Loyalty program abuse: How malicious bots target hotels

By Yasmin Duggal / 19th May 2021

Hotels across the globe have been subject to massive data breaches and widespread loyalty fraud over recent years. Online bookings have become a prime target for cybercriminals, who exploit the high look-to-book ratios of hotel sites, where automated traffic hides among the far larger volume of legitimate searches, and the vast amounts of customer data held by hotel chains to execute loyalty program abuse.

But as severe travel restrictions came into play and bookings ground to a halt, hotels stood almost empty for 12 months of the pandemic. With non-essential travel banned by governments around the world and office staff working from home, hotels lost out on corporate business too.

As the travel industry gets back on its feet in 2021, hotels are reopening and encouraging tourists back through their doors, meaning an increase in online reservations over the summer months. But with a surge in bookings comes increased opportunity for cybercriminals to exploit loyalty point and reward schemes, which a lot of hotels now have in place.

In this blog we explore the risk of loyalty program abuse to the hotel industry and how to keep your business and customer data secure.

What is loyalty program abuse?

Loyalty point fraud has been a growing problem over the course of the pandemic; as more services went digital, the public was forced to make most purchases online. There are now 5.5 billion loyalty point memberships worldwide, and it’s predicted that annual loyalty point fraud will surpass traditional credit card fraud – which currently amounts to between $4 billion and $5 billion annually.

Loyalty points are often stolen and sold on the dark web for a fraction of what they are worth. Attackers either redeem the points they find in a compromised account and sell the resulting bookings on for a profit, or transfer the points to an account they control. A $2,000 booking on a travel site would cost approximately $700 on the dark web; on average a stolen trip sells for between 25% and 35% of the original fare. There are even criminal travel agencies on the dark web that drive down the price of holidays by paying with stolen loyalty points.

Loyalty point movements are far harder to track than monetary transactions, because customers check loyalty accounts far less frequently than bank accounts. In fact, 45% of loyalty point accounts are inactive, leaving them vulnerable to attack, and loyalty program abuse often goes unnoticed by the customer for months.

How do threat actors use account takeover to steal loyalty points?

Account takeover fraud against loyalty point accounts was estimated to reach $1 billion in 2020. As customers have been forced to shop, communicate and book everything digitally, cybercriminals have capitalised on passwords reused across multiple accounts, while loyalty points lie dormant and vulnerable in those accounts.

Most account takeover against hotels is carried out with credential stuffing tools. These tools drive large-scale loyalty fraud by quickly testing high volumes of stolen username and password pairs, typically leaked from breaches of other sites, against many hotel and travel websites at once. Each pair is tried once or twice per site; the vast majority fail, but every pair that matches gives the cybercriminal a working login. They can then enter the account and behave as the customer, moving the loyalty points to another account or redeeming them and reselling the result for a profit.
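The pattern described above has a recognisable shape in a hotel's own login logs: one source trying many different usernames in a short window, almost all failing, with the occasional success marking an account that has just been taken over. The script below is an added example (not Netacea's product code and not from the original post) that triages a constructed login log for that shape. The four-field log format, the thresholds and the sample lines are assumptions made for the illustration.

```python
"""Credential-stuffing triage over login logs.

Added example; not Netacea's code or the original page's. The log format
(timestamp, source IP, username, result), the detection thresholds and the
sample lines are all assumptions constructed for this illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one login attempt per line: "<iso-timestamp> <ip> <user> <OK|FAIL>".
# 198.51.100.7 sprays eight different usernames in five seconds (stuffing, two hits);
# 203.0.113.5 is one customer who mistypes their password once; 192.0.2.9 is routine.
SAMPLE_LOG = """\
2021-05-18T09:00:01Z 198.51.100.7 alice@example.com FAIL
2021-05-18T09:00:02Z 198.51.100.7 bob@example.com FAIL
2021-05-18T09:00:02Z 198.51.100.7 carol@example.com FAIL
2021-05-18T09:00:03Z 198.51.100.7 dave@example.com FAIL
2021-05-18T09:00:03Z 198.51.100.7 erin@example.com OK
2021-05-18T09:00:04Z 198.51.100.7 frank@example.com FAIL
2021-05-18T09:00:04Z 198.51.100.7 grace@example.com FAIL
2021-05-18T09:00:05Z 198.51.100.7 heidi@example.com OK
2021-05-18T09:01:10Z 203.0.113.5 alice@example.com FAIL
2021-05-18T09:01:30Z 203.0.113.5 alice@example.com OK
2021-05-18T09:02:00Z 192.0.2.9 ivan@example.com OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed four-field format; blank lines are skipped."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return attempts


def is_stuffing_source(attempts: list[Attempt], window: timedelta,
                       min_users: int, min_fail_ratio: float) -> bool:
    """True if any sliding window of one source's attempts looks like stuffing:
    many distinct usernames tried, mostly failing. A legitimate customer who
    retries their own password has a single username, so never trips this."""
    attempts = sorted(attempts, key=lambda a: a.ts)
    start = 0
    for end, current in enumerate(attempts):
        while current.ts - attempts[start].ts > window:
            start += 1
        win = attempts[start:end + 1]          # re-sliced per step; fine for an example
        users = {a.user for a in win}
        fails = sum(1 for a in win if not a.ok)
        if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
            return True
    return False


def find_stuffing_sources(attempts: list[Attempt], window: timedelta = timedelta(seconds=60),
                          min_users: int = 5, min_fail_ratio: float = 0.6) -> dict[str, list[str]]:
    """Map each flagged source IP to the usernames that logged in successfully from it:
    those are the accounts whose loyalty balances should be frozen and reviewed."""
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, group in by_ip.items():
        if is_stuffing_source(group, window, min_users, min_fail_ratio):
            flagged[ip] = sorted({a.user for a in group if a.ok})
    return flagged


if __name__ == "__main__":
    for ip, users in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing suspected; successful logins to {users}")
```

On the sample, only 198.51.100.7 is flagged, and the two accounts it logged into (erin and heidi) are the ones to lock and contact. The thresholds are a starting point to tune per site, and per-IP counting is only a first cut: commercial stuffing tools rotate through residential proxies, so the same logic is usually also run per ASN, per device fingerprint and against the site-wide login failure rate, which jumps during an attack even when no single address stands out.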

Loyalty program abuse is easy money for cybercriminals because:

  • Customers do not keep as close tabs on their loyalty point accounts compared to bank accounts
  • Although loyalty points are a form of digital currency, many companies do not secure loyalty accounts as rigorously as payment accounts

Between July 2018 and June 2020 there were over 100 billion credential stuffing attacks; 63 billion of these were targeted at retail, travel and hospitality.

Why do threat actors target the hotel industry?

Alternative payment methods including loyalty points account for over half of all travel transactions, giving cybercriminals ample opportunity to gain fraudulent access to customer credit and execute loyalty program abuse.

Account takeover, and credential stuffing in particular, is a huge problem for hotel chains. Across the hotel industry it leads to compromised customer accounts, loyalty point fraud and ultimately data breaches. The Marriott breach disclosed in 2018 exposed as many as 383 million guest records from the Starwood reservation database, including loyalty program account details.

The coronavirus pandemic caused airlines, hotels and other loyalty programs to extend or waive the expiry of loyalty points, as flights were cancelled, stays were rebooked, and brands scrambled to retain the business of their 2020 customers.

As cybercriminals looked for ways to ramp up business during the pandemic, the unused points from cancelled holidays were a prime opportunity: balances that could be redeemed and sold on the dark web for a healthy profit. While customers remained in limbo, unable to rebook staycations or international trips until travel restrictions permitted, loyalty point fraud could happen right under their noses.

Securing your business against loyalty fraud

2021 brings a renewed threat to hotel loyalty programs. As the hotel industry reopens and millions of customers make online bookings once again, the opportunity for loyalty point fraud is ever present.

It’s important that customers use a different password for every account, so that a single leaked credential cannot be replayed against their other accounts. Checking accrued loyalty balances regularly also matters: suspicious activity that is reported quickly can be reversed, and the company can reimburse what you are entitled to.

For businesses, investing in a sophisticated bot management strategy is key to cutting attackers off at the first stage of the loyalty fraud kill chain, the credential stuffing attempt itself. Netacea Bot Management uses machine learning to analyse user behaviour, detecting and preventing suspicious activity before it causes damage to both customer and brand.

To find out how much malicious bots could be costing your hospitality business, visit Netacea’s new bot calculator.
