TY - JOUR
AU - Umar, Assad
AB - There has been a sharp rise in loyalty card fraud, with both companies and consumers missing out on the benefits they were designed to deliver. Assad Umar, Consultant at Consult Hyperion, explores the history and where these schemes are going in the future.

Loyalty schemes are tools used by merchants to reward customers who continue to buy their goods and services and/or increase their spend. According to estimates, 60% of companies reported that their loyalty customers spend two to three times more [1] than non-loyalty customers. Customers will typically earn points with every purchase of the goods or services; the accrued points can then be redeemed for discounts, vouchers or free items, as an incentive to continue to spend. However, it's not always about how loyal the customer is to one merchant; it's usually about how much they're spending and on what. After all, if the customer's overall spend drops and they only spend at one merchant exclusively, they will get fewer loyalty points, despite being completely ‘loyal’. Perhaps the most well-known loyalty schemes are the free coffees when you buy ten cups, or the various air miles schemes. These schemes do work for the merchant: 75% of customers said they were likely to make another purchase when offered an incentive, according to Wirecard [2].

Loyalty scheme fraud

Fraud associated with loyalty has been on the rise in recent years. According to a 2019 report by Forter [3], there has been an 89% increase in loyalty-related fraud from the previous year. Perhaps one explanation for such a rise is that the payment industry has become increasingly effective in securing the payment infrastructure and making it harder for criminals to steal money. Another explanation could be the sheer amount of value sitting in customer loyalty accounts with merchants.
For example, Starbucks has over $1.6 billion of unspent cash in customers' loyalty cards and wallets [4]. Such trends are increasingly turning criminals' focus to softer targets such as loyalty schemes, taking advantage of the weaker security of these systems to steal this value, which can be converted into goods if not redeemed as actual money.

Fraudulent activities associated with loyalty take different forms; at the basic level is ‘membership fraud’. This is when members of the loyalty scheme try to game the system, or take advantage of a procedural flaw. One example is the infamous story of the ‘Pudding Guy’ — David Phillips, who took advantage of a promotion by a local supermarket offering air miles with the purchase of certain products. Mr Phillips calculated that the return in air miles he got from a cup of pudding outweighed its price and went ahead to purchase over 12,000 pudding cups over several weeks. He earned more than 1.2 million air miles, enough to get him 40 round trips to Europe [5]. These are not criminal attacks; they just exploit flawed procedures.

Organised crime

At the other extreme are more determined (and often organised) criminals, trying to hack the system for criminal activities. This category poses a more serious threat, as they are capable of exploiting weak security systems, as well as using sophisticated social engineering techniques to obtain and manipulate customer information to perform account ‘takeovers’ and steal accumulated points. Fraudsters also rely on stolen personally identifiable information (PII) exposed during data breaches to target loyalty schemes. According to RSA [6], travel and hospitality accounts make up 13% of the types of accounts for sale on the dark web. Last year, many customers of UK supermarket Morrisons reported that their loyalty points had been stolen from their accounts. Morrisons insisted the problem occurred as a result of email and password reuse across multiple accounts [7].
Notwithstanding, loyalty schemes are continually evolving and, despite their security challenges, they are not going away. If loyalty schemes are to continue to deliver value, they should be protected with the same diligence as payment schemes.

Way forward

Security experts often suggest implementing stronger security features like multi-factor authentication and the use of strong passwords to protect loyalty schemes [6]. However, it's not always realistic to implement expensive countermeasures just for loyalty points, as is demonstrated by the fact that many loyalty cards still use magnetic stripes as identifiers. A holistic approach to securing the systems and reducing fraud is required in order to enforce the security controls on customers and fraudsters alike. At Consult Hyperion, we have called for a closer alignment between payment and loyalty for years [8]. Card (and mobile) payments are a mature technology with relatively acceptable levels of security which have been proven over numerous decades. A seamless way of integrating loyalty into payments would allow loyalty schemes to take advantage of the robustness of the payment schemes.

Table: loyalty fraud threat actors (columns: Organised criminals, Members, Insiders; rows: Description, Technical expertise / threat level, Fraud types)

Organised criminals
Description: Fraudsters and hackers, usually part of an organised network that brings together different expertise and resources. Their motivation is to get hold of account and payment information, steal points and sell or barter the stolen points on the dark web.
Technical expertise / threat level: High. They typically target hundreds of accounts. Data and points stolen are used to fund other illicit activities such as drugs and weapons on the dark web.
Fraud types:
1. Account takeovers: fraudsters take control of existing loyalty members' accounts, then use the accounts to redeem or transfer points.
2. System compromise: fraudsters use their technical know-how and resources to exploit security vulnerabilities within the loyalty system.

