Hackers are getting smarter, and there’s value in your Avios
You may be surprised to hear that your Avios are a target for hackers. If you’re sat on hundreds of thousands of Avios, that could be worth thousands of pounds. How would a hacker use those points, how can you secure your account, and what happens if you end up being hacked?
Why would a hacker steal your Avios?
It might seem like an Avios theft is a bizarre crime, but if someone can gain access to your account then they could transfer your points out to another account. They can then spend the points from that other account.
The proliferation of ways to spend points is a double-edged sword. It’s great for consumers and point collectors, but it also gives hackers new ways to convert stolen points into something of value. For example, with Etihad, you can convert points into a Visa card. That’s a direct conversion from points to pounds. Useful if you have some spare points left over, and even more useful to someone who has hacked your account.
How would you know if your BA account has been hacked?
For most people, the first inkling that their account has been hacked will be unexpected emails. They may relate to the account itself (such as your email or password being changed), or they could be a notification that Avios have been transferred.
A hack is more likely to happen overnight, as hackers will want to get their work done while you sleep and, therefore, can’t react as quickly to a hack.
How can you stop this happening?
You can never make any system 100% secure, but you can take steps to reduce the likelihood of a hack.
Firstly, the weaknesses are not just in your own BA account. If you have a household account, the accounts of the other individuals in it could be hacked and the pooled points taken. Your own email address and those of anyone in your household are also weak points. They should be secured, using 2FA or similar.
It is not possible to manually set up 2FA (two-factor authentication) on your BA account, which is a frustrating weakness. You do have to set up 2FA (sometimes referred to as OTP) when you set up a conversion between BA and partners such as Finnair and Qatar.
2FA is where you get a code from another source, like an SMS or an authenticator app, which adds another layer of security to your account. It is not infallible, but it is significantly more secure than just having a username and password.
In short, if you ever have the option of securing an account using 2FA I’d suggest you accept it. Yes, it can be annoying having to get 2FA codes. Every time I log into Qatar I now have to wait for an SMS to arrive before I can get into my account. Qatar, unlike BA, allows you to set up 2FA on your frequent flyer account.
How to make your BA accounts more secure
- Ensure the password for your BA account is unique, used just for BA, and that it’s a “complex” password. That means long and ideally made up of random characters, numbers and symbols. The more complex the password, the harder it is for someone to use a “brute force” approach or to guess the password. Having a password that is different from all your other logins also means that if someone gains access to those accounts using a password, they won’t be able to get into your BA account directly.
- If you have a Finnair, Aer Lingus or Qatar account, set up 2FA on those accounts.
Setting up 2FA on BA and partner websites
BA: There is no way to set up 2FA on your Executive Club account, but you can set it up on the BA Shopping website to protect transfers between BA and Qatar. Log in to the BA Shopping website, then select Move Avios in the menu. Select either Qatar or Finnair Plus. Click the “Link accounts now” button on the left, log in to your Qatar or Finnair Plus account and then follow the instructions to set up 2FA.
Iberia: There is no way to set up 2FA on your Iberia Plus account directly. You can set up 2FA on your Iberia Wallet, which allows you to combine Avios and your Vueling Club points. Log in to the Iberia website, click the menu in the top right (under your own name). Select My Iberia Plus. Click “Link your Iberia Plus and Vuelling Club accounts” and on the next page “Login your Avios Wallet (sic)”.
Qatar Airways: You can set up 2FA on your account. Log in to your account and click the person icon in the top right, then select “Edit Profile”. In the “More about you” section click “Change OTP Settings”.
Aer Lingus: When you sign up for Aer Club you’ll receive an email from Aer Lingus asking you to set up 2FA. Click “Set up Two-Factor Authentication” in the email and enter your mobile phone number. Enter the verification code sent to your phone. There is no way to adjust your 2FA settings on the website at present.
Finnair: You can set up 2FA on your Finnair account. Log in to your account, click your name in the top right of the website and then select “Update Profile”. Open the “Two-factor authentication” block on this page and follow the instructions.
What should you do if you believe you are hacked?
Firstly, ring BA immediately and inform them. It’s likely that they will suspend your account. This will stop you logging in, but it will also stop a hacker from doing the same.
The BA forums on FlyerTalk are a great resource, and there are a couple of threads related to hacked accounts:
- https://www.flyertalk.com/forum/british-airways-executive-club/2175430-hacked-account-avios-transferred-out-what-expect.html
- https://www.flyertalk.com/forum/british-airways-executive-club/2143188-need-your-help-my-account-hacked-then-closed-ba.html
I would also say it’s essential to consider what other accounts the hackers may have access to if those accounts use the same password as your BA Executive Club account.
Will BA refund your stolen Avios?
The consensus is that your Avios will be returned eventually. There are no guarantees on timescales or outcomes. As always with BA, if an issue is complex, then the solution won’t come easily. The front-line support staff will not be experts in cyber security and may not really understand the process for handling a hack. That can make the process more frustrating.
Being hacked is deeply frustrating. It could mean that you have to delay a travel booking because the Avios you were relying on are no longer there, or the account you need to make the booking is suspended. Beyond that, there’s also an emotional side to every hack: the feeling that someone else has got into your account.
I’ve known people who have been hacked to feel ashamed and embarrassed. The reality is that hackers are smart individuals, and it is almost impossible to secure an account fully. If you are emotionally impacted by being hacked, then know that it wasn’t personal and that it can happen to anyone.