Loyalty fraud wave sparks security tech collaboration

By David Heun
Published June 21 2019, 12:01am EDT

Hackers are flocking to loyalty and rewards programs, pushing marketers to embed extra fraud technology to stem financial losses.

Fraudsters find the stored-value accounts that fund loyalty programs easy to take over and sell online, and the attacks are evolving from brute force malware and phishing to broader assaults on entire businesses.

“Program sponsors are aware of the risks and prevalence of fraud as it relates to loyalty; however, Engage still finds itself educating a number of partners with industry-specific data,” said Len Covello, chief technology officer at Engage People, a Toronto-based loyalty marketing company that serves financial institutions and retail clients.

Loyalty: good points and bad points
  • Consumers maintain 3.3 billion loyalty programs
  • Stored points, travel miles valued at $48B
  • 81% of consumers equate points with cash
  • 72% of program managers have experienced fraud
  • One in 10 program members never check balances

    Source: Chargebacks911 U.S. data

Engage just entered a partnership with AI-driven fraud technology company Kount to shore up defenses for the mix of Engage’s white-label clients who offer rewards programs such as points, or points plus cash.

By partnering with the Boise, Idaho-based Kount, Engage People is hoping to counter a worldwide trend in which account takeovers resulted in $5 billion in losses in 2017 and $4 billion in 2018, while compromises on loyalty programs have nearly tripled in the past two years, according to Javelin.

The problem is particularly acute in the travel industry because the loyalty points in those programs are easily converted to valuable assets on the black market, according to Julie Conroy, a research director at Aite Group, who called loyalty programs a “soft underbelly” because merchants don’t necessarily protect the points as money.

“Criminals are quick to capitalize on that oversight,” Conroy said.

Attackers are also targeting e-mail APIs, which allows a takeover of an e-mail account; attacking the password reset function; and assuming a fake identity through that e-mail to probe and steal from loyalty programs.

“All of these attacks are happening simultaneously,” said Rich Stuppy, chief customer experience officer at Kount. Based on the amount of protection a business or financial institution has, the fraudster has a tool to step up attacks and penetrate, Stuppy added.

And it’s not a simple case of someone stealing your rewards program and spending the points for their own enjoyment. There’s not enough reward to the fraudster in that scenario.

“A single fraudster can only spend or transfer so many loyalty points,” Stuppy said. “But what they can do is use a very effective way to monetize this by putting the programs up for sale in online marketplaces, Facebook groups or dark web forums.”

In those scenarios, a loyalty program with $100 of value is sold for $50. When there are hundreds or thousands of those accounts available, the fraudster has developed a model for a solid return on investment.

AI and machine learning gather loyalty transaction data from merchants and issuers. Combined with fraud analysis, that can mitigate attacks at the front end of the process.

“A layered defense remains important, but it is making sure tools are in the right place and executing decisions on policy and strategy in a way that aligns with how the business wants to treat its customers,” Stuppy said.

Kount uses this mix of AI and analysis to examine events that come through its platform in real time.

“We are also drawing conclusions and looking for evidence without the signals from machine learning, finding the hidden relationships and stopping them as fraud emerges,” Stuppy said, adding the process provides clues as to what a consumer might commonly do to redeem loyalty points, such as the amount redeemed, the app used to do so, the time and place. For an individual consumer, there might be 10 or 15 different use cases, Stuppy said.

Reports of compromised or drained accounts help detect fraud, but that data may surface too late to catch fraud as it emerges. Unsupervised machine learning can often deter fraud in real time, while the machine learning that develops red-flag signals adds supporting data, he added.

“But if an organized fraud ring was involved, we could identify hundreds of thousands of events in real-time that would indicate a cluster of activity that would be much higher than for a normal person,” Stuppy said.

As more merchants add loyalty components to their businesses, the fraud attacks will increase, Aite’s Conroy said. “Protecting loyalty offerings just as you would any other part of your business is important.”
