Cybercriminals Target Loyalty Programs

They steal points and redeem them for goods they can sell. 

January 09, 2020

ALEXANDRIA, Va.—Retail data breaches that expose consumer financial and personal information have made headlines for years, but now cybercriminals are targeting retail loyalty programs. In just one year, loyalty fraud has increased 89%, according to the Forter Fraud Attack Index report, creating headaches for customers, retailers and financial services.

Most consumers are alert for suspicious credit and debit card transactions, but typically, they do not check their loyalty rewards as often as other financial statements, delaying discovery when points have been stolen, said Kimberly Sutherland, vice president of market strategy at LexisNexis Risk Solutions. 

Like other digital goods, such as online content or e-gift cards, loyalty points are easily acquired and hard to get back once they're gone, she said, adding that companies must focus on securing online purchases of digital and physical goods from start to finish.

"Even in terms of setting up those rewards points, we see that there's manipulation of those accounts, where the same individual can use different email addresses, different social media accounts, possibly creating full synthetic identities," Sutherland said. 

Travel-related loyalty programs that offer rewards for hotels and flights, as well as other valuable incentives, are most attractive to thieves. As for which online channel is most vulnerable, Sutherland said fraud attacks on mobile browser sites are more successful than attacks on mobile apps, because mobile apps tend to receive embedded security updates more frequently.

To monetize loyalty points, hackers can take over consumers' retail accounts where credit card information is stored. Once hackers have compromised one or multiple accounts, they can redeem points for gift cards or send frequent flyer miles as gifts. 

According to Monique Becenti, product and channel marketing specialist at SiteLock, a website security company, retailers must secure the input platforms for signing up for rewards programs. At a minimum, retailers need to make sure they have an SSL certificate to encrypt consumer data transmitted from the consumer to the retailer, she said. Sign-up forms on e-commerce platforms could also be vulnerable to SQL injections or cross-site scripting flaws, leaving accounts and sensitive data vulnerable to unauthorized access.

A major challenge in stopping online fraud is distinguishing human customers from bots. Retailers need to watch for unusual e-commerce activity, such as bots completing transactions in a fraction of the time it takes for humans to do so or one device accessing multiple accounts.

Besides implementing multifactor authentication for suspicious transactions, retailers can use passive authentication methods that don't require customer input, such as examining whether the device is the one associated with that account or if the device has malware on it, Sutherland said. 

Retailers can start by assessing the risk of the device and transaction. If the user is simply trying to access the account or to change the associated email address, the user can be sent a passcode or asked to answer a security question to confirm authentication. While these steps can be time-consuming for customers and retailers alike, consumers are becoming more accustomed to adhering to stronger cybersecurity measures so that companies can protect the personal data they collect.
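As an added illustration, not from the article or from any company quoted in it, the following Python sketch applies the signals described above (transactions completed faster than a human could, one device touching many accounts, an unrecognised device) to a constructed set of loyalty-account sessions and picks a passive-first response before stepping up to a passcode or multifactor check. All thresholds, field names and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample sessions (not real data), one tuple per loyalty-account session:
# (account, device_id, action, seconds from login to completion, device previously seen on account)
EVENTS = [
    ("acct-1001", "dev-A", "redeem", 95.0, True),
    ("acct-1002", "dev-B", "redeem", 1.8, False),
    ("acct-1003", "dev-B", "redeem", 2.1, False),
    ("acct-1004", "dev-B", "change_email", 1.5, False),
    ("acct-1005", "dev-C", "login", 40.0, True),
    ("acct-1006", "dev-D", "change_email", 70.0, False),
    ("acct-1007", "dev-E", "redeem", 30.0, False),
]

# Hypothetical thresholds; a retailer would tune these against its own traffic.
MIN_HUMAN_SECONDS = 10.0      # a redemption finished faster than this looks automated
MAX_ACCOUNTS_PER_DEVICE = 2   # one device reaching more accounts than this is suspicious


def devices_with_many_accounts(events, limit=MAX_ACCOUNTS_PER_DEVICE):
    """Return the set of device ids seen on more than `limit` distinct accounts."""
    accounts_by_device = defaultdict(set)
    for account, device, *_ in events:
        accounts_by_device[device].add(account)
    return {d for d, accts in accounts_by_device.items() if len(accts) > limit}


def assess(event, shared_devices):
    """Return (risk_flags, response) for one session using passive signals only."""
    account, device, action, seconds, device_known = event
    flags = []
    if action in ("redeem", "change_email") and seconds < MIN_HUMAN_SECONDS:
        flags.append("faster_than_human")
    if device in shared_devices:
        flags.append("device_shared_across_accounts")
    if not device_known:
        flags.append("unrecognised_device")
    if not flags:
        return flags, "allow"                 # passive checks raised nothing
    if "faster_than_human" in flags or "device_shared_across_accounts" in flags:
        return flags, "block_and_review"      # bot-like behaviour: hold for analyst review
    if action in ("login", "change_email"):
        return flags, "send_passcode"         # low-value action: passcode or security question
    return flags, "multifactor_auth"          # point redemption from a new device


def triage(events):
    """Assess every session, keyed by account."""
    shared = devices_with_many_accounts(events)
    return {e[0]: assess(e, shared) for e in events}
```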