Credit card information was once considered the Holy Grail for hackers, with bad actors targeting retailers in an effort to glean this sensitive data and use it to fraudulently purchase goods and services. In recent years, the industry has grown more security-minded and introduced new ways to protect against the use of stolen card data — e.g., greater adoption of EMV chip cards, or requiring that online shoppers input their card’s CID number prior to purchase. As such, the value of stolen credit card information has dropped significantly on the black market. So, does this mean that retail is no longer in hackers’ sights?
Unfortunately, no. While it’s true that hackers are pursuing credit card data less frequently, there's another, growing area of online fraud that has significant implications for retailers and consumers alike: loyalty programs. In many ways, these programs are a more attractive target for bad actors as people don’t typically monitor their loyalty point accounts with the same frequency and precision as their credit card purchases. As a result, the theft of loyalty points often goes unnoticed for a significant period of time.
Fraudulently accessing loyalty program accounts is typically quite easy for a bad actor. The hacker buys compromised credentials (i.e., password and username pairs) from the dark web or obtains them from a breach, uses these credentials to access an account, and then uses or transfers the points. Dunkin’ Donuts made headlines last year when it announced that the accounts of some of its DD Perks participants had been hacked, and Canadian loyalty program PC Optimum has also publicly struggled with loyalty theft.
Retail is not the only sector to fall victim to loyalty theft — the hospitality and airline industries are also top targets. However, given the crowded and competitive nature of retail, it’s a problem that can hit brands particularly hard in multiple ways, including:
- Customer friction and attrition: Depending upon a customer’s brand loyalty and existing competitive options, losing their loyalty points can range anywhere from an irritation to a significant issue that causes them to sever ties with the brand. It’s estimated that it can be five to 25 times more expensive to acquire a new customer than it is to retain an existing one. Therefore, losing a customer, particularly one who's loyal enough to join your rewards program, can have a negative impact on revenue.
- Merchandise costs: Brands that allow loyalty points to be redeemed in the form of tangible merchandise (for example, a free branded T-shirt or baseball hat after a certain monetary value has been reached) are typically on the hook to give these items to the rightful customer — a cost that can quickly add up.
- Lost revenue: The factors outlined above can impact companies’ bottom lines, and there's also the cost associated with a public breach — particularly one in which the affected customers vocally express their disapproval and abandon the brand.
So, what can retailers do to protect against this glaring vulnerability? One tactic is to encourage customers to be more security conscious as part of joining the loyalty program. For example, educate them on loyalty fraud and the importance of frequently tracking their points. Another consideration is to invest in credential screening for your loyalty program, so that customers can be notified if their loyalty account credentials have been compromised and take action before their points are fraudulently redeemed.
As with all aspects of security, there's no easy fix and no single solution or approach in isolation that can entirely protect a retailer from the threat of attack. However, given that the vast majority of shoppers are members of at least one rewards program, it’s critical that retailers offering loyalty points be aware of loyalty fraud and take a proactive approach to their program’s security.
Josh Horwitz is chief operating officer at Enzoic, a cybersecurity and fraud detection solution.
Horwitz is an enterprise software executive and entrepreneur with over 25 years' experience. He was the founder of the cloud-based, enterprise customer-marketing platform, Boulder Logic, whose clients included Microsoft, Siemens, Dell, and CSC. Josh grew the company as CEO over 46 consecutive profitable quarters and ultimately led the company’s exit in 2015. Prior to founding his company, Josh held senior technology and sales positions with both start-ups and Fortune 500 companies, including IBM where he developed marketing programs to help build Lotus Domino to over 40 million users. Josh earned his MBA from Babson’s F.W. Olin Graduate School of Business and his BA from Washington University in St. Louis.