From Neiman Marcus to Macy’s, StockX and Poshmark, retail data breaches have repeatedly made headlines for exposing consumers’ credit and debit card information. But while consumers may be watching their credit card and bank account balances for suspicious activities, another currency is increasingly under attack: loyalty program incentives.
As retailers lure customers through loyalty programs, their rewards may be easier targets for cybercriminals, experts told Retail Dive. Per the Forter Fraud Attack Index report, loyalty fraud has increased by 89% in only one year. Failing to protect such incentives is not only a financial headache for customers, retailers and financial services, but it can also drive consumers to more secure competitors, experts said.
While consumers may be on high alert for suspicious credit and debit card transactions, consumers do not check their loyalty rewards as often as they might examine their other financial accounts. It thus delays discovery when points have been stolen, said Kimberly Sutherland, vice president of market strategy at LexisNexis Risk Solutions.
Much like other digital goods such as online content or e-gift cards, loyalty points are easily acquired and hard to get back once they're taken, Sutherland said, adding that companies should increasingly focus their security efforts on securing online purchases of digital and physical goods from start to finish.
"Even in terms of setting up [of] those rewards points, we see that there's manipulation of those accounts, where the same individual can use different email addresses, different social media accounts, possibly creating full synthetic identities," Sutherland said.
Both Sutherland and Colin Sims, COO of the fraud prevention firm Forter, pointed to travel-related loyalty programs such as those that offer rewards for hotels and flights, as well as other high-value incentives, as higher risk for attracting hackers.
As for which online channel is most vulnerable, Sutherland said fraud attacks of mobile browser sites are more successful than attacks on mobile apps, because mobile apps tend to be more frequently embedded with security updates.
Where retailers fall short in securing their loyalty programs is securing the input platforms for signing up for rewards programs, Monique Becenti, product and channel marketing specialist at SiteLock said. At a minimum, retailers need to make sure they have an SSL certificate to encrypt consumer data transmitted from the consumer to the retailer, she said.
Sign-up forms on retailers' e-commerce platforms could also be vulnerable to SQL injections or cross-site scripting flaws that could leave accounts vulnerable to unauthorized access to sensitive data, she said.
Becenti described cross-site attacks as attacks that code deployed through a web browser by adding malicious code to a webpage or input field, causing the site to request the user to re-enter their login credentials and steal the username and password. A SQL injection, on the other hand, uses malicious code to retailers’ website input fields to trick the server into giving a hacker unauthorized access to that website’s database, she said.
Why exactly are hackers going after users' loyalty incentives? For one thing, there isn't much technology made specifically to prevent loyalty fraud, Sims said.
Becenti and Jill Knesek, chief security officer of digital marketing technology provider Cheetah Digital told Retail Dive that consumers' loyalty program information can be a gateway for other valuable user information such as customer identification numbers, email addresses or credit card information, which, as Becenti pointed out, hackers can later sell on the dark web or use themselves.
To monetize consumer loyalty points, hackers can take over consumers' retailer accounts where their credit card information is stored, Sims said. Once hackers have compromised one or multiple accounts, they can redeem points for gift cards or sent frequent flyer miles as gifts, he said.
"You can actually sell a ticket to someone else. They pay you, and then you turn around and buy that ticket with loyalty points and switch the name on that ticket later," Sims explained. "Fundamentally, you paid for the ticket with points. That's the only thing that's different from regular credit card fraud."
In fact, online fraudsters continue to increasingly target retailers selling digital or digital and physical goods, Sutherland said. According to LexisNexis' Risk Solutions Cybercrime report, the rate of daily fraud attacks against gift card providers originating in the U.S. peaked to just over 12% in June 2019, its highest point in the previous two years.
Once the dust settles after the holiday season, retailers will likely find that they saw an increase in both e-commerce sales and a slight uptick in fraud, per a report from fraud prevention firm Riskified.
For retailers, one of the biggest challenges in stopping online fraud is distinguishing human customers from bots, Sutherland said. Retailers need to keep an eye out for unusual activity on the e-commerce platforms such as bots completing transactions in a fraction of the time it takes for humans to do so or one device accessing multiple accounts, she said.
On the other hand, using such indicators can further complicate retailers' efforts to authenticate transactions, because most merchants don't have the data analysis capabilities, Sims said. Unlike modern fraud detection services, retailers are limited to examining their own data set, he added.
In the past, retailers once relied on certain rules to detect fraudulent transactions, such as logins from a foreign server, leading to a "spider web" of rules for retailers to manage and audit, Sims said. Such criteria also catch real consumers whom retailers mistake for hackers, he said.
"If you are a luxury watch retailer and you see someone connecting from a foreign VPN from Hong Kong and shipped to a hotel room, you wouldn't be wrong to think that's a suspicious transaction," Sims said. "But if you understand that that person has also booked a hotel room at a luxury hotel and that's a typical travel pattern for them... all of a sudden this person starts to look like an investment banker."
Balancing ease of use with cybersecurity
As more retailers create loyalty programs to encourage consumers to come back, they can't afford to neglect their cybersecurity efforts, experts told Retail Dive.
By now, consumers are well aware of the importance of securing their personal data online, but relying too much on security features, such as requiring multifactor authentication when logging in, can be a cumbersome user experience for the customer, Sims said. Plus, multifactor authentication may not be an effective tool if, say, the customer's email address associated with the account is also compromised, he said.
Besides implementing multifactor authentication for suspicious transactions, retailers can also adopt a combination of passive authentication methods that don't require customer input, such as examining whether a particular device is the one associated with an account or if the device has malware on it, Sutherland said.
Retailers can start by assessing the risk of the device and transaction, Sutherland said. For example, is the user simply trying to access the account, or are they changing the email address associated? The latter of the two would require more active authentication, such as receiving a passcode or sending users a security question, she said.
Though verifying users' identity can be time-consuming for customers and retailers alike, Knesek said consumers are becoming more accustomed to adhering to stronger cybersecurity measures so that companies can protect the personal data they collect.
"I remember when passwords could be ‘12345,' and now you have to have more difficult ones with a capital letter and a number," Knesek said with a chuckle. "To me, the most important thing is making sure that the data is secure."
Beyond being a financial hassle for retailers and financial services firms providing the loyalty incentives, failing to protect customers' loyalty rewards could drive consumers to competitors even if the consumer offers the item or service they seek at a reasonable price, Sutherland said.
"As a consumer, if I have earned [loyalty points], I expect to use them," Sutherland said. "If someone then inappropriately accesses my account and takes those points from me, then… now I've completely eliminated my trust with the company, and I no longer have what I deserve."