Loyalty and Reward Programs New Targets for Hackers

When you make it hard for thieves to break into one location, they keep their eyes peeled for other, less difficult opportunities. As banks and retailers start closing the security gaps in their front-facing online portals, fraudsters start looking for other ways to exploit the system.

One of the newest targets? Loyalty reward programs.

While loyalty programs don’t offer the potential for cash from the get-go, accrued points can be translated into real-world value. Counted up, there is over $48 billion in unused rewards across all US loyalty programs, so it’s not surprising that fraudsters have begun to test those programs for vulnerabilities. And since reward programs can include things like air miles, hotel stays and event tickets, the results can be quite real and quite lucrative.

Original, paper-based loyalty systems were open to abuse by employees, but newer digital systems based on a swipe card or member number don’t guarantee safety either. Loyalty program memberships aren’t often explicitly tied to the customer because no money is being transferred from one institution to another, which means transactions don’t go through an issuer that would have fraud checks built in. The backbone of these electronic reward programs is not nearly as robust, security-wise, as its issuer counterparts, because until very recently it hasn’t had to be.

Loyalty fraud scams tend to be small scale and account-to-account by nature, and are very similar to the account takeover scenario. To make matters worse, in some systems cashed-out points show up as if the item or event was issued by customer service, not by the particular loyalty program holder who has just lost their points, making it even harder to trace fraud back to its source. And unlike a bank account or credit card, customers aren’t usually invested in monitoring their accumulated points, making successful thefts even harder to notice.

In some cases, stolen points are used for the fraudster’s own benefit; in others they feed into what’s called triangulation fraud. Fraudsters head to places like Craigslist to sell a ticket they don’t yet have, with a story about not being able to make the flight, enjoy the rooms or see the game. Once they have a buyer, they translate the stolen points into the goods and make the exchange. Ticket exchange sites where sellers can be rated for trustworthiness mean that these kinds of low-burn scams can run a long time without being detected and with little worry for the fraudsters.

British Airways announced at the end of March that their customer loyalty program was hacked. While no personally identifiable information was stolen, they reset customer passwords across the board and locked down accounts for a few days immediately afterward, during which points requests could not be processed. Besides stealing points, these kinds of attacks can also be useful for harvesting login credentials that can be turned around and used elsewhere, which speaks to the need to guard non-PII customer information securely, too.

Guarding that information, PII and non-PII alike, takes more than just a secure password. It always comes back to answering the question: “Is this still my good user, and do I trust them to check out?” Knowing with certainty that the user is who they say they are, and not someone posing as them or one pawn in a large-scale hack attempt, can only be done with User Behavior Analytics.