Rise in Avios theft causes ‘Combine My Avios’ to Iberia to be pulled

Recent months have seen a substantial rise in Avios fraud on British Airways Club accounts. What is odd is that I haven’t been able to work out how it is being done, and seemingly neither has British Airways.

The entire ‘Combine My Avios’ system between BA and Iberia / Aer Lingus has now been taken down.

BA is saying on social media that this is in advance of a new platform coming soon, but it seems too much of a coincidence for it to be anything other than a fraud prevention measure.

'Combine My Avios' to Iberia pulled

How have British Airways Club accounts been secretly drained?

Here’s the weird thing. I can’t work it out.

Looking at reports, this has been going on for at least 10 months. It is only in the last couple of months that it seems to have reached critical mass, perhaps as hackers share their techniques or manage to automate the process.

To explain what is happening, we need to take a step back.

When you move Avios between British Airways and Qatar Airways, British Airways and Finnair or British Airways and Loganair (or indeed British Airways and Nectar), you create a permanent link between your two accounts.

It means, for example, that you can view your Nectar balance on ba.com or your BA balance at qatarairways.com, and that transfers can be done quickly.

Creating a permanent link reduces fraud, to the extent that a hacker can’t link their own Qatar, Finnair or Loganair account to your BA account if you have already done it yourself.

Avios transfers with Iberia and Aer Lingus are different

The Qatar Airways, Finnair and Loganair partnerships were all set up in the last couple of years and are built on modern technology.

Transfers between BA and Iberia / Aer Lingus have been possible for a decade and work differently.

Each time you want to move Avios, you need to use ‘Combine My Avios’ to create a one-off link between your accounts. After you’ve done the transfer, the link is broken. You start from scratch next time you want to move Avios.

Because there is no permanent link, hackers can attempt to link an Iberia or Aer Lingus account to any BA account at any time.

However …

Long-term HfP readers will know that the security checks required to transfer Avios between BA and Iberia have always been bizarrely high. EVERYTHING between your accounts had to match – full name, email, date of birth.

It was tricky. What made it worse is that Iberia accounts have three name fields – first name, first surname, second surname – and if you put your surname in the wrong box when setting up your Iberia account you were in trouble.

There are also restrictions on when Iberia Club accounts can be used to make transfers. Transfers are banned until your Iberia account is 90 days old and has had some third-party activity, eg a flight credit or an American Express Membership Rewards transfer.

'Combine My Avios' to Iberia pulled

As you can see above, there is no longer a link to Iberia or Aer Lingus transfers on the avios.com website. The functionality has also been pulled from the Iberia website.

The hack

Bearing all the above in mind, the Avios thefts that have been going on over the last 10 months make no sense.

This is what seems to have been happening:

  • hackers open an Iberia Club account
  • hackers link the Iberia Club account to a British Airways Club account
  • hackers drain the British Airways Club account into the Iberia Club account (your BA account will show ‘Avios Transfer | Combine My Avios Debit IBPL’ against the withdrawal)

This is despite the fact that:

  • Iberia Club accounts shouldn’t be able to accept transfers until they have some activity on them and are 90 days old
  • Iberia Club accounts shouldn’t be linkable to BA accounts unless every personal detail matches, including date of birth and email address
  • Avios held in Iberia Club are not (as far as I know) easily redeemable for ‘cash-like’ products such as Amazon gift cards – it’s a bit dumb to steal Avios and then use them to book a flight for yourself – so what are they being used for? Same day hotel bookings in China appear to be one answer.

Irrespective of the above, hackers have been able to open Iberia Club accounts, link them to British Airways Club accounts and drain them. Confirmation emails are either not being sent, or are being sent but are drowned out by a chunk of spam sent at the same time.
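As an added illustration of the controls the article says should gate a link (the 90-day account age, the third-party activity requirement, and the full-match rule on name, email and date of birth), here is a defender-side check written for this page. It is not code from Head for Points, British Airways or Iberia; the record fields, the request shape and the comparison rules are assumptions about how such a check could be implemented. The one deliberate design choice is in the surname comparison: Iberia’s two surname boxes are joined before comparing, so a genuine member who typed their surname into the “wrong” box still matches, while a freshly opened account with a different email does not.

```python
"""Link-request policy check for a 'Combine My Avios' style transfer.

Added example for this article, not BA's or Iberia's own code. Field names,
the request format and the sample records below are constructed assumptions;
the 90-day minimum and the full-match rule come from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class LoyaltyAccount:
    first_name: str
    surnames: Tuple[str, ...]   # BA has one surname box; Iberia has two
    email: str
    date_of_birth: date
    opened: date
    third_party_activity: bool  # eg a flight credit or a Membership Rewards transfer


def normalise_name(parts) -> str:
    """Join non-empty name parts, case- and whitespace-insensitively.

    Joining both Iberia surname boxes means a surname entered in the
    second box still compares equal to the single BA surname box.
    """
    return " ".join(p.strip().lower() for p in parts if p and p.strip())


def link_decision(ba: LoyaltyAccount, ib: LoyaltyAccount, today: date,
                  min_age_days: int = 90) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every listed control must pass."""
    reasons: List[str] = []
    if (today - ib.opened).days < min_age_days:
        reasons.append("iberia_account_too_new")
    if not ib.third_party_activity:
        reasons.append("iberia_no_third_party_activity")
    if ba.email.strip().lower() != ib.email.strip().lower():
        reasons.append("email_mismatch")
    if ba.date_of_birth != ib.date_of_birth:
        reasons.append("dob_mismatch")
    if normalise_name([ba.first_name]) != normalise_name([ib.first_name]):
        reasons.append("first_name_mismatch")
    if normalise_name(ba.surnames) != normalise_name(ib.surnames):
        reasons.append("surname_mismatch")
    return (not reasons, reasons)


# Constructed sample records (hypothetical member and accounts).
TODAY = date(2025, 8, 14)

VICTIM_BA = LoyaltyAccount("Ana", ("Garcia",), "ana@example.com",
                           date(1980, 5, 1), date(2015, 3, 2), True)

# Genuine member: surname typed into Iberia's *second* surname box.
GENUINE_IB = LoyaltyAccount("Ana", ("", "Garcia"), "ana@example.com",
                            date(1980, 5, 1), date(2024, 1, 10), True)

# Freshly opened account under the victim's name but a different email.
SUSPECT_IB = LoyaltyAccount("Ana", ("Garcia", ""), "someone-else@example.com",
                            date(1980, 5, 1), date(2025, 8, 1), False)


def evaluate_samples():
    """Run the check over the constructed sample accounts."""
    return {
        "genuine": link_decision(VICTIM_BA, GENUINE_IB, TODAY),
        "suspect": link_decision(VICTIM_BA, SUSPECT_IB, TODAY),
    }


if __name__ == "__main__":
    for label, (allowed, reasons) in evaluate_samples().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

Run it and the genuine request is allowed while the suspect one is denied on three separate controls; a thefts pattern like the one described, where the receiving account is days old and has no activity, would fail this check before any Avios moved, which is why the article finds the reported drains so hard to explain.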

What can you do to protect your Avios?

Given all of the above, it seems that there is no way to protect yourself from this fraud. Judging by reports, even people with 2FA (from the BA trial last year, not currently offered) or highly complex Apple / Google-generated passwords are being hit.

British Airways has probably done you a favour by removing the ability to move Avios between BA and Iberia / Aer Lingus accounts.

The good news is that British Airways will always replace your stolen Avios, although it may take a few weeks.

Hopefully we will soon see a new ‘Combine My Avios’ system where you can permanently link your BA and Iberia accounts, which will have the additional benefit of making genuine transfers easier.

Comments (117)

  • lesscleverandrew says:

    Sounds like the issue is at the Iberia end. Most likely attackers have found a way to bypass some of the controls you mention. A threat model and/or a penetration test (preferably both) is what is needed here.

  • Maples says:

    Probably some rogue internal SWEs.

  • squall says:

    My Avios were stolen on 14/08. Transfer to Iberia. I also received hundreds of spam emails to disguise the one confirming the transfer. I already had an Iberia account for years. I spotted that email and informed BA about the theft within 30 minutes, but have not heard anything back since. I hope I’ll get my 152000 back at some point.

  • LD27 says:

    My experience as posted on HfP at the time. I have had IB, Finnair and Qatar accounts for more than 10 years. I have never successfully linked my IB/BA accounts even though I have Avios in each. That didn’t stop around 300k Avios being transferred from my BA account to IBPL (but not to my account) just over a year ago. This happened overnight Saturday/Sunday UK time; a weekend within 2 weeks of me sorting out flight issues with the BA India call centre; I was abroad at the time and had just bought an Avios ticket back to the UK.

    I had been unable to log into my BA account from Friday evening. I was unable to check in for my flight on Sunday (UK time). Whilst waiting to board flight back to UK I was able to access my account in the App. I could see that I had less than 10k Avios in my account (they had been deposited Sunday morning from a Monthly subscription) and the remainder had been transferred to IBPL on Saturday. I could see that my email account had been changed. I checked my emails and had received one from BA stating that my email had changed and to contact them if I hadn’t changed it. I was not bombarded by emails. As soon as I got home on Sunday afternoon I rang BA silver number. My details were taken and my account locked but was told the Fraud team did not work over a weekend. I was not asked to produce ID or proof of address. About 2 weeks later my Avios were returned.

  • Spoony says:

    This happened to me at the end of July. I had received a mail but I assume that because it was all in Spanish it ended up in my SPAM box, but I reported it straight away to BA who said they’d look into it.

    I chased BA up last week as I still hadn’t heard anything but they’ve told me that I just need to wait for the process to go through. Someone else that I was speaking to on a forum had exactly the same thing at about the same time and she’s already had hers reinstated.

  • Sunlit says:

    Nectar is particularly prone to hacking. I had my Nectar account hacked a few ago – as it’s a barcode, hackers guess the password, try it at a test location (eg an Esso garage for a 1pt credit, then refund the 1pt debit) before emptying the entire balance. My guess is Nectar is the weak link.

    • ColinThames says:

      Yes, I had 82000 pts stolen this way but got them refunded. At least Nectar introduced a way of locking spending eventually.

  • Damien says:

    This caught me out this past couple of weeks – not a theft, but the removal of the service, no manual way to move them by BA, and no new service ready – so my points are sat there that I wanted to use on an available upgrade on Aer Lingus and no way to do it. Not happy, but I guess there’s worse things happening in the world.

  • Lady London says:

    The thing I notice about the BA website is it doesn’t clear cache. So old data or entries are there and there’s even several choices you used previously, sometimes very previously, that even come up as prompts on a screen that should really start clean – it may be a new type of screen you haven’t loaded before but this still happens.

    That, and progressing through functionality or even if the same screen is reloaded, you can know you’ve actually been switched to another server because randomly you get very different versions of the same screen.

    I picture BA’s IT as a series of atolls in a sea. You get switched around them all the time. And your experience and buttons available will vary accordingly on whatever version of the screen lives on each atoll. So you have to HUACA (reload), find a different route, switch browsers, kick off a VPN etc, to get a version of the page you need, eg one with the “Custom Trip” (or with a button labelled something different, that does the same) if you want BA Hols.

    With caches left not cleaned when they should be even mid-session, it would be relatively easy to intercept data and create other transactions with it.

    I’m fairly obsessive about cleanup, even more often than once a day, but during a website session I think when moving where it’s handled within the session BA should do more cleanup of cached data. I haven’t seen this problem on other sites much for a long time, but when I first started programming it was a common error.

    • memesweeper says:

      There are only two hard things in Computer Science: cache invalidation and naming things.
