3 Steps to Protect Your Hotel's Loyalty Program from ATO Attacks and Online Fraud

Summer is here, and with it comes planning for long-awaited vacations. Many travelers rely on loyalty program points to offset the cost of traveling. Unfortunately, some may be in for a rude awakening when they find their loyalty accounts have been hacked and points stolen by fraudsters, leaving them with nothing to redeem. 

Loyalty fraud typically involves account takeover (ATO), where a fraudster gains unauthorized access to an account linked to a loyalty rewards program. ATO attacks have increased in frequency, complexity, and severity in recent years, especially as malicious actors find new ways to streamline attack vectors and make them accessible to fraudsters of all skill levels. Some 69% of companies surveyed lost revenue due to bot-driven account fraud in 2022.

The hospitality industry has been hit especially hard by automated bot and ATO attacks. According to Lexis Nexis, automated bot attacks have skyrocketed in travel and hospitality with a 239% increase over the past year, concentrating on vulnerable loyalty programs. The stakes are high for hotels as they work to build up their cybersecurity protections against ATOs without losing sight of the user experience guests expect.

How and Why Bad Actors Are Targeting Loyalty Programs

One of the reasons ATO attacks have surged is due to new tools and techniques that have lowered the barrier of entry for adversaries. In many cases, bad actors specialize in specific parts of the attack chain, limiting their overall traceability while still giving them multiple opportunities to profit from breached accounts. An example of this is an actor whose sole job is to steal loyalty points or account credentials, where there is someone else who sells them to other bad actors.

In addition, we’ve seen a shift away from the traditional exploitation of credit card information toward a more targeted approach that focuses on taking advantage of customer loyalty programs and point balances. This trend is especially evident in the hospitality industry and is driven by two factors: 1) changing travel patterns following the global pandemic in 2020 and 2) limited options to reverse lost points post-attack.

During the earliest days of pandemic lockdowns, there was a steep decline in travel and, as a result, most people were not accessing or monitoring loyalty reward accounts for prolonged periods. This created an opportunity for attackers to quietly target accounts and slowly pilfer customer points without being detected.

Additionally, loyalty points aren’t tracked or managed by big financial institutions, so it’s harder to roll back unauthorized point usage compared to unauthorized credit card usage. Fraudsters have quickly realized they are less likely to face consequences when they target loyalty reward programs, so these accounts have become top targets.

And finally, loyalty points are easier to “cash out,” even if attackers don’t have access to all of a user’s personal information. With loyalty programs, unauthorized users can more easily exchange points for gift cards or transfer points to other connected accounts without additional identity verification. While guests may be accessing those accounts more frequently than they did at the height of the lockdown, it’s still not easy to recover stolen loyalty points once bad actors are discovered. There’s usually no standardized way loyalty points can be frozen and reissued when an ATO attack occurs.

ATO attackers most frequently use credential stuffing techniques, looking for leaked credentials from previous breaches and using that information to access other accounts that use similar credentials. These malicious actors rely on target research, residential proxies, social engineering techniques, and bypass configs to make their attacks more effective and profitable.

Oftentimes, loyalty program members are using the same or similar credentials for their loyalty accounts as they do for other personal accounts, making them particularly vulnerable to credential stuffing and ATO attacks.

CAPTCHAs: Flawed Security That Harms User Experience

CAPTCHAs have long been used to verify and protect user identities on websites, but as AI tools have grown more sophisticated, CAPTCHAs no longer suffice.

Several generative AI tools are now able to bypass CAPTCHA images and questions. There’s also a growing number of CAPTCHA-solving services that can quickly and affordably get through CAPTCHA barriers while doing so six times faster than a human can.

On top of their security limitations, CAPTCHAs create a poor user experience for customers.  Solving CAPTCHAs can be a tedious process and every second counts when you’re trying to influence travelers to book on your website or mobile app. Online hotels need to recognize the limitations of CAPTCHAs and consider alternatives such as invisible challenges for online security.

Steps to Combat ATO Attacks and Online Fraud

1. Stop fraud at the front door: Take proactive measures to combat ATO attacks in your organization. Your team should shift its focus from downstream fraud to stopping fraud before it occurs at account login.
2. Implement up-to-date threat detection tools: CAPTCHAs are not ideal in today’s threat landscape, and many other tools can detect and mitigate ATOs. Look for robust bot detection and mitigation solutions that do not use a CAPTCHA and are resilient enough to detect ATO attacks in real-time, even when attackers change their tools and techniques.
3. Break down internal silos to improve cross-functional collaboration: Consider combining anti-fraud and cybersecurity efforts into one team, and make sure they’re closely partnering and communicating with account management or e-commerce teams to reduce threat response silos.

Today’s top hotel brands are committed to safeguarding guest data while enhancing the overall guest experience. To this end, hotels must take proactive steps to combat the nefarious activities of ATO attacks and loyalty fraud. Rather than relying on traditional CAPTCHAs, hotels should incorporate cybersecurity best practices across all parts of their operations. A key element of this involves obtaining internal support to promote a stronger and more proactive response to stopping ATO threats. Ultimately, it falls upon technology leaders to spearhead these efforts and ensure the safety and protection of their guests’ sensitive information and loyalty points.

ABOUT THE AUTHOR

Sam Crowther is the founder and CEO of Kasada, a cybersecurity company specializing in stopping bot attacks. He began his career as a teenager working for the cybersecurity division of the Australian government. Sam launched Kasada in 2015 to provide innovative web traffic integrity solutions to companies around the world.  Now, Sam has become a renowned visionary in bot management and cybersecurity.  The company is protecting over $50 billion in eCommerce, $10 billion in gift cards, and billions of user accounts - for many of the world’s largest online businesses.