Fraudsters who attack e-commerce merchants aren't always focusing their nefarious efforts where you might think. Instead of trying to steal products or services, sometimes they're seeking access to retailers' online rewards programs, either to use the points in hijacked customer accounts or to steal personal data. The lengths criminals have gone to for loyalty program information may surprise you.
When you review the facts about rewards programs, it’s a little surprising it’s taken so long for fraudsters to target them on a large scale. About 87% of U.S. consumers are members of at least one loyalty program, with the average consumer belonging to six, according to a 2019 report by Blackhawk Network Research. Nearly half of U.S. business surveyed by Blackhawk offer loyalty programs because they encourage repeat business, increase revenue and raise the lifetime value of customers who are members.
Here's more about why loyalty programs are such a tempting target, what the risks are for merchants and consumers and how to protect your rewards program.
Valuable accounts, weak security
Rewards programs are popular with businesses and consumers, but there's not a lot of discussion about the fact that these programs are a repository of two things criminals want: points that can be used to make purchases or converted to cash and data that can be sold and exploited for account takeover attacks. In the U.S., the total value of rewards accounts is $60 billion, according to Loyalty Fraud Prevention Association co-founder Peter R. Maeder. Maeder told PYMNTS that the global value in these accounts is $250 billion.
Despite all that value, security around rewards programs is often less than robust. And as point-of-sale and card-not-present fraud become harder to commit, fraudsters are turning to rewards accounts as a new revenue stream. One security expert described rewards program security to the New York Times as "the path of least resistance," due to simple signup procedures and lax password requirements. Simple passwords are easy for bot-assisted fraudsters to crack, and the four-digit PINs that protect many loyalty accounts are even easier.
Loyalty program fraud is expensive
The cost of rewards program fraud is high, and it's rising. PYMNTS reported that attacks on loyalty accounts rose nearly threefold from 2016 to 2017, at a global cost of $2.3 billion. Remediation often includes the cost of replacing stolen rewards. One case, reported by the New York Times, involved a Hilton Honors member who lost 80,000 program points (worth an estimated $400) to hackers. Hilton replaced the points after the man reported the theft. Those reimbursements add up, and there are more costs to consider.
Loyalty program breaches generate bad publicity that can contribute to customer churn. Marriott has been in the headlines periodically since November 2018 because of a huge breach in Starwood's loyalty program, which wasn't discovered before Marriott acquired Starwood. Around the same time, Radisson Hotel Group reported a breach in its Radisson Rewards program that affected an undisclosed number of accounts.
Since the initial report, Marriott has rebranded its rewards program. That's a wise move, because research shows that consumers are wary of brands that have been breached. A 2018 Ping Identity study found that more than three-quarters of consumers stop engaging with brands that have been breached, and 49% won't join or use online services that have been breached.
There are also regulatory penalties. Marriott faces $123 million in GDPR fines, based on the loss of personal data for an estimated 37 million customers in the U.K. and European Economic Area. As more states and nations enact data protection laws, like the California Consumer Privacy Act that takes effect in 2020, companies may face a growing list of penalties and fines for loss of their loyalty program data.
Criminals are willing to work for rewards program data
It's clear that, although rewards programs can be good for businesses and consumers, the consequences of breaches can be severe. What's recently become obvious is just how big a target loyalty programs are for organized criminal hackers. Even when the accounts aren't easy to crack, fraudsters may be willing to work hard to breach accounts at scale.
In April of this year, a breach was reported at Wipro, one of India's largest IT service companies. Wipro has major retail, government, and industry clients around the world, and, at first, it appeared that the goal of the breach was to gain access to Wipro customers' systems. Investigators found that hackers had been in Wipro's systems for about three years. The sophistication of the attack raised the possibility that it was state-sponsored, perhaps an espionage campaign.
That idea was largely discarded when investigators found that the intruders were after loyalty and gift card programs run by Wipro's clients. Recently, cybersecurity firm RiskIQ published a report of its investigation of the Wipro breach. It says the breach was part of a much larger campaign against dozens of firms in different industries. The "gift card shark" group's motive was to phish their targets' employees, access the targets' networks, and steal data from customer loyalty, employee rewards and gift card programs.
In all, RiskIQ uncovered five separate attack campaigns by the gift card shark group since 2016. Four of them targeted loyalty and rewards programs. RiskIQ found evidence that Best Buy, Staples, GameStop, Darden Restaurants and Expedia were among the dozens of companies targeted by the group. The group also went after money transfer, prepaid services and payment services providers, along with a large group of targets that couldn’t be identified.
Why did this group target loyalty and gift card programs so extensively? The investigators think the goal was to convert rewards points to gift cards and gift cards to currency, then find a way to "transfer funds to more traditional institutions." What was the plan for that money? How much was stolen? Who’s behind the crimes? Security professionals still don’t know.
The time for better rewards program security is now
The lesson of the Wipro breach is that every merchant with a loyalty program needs to take steps now to make the program more secure. As with online card fraud prevention, layers of security are the best defense against rewards program hackers.
One step is to tighten the password or PIN complexity requirements for your reward program accounts. A four-digit PIN is not complex enough. Although it takes as long 111 hours to brute force a random four-digit PIN, 20% of PINS are 1234, 0000 or 1111, which can be tested manually in seconds. Rewards program members should also be encouraged to create a unique password for their account that they don't reuse anywhere else.
Encrypting rewards' program member data can reduce the damage done if there is a breach. Although more than 9 million of the payment card numbers exposed in the Marriott-Starwood loyalty program breach were encrypted, more than 5 million customers' passport numbers were not encrypted, leaving them vulnerable to identity theft.
It's also worth considering just how much data your rewards program needs to collect. That's because you must protect it whether you're using it or not. And in the wake of so many breaches, consumers are more wary about sharing information for rewards. A recent Harris Poll found that 76% of US consumers are more likely to join a loyalty program that only requires their name and phone number. Approximately 71% said they'd be less likely to participate if they had to share account information or "other sensitive data."
Finally, it's a good idea to monitor rewards account activity the same way payment card activity is monitored for suspicious activity like purchases close together in time but in different states, or a series of unusual redemptions that don't match past accountholder behavior. When you can identify hacked accounts quickly and alert the customer, you limit the damage to their account, protect your relationship and safeguard your bottom line.