Deep Dive: How QSRs Protect Their Loyalty Programs

Rewards and loyalty programs are becoming more and more popular among QSRs looking to encourage customers to make return visits so they can capture additional revenue. These programs can take many different forms, such as offering one free menu item after several other purchases, a points-based system that customers can mix and match for a variety of perks or a “surprise-and-delight” structure that randomizes rewards to periodically thrill customers with unexpected treats.

Programs like these may seem innocuous, but they are treasure troves of personal data, making them prime targets for hackers, fraudsters and other bad actors. Attacks on rewards programs have become alarmingly frequent, but payments providers, restaurants and third-party mobile ordering apps are taking significant steps to protect themselves and their customers.

What Fraudsters Want, and How They Get It

Rewards programs can hold surprisingly large amounts of valuable data for hackers to exploit. Payment information is an obvious target, but rewards points also hold value, whether hackers spend them or sell them on dark web marketplaces.

Coffee and donut giant Dunkin’ fell victim to a rewards points hack last December. The chain notified customers that it had fallen prey to a credential stuffing attack, in which a hacker enters a large number of acquired username and password combinations to gain access to accounts.

“Third parties who obtained DD Perks account holders’ usernames and passwords through other companies’ or organizations’ security breaches may have used this information to log into certain DD Perks accounts if the account holders used the same username and password for unrelated accounts,” a Dunkin’ spokesperson told ZDNet at the time.

It didn’t take long for the hackers to profit from their deeds: Cybercriminals were selling Dunkin’ loyalty credits for a fraction of their value. “Grab hacked Account Dunkin Donut now with cheap ever price on market!” one listing on Dream Marketplace proclaimed, with the seller offering $25 of Dunkin’ credit for $10.

Rewards program fraud is not isolated to the food and beverage industry, however. Cybercriminals stole the personal information of 350 million Marriott customers, many of whom were part of the Starwood Preferred Guests program, in one of history’s largest breaches last year. The hackers made off with more than five million unencrypted passport numbers.

Hackers are also drawn to rewards programs due to their perceived ephemerality. Customers sign up for them en masse to take advantage of one-time offers and they often forget about them, allowing hackers to run amok before their presence is detected. Such programs are often only protected by passwords, which users recycle from other sources to avoid remembering more than one. 

How to Stop Bad Actors

Many providers are hardening their rewards programs against cybercrime to prevent such attacks. ChowNow, a third-party online food ordering platform that provides ordering channels to 10,000 eateries across the U.S., is making strides in fraud prevention for its rewards program. ChowNow leverages artificial intelligence (AI) and machine learning (ML) to analyze each transaction conducted on its app and cross-references it with other transactions to determine its legitimacy. If one customer is placing orders in several cities at once, for example, the tool can easily detect fraud. Most transactions, however, are assigned trustworthiness scores based on several factors, including how recently the user’s email address was created and whether the credit card associated with the transaction has been logged in a fraud database.

ChowNow processes $40 million in transactions each month, far beyond a human team’s capabilities. The AI is able to automatically block users that it deems untrustworthy, and users can contest this with human representatives if they believe the system was wrong.
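
The signals described above can be sketched as a simple rule-based scorer. This is an added example, not ChowNow's code (the article does not describe its model): the field names, the 30-minute window, the penalty weights and the block threshold are all assumptions, and the orders are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed: orders this close together count as "at once"
FRAUD_CARDS = {"card_9f"}        # stand-in for a fraud-database lookup
BLOCK_BELOW = 50                 # assumed trust threshold

# Constructed sample orders, not real data.
ORDERS = [
    {"id": "o1", "customer": "alice", "city": "Austin", "time": "2019-03-01T12:00", "email_created": "2015-06-01", "card": "card_a1"},
    {"id": "o2", "customer": "bob", "city": "Denver", "time": "2019-03-01T12:05", "email_created": "2019-02-27", "card": "card_b2"},
    {"id": "o3", "customer": "carol", "city": "Miami", "time": "2019-03-01T12:10", "email_created": "2018-01-01", "card": "card_9f"},
    {"id": "o4", "customer": "dave", "city": "Boston", "time": "2019-03-01T12:00", "email_created": "2017-01-01", "card": "card_d4"},
    {"id": "o5", "customer": "dave", "city": "Seattle", "time": "2019-03-01T12:10", "email_created": "2017-01-01", "card": "card_d4"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def multi_city_customers(orders, window=WINDOW):
    """Customers with orders in two different cities within `window`."""
    by_customer = defaultdict(list)
    for o in orders:
        by_customer[o["customer"]].append((parse(o["time"]), o["city"]))
    flagged = set()
    for customer, events in by_customer.items():
        events.sort()
        for i, (t0, city0) in enumerate(events):
            for t1, city1 in events[i + 1:]:
                if t1 - t0 > window:
                    break            # later orders are even further apart
                if city1 != city0:
                    flagged.add(customer)
    return flagged

def trust_score(order, flagged):
    """Start at 100 and subtract a penalty per risk signal (weights are assumptions)."""
    score = 100
    email_age = (parse(order["time"]) - parse(order["email_created"])).days
    if email_age < 7:
        score -= 40                  # very recently created address
    elif email_age < 90:
        score -= 15
    if order["card"] in FRAUD_CARDS:
        score -= 60                  # card already logged as fraudulent
    if order["customer"] in flagged:
        score -= 60                  # near-simultaneous orders in several cities
    return max(score, 0)

def decide(orders):
    flagged = multi_city_customers(orders)
    return {o["id"]: "block" if trust_score(o, flagged) < BLOCK_BELOW else "allow" for o in orders}
```

A new email address alone (order o2) lowers the score without triggering a block, which keeps the automatic decision for cases where a stronger signal is present.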

First-party mobile ordering apps are taking other steps to prevent fraud. The fast-casual chain &pizza, based in Washington, D.C., partnered with Stripe to ensure that none of its customers’ payment data would ever reside in its app. Taziki’s Mediterranean Café adopted biometric authentication, which is known to be more secure, allowing customers to log in via facial or fingerprint recognition. Biometric systems can be spoofed, so the chain now also requires customers to enter their credit cards’ CVV codes when ordering.

“Requiring people to enter their three-digit security codes is a feature to make sure they actually are who they say they are by evidence of them having this physical card on their person and being able to prove that at time of order, rather than somehow gaining access to someone’s account,” Taziki’s CEO Dan Simpson said in an interview with PYMNTS.

Regardless of the security feature employed, it’s just as important that customers are made aware of the risks inherent in rewards programs and how to help protect themselves. Customers want their unexpected surprise to be the occasional free pizza – not a stolen identity.


