Loyalty Points: The New Underground Currency

Most of us will have a loyalty card or two, some of us have stacks of them, all slowly earning points until they become just as valuable as cold-hard cash.

Some of your loyalty cards might be a good old fashioned save up the stamps job, while others take on a far more sophisticated, digital life of their own. It’s these points that are up for grabs to any Tom, Dick or Harry hacker who wishes to swoop in and sell them on.

In this blog, we’re exploring the growing, billion-dollar underground loyalty points currency and what attackers are doing to lay their hands on said points.

How do loyalty points expose businesses to fraud?

Organizations are becoming more aware of the threats posed by online fraud, particularly in light of stricter regulations for payment processes; most payment services now require two or three-factor authentications to verify the user.

And yet, loyalty points fraud remains a prevalent issue across a host of industries, as cybercriminals seek new ways to exploit and defraud businesses.

At Netacea, we have seen more and more online marketplaces popping up, dedicated to selling access to stolen accounts with cashable points and credits.

From air miles to supermarket rewards, you don’t even need to venture into the dark web any more to find all you need to eat, shop and travel for a fraction of the actual cost. That makes one thing very clear, while security teams are busy protecting their payment gateways, hackers are setting themselves up to attack a business’s most loyal customers.

It’s a double blow for businesses with online rewards and points. Not only must they fork out for the cost of the product or experience that the hacker has stolen, but they must also reimburse the customer.

Loyalty points fraud in action

Earlier this year, household names including Dunkin Donuts, Superdrug and Hilton Honours have all hit the headlines as victims of loyalty points fraud.

Each brand was forced to ask customers to reset their passwords when their loyalty programs were targeted.

In January 2019, Hilton Honours – the hotel chain’s rewards scheme – was targeted by hackers in what would become the largest personal data breach in history. Attackers were not able to access the targeted loyalty points, but passport details and travel information.

The hotelier later confirmed that of the 500 million guests whose personally identifiable information (PII) was initially believed to be at risk, the data of just 5 million guests were found to be unencrypted and exposed. A small solace.

Dunkin Donuts’ DD Perks was also targeted for customer loyalty points. Hackers gained access to the accounts using compromised credentials that are readily available in data dumps throughout the web.

DD Perks credits were then sold on dark web forums such as Dream Marketplace, for a fraction of their value. Buyers can purchase $25 worth of Dunkin Donuts loyalty points for just $10, and that’s 100% profit for the seller.

How does loyalty points fraud work?

Loyalty points attacks are typically conducted over a prolonged period often involving multiple steps, tools and potentially different groups of hackers all with a view to maximizing the value they can extort from any business. We typically see these attacks follow four phases:

Credential stuffing

To carry out a successful loyalty points attack, the hacker needs to gain unnotarized access to a customer account. Typically, this is achieved with a credential stuffing attack, in which hackers attempt to log in to thousands of accounts on your site per minute using a credential acquired in legacy data breaches.

Account monitoring

Once a hacker has successfully accessed the customer account, they will use monitoring tools to check the points balance available. If the account is of significant value they may seek to spend the points or sell the account immediately however, others may choose to monitor the account until it accumulates more points, before committing fraud.

Account sale

The next stop is monetizing the points. A quick internet search will quickly reveal accounts for sale on a range of marketplaces, selling loyalty points for a myriad of household names in retail, finance, and travel.

Cold-hard fraud

Finally, using the points. Here we see hackers either convert or move points across accounts and businesses to spend elsewhere or using them to obtain free goods or services.

How to mitigate loyalty points fraud

Protecting your business against loyalty points fraud requires security further up the defensive chain. As stated above, credential stuffing attacks typically provide the route into a customer account for hackers, so start your mitigation strategy here.

Credential stuffing protection

Your credential stuffing protection must secure login forms on your website, mobile apps and APIs, by detecting and mitigating attacks before they escalate, to prevent the risk of future fraud.

Monitoring online marketplaces

Work with external security teams or use monitoring tools to track online marketplaces selling your breached accounts.

Fraud detection

As a final layer of protection, work with manual fraud teams to investigate transactions for any anomalous behavior.

Prevent credential stuffing attacks with Netacea

At Netacea, we provide a smarter bot management solution that solves the complex problem of credential stuffing in a scalable, agile and intelligent manner, across websites, mobile apps and APIs.

Our technology monitors all site visits to a specified path and analyses them in context relative to each of the visitors to the enterprise estate. The technology then automatically learns from the business’ web estate according to the specified priorities it faces.

Find out more about credential stuffing attacks and how we can help today.