Maximise your Avios, air miles and hotel points

Rise in Avios theft causes ‘Combine My Avios’ to Iberia to be pulled

Links on Head for Points may support the site by paying a commission.  See here for all partner links.

Recent months have seen a substantial rise in Avios fraud on British Airways Club accounts. What is odd is that I haven’t been able to work out how it is being done, and seemingly neither does British Airways.

The entire ‘Combine My Avios’ system between BA and Iberia / Aer Lingus has now been taken down.

BA is saying on social media that this is in advance of a new platform coming soon, but it seems too much of a coincidence for it to be anything other than a fraud prevention measure.

'Combine My Avios' to Iberia pulled

How have British Airways Club accounts been secretly drained?

Here’s the weird thing. I can’t work it out.

Looking at reports, this has been going on for at least 10 months. It is only in the last couple of months that it seems to have reached critical mass, perhaps as hackers share their techniques or manage to automate the process.

To explain what is happening, we need to take a step back.

When you move Avios between British Airways and Qatar Airways, British Airways and Finnair or British Airways and Loganair (or indeed British Airways and Nectar), you create a permanent link between your two accounts.

It means, for example, that you can view your Nectar balance on ba.com or your BA balance at qatarairways.com, and that transfers can be done quickly.

Creating a permanent link reduces fraud, to the extent that a hacker can’t link their own Qatar, Finnair or Loganair account to your BA account if you have already done it yourself.

Avios transfers with Iberia and Aer Lingus are different

The Qatar Airways, Finnair and Loganair partnerships were all set up in the last couple of years and are built on modern technology.

Transfers between BA and Iberia / Aer Lingus have been possible for a decade and work differently.

Each time you want to move Avios, you need to use ‘Combine My Avios’ to create a one-off link between your accounts. After you’ve done the transfer, the link is broken. You start from scratch next time you want to move Avios.

Because there is no permanent link, hackers can attempt to link an Iberia or Aer Lingus account to any BA account at any time.

However ….

Long-term HfP readers will know that the security checks required to transfer Avios between BA and Iberia have always been bizarrely high. EVERYTHING between your accounts had to match – full name, email, date of birth.

It was tricky. What made it worse is that Iberia accounts have three name fields – first name, first surname, second surname – and if you put your surname in the wrong box when setting up your Iberia account you were in trouble.

There are also restrictions on when Iberia Club accounts can be used to make transfers. Transfers are banned until your Iberia account is 90 days old and had some third party activity, eg a flight credit or an American Express Membership Rewards transfer.

'Combine My Avios' to Iberia pulled

As you can see above, there is no longer a link to Iberia or Aer Lingus transfers on the avios.com website. The functionality has also been pulled from the Iberia website.

The hack

Bearing all the above in mind, the Avios thefts that have been going on over the last 10 months make no sense.

This is what seems to have been happening:

  • hackers open an Iberia Club account
  • hackers link the Iberia Club account to a British Airways Club account
  • hackers drain the British Airways Club account into the Iberia Club account (your BA account will show ‘Avios Transfer | Combine My Avios Debit IBPL’ against the withdrawal)

This is despite the fact that:

  • Iberia Club accounts shouldn’t be able to accept transfers until they have some activity on them and are 90 days old
  • Iberia Club accounts shouldn’t be linkable to BA accounts unless every personal detail matches, including date of birth and email address
  • Avios held in Iberia Club are not (as far as I know) easily redeemable for ‘cash-like’ products such as Amazon gift cards – it’s a bit dumb to steal Avios and then use them to book a flight for yourself – so what are they being used for? Same day hotel bookings in China appear to be one answer.

Irrespective of the above, hackers have been able to open Iberia Club accounts, link them to British Airways Club accounts and drain them. Confirmation emails are either not being sent or are being sent but are drowned out by a chunk of spam spent at the same time.

What can you do to protect your Avios?

Given all of the above, it seems that there is no way to protect yourself from this fraud. Even people with 2FA (from the BA trial last year, not currently offered) or highly complex Apple / Google-generated passwords are being hit looking at reports.

British Airways has probably done you a favour by removing the ability to move Avios between BA and Iberia / Aer Lingus accounts.

The good news is that British Airways will always replace your stolen Avios, although it may take a few weeks.

Hopefully we will soon see a new ‘Combine My Avios’ system where you can permanently link your BA and Iberia accounts, which will have the additional benefit of making genuine transfers easier.

