December 17, 2015

How should retailers secure their rewards programs?


Credit card fraud is a known epidemic in the U.S., one that financial institutions and retailers are finally moving to address with EMV technology. But with all eyes on credit cards, there are other avenues into the bank accounts of retailers and customers that are softer targets for hackers: loyalty and rewards programs are becoming prime targets for fraud.

According to CreditCards.com, hackers are increasingly focusing on stealing loyalty rewards points as well as undertaking identity theft through rewards programs. A 2015 study by Colloquy indicated the average household belongs to 29 loyalty programs, and 17 of those are inactive. So hackers can presumably take advantage of dormant but still-open accounts that consumers have forgotten about.

Recent news of vulnerabilities in high-profile loyalty programs illustrates just how real the concerns are.

Starbucks cyber crime

Earlier in 2015, Starbucks’ highly popular rewards program was hacked by penetration tester Egor Homakov. Mr. Homakov, who blogs at security threat assessment solution provider Sakurity, was able to hack a Starbucks loyalty card and add non-existent funds from one card to another. According to his blog, Mr. Homakov presented the breach as a white hat endeavor and revealed it to the company immediately.

Mr. Homakov further explained that he was told by a support person at Starbucks that it was impossible to put him in touch with anyone on the company’s technical team. When he finally was able to reach someone after two weeks, Starbucks did not express thanks for the heads up.

"The unpleasant part is a guy from Starbucks calling me with nothing like ‘thanks’ but mentioning ‘fraud’ and ‘malicious actions’ instead," Mr. Homakov wrote on his blog. "Sweet!"

Other loyalty program-heavy spaces, such as the hotel industry, have also been targeted.

Most notoriously, Hilton’s HHonors loyalty program experienced one of the industry’s first large-scale rewards data breaches in 2014. Legitimate rewards accounts were hacked and sold online. This resulted in fraudulent rewards points being used to buy goods off of participating sites.

Security Intelligence notes that, in light of the growing number of data breaches in the loyalty space, customers may grow reluctant to sign up for such programs.

Discussion Questions

Do you foresee that consumers will shy away from loyalty program enrollment due to the threat of security breaches? Should retailers be investing more in securing loyalty cards, and what can they do to stave off fraud?

8 Comments
Max Goldberg

If the loyalty program breaches are severe enough to generate substantial publicity they could cause consumers to shy away from the programs, especially those programs that collect a lot of data and provide few rewards. Retailers need to treat loyalty programs like cash and protect them the way they protect consumer financial transactions.

Chris Petersen, PhD

In this day and age, consumers may face a reality that nothing is really secure!

An interesting question for retailers is whether loyalty “cards” are still relevant. In today’s omnichannel environment, with increasingly mobile shoppers, physical loyalty cards are starting to disappear.

The future would seem to be loyalty mechanisms that can be mobile-driven. A key question is whether a retailer can afford to invest enough to secure their cloud and customer data in a digital loyalty program.

As far as consumers, it is a question of risk versus reward, plus trust.

If the rewards are perceived to be valuable enough, even Millennials will give up their data for a latte … until their trust is violated. Just ask Target what happens to your brand trust when there is a widespread security breach.

Ralph Jacobson

Even with all the news on hacking in virtually all aspects of our digital lives, the typical consumer may voice an opinion when asked; however, their actions show that they remain loyal to their merchants over time.

Should retailers invest more in data security in general? Of course, because there are some new technologies in just the past few months that have come to market and can help make huge strides toward a more secure enterprise.

Mark Heckman

Yes to both questions. It will only take a few data breaches to discourage shoppers from providing personal information to the retailer, only to have it compromised and/or have their rewards pirated.

When most of the current electronic loyalty programs were formulated, my sense is that database fraud was not that high on the priority list. I know that in the original programs which I was involved with, all assumed the customer database was inside the “firewall” and there was no real discussion about any other security measures.

Fast-forward to today, with mobile and fluid access to the shopper’s points and other data, there are many more opportunities for bad things to happen. More must be done, and there must be a continual effort on the retailer’s behalf to anticipate data breaches before they happen.

Phil Rubin

Consumers won’t shy away from loyalty program enrollment any more than they are shying away from credit cards. Security issues are less of an issue for loyalty programs for consumers than they are for merchants and program sponsors. The best loyalty software has fraud prevention capabilities and the best-in-class providers will only dial those up. In the big scheme of loss prevention for retailers, loyalty fraud from hacking is not at the top of what’s causing their shrinkage.

Shep Hyken

Reward hacking is just coming to the surface of public recognition. The companies/retailers are going to have to step up their protection. They won’t be able to turn to the credit card companies to bail them out. There will be other ways to cover stolen points. Here is the bottom line: The company that steps up and shows they are making the effort to protect ALL of the customer’s data wins.

Bill Hanifin

Loyalty providers have been addressing data security for the past five years and most “should” be well on the way to establishing an environment that safeguards customer loyalty program data just as they would other sensitive personal and financial data. Most of the enterprise systems providers have been PCI compliant for several years, an indication that brands wanted this box to be ticked.

If one believes that loyalty currency is viewed by consumers as an alternate currency with real monetary value, then the data is important to be protected. Considering that points and miles are points of heated contention in divorce proceedings, etc., we can assume that many consumers have adopted this view.

I don’t think that conversation around data risks will cause consumers to hit the pause button on enrollment, but do think that a serious approach to data protection of all types must be adopted by retail brands.

Dan Frechtling

Consumers have grown numb to stories about data breaches and fraud. Further, rewards programs are relatively low on the worry list compared to credit cards and demand accounts that have real cash value and more sensitive PII.

Retailers, on the other hand, face losses if they don’t safeguard their programs. FIS suggests monitoring and exception reporting around unusual activity. This includes increases in employee access and time spent on customer loyalty databases, surges in redemption activities, clusters of unsuccessful logins, new shipping addresses or other unusual profile changes.

Sadly, since the old days of checkout staff giving extra stamps on cards to modern day account manipulation, much loyalty fraud is insider-driven.
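
Added example, not part of the comment above and not taken from FIS or any loyalty vendor: a sketch of exception reporting over a loyalty-account event log, covering three of the signals listed (clusters of unsuccessful logins, redemption shortly after a shipping-address change, and an unusually large redemption as a per-account proxy for a surge). The event format, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, account, event type, points)
EVENTS = [
    ("2015-12-01T09:00:00", "acct-1001", "login_failed", 0),
    ("2015-12-01T09:00:20", "acct-1001", "login_failed", 0),
    ("2015-12-01T09:00:41", "acct-1001", "login_failed", 0),
    ("2015-12-01T09:01:05", "acct-1001", "login_failed", 0),
    ("2015-12-01T09:01:30", "acct-1001", "login_failed", 0),
    ("2015-12-01T09:02:00", "acct-1001", "login_ok", 0),
    ("2015-12-01T09:05:00", "acct-1001", "address_change", 0),
    ("2015-12-01T09:20:00", "acct-1001", "redeem", 48000),
    ("2015-12-02T14:00:00", "acct-2002", "login_ok", 0),
    ("2015-12-02T14:03:00", "acct-2002", "redeem", 1500),
    ("2015-12-03T08:00:00", "acct-3003", "login_failed", 0),
    ("2015-12-03T18:00:00", "acct-3003", "login_ok", 0),
    ("2015-12-03T18:10:00", "acct-3003", "redeem", 30000),
]

def flag_accounts(events, fail_limit=5, fail_window=timedelta(minutes=10),
                  change_window=timedelta(hours=24), large_points=25000):
    """Return {account: sorted list of exception reasons} for analyst review."""
    by_acct = defaultdict(list)
    for ts, acct, kind, value in events:
        by_acct[acct].append((datetime.fromisoformat(ts), kind, value))
    report = {}
    for acct, rows in by_acct.items():
        rows.sort()
        reasons = set()
        fails = [t for t, kind, _ in rows if kind == "login_failed"]
        # Sliding window: fail_limit failures inside fail_window count as a cluster.
        for i in range(len(fails) - fail_limit + 1):
            if fails[i + fail_limit - 1] - fails[i] <= fail_window:
                reasons.add("failed_login_cluster")
                break
        changes = [t for t, kind, _ in rows if kind == "address_change"]
        for t, value in [(t, v) for t, kind, v in rows if kind == "redeem"]:
            if value >= large_points:
                reasons.add("large_redemption")
            # Redemption soon after a profile change: goods may ship to a new address.
            if any(timedelta(0) <= t - c <= change_window for c in changes):
                reasons.add("redeem_after_address_change")
        if reasons:
            report[acct] = sorted(reasons)
    return report

if __name__ == "__main__":
    print(flag_accounts(EVENTS))
```

The employee-access signal from the same list needs staff audit logs rather than customer events and is not covered here.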
