Securing the Digital World

Loyalty Fraud: Are You a Sitting Target?

Sep 18, 2017 | by Heidi Bleau

Cybercriminals are increasingly turning to loyalty schemes as a rich source of rewards. Loyalty and reward points accounts often sit unused and unchecked for long periods, so a takeover can go unnoticed for months. Most of these portals also lack adequate protection and still rely on a simple username and password, which leaves them exposed to credential stuffing and brute-force attacks and allows fraudsters to quietly slip in and cash out.

Research by Airline Information shows that 72 percent of airline loyalty schemes have experienced fraud, and our own research shows that 24 percent of retailers view loyalty fraud as one of the most detrimental threats to their e-commerce business.

Loyalty fraud has become such a problem that associations have been developed to offer best practices to the retail industry on how to tackle the threat. If you are an organization – a bank, credit card issuer, hotel, airline, merchant, or other – that provides loyalty rewards or cash back programs, consider yourself a target.

Three Effective Ways to Combat Loyalty Fraud

It's clear that loyalty and reward schemes need to be taken as seriously as any other fraud target. There are myriad fraud management techniques organizations can employ to combat the threat, including the following three best practices:

Digital risk monitoring. The black market remains a bustling marketplace for fraudsters looking to trade and sell stolen identities and fraud-as-a-service offerings. Social media has become a breeding ground of fraud activity, with cybercriminals operating and trading compromised data in plain sight. Compromised loyalty rewards and e-commerce accounts sell for $2 to $10 each, depending on the merchant. Conducting regular digital risk monitoring across fraud forums can help organizations understand how their brand and customers are being targeted and uncover potential weaknesses in their business processes before they are exploited at scale.

Strong authentication. To a fraudster, trading loyalty and reward points for vacations, gift cards, electronics, and other high-value merchandise is just as good as cash. Strong, risk-based authentication should therefore be enforced just as rigorously as it would be if those accounts held real money. In addition, because loyalty and rewards accounts are accessed far less often than, say, a bank or credit card account, customers are likely to need password resets more frequently, which makes the reset flow itself a prime target. Even simple changes, such as verifying a customer's identity with an out-of-band SMS/text code instead of challenge questions (whose answers are often discoverable from breach data or social media) before allowing a password reset, could deter a considerable amount of fraud. SMS is not a strong factor on its own, but it is a clear improvement over knowledge-based questions.

Behavior analytics. Perhaps one of the biggest cyber threats enabled by massive data breaches is account takeover. Loyalty and rewards accounts are often among the first targets for cybercriminals, who can use free tools such as Sentry MBA to test the validity of thousands of compromised credentials with little effort. In one case, RSA saw a cybercriminal use a single IP address to test nearly 200,000 stolen credentials and successfully log in to more than 18,000 valid customer accounts in less than two hours using credential stuffing techniques. Web behavior analytics solutions observe everything in the clickstream and focus their anti-fraud features on users and devices, from assaults against the login page (such as testing stolen account credentials) through to post-login abuses such as fraudulent payments or redemptions.
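The detection logic behind the credential-stuffing case above, and the step-up/forced-reset response the authentication section calls for, as an added example that is not RSA's code or part of the original post. It assumes a simple login log format (`<ISO timestamp> <source ip> <username> OK|FAIL`), illustrative thresholds, and constructed sample data, none of which come from the page:

```python
"""Credential-stuffing detection over login events (added example; constructed data).

A stuffing tool cycles through thousands of different usernames from one
source with a low hit rate: in the case described above, roughly 9 percent
(18,000 of 200,000). A legitimate user retries one or two accounts. Per
source IP we keep a sliding window and flag the IP when, within the window,
attempts and distinct usernames are high and the success rate is low.
Accounts that logged in successfully from a flagged IP are the ones to push
through step-up authentication or a forced password reset.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> LoginEvent:
    """Parse the assumed log format: '<ISO timestamp> <source ip> <username> OK|FAIL'."""
    ts, ip, user, outcome = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "OK")


def detect_stuffing(
    events: Iterable[LoginEvent],
    window: timedelta = timedelta(minutes=10),
    min_attempts: int = 20,
    min_distinct_users: int = 10,
    max_success_rate: float = 0.2,
) -> Dict[str, Set[str]]:
    """Return {source_ip: usernames that logged in OK from it} for flagged IPs.

    Thresholds are assumptions for illustration; tune them to real traffic.
    A shared office NAT also shows many distinct users from one IP, but its
    success rate is high, so the rate test keeps it unflagged.
    """
    per_ip: Dict[str, Deque[LoginEvent]] = defaultdict(deque)
    flagged: Dict[str, Set[str]] = defaultdict(set)
    for e in sorted(events, key=lambda x: x.ts):
        q = per_ip[e.ip]
        q.append(e)
        while e.ts - q[0].ts > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) < min_attempts:
            continue
        distinct = len({x.user for x in q})
        successes = sum(1 for x in q if x.ok)
        if distinct >= min_distinct_users and successes / len(q) <= max_success_rate:
            flagged[e.ip].update(x.user for x in q if x.ok)
    return dict(flagged)


def accounts_needing_step_up(flagged: Dict[str, Set[str]]) -> List[str]:
    """Accounts the attacker proved valid credentials for: force re-auth or a reset."""
    return sorted(set().union(*flagged.values()))


def sample_log_lines() -> List[str]:
    """Constructed sample data, not real RSA or customer logs."""
    base = datetime(2017, 9, 18, 10, 0, 0)
    lines: List[str] = []
    # one source cycling through 50 stolen credentials in five minutes; 5 work (10%)
    for i in range(50):
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 u{i:02d} {'OK' if i % 10 == 3 else 'FAIL'}")
    # a legitimate customer who mistypes her password three times, then gets in
    for i, outcome in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.5 alice {outcome}")
    # an office NAT: 25 different employees logging in normally, all succeed
    for i in range(25):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.44 emp{i:02d} OK")
    return lines


if __name__ == "__main__":
    flagged = detect_stuffing(parse_line(l) for l in sample_log_lines())
    for ip, users in flagged.items():
        print(f"{ip}: credential stuffing, {len(users)} accounts compromised")
    print("step-up / forced reset:", accounts_needing_step_up(flagged))
```

Only the stuffing source is flagged: the retrying customer never reaches the attempt threshold, and the office NAT has many distinct users but a success rate near 100 percent. In production the same three signals (attempt volume, username diversity, hit rate) would be keyed on device fingerprint and session as well as IP, since attackers rotate through proxies.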

A new report, produced by 451 Research and commissioned by RSA, helps fraud and security decision-makers navigate the complex world of web behavior analytics, enabling them to counter the threat of loyalty fraud and cybercrime, without interfering with their organization's core business.

Keep up to date on all things related to fraud. Follow us on Twitter @RSAFraud.