Category

British Airways and Avios, Iberia and Iberia Club

Comments (105)

  • TimM says:
    30 Aug30 August 07:57

    Simplification is the answer. Treat Avios as the currency it is and have one central bank for it. Employing thousands of people across so many airlines duplicating each others’ work, each with the vulnerable IT systems will always be legal cases waiting to happen.

    As a former computer scientist, I am shocked that such low standards in Avios IT were ever allowed to exist. BA IT is infamously terrible.

    When I was at Oxford, every line of code had to have pre and post conditions that must be proved. It is simply a matter of logic. I strongly suspect those working in Avios, BA and IAG have never had such a discipline. It is a false economy.

    Reply
    • Can says:
      30 Aug30 August 08:51

      Hoare logic and BA?!? :))

      Reply
    • memesweeper says:
      30 Aug30 August 10:27

      Unfortunately, as Rob has commented, if you have a central balance with a central bank it will want paying every time someone flies or is otherwise awarded Avios by a participating airline. Good for IAG and bad for the airlines. What we have now is more like “Fractional Reserve Banking” but the airlines never need to clear unless their points are actually spent in another scheme.

      The lack of testing and robust monitoring/instrumentation is unforgivable. Programming in the logic to alert on suspicious transfers ought to be doable, and clearly isn’t possible.

      Reply
  • Not Long Now... says:
    30 Aug30 August 08:10

    I suppose this may be an excuse why 9000 Avios refund from an IBE reward flight change still haven’t appeared in my account after 2 weeks?

    Reply
  • Steve says:
    30 Aug30 August 08:34

    My account was hacked on 2 August, sent hundreds of spam emails and by the time I had junked them 224 500 Avios had been “stolen”, the word of the customer service agent.
    I have and only have a linked Qatar account.
    Still waiting for an email or call from BA regarding this despite the customer service agent saying I will receive either.
    Until then my account is locked and effectively BA unusable for me.

    Reply
    • Richard says:
      30 Aug30 August 09:43

      Hi Steve yes I had exactly the same problem in July but only 68,000 stolen to Iberia.Also 600 junk emails arrived in my inbox the same day…. A nightmare to clear and still getting one a day now
      The good news is BA eventually refunded my points last week .I was so pleased to read the article on HFP and your comments as I never put the two issues together ! Hope you get yours back asap

      Reply
    • Nige says:
      30 Aug30 August 10:20

      Don’t expect any response soon. I’m in the same boat. I got an email the day after reporting requesting my ID and proof of address. I have since emailed and called numerous times, but it’s the always the same response on the phone. Someone will get back to you. They never do. That was 6 weeks ago

      Reply
  • David W says:
    30 Aug30 August 08:42

    Presumably the fraudsters can’t also cancel existing bookings and take that Avios too with this method?

    Reply
    • JDB says:
      30 Aug30 August 09:01

      Unfortunately, cancellation and subsequent removal of Avios has also been reported.

      Reply
      • David W says:
        30 Aug30 August 09:12

        Yes I’ve seen that, but I thought it was happening vie account hacking, password compromise etc? This article is more worrying as it says passwords don’t matter.

        Reply
        • Rob says:
          30 Aug30 August 09:18

          They don’t. Very clear from the Flyertalk thread on this topic. People who don’t even know their own passwords (because Apple generated a 20 character one and stored it for them) are being hacked.

          Reply
          • memesweeper says:
            30 Aug30 August 10:29

            “Fixing” the issue by preventing transfers is clearly only half the problem solved then, and not the most important half. I wonder if BA have any idea how the BA accounts are being compromised?

          • Londonsteve says:
            30 Aug30 August 13:31

            Rob, in your opinion is there anything at all we can do to better protect our balances? Granted, with the halt on transfers to IB the issue might temporarily go away.

          • Rob says:
            30 Aug30 August 13:52

            No, unfortunately not, especially if its being set up by insiders in the call centres.

      • NFH says:
        30 Aug30 August 11:39

        Does British Airways subsequently reinstate the cancelled bookings? If not and there are no more Avios seats available, have victims successfully claimed the high cash cost of a replacement booking under Article 8 of Regulation (EC) No 261/2004?

        Reply
        • Rob says:
          30 Aug30 August 12:43

          You would struggle to win that unless you can prove that the back was not down to your negligence, which would be very hard. Who knows what spyware you may have accidentally installed or who is monitoring keystrokes on your work PC?

