Bot Armies Are Targeting Loyalty Points; Here’s How to Safeguard Your Customers
As back-to-school season kicks into high gear and holiday-driven spending looms in the distance, retailers across the country are using loyalty point programs to build relationships with customers and incentivize them to return for future purchases, driven by the promise of discounts, perks, exclusive benefits and more.
However, over the last year, and especially during the summer spending boom, customer loyalty point accounts have become the target of cybercriminals, who see this store of data as an excellent and vulnerable entryway into consumers’ accounts and, by extension, their wallets.
For retailers whose loyalty points are a source of trust and connection with customers, a data breach or account takeover because of a loyalty program can be devastating. To adequately safeguard customers, retailers must understand and prepare now for loyalty point fraud before it’s too late.
Loyalty Points Are a Shiny Target for Cybercriminals
To protect customers, retailers must first understand what it is about loyalty points specifically that make them such an enticing target for cybercriminals.
According to Statista, average memberships in loyalty programs in the U.S. have gone up since 2015, with the average user in 2021 holding an average of 16.6 accounts. Of those accounts, however, only 7.6 were actively used. That’s only about 46 percent of accounts, meaning the average American leaves more than half of their membership accounts unused and unattended.
Any major store of valuable data that includes information like date of birth and credit card details presents a shiny target for bad actors. When you couple that with the large number of largely unused or unsupervised loyalty accounts out there, and you have a recipe for retail disaster.
How Bot Armies Make Their Mark
One of the most prevalent methods cybercriminals use to facilitate loyalty point fraud is credential stuffing and account takeover (ATO).
Credential stuffing, or the “automated injection of stolen username and password pairs (“credentials”) into website login forms,” according to the OWASP Foundation, allows attackers to use large swaths of illegally obtained data to take over accounts and access the valuable data that lies within. These types of attacks have been increasing. In fact, Akamai data from the 2021 holiday shopping season reflected a whopping 226 percent increase in credential stuffing attempts as attackers aimed to compromise customer accounts. We've seen repeated patterns of this during other key gift-giving periods, including Christmas, Diwali, and Singles Day in China.
With loyalty point accounts, we often see as many as 1 billion attacks per day that are exclusively targeting loyalty points. And, as hackers often do, it’s likely we’ll see these types of attacks grow more sophisticated and dangerous as time goes on.
How to Protect Customers and Businesses
To effectively protect their own personal data, consumers must reevaluate their loyalty point accounts and deactivate ones they aren’t using. In addition, consumers should monitor accounts regularly and if they notice anything out of the ordinary, change their passwords and work with the organization owning the account to ensure it’s protected. Using different login credentials for each account can also make it more difficult for an attacker to gain access and is generally a best practice in cyber hygiene.
For retailers that own the loyalty programs, educating themselves and strengthening their bot detection and mitigation capabilities is the best first step to protecting employees and customers. By understanding how cybercriminals facilitate these attacks and implementing measures to address them proactively, they can not only protect customers, but keep their hard-earned loyalty and trust in the process.
In his 12 years at Akamai, Patrick Sullivan has held a number of leadership positions including leading the Enterprise Security Architect team. Sullivan and his team work with customers when they come under attack and designs security architectures to protect them from threats. In the course of helping to fend off attacks, he has gained visibility into attacks targeting many of the top Enterprises. With his ability to see Security issues as a critical component of a client’s business strategy, Sullivan often speaks at security events and with clients around the world. Prior to Akamai, Sullivan held various leadership positions at DISA, AT&T, Savvis, and Cable and Wireless.