Are loyalty schemes becoming more attractive to cybercriminals?

When both Tesco and Boots recently had their loyalty cards hacked within days of each other by fraudsters looking to steal points, it raised questions about the vulnerability of customers’ saved points and their personal data.

Over 600,000 Tesco Clubcard holders and 150,000 Boots Advantage Card members were affected by the compromise of their schemes. Although these numbers represent only a small percentage of the total card holders, both retailers were forced to initiate a temporary and potentially damaging shutdown of their loyalty propositions.

Aaron Begner, EMEA general manager at fraud prevention firm Forter, says: “The attacks hit only 1% of cards but they shut them down, which shows the impact [on the business] is greater than the degree of the attack.”

He points to the fact that retailers might not have traditionally seen loyalty as an exposure to potential theft. Fraudsters have certainly recognised the value: research by Forter has found loyalty fraud attacks have been growing rapidly, with 89% year-on-year growth seen in early 2019.

Such fraud is being fuelled by the enormous amount of personally identifiable information – such as emails and passwords – that is being stolen via the growing number of data breaches taking place. In the first six months of 2019 alone, the Forter research revealed 3,800 data breaches had exposed 4.1 billion records. It is just such illegal activity that made it possible for the Boots and Tesco hacks to take place.

Andrew Mann, loyalty expert with experience at Sainsbury’s, Asda, Tesco and Marks & Spencer, says the fact there is fraudulent activity is proof that a scheme is providing sufficient value to customers: “If a scheme is good enough to hack then you know it’s a good scheme [offering value to customers].”

One of the attractions to fraudsters, according to Begner, is that consumers interact very infrequently with their loyalty accounts when compared with their bank accounts. “They might not check them from one month to the next so they are largely unmonitored. This creates a window of opportunity for fraudsters to access loyalty accounts unnoticed,” he says.

Begner says points were not really seen as currency to trade, but fraudsters have realised they are low-hanging fruit: “To steal a credit card could be hard to monetise but points are much easier to sell on.”

Both Boots and Tesco made it clear that it was simply points that had been stolen and not personal data, which Mann says will have offered a great amount of relief to these retailers. Although he says the ‘value’ in the schemes is the monetary aspect – in the form of the points – the most valuable part of any loyalty programme is very much the customer data linked to the accounts.

“There should be zero tolerance on securing this. The people who lost out from the Boots and Tesco breaches were the shareholders because it was only monetary value that was lost. This is not as bad as losing customer data. This is another thing altogether. Just having fraudsters know what people have bought is bad,” he explains, adding that, despite the fact that only a modest amount of points – and no data – was stolen, the breaches will still have reduced the level of trust people place in both Tesco and Boots.

Mann says the balance retailers need to find is between closing the loops – the rewarding and the redemption elements – of their schemes to fraud, while also ensuring they are as easy as possible for customers to use.

One of the weaknesses in the Boots and Tesco schemes could have been their age. Begner suggests it could simply be easier to leave old systems and processes in place rather than updating them with new technology solutions that invariably offer better security. “Loyalty could also be part of marketing departments who do not view the programmes from a risk perspective.”

“Compared to what people are doing with payments, it is lagging behind. Retailers need to monitor their loyalty schemes over the various touchpoints [across channels]. Most organisations have not got a solution for the overall journey and they probably need a partner to help them,” says Begner, adding that retailers need to stop being afraid of using technology in order to better manage the security aspects of their schemes.