What will a fraudster pay for your Avios log-in details on the dark web?

The other day I came across the Dark Web Market Price Index. This is a list, updated monthly, showing what people are paying on the ‘dark web’ (Dream, Point and Wall Street Market, all of which require the Tor browser) for your log-in details to various websites.

The list of prices is huge. At the top end, PayPal log-in details sell for an average of £280 – that number is driven by a percentage of the credit balance held in the accounts put up for sale.

At the bottom end, your ASOS log-in details are worth £1.50.  Data like this is primarily useful for helping with ID fraud as part of a broader scam and would not necessarily be used to make fraudulent ASOS purchases.

In the travel category, Avios / BA accounts are the clear winner at £6.73 per set of account details.

They would be worth more, but there is clearly a big risk in using a hacked Avios account to book a flight for a future date. Much of the fraud I hear about is via Avios hotel redemptions. A fraudster can book and check in (and hopefully check out) before you even notice your points are gone. I imagine that fraudulent redemption of wine or other goods, sent to ‘safe’ addresses, is also popular.

The image below explains a bit more about how the dark web works:

[Image: What is the dark web?]

Airbnb and Uber accounts are also worth £5+. The value of a hacked Uber account, given it can be used globally, is obvious. Whilst you can easily block your account, any fraudster timing it right (e.g. taking rides in the early hours of the morning when the UK account holder is likely to be asleep) can easily get more than £5 of value before the plug is pulled.

Airbnb is more interesting.  Hacking into the account of a host allows you to change their banking details and have stay money sent elsewhere.  Hacking into the account of highly rated guests allows you to book high-end properties without suspicion and then burgle them.

Even Facebook accounts with no financial information sell for an average of £3.74 because the treasure trove of personal data you leave there is enough for many forms of identity theft. (How many of the security questions on your online banking account could be answered by someone who also had access to your Facebook account? HSBC tends to ask me: Your child’s middle name? The town where you went to school? Where did you live in the year 2000?)

It is a fascinating subject, at least for me, especially after what I learnt at the loyalty fraud conference I attended last year.  You can read the full dark web report here.

Comments (72)

  • RussellH says:

    > I would review the password policies of the site you visit and use the maximum length they support

    Yes, but what is also really poor is how few sites still use case sensitive passwords and passwords that include non alpha-numeric characters. Amex, for one, while it does allow non alpha-numeric characters, the letters are not case sensitive. And you always have to type the full password, which is not good. I once recently had an Amex agent warning me not to use upper case, as their systems did not like it. Creation though, often much maligned here, does allow non alpha-numeric characters and is fully case sensitive. Clydesdale Bank likewise. TSB, though takes no account of case and is strictly alpha-numeric only, so you only have a choice of 36 characters.

    No one else quite as bad as IHG, though, that I am aware of!

    • Doug M says:

      Oh great. Thought you had to be kidding, so just typed my carefully mixed case password all in lower and logged in without issue. Amex, really, that is quite surprising.

      • RussellH says:

        Thinking further about Amex, what is worse is that you always have to type that password in fully and there is no second stage – I would imagine that selecting three characters from the 19 I use and then having to use some other piece of information to get in would be an improvement. Even TSB, and Hargreaves-Lansdown do that, even though they do not allow non alpha-numeric characters. FWIW, is it not perhaps time that someone like the FCA mandated minimum login standards?

        • Polly says:

          We get the odd text security no at times from Amex. Think the two level security is essential.

        • Fenny says:

          As long as the mandated standards are applied consistently. I don’t mind what they are, but where you have one place wants no more than 8 characters, one wants 10 including 2 numbers etc, it’s all a mess. If somebody sets a standard – say 16 including alphanumeric and special characters, everyone needs to stick to it. But too many companies will whinge about having to change their systems and won’t bother.

        • AndyGWP says:

          If you have a set / mandated password standard tho, it gets easier to hack it!

          If I know your password is exactly 10 characters long, it’s easier to hack than if I have to guess how long your password is 🙂

        • RussellH says:

          I did suggest **minimum** standards – I would not want anything to prevent higher standards. I do think ‘no more than 8 characters’ is quite wrong though.

          I would want passwords to have to be case sensitive, and allow all ASCII characters from 33 to 127, with a minimum word length of 11. The standards would need to be enforceable at law, with effective penalties which would have to be applied to an organisation’s policy makers – ideally someone at board level or equivalent.

        • AndyGWP says:

          Apologies – my reply was in response to “If somebody sets a standard – say 16 including alphanumeric and special characters, everyone needs to stick to it.”

          …appreciate it gets difficult to see who’s replying to what when we hit the maximum number of nested replies 🙂

    • Scott says:

      Santander is a 5-digit pin for full access to my current and savings accounts (albeit you also need to know the 8 digit customer ID, rather than e.g. an Email address, and there is an additional security question if logging in from a new device for the first time.)
      They do require a OTP if you wish to transfer money to a new recipient, but it still feels inadequate for a bank.

      • Genghis says:

        Not two passwords and the customer ID? Even so, what’s the risk?

        • Richard says:

          Yes, passcode and password for Santander

        • Scott says:

          No, definitely only one 5-digit pin required for access, other than for the circumstances I mentioned. What’s the risk? – maybe little, but it just seems lax compared to other banks.

        • Genghis says:

          Interesting. It’s a 5 digit pin for me on the app on my phone but then that’s an effective 2FA.
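An added example, not part of the original post or of any commenter's reply: it works through the search-space arithmetic behind the policies discussed in this thread (a 36-symbol case-insensitive alphabet, the ASCII 33 to 127 range, a 5-digit PIN, a known exact length). It assumes secrets are chosen uniformly at random, so the figures are upper bounds that human-chosen passwords do not reach; all function names are illustrative.

```python
import math

# Alphabet sizes for the policies mentioned in the comments above.
DIGITS = 10                          # numeric PIN
ALNUM_FOLDED = 36                    # a-z and 0-9, case ignored
ALNUM_CASED = 62                     # a-z, A-Z and 0-9
ASCII_33_127 = len(range(33, 128))   # 95 code points, the range quoted in the thread

def exact_space(alphabet: int, length: int) -> int:
    """Candidates to cover when the exact length is known."""
    return alphabet ** length

def ranged_space(alphabet: int, min_len: int, max_len: int) -> int:
    """Candidates to cover when only a length range is known."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def bits(space: int) -> float:
    """Search space expressed in bits (log2)."""
    return math.log2(space)

def known_length_saving(alphabet: int, min_len: int, max_len: int) -> float:
    """Fraction of the ranged search avoided by knowing the length is max_len."""
    return 1 - exact_space(alphabet, max_len) / ranged_space(alphabet, min_len, max_len)

def case_folding_loss(length: int) -> float:
    """Bits lost when a site ignores case on an alphanumeric password."""
    return bits(exact_space(ALNUM_CASED, length)) - bits(exact_space(ALNUM_FOLDED, length))

def policy_bits() -> dict:
    """Upper-bound strength of each policy, assuming uniformly random secrets."""
    return {
        "5-digit PIN": bits(exact_space(DIGITS, 5)),
        "8 chars, 36 symbols": bits(exact_space(ALNUM_FOLDED, 8)),
        "11 chars, ASCII 33-127": bits(exact_space(ASCII_33_127, 11)),
        "16 chars, ASCII 33-127": bits(exact_space(ASCII_33_127, 16)),
    }

if __name__ == "__main__":
    for name, b in policy_bits().items():
        print(f"{name:24s} {b:6.1f} bits")
    print(f"knowing length is exactly 10 (36 symbols): "
          f"{known_length_saving(ALNUM_FOLDED, 1, 10):.1%} of guesses saved")
    print(f"case ignored on 19 characters: {case_folding_loss(19):.1f} bits lost")
```
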

  • Tom says:

    I think it is smart phones and their apps that are the security risk.

    Using only a PC and a VPN, I’ve never had a problem

  • Graham Walsh says:

    Re people’s concern of a password manager’s site being hacked, I use another device to authenticate my login to LastPass. It’s called a YubiKey. You could also use another method such as SMS.

    Wonder how much my HfP login is worth 🙂

  • Simon says:

    £280 average for PayPal login details, wow. Personally I move any balance out straight away to my bank even if just £5-10 in credit. That way when I make my next purchase via PayPal I can pay the full amount using my Amex card to max out Avios earnings. PayPal doesn’t seem to let me pay the full amount on a card if I have a credit balance in my account.

    Not sure what everyone else does but hopefully a handy tip. I guess people keeping large credit balances are likely to be eBay power sellers etc.

    • Genghis says:

      What about sending money to an email address and it being changed to linked card (even if zero balance)?

    • Rob says:

      I have had £5k in PayPal before, some overseas HFP clients like to pay with it.

    • Scott says:

      No problems for me paying with a credit card via PayPal, when I have a credit balance in my PayPal account.
