Len Covello, Chief Technology Officer, Engage People
Loyalty fraud costs merchants upwards of $1 billion per year, and a layered approach can help stamp out malicious actors in their tracks.
Nearly every major consumer brand has a loyalty program, but brands are contending with the reality that these customer engagement tools can also be breached by malicious actors.
Loyalty programs are critical tools a brand can use to encourage repeat purchases and build long-term customer lifetime value. But as shoppers fill their loyalty wallets with banks of unused points, fraudsters are increasingly looking to exploit vulnerabilities.
Loyalty fraud is a top cybersecurity issue that presents major financial and reputational consequences for brands. According to the Loyalty Security Association, 72 percent of loyalty program managers have experienced issues related to fraud. Fraudulently redeemed frequent flyer miles explain the reach of the problem: Research from the Loyalty Security Association found that 1 percent of redeemed miles are fraudulent, representing a $3.1 billion problem globally. Liabilities tied to the five most valuable airline-loyalty programs grew 12 percent to $27.5 billion last year.
How does loyalty fraud happen?
Practitioners say loyalty fraud happens most often in three ways.
Internal Fraud. This occurs when someone inside a loyalty program management organization initiates the attack: contact center agents and others with insider privileges, including third-party vendors. One example referenced by compliance practitioner Billy Byrne is an airline agent who created loyalty accounts using the data of thousands of passengers but registered them to his own email address. This allowed him to accumulate approximately 2.6 million air miles.
External Fraud. These are premeditated actions of external actors who seek to breach loyalty systems. Types of attacks include account takeovers, identity theft, and botnet attacks. An account takeover is an instance where a malicious actor gains control of a user’s account through stolen credentials. Loyalty points obtained through fraudulent means are also offered for sale on the dark web for a fraction of their value. For example, in a Hilton Honors hack, 250,000 points sold for $3.50 on the dark web. Some experts say that account takeover fraud is the most common type of loyalty program fraud. According to Stuart Barwood, director of global airline strategy at fraud prevention company Forter, one in every 300 login attempts to loyalty programs is an account takeover attempt, with programs at airlines and hotels being the most common targets. Botnets, meanwhile, are, according to cybersecurity firm Kaspersky, “networks of hijacked computer devices used to carry out various scams and cyberattacks.”
“Gaming” fraud. This occurs when a member exploits a vulnerability in the program’s accrual or redemption rules. Examples include “double dipping,” e.g., redeeming the same reward by phone as well as online if the system does not reconcile the two channels, and status shortcuts.
What’s the extent of the damage?
It’s estimated that $1 billion a year is lost due to loyalty program fraud, per The New York Times.
What can brands do to protect their loyalty programs from breaches?
Cybersecurity experts say brands need to implement a form of “layered protection” across all touchpoints, and understand the behavioral attributes of users to be able to spot fraud attempts and stamp them out as quickly as possible.
- Secure the authentication layer. Ensure the means to access accounts are sufficiently protected. This can be achieved through unique passwords, along with multi-factor authentication. “To avoid fraud, protection needs to be present at all touch points—from the user logging in and signing up for the bonus program to redeeming their reward,” wrote cybersecurity firm Kaspersky in a recent paper.
- Implement robust access controls. As referenced above, employees and others who hold the keys to critical loyalty information can be the source of an internally initiated breach. Applying an access control strategy on a “need to know” basis is critical to limiting the sources of a loyalty program breach.
- Build detailed customer profiles. Assemble as rich a repository as possible of information on members to confirm the validity of customer information. “The more you know about each customer, the better you can compare profiles and weed out the duplicates,” wrote fraud detection technology company DataVisor.
- Use technology to understand the behavioral characteristics of users. Implementing a tech-forward solution can ensure you understand the characteristics of user behavior in order to detect when fraud is being attempted or is in progress. For example, SAS Airlines uses artificial intelligence-based tools to analyze behavioral characteristics to prevent fraud. “SAS built a complex fraud detection model that looks for patterns across a wide variety of variables, including where people log in to SAS systems, the email addresses and credit cards they use, when and how they travel, whether they’re part of point-sharing pools, and other aspects of their profile and history,” according to a recent Microsoft case study.
- Tokenize. This involves applying a solution payment providers use to protect card numbers to loyalty data. It involves, according to payments technology firm Chargeback Gurus, converting sensitive information, including credit card numbers, into “token” numbers “that can be linked to accounts by the card networks, but are unintelligible in their tokenized form to fraudsters and other observers.” We often think of tokenization as solely the domain of the card providers, but as the Loyalty Security Association points out, it can be effectively used to safeguard loyalty program data. Tokenization “can be used for any piece of data, including usernames, passwords, and email addresses.”
- Communicate often. Let users know as quickly as possible of a loyalty program data breach to ensure you can advise them and retain users’ trust.
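As an added illustration of the behavioral detection and “gaming” fraud controls described above (example code written for this article, not code from any of the companies named), the following rules run over a constructed event stream and flag two of the patterns the article describes: one source address attempting logins against many different member accounts, the account-takeover signature, and one member redeeming the same reward through two channels within minutes, the “double dipping” loophole. The event format, thresholds and windows are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Fields: timestamp, kind,
# member account, source IP, redemption channel, reward code.
FIELDS = ("ts", "kind", "account", "ip", "channel", "reward")
EVENTS = [
    ("2024-03-01T10:00:00", "login", "M-1001", "198.51.100.7", None, None),
    ("2024-03-01T10:00:05", "login", "M-1002", "198.51.100.7", None, None),
    ("2024-03-01T10:00:09", "login", "M-1003", "198.51.100.7", None, None),
    ("2024-03-01T10:00:14", "login", "M-1004", "198.51.100.7", None, None),
    ("2024-03-01T11:00:00", "login", "M-2001", "203.0.113.9", None, None),
    ("2024-03-01T11:02:00", "redeem", "M-2001", "203.0.113.9", "web", "GIFT-50"),
    ("2024-03-01T11:06:00", "redeem", "M-2001", None, "phone", "GIFT-50"),
    ("2024-03-01T12:00:00", "redeem", "M-3001", "192.0.2.4", "web", "GIFT-50"),
    ("2024-03-01T12:30:00", "redeem", "M-3001", "192.0.2.4", "web", "GIFT-50"),
]

def _parse(rows):
    """Turn raw rows into dicts with real timestamps, ordered by time."""
    out = [dict(zip(FIELDS, r)) for r in rows]
    for e in out:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(out, key=lambda e: e["ts"])

def credential_stuffing_sources(rows, max_accounts=3, window=timedelta(minutes=5)):
    """Source IPs whose logins touch more than max_accounts distinct member
    accounts inside one sliding window: the account-takeover pattern."""
    per_ip = defaultdict(list)
    for e in _parse(rows):
        if e["kind"] == "login":
            per_ip[e["ip"]].append(e)
    flagged = set()
    for ip, logins in per_ip.items():
        for i, last in enumerate(logins):
            recent = [x for x in logins[: i + 1] if last["ts"] - x["ts"] <= window]
            if len({x["account"] for x in recent}) > max_accounts:
                flagged.add(ip)
    return flagged

def double_dip_redemptions(rows, window=timedelta(minutes=10)):
    """Same reward redeemed on one account via two channels within window."""
    per_account = defaultdict(list)
    for e in _parse(rows):
        if e["kind"] == "redeem":
            per_account[e["account"]].append(e)
    hits = []
    for acct, reds in per_account.items():
        for i, a in enumerate(reds):
            for b in reds[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # later redemptions are outside the window
                if a["reward"] == b["reward"] and a["channel"] != b["channel"]:
                    hits.append((acct, a["reward"], a["channel"], b["channel"]))
    return hits
```

The member who redeems the same reward twice over the web half an hour apart is deliberately not flagged by the double-dip rule; that case belongs to an idempotent redemption ledger rather than channel reconciliation.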
It can’t be emphasized enough that an antifraud program is about ensuring sufficient guardrails for each access and activity point within a loyalty program administration regime. Consistency of implementation comes from the leadership of an organization setting the tone, and ensuring each employee or group involved adheres to antifraud best practices at all times.
While a forward-thinking antifraud program introduces additional costs to the loyalty program, the negative impact of fraudulent behaviors could prove much more costly both in financial losses and reputation.