Canadian Underwriter

Why rewards programs are a new cyber threat

May 21, 2019   by Jason Contant

Print this page Share

If your client offers loyalty and rewards programs, they may want to keep a closer eye on securing these “non-traditional risk points” from cyber criminals.

Earlier this year, several McDonald’s customers in Canada complained that criminals had breached their accounts on the restaurant chain’s loyalty app and placed unauthorized orders, some totaling more than $1,000, according to media reports.

And in the massive data breach last year at the Marriott hotel chain, hackers exposed the data of up to 500 million customers, including members of the chain’s Starwood Preferred Guest rewards program.

“Everything from frequent flyer miles to bonus points to hotel rooms are targets for cyber criminals who can sell these loyalty points on the web,” Don Duncan, security engineer for Vancouver-based NuData Security, told Canadian Underwriter last week.

“Customers and companies alike are not always monitoring reward points that are accruing and don’t necessarily notice when cyber criminals come in the back door and steal them,” he said. “Most companies concentrate their efforts on securing the front door from fraud – the transaction point – but often miss the bad actor sneaking in the back door where their reward feature is situated.”

Reward or loyalty points have become a “great objective since they don’t trigger a credit card payment event,” Duncan noted. “If online companies are only monitoring the outcome of purchases and transactions, they are leaving themselves open to a whole world of risk they have no visibility into. Along with account takeover fraud, non-traditional risk points such as adding reward and loyalty points should be continuously monitored.”

Duncan recommends multi-layered solutions that include passive biometrics and behavioural analytics to monitor loyalty or rewards programs, as these analytics verify users by their inherent behaviour and not the data (that could have been stolen) itself.

“This technology change makes stolen credentials valueless,” Duncan said. “Best of all, these passive systems are invisible to hackers and customers alike removing friction from the transaction, and even offering good customers a VIP experience when warranted.”