Members
Description: These are typically customers that are already members of the loyalty scheme.
Technical expertise / threat level: Low. Fraud by loyalty scheme members isn't typically conducted at scale, i.e. it usually affects a single account rather than a full-blown assault on multiple accounts. The threat level here may go up a level as the loophole becomes apparent to other members.
Fraud types:
1. ‘Double dipping’: redeeming points simultaneously over multiple channels.
2. Unauthorised sale or transfer of points.
3. Returns fraud: a customer buys an item, earns and redeems the points, and then returns the item.
4. Using fake personal details to register multiple accounts to earn points and sign-up benefits.

Insiders
Description: These are entities with some level of access to the loyalty programme infrastructure. This could be an employee or an employee of a service provider. They could be coerced by an outsider criminal.
Technical expertise / threat level: Medium-High. Typically, an insider (employee) tries to illicitly add points to their own accounts or the accounts of family and friends. However, insiders can be a high threat as they may access account management systems and tamper with protections to avoid detection.
Fraud types:
1. Unauthorised points correction.

Despite clear benefits, such integration has been limited, perhaps due to the associated costs to the merchant or the inconvenience to the customer. Earlier attempts to integrate loyalty into payments did so by co-hosting two separate applications on the same smartcard — one for payment and one for loyalty [9]. This method offered better security, but also required two separate transactions at the point of purchase, significantly affecting the customer experience.

Seamless integration

For integration to be seamless, loyalty data could be passed as part of the payment data during the transaction. Within the technology underpinning card payments today (EMV), there are several options worth considering by merchants looking to offer more security.
For face-to-face payments, there are potential storage areas within the payment card/mobile to store loyalty identity information during the transaction. Payment schemes also have a provision in their specifications for an integrated data storage (IDS) area on a payment card that may be available for use by all merchants, if it is included by the issuing bank on their cards. In the online world, the security advantages of 3D Secure (3DS) could be leveraged by merchants for loyalty. It adds an additional layer of security to online payments by requiring customer authentication before authorising the payment, which is ideal for authenticating access to the customer's loyalty account. For example, Amex offers instant redemption of Membership Rewards points at the point of 3DS authentication [10]. This is a good example of leveraging security in payments technology to provide a more secure loyalty programme.

Conclusion

As our lives and activities increasingly become digitised, attackers will continue to find ways to compromise systems. Integration of loyalty into payments will allow loyalty schemes to take advantage of the security infrastructure used in payments, increase customer satisfaction and hopefully shift the focus of criminals away. In the future, we must use our experience of working with payment brands, merchants and banks to design new and secure payment products and value-added services such as loyalty, to meet regulatory requirements and global best practices.

References
1. Loyalty Big Picture Report. Loyalty One, 2019.
2. Consumer Incentives 2019: The Digital Transformation of Rewards, Rebates, and Loyalty. Wirecard, 2019.
3. Fraud Attack Index 2019. Forter.
4. Fiscal 2018 Annual Report. Starbucks.
5. ‘Meet David Phillips...’ HuffPost, July 2016.
6. Loyalty Points Fraud: Why Reward Programs are a Growing Target. RSA.
7. ‘Morrisons Customers Slam Supermarket...’ Moneywise.co.uk, Feb 2020.
8. Payments and loyalty. chyp.com, February 2007. https://bit.ly/2UiwHMC
9. Using Smart Cards to Gain Market Share. Aneace Haddad, 2000.
10. Use Membership Rewards points with SafeKey FAQs. Amex, 2020. https://amex.co/3dplAZE

© 2020 The British Computer Society. This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/open_access/funder_policies/chorus/standard_publication_model)
TI - The Rise of Fraud in Loyalty Schemes
JO - ITNow
DO - 10.1093/itnow/bwaa049
DA - 2020-06-01
UR - https://www.deepdyve.com/lp/oxford-university-press/the-rise-of-fraud-in-loyalty-schemes-t6IDhlTbOR
SP - 44
VL - 62
IS - 2
DP - DeepDyve
ER -