          Reply
          • NFH says:
            30 Aug30 August 13:21

            If it went to court, then a judge would decide on the balance of probabilities. Everything I’ve read here points, on the balance of probabilities, to a deficiency in British Airways’ security, not British Airways Club members’ negligence.

            Has BA confirmed whether compromised passwords are used by the hackers? If not, then it would be hard for BA to blame its customers.

  • Lumma says:
    30 Aug30 August 09:11

    Have they definitely said that the ability to transfer will come back? I’ve got a lot of Accor stays next month which automatically credit to Iberia and don’t want the miles stuck there

    Reply
  • ChrisBCN says:
    30 Aug30 August 09:49

    Curious that you have completely missed Vueling in this article…

    Reply
  • Mark says:
    30 Aug30 August 10:15

    Insider fraud is HUGE across multiple sectors. RCCL Have a huge issue at the moment with rogue off shore agents making changes to bookings, mainly casino comps.

    Capital on Tap had a huge issue not long ago which could have only been insider.

    I know Amex have had issues in the past.

    It’s not new and it’s hard to spot / stop if you haven’t got robust systems.

    A friend of mine used to own a chain of petrol stations, they’d hire new staff to do the night shift. They’d work three days skimming every credit card then disappear, that was back in the 90’s and it still happens now!

    It’s why you should ALWAYS pay via apple or google pay on a terminal. It’s the only encrypted transaction format.

    Reply
    • memesweeper says:
      30 Aug30 August 10:31

      Some card intermediaries now charge a tiny bit less per transaction for Apple Pay despite it being a tiny bit higher in back end fees. I assume the reason is vastly reduced fraud risk.

      Reply
    • ADS says:
      30 Aug30 August 11:01

      FT has an extensive thread about people on delayed BA flights receiving emails within hours from companies wanting to chase BA for your compensation.

      BA has known for years that they have an insider leak – but it keeps happening.

      This is presumably another manifestation of BA’s insider leak / fraud.

      Reply
      • JDB says:
        30 Aug30 August 11:28

        The issue of people receiving texts from compensation firms wasn’t an insider leak but BA’s message service provider accidentally mishandling data which was reported to the ICO by BA and explained to affected passengers.

        The much more serious issue of Avios theft remains unexplained.

        Reply
        • memesweeper says:
          30 Aug30 August 14:09

          … and I think BA then continued to use said message provider, only for them to suffer the same issue again!

          The issue for many firms is personal data (PII) is much, much, more valuable to an attacker than it is to the data holder. They scrimp on data security as the data isn’t worth much *to them*. Unfortunately the only fix for this is giant fines for data breaches which might make firms wake up to the risk of ignoring their responsibilities, and/or stop holding/handling PII.

          Reply
    • kevin86 says:
      30 Aug30 August 11:57

      “It’s not new and it’s hard to spot / stop if you haven’t got robust systems.”

      Most don’t have robust systems. That would cost money and they’d rather just sort things problems on a case-by-case basis. Until there’s a big attack that costs them money, by which time it’s too late.

      Companies never learn as they’re often run by idiots who did poor jobs in their previous roles

      Reply
  • John says:
    30 Aug30 August 11:02

    So what is the best way to protect your avios

    Reply

Leave a Reply to David W Cancel reply

Your email address will not be published. Required fields are marked *

Please click here to read our data protection policy before submitting your comment

New to Head for Points?

Welcome!  We’re the UK’s most-read source of business travel, Avios, frequent flyer and hotel loyalty news. Let us improve how you travel. Got any questions? Ask them in our forums.

Get 25,000 Avios with the Barclaycard Avios Plus Mastercard

GET A SIGN-UP BONUS OF 18,000 VIRGIN POINTS!

Latest Forum Posts

SPECIAL OFFER: Get 80,000 bonus points (worth 80,000 Avios) and £400 of dining credit with The Platinum Card!

Check reward flight availability instantly for free!

See a whole year of reward seat availability on one page at SeatSpy.com

Get 10,000 bonus Hilton Honors points and instant Gold status!

Booking a luxury hotel?

Our luxury hotel booking service offers you GUARANTEED extra benefits over booking direct. Works with Four Seasons, Mandarin Oriental, The Ritz Carlton, St Regis and more. We've booked £1.7 million of rooms to date. Click for details.

SME? Get the only free credit card with points which convert to Avios

SPECIAL OFFER: Get points worth 40,000 Avios with 'first year free' American Express Gold!

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.

Got it!