When it comes to customer loyalty, Daniel Shkedi says that brands often sign on to a “social contract” to protect the data they collect and store from their customers.
“Customers say ‘We will give you our business, as long as you create a sense of trust and protect our personal data and our accounts,’” says Shkedi, the Senior Product Marketing Manager for Forter, which offers a fraud prevention platform used by some of the top online retailers.
“When a loyal customer is the victim of fraud or abuse, that trust is broken and is very hard to regain. In addition, fraud attacks prompt merchant fraud/risk teams to react,” he says. “When responding to impending threats, fraud teams use tools that introduce friction into the user journey, ultimately damaging the customer experience.”
While consumers sometimes fail to follow proper guidelines with their own data and online security, Shkedi says that the onus for fraud prevention falls more heavily on the businesses that collect the consumer information.
“That is both the common practice and in many cases a legal requirement,” he says. “Merchants are required to implement anti-fraud systems and other safeguards to protect card-not-present credit card transactions.”
Why Loyalty Programs Have Become Targets
When it comes to fraud among consumers who are part of loyalty programs, Shkedi says there are four main reasons why those programs have become a target:
- In recent years these programs have offered more rewards and benefits to customers. The rewards have grown both in value and liquidity due to the competitive nature of the market.
- Loyalty program security has lagged behind other account-based services such as banking and credit cards, making them an easy target for fraud.
- Low threat awareness. Shkedi says consumers should ask themselves a simple question: how often do you check your bank account? “I check mine every other day. Now, how often do you check your loyalty accounts? I have 4-5 accounts and have probably checked them 5 times collectively,” he says.
- Loyalty fraud can occur throughout the entire user journey: at registration, at login, on the financial info page, when points are redeemed, and at the point of transaction. These multiple touch points of vulnerability make it an extremely difficult problem to deal with.
“As a result, loyalty points have become a new currency for fraudsters and are especially prevalent in dark web markets,” Shkedi says.
Bots and Automated Attacks Exploiting Customer Accounts
Some retailers have moved to more experiential reward opportunities where program membership is required, but those brands are seeing bots signing up thousands to tens of thousands of accounts. Shkedi says bots and automated attacks have been exploiting customer accounts for quite a while now, and that automated attacks are an advanced cyber threat that cannot be detected or thwarted with legacy fraud tools or manual review teams.
“These threats require highly-advanced fraud prevention platforms that can process a wide array of data types like device or network data, behavioral analytics, and other cyber intelligence data points,” he says.
Meanwhile, Forter’s Account Protection Solution can accurately identify automated bot traffic used to scrape information from websites. It distinguishes between good bots — such as Google indexing services — and scraping bots used by competitors and malicious actors. Shkedi says customers have the option to hard block this traffic, thwart bots with a user challenge, rate-limit to manage the scope and frequency of scraping, or even control the content presented to scrapers to deceive the scrapers or prevent them from getting fresh content or specific promotions.
Financial considerations have even led some retailers to alter or limit employee access to loyalty programs due to fraud and gaming concerns, but Shkedi says there is a way to address employee fraud and gaming issues.
“Inside jobs are definitely a growing concern,” he says. “But the good news is that this problem can be solved with a variety of access management tools. However, this is much more of a traditional cyber security issue within organizations, rather than fraud perpetrated by external actors.”
Measuring Fraud Prevention
Shkedi points out that there are several metrics that are often used to measure fraud prevention:
- Approval Rate: the percentage of transactions that are approved for processing.
- Chargeback Rate: the percentage of transactions that were successfully disputed due to fraud.
- False Decline Rate: the percentage of registrations, logins or transactions that were wrongly rejected.
- False Acceptance Rate: the percentage of fraudulent actors that were wrongly admitted into the loyalty program.
- Abandonment/Drop-Offs: the percentage of users that abandon the online session. High drop-off rates are indicative of increased friction that is impairing the customer experience.
“Of course, operational analytics such as average spending per transaction or annual spending can be used as success metrics in fraud prevention as well,” Shkedi says.
Overall, fraud inside loyalty programs is skyrocketing, and Forter points out that online transaction fraud losses — which are increasingly driven by account-focused attacks — were expected to reach $25.6 billion in 2020.
Shkedi believes that the loyalty program team should be directly involved in fraud prevention activities, and it is a challenge that requires a strong partnership between all relevant stakeholders in the organization.
“Increasing threat awareness and periodic training is an important internal practice for fraud prevention activities,” he says.
Defining Fraud and Abuse
There are various types of fraud when it comes to loyalty programs, as well as different types of loyalty abuse, or what is called ‘gaming.’ Shkedi says fraud is criminal activity, and includes:
- Account Takeover (ATO): attacks in which fraudsters use methods such as brute force, stolen credentials, or automated cyber-attacks to break into existing accounts and steal user credentials, funds, or benefits.
- Account Opening Fraud and Abuse: when fraudsters create multiple fake loyalty accounts, occasionally leveraging stolen identities or synthetic IDs, then use them for a variety of fraudulent schemes, including loyalty points laundering.
- Transactional Fraud: after breaking into accounts, fraudsters use credit cards or other payment methods linked to loyalty accounts to perform fraudulent transactions.
Shkedi says gaming or policy abuse occurs when legitimate users violate various business policies to receive benefits or rewards by exploiting loopholes in the system. Notable examples include signup, referral, and coupon rewards being overshared or gained dishonestly.
For instance, Shkedi says signup abuse is common in loyalty programs: online customers take advantage of signup benefits — free points or coupons — by hiding their identity, opening multiple accounts, and then transferring points or rewards to a single account.
“This could be an airline frequent flyer program that offers 200 free points upon signup,” he says. “The abuser then opens several accounts by hiding their identity and transfers all of the rewards into a single account.”
Exploiting A Program’s Sharing Options
Shkedi says it is important to stress that the main effort in this type of fraud is the monetization process. After gaining access to accounts or user data, he says fraudsters exploit the program’s sharing options to transfer points to “safe accounts” that were set up in advance.
“In order to conceal the origins of stolen points, fraudsters at times create a complex sequence of legitimate and illegal transfers to execute point laundering schemes,” Shkedi says. “At the end of the ‘laundering funnel,’ fraudsters use multiple techniques to monetize.”
Those techniques include:
- Redeeming and Reselling: fraudsters purchase goods or services with loyalty points and resell them in dark web marketplaces and/or hidden Telegram channels. A widespread technique is buying untraceable gift cards and reselling them for 25%-60% of their value.
- Accounts and Data for Sale: fraudsters sell points, hacked accounts, or stolen data to third parties.
- Points-as-a-Currency (PaaC): at times, loyalty fraudsters pay other cyber-criminals or illegal service-providers with stolen points, exploiting their increasing value, liquidity and anonymity.
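The signup-abuse pattern above (many fresh accounts funnelling their free points into one account) and the multi-hop “laundering funnel” are both visible in a program’s point-transfer ledger. The following is an added example, not Forter’s code or the platform described here: it builds a transfer graph from a constructed ledger, walks it backwards from each terminal account, and flags accounts whose points originate from several accounts that transferred out within days of being created. Account names, dates, point values and the thresholds (`max_age_days`, `min_feeders`) are assumptions for illustration.

```python
"""Point-laundering funnel detection over a constructed loyalty transfer ledger.

Added example; the ledger, account names and thresholds are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    id: str
    created: date


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    points: int
    day: date


@dataclass(frozen=True)
class Funnel:
    sink: str
    feeders: tuple      # young accounts whose points end up in the sink
    intermediaries: tuple  # accounts the points were routed through
    points: int         # total points received by the sink


# Constructed ledger: m1..m5 are throwaway signups (200 free points each)
# created the same day; m1 and m2 send points straight to "hub", m3..m5 route
# them through "mid" first. carol -> dave is an ordinary gift between old accounts.
ACCOUNTS = {
    a.id: a for a in [
        Account("hub", date(2024, 4, 20)), Account("mid", date(2024, 5, 1)),
        Account("m1", date(2024, 5, 1)), Account("m2", date(2024, 5, 1)),
        Account("m3", date(2024, 5, 1)), Account("m4", date(2024, 5, 1)),
        Account("m5", date(2024, 5, 1)),
        Account("carol", date(2019, 1, 10)), Account("dave", date(2018, 6, 3)),
    ]
}
TRANSFERS = [
    Transfer("m1", "hub", 200, date(2024, 5, 2)),
    Transfer("m2", "hub", 200, date(2024, 5, 2)),
    Transfer("m3", "mid", 200, date(2024, 5, 2)),
    Transfer("m4", "mid", 200, date(2024, 5, 2)),
    Transfer("m5", "mid", 200, date(2024, 5, 3)),
    Transfer("mid", "hub", 600, date(2024, 5, 4)),
    Transfer("carol", "dave", 1000, date(2024, 5, 2)),
]


def trace_origins(sink, inbound, max_depth=6):
    """Walk transfers backwards from `sink`; return (origin accounts, pass-through accounts).

    An origin is an account that received no transfers itself, so its points came
    from earnings or a signup bonus. Depth-limited and cycle-safe so circular
    transfers between mule accounts cannot loop forever.
    """
    origins, intermediaries, seen = set(), set(), {sink}
    stack = [(sink, 0)]
    while stack:
        node, depth = stack.pop()
        for t in inbound.get(node, ()):
            if t.src in seen:
                continue
            seen.add(t.src)
            if t.src in inbound and depth + 1 < max_depth:
                intermediaries.add(t.src)
                stack.append((t.src, depth + 1))
            else:
                origins.add(t.src)
    return origins, intermediaries


def find_funnels(accounts, transfers, max_age_days=7, min_feeders=3):
    """Return {sink: Funnel} for terminal accounts fed by >= min_feeders young origins."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for t in transfers:
        inbound[t.dst].append(t)
        outbound[t.src].append(t)
    first_out = {a: min(t.day for t in ts) for a, ts in outbound.items()}

    def is_young(acct):
        # "Young" = transferred points out within max_age_days of signup.
        return (first_out[acct] - accounts[acct].created).days <= max_age_days

    funnels = {}
    for sink in inbound:
        if sink in outbound:   # intermediaries forward points on; report the terminal account
            continue
        origins, mids = trace_origins(sink, inbound)
        feeders = sorted(o for o in origins if is_young(o))
        if len(feeders) >= min_feeders:
            funnels[sink] = Funnel(sink, tuple(feeders), tuple(sorted(mids)),
                                   sum(t.points for t in inbound[sink]))
    return funnels


if __name__ == "__main__":
    for f in find_funnels(ACCOUNTS, TRANSFERS).values():
        print(f"{f.sink}: {f.points} points from {f.feeders} via {f.intermediaries}")
```

The backward walk is what makes the intermediary hop irrelevant: “hub” is flagged with all five throwaway accounts as feeders even though three of them never transferred to it directly, while “dave”, whose only inbound transfer comes from a five-year-old account, is not. In a real program the age check would be one of several origin features (shared device or payment fingerprint across the feeders, no purchases since signup), and the review queue would receive the whole funnel rather than one account at a time.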
Many travel and entertainment brands have reported new challenges with ‘credential stuffing’ attacks on loyalty programs, especially those that may not be as frequently monitored. These attacks are an automated trial-and-error method used by cyber-criminals to break into accounts. Shkedi says the fraudster runs a script that repeatedly submits username and password combinations — often from a stolen list of data — on the login page until it is able to access an account.
“More sophisticated scripts are also capable of labelling the combinations that worked,” Shkedi says. “That enables the fraudster to launch manual ATO attacks later.”
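The behaviour just described has a recognisable shape in a login log: one source submitting many username/password pairs in a short window, most of them failing, across many distinct accounts, with a few successes that the script “labels” for later manual takeover. The following is an added example, not Forter’s detection logic: it runs a sliding-window check over constructed login records. The log format, IP addresses, usernames and thresholds (`window`, `min_attempts`, `min_distinct`, `min_failure_rate`) are assumptions for illustration.

```python
"""Credential-stuffing detection over a constructed login log.

Added example; the log lines and thresholds are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<ISO time> <client ip> <username> <OK|FAIL>"
# 198.51.100.4 is one user mistyping their own password twice; 203.0.113.7 is a
# script walking a stolen list, with two hits.
SAMPLE_LOG = """\
2024-03-01T10:00:00 198.51.100.4 alice FAIL
2024-03-01T10:00:05 198.51.100.4 alice FAIL
2024-03-01T10:00:09 198.51.100.4 alice OK
2024-03-01T10:00:00 203.0.113.7 user001 FAIL
2024-03-01T10:00:01 203.0.113.7 user002 FAIL
2024-03-01T10:00:01 203.0.113.7 user003 FAIL
2024-03-01T10:00:02 203.0.113.7 user004 OK
2024-03-01T10:00:02 203.0.113.7 user005 FAIL
2024-03-01T10:00:03 203.0.113.7 user006 FAIL
2024-03-01T10:00:03 203.0.113.7 user007 FAIL
2024-03-01T10:00:04 203.0.113.7 user008 FAIL
2024-03-01T10:00:04 203.0.113.7 user009 OK
2024-03-01T10:00:05 203.0.113.7 user010 FAIL
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass(frozen=True)
class Finding:
    ip: str
    attempts: int
    distinct_users: int
    failure_rate: float
    compromised: tuple  # accounts that logged in successfully from this source


def parse_log(text):
    """Parse the assumed log format into Attempt records, skipping blank lines."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return attempts


def detect_stuffing(attempts, window=timedelta(minutes=5), min_attempts=8,
                    min_distinct=5, min_failure_rate=0.6):
    """Flag sources whose attempts in any `window` span many accounts and mostly fail.

    Returns one Finding per flagged IP (its largest qualifying window), including
    the usernames that succeeded so those accounts can be locked or re-verified.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda a: a.ts)
        best, start = None, 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {a.user for a in win}
            rate = sum(1 for a in win if not a.ok) / len(win)
            if len(win) >= min_attempts and len(users) >= min_distinct and rate >= min_failure_rate:
                cand = Finding(ip, len(win), len(users), round(rate, 2),
                               tuple(sorted(a.user for a in win if a.ok)))
                if best is None or cand.attempts > best.attempts:
                    best = cand
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f.ip}: {f.attempts} attempts, {f.distinct_users} accounts, "
              f"{f.failure_rate:.0%} failed, hits={f.compromised}")
```

The combination of the three conditions matters: a high failure rate alone catches the legitimate user who forgot a password, and a high attempt count alone catches a shared NAT or office gateway, but many distinct accounts from one source with a dominant failure rate is the stuffing signature. The obvious evasion is spreading the list across a proxy pool so no single IP crosses the thresholds; that is why the text stresses device, network and behavioural signals, which would replace the per-IP key here with something the attacker cannot rotate as cheaply.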
Thankfully, Forter offers a solution that can effectively detect credential stuffing attacks on loyalty program login pages. Signals are collected and correlated by Forter’s fraud prevention platform using advanced machine learning techniques, predictive models, and expert security research to identify credential stuffing and account takeover attacks.
Best Practices to Address Fraud and Gaming
Going forward, Shkedi says there are best practices that brands can use to address fraud and gaming challenges, and a few have made serious changes to their cybersecurity/fraud prevention policies, including:
- Increasing threat awareness. Online service-providers/e-retailers have invested more time and effort in educating their loyal customers and staff on the perils of loyalty program fraud.
- Moving to an automated approach. Enterprises have implemented new AI-driven fraud prevention solutions that are 100% automated.
- Protecting multiple touch points. Loyalty programs create a wide attack surface that needs to be protected. More and more programs are shifting from protecting only the checkout page to full end-to-end protection of the entire customer journey (from login to logout).
Visit https://www.forter.com/