How can businesses stay ahead of loyalty point fraud?
By Yasmin Duggal / 25th Jun 2021
Table of Contents
In our recent webinar featuring Netacea’s Head of eCommerce, Tom Platt, we explored the rising threat of loyalty point fraud and how businesses can reap the benefits of loyalty schemes while staying protected from attacks and retaining customer loyalty.
Watch the full webinar on demand or catch up on the takeaways here:
What is loyalty point fraud and how does it work?
Loyalty reward programs are a regular feature of the eCommerce landscape, with points accumulated based on repeated purchases. Often the points are redeemable against products or services offered by the business; other schemes offer flexibility to spend the points elsewhere.
For years, adversaries have been exploiting loyalty schemes to access personally identifiable information (PII) and purchase products or services to use or resell for a healthy profit.
Using Netacea’s BLADE (Business Logic Attack Definition) framework, we can see that loyalty point fraud begins with the attacker obtaining credentials from the dark or open web, before injecting them into various websites until they get a match.
Typically, Proxying and CAPTCHA bypass are used to get round defense measures, before fraudulently obtained payment details are fed into checkout pages and the transaction is redirected. Netacea has seen a particular rise in account aggregation, used to consolidate credentials from multiple accounts and increase the attack surface.
Why are loyalty accounts a prime target?
As the loyalty industry grows, 45% of loyalty point accounts remain inactive, making many vulnerable to attack. It’s predicted that annual loyalty point fraud will soon surpass traditional credit card fraud – which currently amounts to between $4 billion and $5 billion annually.
Why will loyalty fraud overtake credit card fraud?
- Loyalty point fraud is much harder to track than monetary transactions.
- Accounts are checked by customers far less frequently than bank accounts.
- Businesses tend to neglect point accounts and prioritise ‘legitimate’ currency attacks like credit card abuse.
- Loyalty points are often easily used or transferable either within the targeted company or via a third-party service.
How does loyalty fraud cost businesses?
Loyalty point fraud causes businesses financial harm in four main ways:
- Losing the original value of the loyalty points / credit to the adversary.
- Losing the currency out of the business’ ecosystem.
- Reimbursing the affected customers with the monetary value or loyalty credit stolen in the attack.
- Dealing with the repercussions of any brand damage and loss of customer trust.
Who is targeted?
With loyalty reward programs more appealing than ever (memberships were expected to reach 5.5 billion worldwide by the end of 2020), loyalty point fraud is becoming a growing problem for the eCommerce and travel industries.
Hotel chains and flyer miles are popular amongst these types of attacks. A batch of flyer miles can be purchased on the dark web for as little as $31, and 200,000 airline points (worth approximately $2,000) can sell on the dark web for just $45.
After a turbulent economic year, eCommerce businesses use loyalty points as a way of:
- Onboarding new customers
- Bringing existing customers back to the brand
- Ensuring long-term customer value
At a time when the growth of eCommerce platforms and saturated omnichannel experience makes for a tough fight for customer loyalty, reward schemes play a big part in retaining custom.
Expanding the attack landscape
As customers create more accounts across various sites and reuse passwords, the opportunity for adversaries to attack multiple accounts with the same credentials also grows.
There are now hundreds of e-wallets and apps available online which allow customers to aggregate their loyalty accounts into one tidy depository, but a lack of password security creates a low barrier to entry for attackers. Once they have obtained a set of credentials, adversaries have access to multiple customer loyalty accounts to abuse across sites.
How can businesses protect themselves and their customers?
Treat loyalty point fraud as you would credit card fraud
The main challenge Netacea sees with businesses suffering from loyalty point fraud is treating it less seriously than credit card fraud – or fraud which targets ‘legitimate’ currency.
It’s crucial businesses employ the same level of stringency to loyalty point accounts as other customer accounts. Monitor traffic across loyalty point schemes and ensure you have an overview of who is using them and whether that traffic is coming from malicious bots or human users. Implementing CAPTCHA as a first line of defense helps to filter the human traffic from the bots.
Encourage good password hygiene
In an ideal world, all customers would use avoid password reuse and use a password manager to track their credentials. Unfortunately, with the average user belonging to 14.7 loyalty accounts, passwords are commonly reused and responsibility for protection falls to the business.
The most important step businesses can take is implementing multi-factor authentication (MFA) on login pages to alert customers to any suspicious login activity on loyalty accounts. Separating username and password fields with a two-step process makes it harder for credential stuffing attackers to access customer accounts.
Secure third-party systems
The increase of third-party apps used to aggregate loyalty accounts into one tidy catalogue unfortunately sometimes comes with poor security and a low barrier to entry for attackers. Third parties must make sure e-wallets and the like are secured appropriately with at least MFA to decrease the surface area available to adversaries.
“Businesses need to treat loyalty point schemes with the same stringency as we would PII or credit card data, because it’s equally as valuable and potentially as damaging to our business.” Tom Platt – Head of eCommerce at Netacea
Want to know more about fraud targeting loyalty schemes? Watch the full webinar ‘Customer Loyalty: How are bots exploiting businesses?’ on demand here.
Using sophisticated bot management to stop loyalty fraud
Netacea bot management protects your websites, mobile apps and APIs from loyalty point fraud. Our Intent Analytics™ Engine uses advanced machine learning techniques to detect loyalty fraud attempts by spotting patterns of logins that indicate suspicious behavior.
To find out how much malicious bots could be costing your hospitality business, visit Netacea’s new bot calculator.