often make a point of changing your site passwords using the app. This ensures that if someone gets your old password they can’t sign into your account.

    In addition to the above, turn on two-factor authentication (2FA) if the site supports it. 2FA requires you to validate logging in from a new location by using a one-time code. The code can be generated through an application like 1Password, Google or Microsoft Authenticator (my favourite) or via text message (PayPal uses text message). Sites like Apple, Facebook, Microsoft, Google, eBay, Reddit, and PayPal all support 2FA.

    Re personally identifiable questions like the ones HSBC uses: my wife uses different answers on different sites. She keeps track through 1Password. 1Password allows you to record custom fields when you generate a new login. When she is prompted for one of the answers she simply copies the response across.

    TL;DR – invest in a password manager, generate unique passwords for each site and use two factor authentication

    • Mikeact says:

      Good advice. I use SafeInCloud across all devices, it’s free and suits me just fine. Being mean, I didn’t want to pay as I was with 1Password. And then of course, there are other options to back everything up to the cloud, which can be a safety net when travelling.

      • Just remember though that the service costs money to run so if you aren’t paying, how do they make money? If it’s a cloud only service and it goes out of business, can you get access to all your account logins?

        • Mikeact says:

          Trev…if Dropbox go belly up, then I guess we’re all in trouble.

        • Technically you’re not, because your stuff is also on the hard drive of all your synced computers. I see it as safer than just having stuff on a hard drive that could be stolen or break. There are NO FILES AT ALL on any of my PCs – the only active folder is Dropbox and everything goes in there and syncs between a) my home laptop, b) my office laptop and c) my 13 inch travelling laptop.

          There is also a HFP sub-directory which is shared with Anika and all the company stuff is done in there.

    • I’ve tried LastPass but found it clunky and thought it integrated poorly with Chrome. If you have other recommendations I’d like to use them, but I’ve just found all the solutions suboptimal so far…

    • Have always worried that this meant the baddies only needed to know the password manager password and everything would be insecure?

      • Same here; also concerned that if there were to be a problem with the password manager, then I would be unable to get access to any of my accounts.

      • That’s why you want to use a second factor for authentication (e.g. a one-time code generated by something like Google Authenticator) for your password manager. That way a hacker would need to figure out your password manager password plus a 6-digit code which changes every 30 seconds.

        • Bagoly says:

          But these password managers are honeypots to hackers, so they are presumably trying some advanced methods to get in. The providers are advanced too, but imagine what happens when one does get cracked – then everything is blocked.
          With individual accounts, in a very bad scenario, one may end up with one bank chasing one for a fraudulent debt, but at least one can use other accounts to live.

    • Jimbob says:

      Having had my debit card details recently cloned, and not sure how, I’ve become rather paranoid.
      Looked at the password managers, and as others have said, they appear rather clunky, but perhaps it’s just getting used to it.
      I suppose my greater concern is if someone hacks into the password manager database centrally. I’d assume that it would be a highly prized hack.

      • It is a case of getting used to them. I personally use 1Password as it offers functionality like Watchtower, large text, etc. The browser integration works well, as does the share sheet (the box with the arrow pointing up in iOS). Quite a few apps (https://blog.agilebits.com/1password-apps/) have integrated the service into their app so you can just click a button, authenticate via TouchID/FaceID and automatically log in.

        The databases are encrypted. mSecure (another great password manager, though not as feature rich as the others I mentioned earlier) for example uses Blowfish encryption, which has never been cracked. 1Password uses AES 256-bit encryption, which is industry standard.

    • Mr Dee says:

      Buy a MacBook Pro with Touch ID and you can just use fingerprint recognition to access your 1Password, or do it through an iPhone.

    • Brighton Belle says:

      I bought 1Password but it just couldn’t cope with the variety of login protocols in the UK. I stopped using it because it just didn’t deliver the smooth logins it promised. Not everything is just username + password.

      Has anyone in the UK got it to work successfully?

      • Mr Dee says:

        Don’t have any problems using it. If you mean multiple pages where you need your details entering, then it may require some setting up initially; also, using a certain character or number from your password may take some getting used to. Either way, much better than nothing.

      • I’ve been using 1Password for quite a few years in the UK, there are a handful of websites that the “auto fill & submit” doesn’t work for but on the occasion that happens I just copy/paste the password manually. I happily take the extra security of per site complex passwords over the occasional inconvenience!

      • Hector says:

        I’m using 1Password in the UK and have done for several years. I would not be without it.

    • Can I be cheeky and leave my Last pass referral here? If you register, we each get a free month of Premium.

      I’d recommend it, but I appreciate you may take my opinion as biased!

      https://lastpass.com/f?10533386

  7. Mjngus says:

    How long before someone manufactures junk Facebook accounts via a cheap click factory and some stock images, then sells them for £3+ each on the dark web? This would be some great poetic justice (albeit a one-off if the feedback mechanisms on the dark web worked).

    • It’s probably happening already.

    • A huge number of FB accounts are already fake, used for farming likes so they can access personal details. If FB really cared about any kind of privacy for their customers, they could easily block and delete the fake accounts. But they are happy to keep them, as they sell them along with everyone else’s data to advertisers.

  8. IslandDweller says:

    @Lumma. One of the (many) issues in the TfL vs Uber court case is that the London minicab licensing regime (and to operate in London Uber had to have a minicab licence) requires the cab operator to have a manned London phone number. This is something that Uber was not complying with, but has now pledged to implement. Of course, there are many other issues at stake here – I seem to recall it’s due back in court next month.

    • Ja Lawrie says:

      I’m amazed how many people blatantly sell Avios and Virgin Miles on eBay. Because of high transfer costs many sell them and just provide the login details…….

      A lot of this is common sense. Just been an article on breakfast TV that hacked Twitter accounts are asking people to send them cyber currency. Hacked Elon Musk account asking if they send money needed for development of the next best thing then he’ll send double back. So the multi-billionaire boss of American Tesla firm resorts to Twitter for money…… appears fraudsters are making $50k a day!!!

  9. RussellH says:

    > I would review the password policies of the site you visit and use the maximum length they support

    Yes, but what is also really poor is how few sites still use case-sensitive passwords and passwords that include non-alphanumeric characters. Amex, for one, while it does allow non-alphanumeric characters, does not treat the letters as case sensitive. And you always have to type the full password, which is not good. I once recently had an Amex agent warning me not to use upper case, as their systems did not like it. Creation, though, often much maligned here, does allow non-alphanumeric characters and is fully case sensitive. Clydesdale Bank likewise. TSB, though, takes no account of case and is strictly alphanumeric only, so you only have a choice of 36 characters.

    No one else quite as bad as IHG, though, that I am aware of!

    • Doug M says:

      Oh great. Thought you had to be kidding, so just typed my carefully mixed case password all in lower and logged in without issue. Amex, really, that is quite surprising.

      • RussellH says:

        Thinking further about Amex, what is worse is that you always have to type that password in fully and there is no second stage – I would imagine that selecting three characters from the 19 I use and then having to use some other piece of information to get in would be an improvement. Even TSB and Hargreaves Lansdown do that, even though they do not allow non-alphanumeric characters. FWIW, is it not perhaps time that someone like the FCA mandated minimum login standards?

        • We get the odd text security no at times from amex. Think the two level security is essential.

        • As long as the mandated standards are applied consistently. I don’t mind what they are, but where one place wants no more than 8 characters, another wants 10 including 2 numbers, etc., it’s all a mess. If somebody sets a standard – say 16 including alphanumeric and special characters – everyone needs to stick to it. But too many companies will whinge about having to change their systems and won’t bother.

        • AndyGWP says:

          If you have a set / mandated password standard tho, it gets easier to hack it!

          If I know your password is exactly 10 characters long, it’s easier to hack than if I have to guess how long your password is 🙂

        • RussellH says:

          I did suggest **minimum** standards – I would not want anything to prevent higher standards. I do think ‘no more than 8 characters’ is quite wrong though.

          I would want passwords to have to be case sensitive, and allow all ASCII characters from 33 to 127, with a minimum word length of 11. The standards would need to be enforceable at law, with effective penalties which would have to be applied to an organisation’s policy makers – ideally someone at board level or equivalent.

        • AndyGWP says:

          Apologies – my reply was in response to “If somebody sets a standard – say 16 including alphanumeric and special characters, everyone needs to stick to it.”

          …appreciate it gets difficult to see who’s replying to what when we hit the maximum number of nested replies 🙂

    • Santander is a 5-digit PIN for full access to my current and savings accounts (albeit you also need to know the 8-digit customer ID, rather than e.g. an email address, and there is an additional security question if logging in from a new device for the first time).
      They do require an OTP if you wish to transfer money to a new recipient, but it still feels inadequate for a bank.

      • Genghis says:

        Not two passwords and the customer ID? Even so, what’s the risk?

        • Richard says:

          Yes, passcode and password for Santander

        • No, definitely only one 5-digit pin required for access, other than for the circumstances I mentioned. What’s the risk? – maybe little, but it just seems lax compared to other banks.

        • Genghis says:

          Interesting. It’s a 5 digit pin for me on the app on my phone but then that’s an effective 2FA.
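To put numbers on the policies compared in this thread (a 36-character case-folded alphabet, the 94 printable ASCII characters, a fixed versus a minimum length), here is an added example that is not from the article or any commenter. Which site enforces which rule is taken as the commenters describe it, and ‘proposed policy’ means RussellH’s suggestion restricted to ASCII 33 to 126, since 127 is DEL and cannot be typed; the sample password is constructed.

```python
import math
import string
from typing import Optional

# Alphabet sizes for the policies the commenters describe. The sizes are
# ASCII facts; which site enforces which rule is as reported in the thread.
CASE_FOLDED_ALNUM = 36      # a-z with case ignored, plus 0-9 (TSB, as described)
CASE_SENSITIVE_ALNUM = 62   # a-z, A-Z, 0-9
CASE_FOLDED_FULL = 68       # 94 printable characters minus the 26 upper-case letters
PRINTABLE_ASCII = 94        # ASCII 33..126; 127 is DEL and cannot be typed
PRINTABLE_SET = frozenset(chr(c) for c in range(33, 127))
PROPOSED_MIN_LENGTH = 11    # RussellH's suggested minimum


def keyspace_bits(alphabet: int, min_len: int, max_len: Optional[int] = None) -> float:
    """log2 of the number of passwords a policy admits. With a known fixed
    length only that length counts; with a minimum the attacker has to cover
    every length up to max_len, which the sum below accounts for."""
    if max_len is None:
        max_len = min_len
    total = sum(alphabet ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def meets_proposed_policy(password: str) -> bool:
    """Would a site following the proposed minimum accept this password:
    at least 11 characters, each one printable ASCII 33..126 (so no space)."""
    return (len(password) >= PROPOSED_MIN_LENGTH
            and all(ch in PRINTABLE_SET for ch in password))


def bits_after_site_folding(password: str, case_sensitive: bool,
                            symbols_allowed: bool) -> float:
    """Upper bound on the bits a password keeps once the site applies its own
    rules: a case-insensitive site folds case, an alphanumeric-only site drops
    symbols, and both shrink the alphabet an attacker has to search. Assumes a
    uniformly random password, so this is the best case for the user."""
    folded = password if case_sensitive else password.lower()
    if not symbols_allowed:
        folded = "".join(ch for ch in folded if ch.isalnum())
    if case_sensitive:
        alphabet = PRINTABLE_ASCII if symbols_allowed else CASE_SENSITIVE_ALNUM
    else:
        alphabet = CASE_FOLDED_FULL if symbols_allowed else CASE_FOLDED_ALNUM
    return keyspace_bits(alphabet, len(folded))


def compare_policies() -> dict:
    """Keyspace in bits for the policies mentioned in the thread."""
    return {
        "no more than 8, case-folded alphanumeric": keyspace_bits(CASE_FOLDED_ALNUM, 1, 8),
        "exactly 10, printable ASCII (length known)": keyspace_bits(PRINTABLE_ASCII, 10),
        "8 to 12, printable ASCII (length unknown)": keyspace_bits(PRINTABLE_ASCII, 8, 12),
        "proposed: at least 11, printable ASCII": keyspace_bits(PRINTABLE_ASCII, 11),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{bits:6.1f} bits  {name}")
    sample = "Tr0ub4dor&3!"   # constructed sample, nobody's real credential
    print(meets_proposed_policy(sample),
          round(bits_after_site_folding(sample, True, True), 1),
          round(bits_after_site_folding(sample, False, False), 1))
```

The comparison shows that not knowing the length in a range adds only a fraction of a bit over the longest length in that range, whereas case folding and symbol stripping on the site's side cost the same password tens of bits.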

  10. I think it is smart phones and their apps that are the security risk.

    Using only a PC and a VPN, I’ve never had a problem.

  11. Graham Walsh says:

    Re people’s concern about a password manager’s site being hacked, I use another device to authenticate my login to LastPass. It’s called a YubiKey. You could also use another method such as SMS.

    Wonder how much my HfP login is worth 🙂

  12. £280 average for PayPal login details, wow. Personally I move any balance out straight away to my bank even if just £5-10 in credit. That way when I make my next purchase via PayPal I can pay the full amount using my Amex card to max out Avios earnings. PayPal doesn’t seem to let me pay the full amount on a card if I have a credit balance in my account.

    Not sure what everyone else does but hopefully a handy tip. I guess people keeping large credit balances are likely to be eBay power sellers etc.

    • Genghis says:

      What about sending money to an email address and it being changed to linked card (even if zero balance)?

    • I have had £5k in PayPal before, some overseas HFP clients like to pay with it.

    • No problems for me paying with a credit card via Paypal, when I have a credit balance in my Paypal account.
