It has become practically impossible to keep up with the number of loyalty-related security breaches. In today’s edition of “Who Got Hit?”, we read that Tesco is sending security warnings to 600,000 Tesco Clubcard loyalty members following fraudulent activities. The breach is suspected to be attackers trying to ‘brute-force’ their way into the loyalty system, using stolen credentials, potentially from a different breach. In recent years, fraud associated with loyalty has been on the rise. According to a 2019 report by Forter was an 89% increase in loyalty related fraud, from the previous year.
Perhaps one explanation for such a rise is that the payment industry has become increasingly effective in securing the payment infrastructure and making it harder for criminals to steal money. Additionally, the amount of value sitting in customer loyalty accounts continues to rise. For example, Starbucks has over $1.6 billion of unspent value in customer’s loyalty card and wallet accounts. Such trends are increasingly turning criminals’ focus to ‘softer’ targets such as loyalty schemes, taking advantage of weaker security of the systems to steal this value which can be converted into goods if not redeemed as actual cash.
Loyalty fraudsters can loosely be categorised, based on their motivations, technical expertise and level of access to the loyalty systems and processes. The table below outlines such categorisation:
Strong Passwords are no Panacea!
Security experts often suggest implementing stronger security features such as multifactor-authentication and the use of strong passwords to protect loyalty schemes. These are welcome suggestions; it is however not always realistic to implement expensive countermeasures just to protect loyalty points. A holistic approach to securing the systems and reducing frauds is required in order to enforce the security controls on customers and fraudsters alike.
Colleagues at Consult Hyperion have called for a closer alignment between Payment and Loyalty for years now. Card (and mobile) payments are a mature technology with relatively acceptable levels of security which has been proven over numerous decades. A seamless way of integrating loyalty into payments would allow loyalty schemes take advantage of the robustness of the payment schemes. Despite clear benefits, such integration has been limited, perhaps due to the associated costs to the merchant or the inconvenience to the customer. But a lot is changing in the world of customer authentication. Recent advances such as FIDO 2 and 3D-Secure 2.0, will allow strong customer authentication to be achieved within various contexts (including loyalty!), while maintaining a positive customer experience.
Within Consult Hyperion, our subject matter experts bring a deep understanding of the relevant payments technologies, as well as decades of experience in assessing and designing secure systems. If you would like to know more, feel free to give us a call.
More detail can be found here