
Posted By:  Ecommerce Exchange on 10/11/2019 in Security

How Rewards Programs Can Attract 'Loyal' Cybercriminals to Your Business


For retailers, growing their customer base while retaining their current customers and simultaneously staying relevant among competing brands is an ongoing challenge. To set themselves apart, many retailers have implemented loyalty programs to encourage customers to shop their brand for added incentives.

According to a survey, 53 percent of customers who took part in loyalty programs expressed positive feedback and acknowledged they were able to use their loyalty or "bonus points" to put toward future purchases, proving this strategy increases customer engagement and retention.

Today, many retailers are evolving from in-store only to digital loyalty programs allowing shoppers to access their account from any device, check how many loyalty points they have, transfer points to a friend, or put them toward their next online purchase. While this process offers a seamless experience for shoppers, digital loyalty programs have become a target for cyber attackers who are increasingly exploiting loyalty programs for their own financial gain, primarily using a couple of approaches.

Bonus Points Takeover

One common way hackers gain access to the accounts of reward program participants is by brute-forcing the email password. A brute-force attack is an illegal attempt by a hacker to obtain a password through many repeated trial-and-error guesses.

Password cracking can be made even simpler, as malicious actors often reuse credentials that were previously compromised in a breach or data leak, a practice (commonly called credential stuffing) that becomes far more profitable when victims use the same login credentials for different accounts. Malicious programs that covertly collect usernames and passwords, commonly known as "password stealers," can also give an attacker valid credentials.

Once a cybercriminal has access to a personal account, the actor has several ways to turn that access into profit. If the loyalty program allows bonus points to be transferred between accounts, a hacker can send all the accumulated points from the breached account to one they control.

Alternatively, malicious actors can use their own delivery address to buy goods for themselves using the breached account. In cases where cybercriminals do not choose to make a purchase from the retailer, they can sell stolen account details on the Dark Web, including personal information like addresses, phone numbers or shopping preferences.

Welcome Gifts for Fraudsters

Accounts of existing loyalty program users are not the only target for cybercriminals. It's even easier for them to take advantage of "welcome points" given to new customers, as they can register multiple fake accounts to accumulate points.

On one occasion, Kaspersky's fraud analytics team discovered a case in which fraudsters had created almost 3,000 accounts registered with just a single email address. Criminal actors were keen to learn that while most card registration platforms treat variations in dot placement within the same account name (e.g. johnsmith vs. j.ohnsmith vs. jo.hnsmith) as entirely different accounts, Gmail does not. This made it possible for the fraudsters to receive the email verification notices for thousands of new credit card registrations in a single Gmail account.
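The detection side of the case above is straightforward once registrations are compared by the mailbox that actually receives the mail rather than by the literal string. The following Python is an added example, not code from the article or from Kaspersky: it canonicalises Gmail addresses by dropping dots in the local part (and, a detail the article does not mention, anything after a plus sign, which Gmail also ignores), then flags any canonical mailbox behind more than a handful of sign-ups. The registration records, the threshold and the domain list are constructed assumptions for the example.

```python
"""Added example (not from the article): flag welcome-point abuse where many
sign-ups collapse onto one Gmail inbox after normalising dot placement."""
from collections import defaultdict

# Domains known to deliver mail for dot-insensitive local parts (assumption:
# extend this set for any other provider you have verified behaves this way).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox that will actually receive mail for `address`.

    For Gmail, dots in the local part are ignored and any '+suffix' is
    dropped; googlemail.com is an alias of gmail.com. Other domains are only
    lower-cased, since their dot handling is not known to be the same.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shared_mailboxes(registrations, threshold=3):
    """Group (account_id, email) pairs by canonical mailbox and return the
    mailboxes that reach `threshold` accounts, for fraud review."""
    groups = defaultdict(list)
    for account_id, email in registrations:
        groups[canonical_email(email)].append(account_id)
    return {mbox: ids for mbox, ids in groups.items() if len(ids) >= threshold}


# Constructed sample sign-ups for the example (not real data).
SAMPLE_REGISTRATIONS = [
    ("acct-1001", "johnsmith@gmail.com"),
    ("acct-1002", "j.ohnsmith@gmail.com"),
    ("acct-1003", "jo.hnsmith@gmail.com"),
    ("acct-1004", "John.Smith+promo@googlemail.com"),
    ("acct-1005", "jane.doe@example.com"),
    ("acct-1006", "janedoe@example.com"),  # distinct mailbox on a non-Gmail domain
]

if __name__ == "__main__":
    for mailbox, ids in find_shared_mailboxes(SAMPLE_REGISTRATIONS).items():
        print(f"{mailbox}: {len(ids)} accounts -> {ids}")
```

Running the block reports the four `johnsmith` variants as one mailbox; the two `example.com` addresses stay separate because that domain is not in the dot-insensitive set. Running the same canonicalisation at registration time, before welcome points are credited, stops the cluster from forming at all.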

With enough illegally sourced welcome points, hackers can seek out buyers of various goods and offer to purchase products on their behalf at a discount greater than what a retailer offers. This allows criminals to convert points into cash, and then repeat the process.

The more people they attract, the more loyal their following grows, and their fraudulent business prospers. Unfortunately for the owners of the loyalty programs, buyers looking to take advantage of these schemes don't have to know how to navigate the Dark Web, as they're conveniently found on popular peer-to-peer e-commerce websites and social media.

Fraud Prevention Keys

If retailers continue to be unaware of fake customer loyalty program accounts, they will likely believe that their loyalty program is effectively driving sales when, in reality, it is helping fraudsters gain a profit.

To protect loyalty programs from fraud, we recommend retailers consider a fraud prevention solution that incorporates all of the following measures:

  • Identifies unique devices and determines whether the device in use is unique to the program;
  • Discovers fake account generation by applying behavioural biometry and bot signatures to detect automated sign-ups;
  • Uses machine learning models to discover anomalies in how browser windows are opened; and
  • Balances usability and security, and uses additional authentication steps only in suspicious cases through risk-based authentication for loyalty accounts to prevent account takeovers.
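The last measure, risk-based authentication, is worth making concrete for the point-transfer takeover described earlier. The Python below is an added example, not code from the article or from any vendor product: it scores a transfer request on signals the article itself names (an unrecognised device, a destination account that is brand new, a near-total balance drain, recent failed logins) and only demands a step-up check, or blocks outright, when the score crosses thresholds. The signal weights, thresholds and sample accounts are constructed assumptions for illustration.

```python
"""Added example (not from the article): risk-based step-up for a
loyalty-point transfer. Weights and thresholds are illustrative."""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    known_devices: set = field(default_factory=set)  # devices seen on past logins
    failed_logins_24h: int = 0
    account_age_days: int = 0


@dataclass
class TransferRequest:
    source: Account
    destination: Account
    device_id: str   # fingerprint of the device making the request
    points: int      # points being moved
    balance: int     # source balance before the transfer


# Assumed weights: each signal alone is not decisive, combinations are.
WEIGHTS = {
    "unrecognised device": 40,
    "recent failed logins": 30,
    "destination account is new": 20,
    "near-total balance transfer": 20,
}
STEP_UP_THRESHOLD = 40   # ask for a second factor
BLOCK_THRESHOLD = 70     # refuse and queue for manual review


def risk_signals(req: TransferRequest) -> list:
    """Return the names of the risk signals present in `req`."""
    signals = []
    if req.device_id not in req.source.known_devices:
        signals.append("unrecognised device")
    if req.source.failed_logins_24h >= 5:
        signals.append("recent failed logins")
    if req.destination.account_age_days < 7:
        signals.append("destination account is new")
    if req.balance > 0 and req.points >= 0.9 * req.balance:
        signals.append("near-total balance transfer")
    return signals


def decide(req: TransferRequest) -> tuple:
    """Map the summed signal weights to allow / step_up / block."""
    signals = risk_signals(req)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "allow"
    return action, score, signals


# Constructed sample accounts for the example.
VICTIM = Account("acct-2001", known_devices={"dev-home"}, account_age_days=400)
FRIEND = Account("acct-2002", known_devices={"dev-friend"}, account_age_days=365)
MULE = Account("acct-9999", account_age_days=1)  # freshly registered destination

ROUTINE = TransferRequest(VICTIM, FRIEND, device_id="dev-home", points=100, balance=1000)
NEW_DEVICE = TransferRequest(VICTIM, FRIEND, device_id="dev-unknown", points=100, balance=1000)
TAKEOVER = TransferRequest(VICTIM, MULE, device_id="dev-unknown", points=1000, balance=1000)

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("new device", NEW_DEVICE), ("takeover", TAKEOVER)]:
        print(name, decide(req))
```

The routine transfer from a known device to a long-standing account passes silently, a first-time device on its own triggers a second factor rather than a refusal, and the full-balance drain to a day-old account from an unknown device is blocked. That asymmetry is the usability point in the measure above: legitimate customers rarely meet more than one signal at once, so they rarely see the extra step.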

Byline written on behalf of Rob Cataldo, vice president of enterprise sales, Kaspersky North America.
