Travel dilemmas: Just how secure are your travel rewards?

It's almost summer vacation time. Do you know where your travel rewards are? (Dave Bredeson/Dreamstime/TNS)

Combined ShapeCaption
It's almost summer vacation time. Do you know where your travel rewards are? (Dave Bredeson/Dreamstime/TNS)

It’s almost summer vacation time. Do you know where your travel rewards are? Because they may not be tucked safely in your account where you would expect to find them. They may have been stolen.

That’s the word from Kevin Lee, a trust and safety architect with Sift Science, which fights digital fraud.

Loyalty programs are big business in travel, of course, and many other companies (grocers, drugstores, clothing retailers, etc.). Those points you and millions of others have been stockpiling from a variety of sources are worth about $48 billion, Lee said.

Impressive number. Thieves think so too. But here’s where you and thieves may differ (besides the whole honesty thing): People who steal points and miles think of those awards as currency. You may think of them as a tool to get you where you want to go.

There’s a huge gulf between those two mind-sets, which may result in a failure to mind your points.

“Not me!” I thought as Lee was telling me this.

Yes, me. And probably you too.

Here is how you can protect your stash.

—Regular check-ins  

Check on them, Lee said. Just as you keep an eye on your bank account, you should take a look at the accounts that have your miles, and not just every few months but once a month or more. The bigger the account, the more often you need to check in.

—A word to the wise 

Practice good password hygiene. You have long since stopped using 123456 as your password, of course, and you use a different password for everything, naturally.

But do you guard that information? “Let’s put it this way: I’ve seen (people) keep passwords on a sheet of paper under a laptop,” said Brian Lapidus, practice leader, identity theft and breach notification, for Kroll, which is in the investigation and risk-mitigation business.

That’s where a password manager comes in. I finally realized that if I have 125 accounts I have 125 passwords, no two alike. I need that space on my brain’s hard drive for more important stuff, like where I left my car keys.

There are all kinds of password keepers, some free, some at a small cost, some that allow you access across multiple devices. Lee suggests taking a look at Tom’s Guide ( for recommendations. You may also want to consult ( for its favorites.

—Try auto-alerts 

Set up an alert when points are withdrawn, said Emily McNutt, news editor at ThePointsGuy, a travel reward web site that helps people maximize points and miles.

“I know if I get an e-mail that says, ‘Thank you for using 50,000 of your points’ and that wasn’t me, there’s an issue here,” she said.

“I opt in for as many (alerts) as possible.” (Check under “settings” on a site to see if that’s where to opt in; otherwise, give your card company a call, she said.)

She also is a fan of, which helps you track your points and miles and will notify you of withdrawals.

—Mum’s the word 

Limit the amount of information you share on social media, said Lapidus, who said he was astounded at the number of people whose start-of-vacation selfies include their airline boarding pass.

Those passes may contain your frequent-flier number, and if your password is weak, you’ve set yourself up for trouble.

—Be dark-web savvy 

Consider a program that monitors the dark web, where stolen information is a hot commodity, Lapidus said. This “underbelly of the web,” as he called it, isn’t a place for neophytes.

Instead, consider a service that monitors the dark web for your information so you don’t have to get your hands dirty.

But do be cautious. Los Angeles Times business columnist David Lazarus looked into the offer from Experian, a credit reporting agency, to do a scan to see whether your information is on the dark web.

In return, the agency gets to deluge you with junk e-mail. You would know that, Lazarus said, if only you bothered to read the 17,600-word terms of service.

You may already have that service.

LifeLock, for instance, just notified me about a data breach of a site I use often. “We detected identity information belonging to you on the Dark Web, a term used which may also include the deep web or a peer-to-peer file sharing network,” its explainer said.

“The information found is usually from a ‘list’ that’s being given away, traded or sold. The list could be old, so it’s important to see whether or not the information on it is out of date.”

Before you sign up with a company, check on the provider’s history and background, Lapidus said. “Consumers can also look for independent verification, such as a high BBB (Better Business Bureau) rating to help them evaluate.”

These precautions may seem like overkill.

But you’ll also never know whether what you do today prevents problems tomorrow.

Besides, that trip to Bora-Bora may be within reach with just a few more points. In that case, the only one who should have their fingers on your dream is you.


(Have a travel dilemma? Write to We regret we cannot answer every inquiry.)

About the Author