Securing the Digital World

Loyalty Points Fraud: Why Reward Programs are a Growing Target

Nov 26, 2018 | by Heidi Bleau |

What's moving to the top of fraudsters' holiday shopping lists this year? Reward points. With banks and credit card issuers making card fraud tougher than ever, fraudsters have set their sights on another target: loyalty points programs. And why not? Loyalty points accounts are easy pickings—typically guarded by little more than a username/password combination, and often forgotten by consumers until they're ready to use them. Once acquired, they're easily redeemed for flights, hotel rooms, gift cards and merchandise, or offered for sale on the dark web for a fraction of their face value.

Perhaps you have been building up travel points for a family vacation or hotel rewards for a romantic weekend getaway. Unlike your bank or credit card, you are probably not checking the balance on your customer loyalty accounts, and fraudsters could be stealing reward points without you even knowing it. Recent reports of loyalty program-related airline and hotel data breaches suggest these types of attacks are on the upswing, and RSA research supports the idea. Our data analysis of one major dark web marketplace shows that travel/hospitality businesses and rewards programs collectively make up 13 percent of the types of accounts for sale.

Phishing is another source fraudsters use to acquire access to loyalty points accounts. RSA saw a 70 percent increase in global phishing attacks in Q3 which is typical as fraudsters look to harvest fresh credentials to use during the holiday shopping season. Here's what you need to know about the kinds of tactics fraudsters are likely to use in these attacks, and how businesses and consumers can fight back.

Phishing, Smishing and Bots: A Few of Fraudsters' Favorite Things
Knowing what you're up against is the first step to prevent damage from a loyalty program breach. Phishing is a typical entry point for fraudsters, as in this recent scam in which fraudsters posing as representatives of an airline's rewards program sent emails to customers asking them to update their loyalty program information. (And if phishing is rampant, can smishing be far behind? Smishing works the same way phishing does, but the message purporting to be from a legitimate company comes via text rather than email.) Travel and hospitality companies are also seeing bots being used to try to access customer accounts using fake or stolen credentials. According to one report, nearly 40 percent of traffic on travel-related websites comes from impersonator bots.

Your Holiday Message to Fraudsters: Winter Is Coming
If your business offers a reward points program for customers, here are some tips to help put a damper on loyalty-program fraud activity during the holidays:

Monitor, monitor, monitor. Awareness is everything. Digital risk monitoring across fraud forums can help you see how your brand is being targeted for fraud and reveal potential business-process vulnerabilities. Social media monitoring can be an eye-opener, too; there's nothing like seeing a fraud threat targeting your business to help focus your fraud prevention efforts. If your organization doesn't have the internal resources to step up levels of monitoring, consider contracting with a vendor who specializes in cyber intelligence services.

Rethink authentication. The old username/password combination just isn't enough to protect loyalty programs from being breached by determined fraudsters. Consider the use of multi-factor adaptive authentication to watch for signs of fraud based on device, user behavior and other indicators.

Be aware of account takeover. Fraudsters take advantage of high volume traffic times, such as Black Friday and Cyber Monday, to launch automated attacks to test credentials that may have been stolen from other breaches. Loyalty programs are a prime target for these types of attacks. Align your security policies to watch for anomalies in the way users navigate your website and look for signs of account takeover such as thousands of login attempts within only a few minutes or multiple failed logins from the same IP address or geo-location.

What Consumers Can Do to Keep it the Most Wonderful Time of the Year
Consumers may not have the sophisticated fraud-prevention tools at their disposal that loyalty-program operators have, but they can still take steps to avoid becoming victims of fraud. RSA suggests advising your customers to:

Use different passwords for different accounts. Yes, it's a pain, but using different passwords can confine the damage to just one account if credentials are stolen.

Treat loyalty accounts like bank accounts. That means checking points balances frequently, monitoring for unfamiliar transactions often and reviewing statements regularly.

Sign up for fraud alerts. Exercise the option to get a text, email or call when loyalty points are used and when trips paid for with points are booked or modified.

Say yes to multi-factor authentication. If a website you do business with offers the option of multi-factor authentication (biometrics, one-time password or other authentication methods in addition to username/password), take it. A second factor can foil a breach attempt that uses credential stuffing.

Double-check before downloading mobile apps. Be sure the app is downloaded from a reputable source like the Apple Store or Google Play Store. Look for clues like a logo or interface that doesn't look quite right. In addition, always read the permissions requested by an app to ensure they are appropriate for the service.

Fraudsters will always find new kinds of accounts to breach and new ways to breach them, and loyalty and reward points programs are no exception. But there's plenty businesses (and their customers) can do to protect against fraud—and keep fraudsters from getting everything they want for the holidays this year.

# # #

The best way to stay one step ahead of fraudsters this holiday season is to keep on top of the latest fraud trends. Learn about them by reading the most recent RSA Quarterly Fraud Report.