The Rising Tide Of Loyalty Fraud — And How To Stop It

Would one lock a Ducati to a lamppost with a loop of dental floss? Well, that’s about the equivalent of what’s protecting an estimated $250B in global loyalty rewards — most accounts are protected by just a four-digit PIN, says Peter R. Maeder, co-founder of the Loyalty Fraud Prevention Association. In the latest Digital Fraud Tracker, Maeder discusses the 300 percent rise in fraud targeting loyalty programs, and why PINs for protection are toothless.

From banks to retailers to restaurants, companies are on the hunt for a strategy that will win over customers, with a growing share turning to rewards and loyalty programs.

There’s good reason to offer incentives, too. One recent report found that 86 percent of shoppers have joined loyalty programs, while another discovered that 71 percent of consumers found rewards programs to be a meaningful part of their relationships with brands. These offerings can even help brands edge ahead of their competition — 22 percent of consumers will exclusively shop at stores where they are a loyalty member.

There are ill-intentioned characters mixed in with those loyal customers, however. According to Peter R. Maeder, co-founder of the Loyalty Fraud Prevention Association, a group that offers resources, information and best practices to companies with loyalty programs, digital fraudsters have been using account takeovers (ATOs) to target these offerings. Fraudsters treat accrued rewards points as currency, even while many consumers and even the companies offering the loyalty programs do not.

“One of the problems the loyalty industry has is that the miles or the points that have accumulated in an account are not treated at their true value,” he said, noting that loyalty rewards in accounts worldwide are worth $250 billion, with $60 billion of that in the U.S. alone. “Unfortunately, the programs, and even the account holders, don’t protect them.”

As a result of this lack of protection, loyalty programs are at particular risk for digital fraud.

The Rising Tide Of Rewards Fraud

In recent years, the loyalty space has been hit by an increased rate of fraud attacks — and they don’t come cheap.

The percentage of cyberattacks targeting loyalty and rewards accounts nearly tripled from 2016 to 2017, with 48 percent of businesses being hit by ATO attacks, which cost companies more than $2.3 billion worldwide. Attacks aren’t limited to small businesses (SMBs), either, with several large companies falling victim to loyalty fraud efforts, including KFC, Sears and Delta.

“You have lots of hackers who are trying to steal accounts,” Maeder said. “Once they have this data, they set up fake accounts and transfer points they have stolen from one account into their account, often to sell on the internet.”

These increases have come as many companies — particularly those in the digital space — have been focusing on improving their fraud prevention efforts, especially those around credit cards, debit cards or bank account information. Since loyalty and rewards accounts have not received the same level of attention, fraudsters have been exploiting the vulnerability of these programs.

“The crooks have found out that it’s getting more and more difficult to defraud organizations in the credit card area,” he said.

Schemes created by organizations like the PCI Council can enforce rules and make it more difficult for crooks to commit fraud, but a similar level of protection is missing from the loyalty reward space.

“In the loyalty area, there’s no equivalent to the card schemes. Everybody is on their own,” he noted.

Stopping ATOs And Other Attacks

Stemming the rising tide of ATOs will require increased attention and investment from companies in the space. These efforts, and the money funding them, will need to be carefully directed to be effective in the fight against digital fraud.

People who travel frequently may earn huge swaths of points with hotel chains, giving them access to a valuable level of rewards and offers. However, according to Maeder, there isn’t much keeping those rewards secure.

“In order to access all those points, [the customer] only needs to enter a four-digit PIN,” he said. “It takes a crook only seconds to break those kinds of codes, so there are a lot of things companies can do.”

He pointed to biometric technology, such as fingerprint and face scanning, as tools that could be used to prevent fraudsters from gaining access to accounts. By replacing weak and ineffective PINs and passwords, which currently plague loyalty and rewards programs, with biometric authentication, companies would be applying the same security standards used to protect major mobile banking apps and other similar offerings.

Biometrics, along with other tools like two-factor authentication, could cut down on ATOs by making it more difficult for digital fraudsters to gain access to the account credentials necessary to complete such an attack. They could also help curb other types of cybercrime that plague the industry.

Protecting these programs and the rewards they store will likely become even more important in the future, according to Maeder. As loyalty accounts age and accrue higher values of rewards, they become more appealing to fraudsters.

Without loyal customers, businesses struggle to survive, but they may also struggle if they don’t defend against ATOs or other digital fraud attacks. Protecting loyalty programs should be a top priority for all merchants, restaurants, banks and other businesses.