Insecure Loyalty Points are the Dark Web’s New Currency

We are hard-wired to be lazy, to follow the path of least resistance. Urban planners know this well—despite their best efforts, “desire paths” are a common feature of many parks.

It doesn’t matter where paths are laid, people will take the simplest and most direct route to their destination, flattening grass and creating new pathways of their own.

Hackers are just as lazy as everyone else, and will follow the path of least resistance to make their lives easier. Banks and other financial services providers know how damaging a cyber attack would be to both their systems and reputation, and most have invested heavily in cybersecurity solutions.

Online banking systems are now often as impregnable as their physical safes—getting in and stealing data requires planning, a wide knowledge of vulnerabilities, and a good bit of luck. It seems like too much effort, especially when there are targets that are just as lucrative but are far less secure, such as loyalty points.

Loyalty schemes let customers swap points for goods, making them essentially a currency. This presents hackers with a choice; either steal money from a highly secure virtual vault, or steal points—that work in pretty much the same way—from a far less secure location. Laziness suggests that all desire paths will lead to the latter.

Taking the threat seriously
People don’t treat loyalty points in the same way as they treat other financial products. When our wallet or purse is stolen or lost, we immediately cancel our credit and debit cards. Our loyalty cards can wait. Retailers tend to treat loyalty points in the same way—logging into an account doesn’t have the same level of security, and two-factor authentication is rare.

Retailers can’t be blamed for lower levels of security. After all, the point of loyalty schemes is to keep the customer engaged and to encourage repeat business. If logging into an account becomes difficult or requires extra steps, people are far less likely to use it. People are, as noted previously, fundamentally lazy.

There is also a customer expectation that points will be refunded if something goes wrong. In December, it was reported that a portion of Nectar card members had seen their point balances wiped out—and many were furious, demanding something be done. It wasn’t clear what had gone wrong, but the assumption was that whatever had gone wrong was the supermarket’s fault, and it was up to them to fix it.

Adding fuel to the already complicated fire, consumers don’t track their points in the same way that they do their bank balance, so thefts can go unnoticed for months or even years. People like to let their loyalty points accumulate unseen before they splurge with them, so it can be a shock to check an account and find it empty.

The amounts held in these accounts are often much higher than many realize. It’s not just retailers that need to understand the loyalty points threat: air miles accounts held by travel organizations can be worth thousands or even tens of thousands of dollars, and it’s all up for grabs for those who know how.

Businesses need to take this threat as seriously as a bank would treat the theft of funds. Twice as seriously, in fact—theft of loyalty points is often a double hit for the target organization. Not only will they need to refund points that have been stolen, they are likely to have already honored the stolen points.

Stealing, without stealing
The biggest threat is not the literal theft of points, but the abuse of a system’s ordinary business logic to extract points, with automated bots used to make the abuse as efficient as possible.

For example, “seat spinning” bots put flights being sold by an airline into a basket, but don’t actually buy them—instead, the basket is refreshed as many times as possible, and another bot takes over when it is forced to give up the flight. This process pushes up the price and limits the availability of flights for legitimate customers.

However, those customers can find cheaper flights by looking at third-party sellers. Those sellers, it turns out, are run by the same people operating the bots that keep prices high; the flights are only purchased once a customer buys them through the third-party site.

Customers think they are getting a bargain, but they are actually buying the ticket at a mark-up, and any loyalty points gained won’t go to the buyer, but to the automated middleman. Customers lose out, as they pay more than they should and don’t get the benefit of loyalty points.

The airline loses out because it neither receives the full price the customer paid for the ticket nor gains the intended benefit of the loyalty points—they are, after all, designed to encourage repeat business and a warm feeling towards the brand. The hacker wins at least twice over.

Businesses need to treat their loyalty point schemes more like bank accounts, and encourage their customers to do the same. This is as much a cultural shift as a technological one—customers need to be taught to respect and protect their loyalty point accounts just as they would any account holding “real” money. Any business with a loyalty point scheme must do the same.

Not only do they need to protect these accounts, they need to know who is accessing these schemes, and why—not only detecting hacking attempts, but also foiling those looking to subvert everyday business logic to steal points. If not, they are acting like a bank handing out free banknotes.