7 Loyalty Program and Rewards App Attacks
The number of attacks targeting loyalty and rewards programs is growing. Here are some of the lowlights.
March 4, 2020
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt1d27907be6fd73b3/64f0d33351fd697f3ed7da44/01-loyalty.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Cybercriminals love loyalty cards and mobile pay app accounts. According to recent statistics, cyberattacks against these programs are markedly rising as crooks keep probing for the weakest link in financial payment systems to siphon off anything that can be tied to a cash payoff.
Loyalty programs and rewards apps are increasingly high-value targets for several reasons. First, they hold financial value without being money in the strict sense: points, miles, and free-item rewards can be redeemed or resold. Taking over loyalty accounts through credential stuffing, that is, replaying username and password pairs leaked from other breaches against the program's login, gives attackers a lower-risk way to extract that value than, say, defrauding a bank, because the theft draws far less scrutiny from victims, brands, and law enforcement. For criminals who don't care about such niceties, these programs are often tied to mobile payment features and thus to stored credit cards. On top of that, many of the apps, and often the programs themselves, are built and administered by third parties that may or may not operate under the same security standards as the brands they serve. All of this is a recipe for fraud.
"Fraudsters are diversifying into softer currencies that are not primarily financial and moving beyond transactional credit card fraud into areas such as loyalty account fraud," says Michael Reitblat, CEO and co-founder of Forter, which released research last October showing loyalty card fraud increased 89% year over year in 2019.
The anecdotal evidence is piling up to support those numbers, too, as many major brands have gone public lately with news of breaches and exposures of their loyalty and mobile pay apps, many of which share the same underlying platforms. Here are some of the lowlights.
Within just a few days of launching a mobile pay feature in the summer of 2019, 7-Eleven Japan saw its rewards and payment app, 7pay, under assault. According to reports about the incident, security weaknesses in the app enabled attackers to siphon roughly $500,000 worth of value from about 900 Japanese customer accounts by charging the payment cards linked to those accounts.
In August Mastercard reported that some 90,000 German customers with accounts in its Priceless Specials rewards program were impacted by a breach that exposed names, addresses, and credit card numbers. While this was a pretty run-of-the-mill information exposure, it did highlight the fact that many of these loyalty programs are run by third parties that may have less stringent security protections than the brands they work with, thus making systems related to those programs a perfect target for attackers.
The Dunkin' Donuts reward program DD Perks and its associated app have been a high-value target for credential stuffing attackers for several years now. According to a lawsuit filed last year, customers complained that attackers had been taking over accounts as far back as 2015, with little warning from Dunkin' until about 2018. Now the company has been more visible about its warnings, coming forward, for example, in February 2019 when it said DD Perks accounts were being assaulted by a massive credential stuffing campaign seeking to take over rewards accounts to drain their points value.
One of the big blows to consumers stemming from the massive Marriott hack in late 2018 was the fact that the bad guys stole Starwood Preferred Guest loyalty account information. As experts noted, the breach put loyalty customers at risk of having their valuable points siphoned off by the crooks -- a con that often has a much longer tail than credit card theft, which can usually be headed off by canceling and reissuing cards. Not coincidentally, Marriott completely rebranded its loyalty program as Marriott Bonvoy shortly after going public with attack details.
Just before the 2019 holidays, customers of British retailer Sainsbury's reported that the points associated with the firm's Nectar loyalty program were being stolen in mass quantities, with individual accounts sometimes drained of hundreds of pounds worth of value at a time. Like many account takeover schemes, this one doesn't have hard numbers of impacted accounts attached to it; as is often the case, the news is anecdotal because the attackers take a spray-and-pray credential stuffing approach, trying each leaked credential pair once and picking off whichever accounts happen to reuse a password.
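The spray-and-pray pattern behind the Sainsbury's and Dunkin' takeovers has a recognizable shape in a login service's own logs: one source hammering many different usernames, each tried once, with a low success rate and the occasional hit. The following is an added example, not code from the original article or from any of the brands it names, showing how a defender would profile that traffic and pull out the accounts an attacker actually got into, which are the ones whose points are about to be drained. The log line format (timestamp, event type, key=value fields), the sample lines, the source addresses (documentation ranges), and every threshold are constructed assumptions; tune them to your own authentication service.

```python
"""Credential-stuffing detection over login logs (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds. Stuffing tries each leaked pair once, so a scripted
# source shows a high share of distinct usernames and a high failure rate.
MIN_ATTEMPTS = 8            # ignore sources below this volume
MIN_DISTINCT_RATIO = 0.8    # distinct usernames / attempts
MIN_FAIL_RATE = 0.5         # failures / attempts
WINDOW = timedelta(minutes=5)

# Constructed sample log. 203.0.113.7 sprays ten accounts in five seconds and
# lands two hits, then redeems one victim's points; 198.51.100.4 is a normal
# user who mistypes a password once.
SAMPLE_LOG = """\
2019-12-18T10:00:01Z login user=alice@example.com src=203.0.113.7 result=fail
2019-12-18T10:00:01Z login user=bob@example.com src=203.0.113.7 result=fail
2019-12-18T10:00:02Z login user=carol@example.com src=203.0.113.7 result=success
2019-12-18T10:00:02Z login user=dave@example.com src=203.0.113.7 result=fail
2019-12-18T10:00:03Z login user=erin@example.com src=203.0.113.7 result=fail
2019-12-18T10:00:03Z login user=frank@example.com src=203.0.113.7 result=fail
2019-12-18T10:00:04Z login user=grace@example.com src=203.0.113.7 result=success
2019-12-18T10:00:04Z login user=heidi@example.com src=203.0.113.7 result=fail
2019-12-18T10:00:05Z login user=ivan@example.com src=203.0.113.7 result=fail
2019-12-18T10:00:05Z login user=judy@example.com src=203.0.113.7 result=fail
2019-12-18T10:01:10Z login user=mallory@example.com src=198.51.100.4 result=fail
2019-12-18T10:01:25Z login user=mallory@example.com src=198.51.100.4 result=success
2019-12-18T10:03:00Z redeem user=carol@example.com src=203.0.113.7 points=45000
"""


@dataclass
class Event:
    ts: datetime
    kind: str          # "login", "redeem", ...
    fields: dict


@dataclass
class SourceProfile:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)   # usernames logged into
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str) -> Event:
    """Parse '<ts> <kind> k=v k=v ...' into an Event (assumed format)."""
    ts, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, fields)


def profile_sources(events) -> dict:
    """Aggregate login attempts per source address."""
    profiles = defaultdict(SourceProfile)
    for ev in events:
        if ev.kind != "login":
            continue
        p = profiles[ev.fields["src"]]
        p.attempts += 1
        p.users.add(ev.fields["user"])
        if ev.fields["result"] == "success":
            p.successes.append(ev.fields["user"])
        else:
            p.failures += 1
        p.first = ev.ts if p.first is None else min(p.first, ev.ts)
        p.last = ev.ts if p.last is None else max(p.last, ev.ts)
    return profiles


def is_stuffing(p: SourceProfile) -> bool:
    """Many distinct usernames, mostly failing, in a short burst.
    A brute force on one account fails the distinct-ratio test instead."""
    if p.attempts < MIN_ATTEMPTS or p.last - p.first > WINDOW:
        return False
    return (len(p.users) / p.attempts >= MIN_DISTINCT_RATIO
            and p.failures / p.attempts >= MIN_FAIL_RATE)


def detect(log_text: str) -> dict:
    """Return flagged sources, accounts they got into, and their redemptions."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    profiles = profile_sources(events)
    flagged = {src for src, p in profiles.items() if is_stuffing(p)}
    # Accounts a flagged source successfully logged into: force a password
    # reset and hold redemptions on these before the points walk away.
    compromised = sorted({u for src in flagged for u in profiles[src].successes})
    suspect = [(ev.ts.isoformat(), ev.fields["user"], int(ev.fields["points"]))
               for ev in events
               if ev.kind == "redeem" and ev.fields["user"] in compromised]
    return {"stuffing_sources": flagged,
            "compromised_accounts": compromised,
            "suspect_redemptions": suspect}


if __name__ == "__main__":
    for k, v in detect(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Per-source profiling catches the noisy case above but not an attacker who rotates through a residential proxy pool so that each address makes only a handful of attempts; for that, the same ratios need to be computed across the whole login stream per window and compared against a normal-day baseline, and the successful-login-then-immediate-redemption sequence is often the stronger signal than the logins alone.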
Frequent flyer miles are a classic form of loyalty rewards that are reaping big criminal yields for cyberattackers. According to research conducted by Comparitech in 2018, a number of illicit Dark Web marketplaces were filled with stolen frequent flyer miles put up for resale by criminals, often 100,000 miles at a time. The miles came from dozens of different airlines, including British Airways, Delta, Emirates, and Virgin. The report shines a light on the consistent pressure that crooks put on the extremely valuable frequent flyer accounts that customers own worldwide.
Similar to the Sainsbury's attacks, customer reports of attacks against Pizza Hut's Hut Rewards program members circulated online in June 2019 as account holders reported their free pizza rewards were stolen by cybercriminals. Pizza Hut told reporters that the attack accounted for a "few hundred" accounts, or less than 1% of Hut Rewards customers. Nevertheless, it stands as a lesson that the bad guys, however they can manage it, are looking for any opening they can to scam customers out of valuable services or goods.