As we’ve all learned the hard way over the last two or three years, cybercriminals are an incredibly inventive group. No matter what new and brilliant ideas the best white hats in the world come up with to keep them at bay, the ever-innovative computer-using criminal class will come up with another method of getting in.
Switch to EMV cards to prevent card cloning? No problem – cybercriminals will pivot to card-not-present transactions.
Tougher-to-trick encryption that makes brute forcing one’s way into a system hard? No problem – stop hacking the machines and start hacking the people instead through phishing attacks that get them to “voluntarily” give up their password protections without knowing it.
As an Innovation Project speaker observed a few years ago – no matter how well the best payments professionals lock their front door, the best in cybercrime will always find the window that you forgot to close all the way and lock.
Which, in payments, is now loyalty programs and the large, valuable points banks they build over time. In other words, the window that the industry didn’t really understand was a window until the cybercriminals broke through it.
It’s a window that CyberSource now wants to shut and lock. CyberSource, a Visa-operated firm, announced today that its real-time Loyalty Fraud Management Solution will now be available via its Decision Manager platform.
CyberSource senior vice president Andre Machicao told Karen Webster that Loyalty Fraud Management was a natural extension for CyberSource, given its heritage in fraud management and the solutions it already had in place with its Decision Manager platform.
He also characterized the core of the problem – and why loyalty fraud is on the uptick: though consumers don’t tend to think of rewards points banks as money, the vaults that store them are, in essence, vaults full of virtual money waiting to be spent.
“That is part of the problem for the merchants – consumers often don’t notice or keep track. Merchants end up with huge, unredeemed point banks. For all intents and purposes these points-based rewards programs offer a kind of sophisticated virtual currency,” Machicao noted. “There are billions of dollars being accrued in point banks, and creative fraudsters are now full-scale attacking those vectors.”
Those attacks coincide with the emphasis that merchants in travel, hospitality and retail have placed on loyalty and rewards programs in an effort to create more affinity with their consumers.
“Merchants are increasingly focused on using these programs to create experiences that help their most loyal and consistent users become more engaged. That, in turn, has given rise to account takeovers.”
Those takeovers, Machicao notes, are becoming disturbingly common. Fraudsters obtain a user’s loyalty account information either by hacking the desired target site directly, or by gaining consumer information on a different site entirely and then relying on the fact that most people repeat the same password/username combo throughout their digital life. Once they have it, loyalty account hacks are now an onramp to other nefarious activities.
“The creativity and ingenuity of the fraudsters is fascinating,” Machicao told Webster. “What fraudsters are doing in general terms is looking for the path of least resistance, where can they take the most value for the least work – and with these large points banks they have a lot of options.”
Most commonly, Machicao noted, fraudsters either log in and “spend” a customer’s points directly, or open a dummy account where they can aggregate the points of several accounts at once into a single location before spending them.
“There are some very sophisticated rings that will then run more programs on top of that,” Machicao further noted. “They may work with other parties like travel agencies that collude with ‘laundering’ the points.”
Loyalty programs, insofar as they deal with a firm’s most loyal customers, have a unique set of requirements when it comes to monitoring fraud. These are regular customers with very regular use patterns when it comes to their loyalty accounts. When the customer starts acting “unusually,” it is actually easier to spot.
“We’ve extended all of the intelligence we use around core payment transactions and built a group of attributes out of it for loyalty programs. That includes monitoring IP address, device profiles, where is the consumer coming from, how often they are logging in – all of these things are as applicable to a loyalty payment as they are to standard payments. So we are adding those attributes and then looking for suspicious behavior that is uncharacteristic of the consumer.”
And because these consumers are a better-known commodity in many regards, Machicao told Webster that the odds of false positives actually decline.
That is all-important, Machicao noted, because of what the program being protected is meant to do: inspire loyalty to the brand.
This means the needle CyberSource has to thread is pretty narrow. Points banks have to remain easy and accessible to the right customer so that they can swap their points into their payments without friction. At the same time, the friction level has to stay very high for cybercriminals, so they can’t capitalize on that ease of use to snap up the points and anger the customer.
“This type of fraudulent activity not only impacts the profitability of businesses, but also hurts customer trust and loyalty — the very things these programs were designed to build,” Machicao noted.
But the good news, Machicao said, is that CyberSource already knows how to do that for payments and can now do it for loyalty points as well.
The customer’s experience won’t change, but hopefully the fraudsters will now have a much tougher row to hoe and decide loyalty point fruit isn’t so low-hanging after all.