Customer loyalty accounts in danger from cyber criminals

The retail, hospitality and travel sectors are being bombarded with malicious cyber attacks, registering 63 billion credential stuffing and four billion web application attacks in the space of just 24 months, according to data contained in a recent Akamai report.

In the report, State of the internet/security: loyalty for sale – retail and hospitality fraud, Akamai, a specialist in intelligent edge and web security, said that customer loyalty programmes were a potential goldmine for cyber criminals.

“Criminals are not picky – anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and report author.

“This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

Akamai explained that loyalty programmes were acutely vulnerable because while password reuse is a perennial concern across all digital services used by the average consumer, one tends not to view one’s Tesco Clubcard or Nectar points in the same risk bracket as one’s banking passwords. Hence, people are far more likely to use weak passwords to access them.

Additionally, said Ragan, many loyalty programmes have almost comically bad security baked in – or not – on the retailer’s side.

“Some of the top loyalty programmes targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources,” said Ragan.

If compromised, a loyalty card account contains a trove of useful data which can be handily sold on on dark web marketplaces. This could include personally identifiable information such as credit card details or email and postal addresses, everything a cyber criminal needs to max out their victim’s cards, take over their accounts, or steal their identity.

Even the loyalty points accrued by consumers in some schemes have some value, Akamai found. It shared details of a number of compromised accounts its researchers spotted for sale on the dark web.

Among them was an account with US supermarket chain Kroger, complete with $30 worth of accrued points to be used at petrol stations, on sale for just $13, representing a $17 net benefit to the buyer. A similar account with Shell’s rewards programme included not just savings on petrol but the ability to order groceries for kerbside pickup – even cyber criminals have to eat.

Some accounts, particularly those associated with hotel chains, command higher price points on the dark web, said Akamai. A Hilton Honors account with a points balances of over 600,000 could fetch as much as $850. A night at a high-end Hilton property, for example the Grand Wailea Waldorf Astoria Resort on Maui, Hawaii, can be had for just under $900, or 95,000 Honors points – even cyber criminals like to go on holiday.

Perhaps unsurprisingly, Akamai said that the problem had spiked since the advent Covid-19 pandemic. As more businesses moved online and more consumers started to engage with them in ways they had not before, cyber criminals were quick to begin circulating and recirculating lists of compromised credentials in the hope of identifying new and vulnerable loyalty accounts.

This has led to a “significant” uptick in inventory and sales related to loyalty programmes. As consumers around the world prepare for a pandemic-stricken holiday season, expect to see a further increase in this type of cyber crime, it added.

The best mitigation against falling victim to cyber crime through an account held with a retailer is to avoid online shopping, mask up, and pay cash in a bricks and mortar store. However failing this, paying attention to password hygiene, and guarding your retail accounts as jealously as you would your bank, is the next best thing.