The adoption of chip-enabled EMV credit cards has helped reduce the amount of card-present fraud in brick-and-mortar stores, but for identity thieves, the necessity for someone else’s credit information is the mother of invention (or ingenuity). The latest target for fraud? Travel loyalty programs.
As account takeover (ATO) soars, loyalty points accounts in particular are being preyed upon in greater numbers; of all card-not-present fraud that occurred in 2016, 4% of attacks were on loyalty and rewards points accounts, but that number jumped to 11% in 2017. In 2016, 48% of online businesses experienced an increase in ATO over the previous year, and ATO losses reached $2.3 billion. This article from Sift Science discusses why hackers are targeting loyalty points accounts and what hoteliers could do about it.
Why target loyalty points accounts?
Unfortunately, loyalty accounts are easy to drain, making them even more attractive to ATO fraudsters. They’re designed to make redeeming points for goods and services simple, which in turn means it’s just as simple for a criminal to quickly use up an unsuspecting victim’s points without having to input any form of payment or other information (though the victim’s payment and personal data are accessible to the thief once they log into the account).
The fact that many people tend to let their points languish or forget about them before getting around to redeeming them makes them sitting ducks, ripe for the hunt. As of 2016, $48 billion in rewards sat unredeemed in customer accounts.
Fraudsters use stolen credit cards to earn even more loyalty points
Fraudsters aren’t just interested in hacking accounts for points – they’ve also found ways to cheat loyalty programs by racking up points illegitimately. Using a hotel loyalty program as an example, the criminal often acquires stolen credit card information in bulk and then uses it to purchase multiple stays. These transactions accrue a massive amount of loyalty points, which the criminal then redeems before the fraud is discovered. Once the cardholder of the stolen information discovers the fraud, they file a chargeback.
The fallout can be devastating for both the hotel and the customer. The hotel is responsible for chargeback fees and loses the profits generated from the sale, in addition to the value of the points redeemed by the fraudster, which the hotel now has to pay out a second time to reimburse the customer’s loss. Generally, the fraud is discovered too late for the hotel to have time to rebook the room, which results in the loss of several hundred dollars per attack. An understandably angry customer might find themselves unwilling or unable to trust that a similar attack won’t happen again, possibly choosing to no longer do business with the hotel. These customers may be some of the most loyal customers to the hotel – perhaps even VIPs – which would result in a significant loss in revenue should the customer cut ties with the brand.
How can travel companies circumvent loyalty program fraud?
Some hotels are looking at changing the way they structure their loyalty programs. For example, the Mandarin Oriental has just launched its first ever loyalty program that uses perks instead of points.
Other solutions hotels might consider adopting to address the issue include:
- Setting limits on how fast customers can earn points and spending requirements to accrue points
- Establishing manual review teams
- Checking customers’ point transaction histories, looking at how long and at what pace a person accrued points, as well as how fast those points were spent
- Introducing 3D Secure or other verification methods
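
The earn-rate limit and transaction-history check from the list above can be expressed as a small rule set that queues accounts for manual review. This is an added example, not code from the article or from Sift Science; the ledger layout, thresholds and flag names are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the article.
MAX_EARN_PER_DAY = 20_000               # points earned in any rolling 24 h window
MIN_ACCRUAL_SPAN = timedelta(days=14)   # minimum time from first earn to a large redemption
DRAIN_FRACTION = 0.8                    # share of the balance taken by one redemption

# Constructed sample ledger: (account, ISO timestamp, kind, points)
LEDGER = [
    ("A-100", "2017-01-05T10:00", "earn", 1200),
    ("A-100", "2017-03-11T09:00", "earn", 1500),
    ("A-100", "2017-06-20T18:00", "earn", 1100),
    ("A-100", "2017-09-02T12:00", "redeem", 2000),
    ("B-200", "2017-09-01T01:00", "earn", 9000),
    ("B-200", "2017-09-01T03:00", "earn", 9000),
    ("B-200", "2017-09-01T05:00", "earn", 9000),
    ("B-200", "2017-09-02T02:00", "redeem", 27000),
]

def review_flags(ledger):
    """Return {account: [reasons]} for accounts to send to manual review."""
    by_account = defaultdict(list)
    for account, ts, kind, points in ledger:
        by_account[account].append((datetime.fromisoformat(ts), kind, points))
    flagged = {}
    for account, events in by_account.items():
        events.sort()  # replay each account's history in time order
        reasons, earns, balance = set(), [], 0
        for when, kind, points in events:
            if kind == "earn":
                earns.append((when, points))
                balance += points
                # Pace of accrual: points earned in the 24 h ending at this event.
                window = sum(p for t, p in earns if when - t < timedelta(hours=24))
                if window > MAX_EARN_PER_DAY:
                    reasons.add("earn_velocity")
            elif kind == "redeem":
                # Speed of spend: most of the balance redeemed soon after the first earn.
                span = when - earns[0][0] if earns else timedelta(0)
                if balance and points / balance >= DRAIN_FRACTION and span < MIN_ACCRUAL_SPAN:
                    reasons.add("fast_drain")
                balance -= points
        if reasons:
            flagged[account] = sorted(reasons)
    return flagged
```

On the sample ledger, the account that accrued points slowly over months passes, while the account that earned 27,000 points in four hours and redeemed all of them the next day is flagged on both rules.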