Loyalty schemes are tools used by Merchants to reward customers who continue to buy their goods and services and / or increase their spend. According to estimates, 60% of companies reported that their loyalty customers spend 2 -3 times more than non-loyalty customers.
How it works
The customers will typically earn points with every purchase of the goods or services. The accrued loyalty points can then be redeemed for discounts, vouchers or free items, as an incentive to continue to spend with the merchant. It is worth noting that ‘loyalty’ is a euphemism, as many customers are members of competing merchants’ loyalty schemes.
It is not always about how loyal they are to one merchant, it is usually about how much they are spending and on what. Afterall, if the customer’s overall spend drops, but they only spend at one merchant exclusively, they will get fewer loyalty points, despite being completely loyal. Perhaps the most well-known loyalty schemes are the free coffee when you buy, say, ten cups, or the various airmiles schemes. These schemes do work for the merchant; 75% of customers said they were likely to make another purchase when offered an incentive, according to Wirecard.
Loyalty scheme fraud
Fraud associated with loyalty has been on the rise in recent years. According to a 2019 report by Forter, there’s been an 89% increase in loyalty related fraud from the previous year. Perhaps one explanation for such a rise is that the payment industry has become increasingly effective in securing the payment infrastructure and making it harder for criminals to steal money.
Another explanation could be the sheer amount of value sitting in customer loyalty accounts with merchants. For example, Starbucks has over $1.6 billion of unspent cash in customer’s loyalty cards and wallets. Such trends are increasingly turning criminals’ focus to softer targets such as loyalty schemes, taking advantage of weaker security of the systems to steal this value which can be converted into goods if not redeemed as actual money.
Fraudulent activities associated with loyalty takes different forms; at the basic level is ‘membership fraud’. This is when members of the loyalty scheme try to game the system, or to take advantage of a procedural flaw. For example, Heathrow rewards allowed only one account per household; however, members realised they could slightly tweak their address to register a second family member and take advantage of the ‘joining bonus’ points.
Another example is the infamous story of the ‘pudding guy’ - David Phillips. Mr Phillips took advantage of a promotion by a local supermarket offering air miles with the purchase of certain products. Mr Phillips calculated that the return in air miles he got from a cup of pudding outweighed its price and went ahead to purchase over 12,000 pudding cups during several weeks. He earned more than 1.2 million air miles, enough to get him 40 round trips to Europe. These are not criminal attacks, they just exploit flawed procedures.
At the other extreme are more determined (and often organised) criminals, trying to hack the system for criminal activities. This category pose a more serious threat as they are capable of exploiting weak security systems, as well as the use of sophisticated social engineering techniques to obtain and manipulate customer information. Customer information obtained can then be used to perform account ‘takeovers’ to exploit and steal accumulated points.
Fraudsters also rely on stolen personally identifiable information (PII) exposed during data breaches to target loyalty schemes. According to RSA travel and hospitality make up 13% of the types of accounts for sale on the dark web. Last year, many customers of UK supermarket Morrisons reported that their loyalty points had been stolen from their accounts. Morrisons insisted the problem occurred as a result of email and password reuse across multiple accounts. Notwithstanding, loyalty schemes are continually evolving, and despite their security challenges, they are not going away. And so, If loyalty schemes are to continue to deliver value, they should be protected with the same diligence as payments schemes.
Here are the different categories of loyalty fraudsters, the level of threat they pose and some of the fraud types associated with them.
Fraudsters and hackers, usually part of an organised network that brings together fraudsters with different expertise and resources. Their motivation is to get hold of account and payment information, steal points and sell or barter the stolen points on the dark web.
Technical expertise: High
Threat level: High: Typically target hundreds of accounts. Data and points stolen are used to fund other illicit activities such as drugs and weapons on the dark web.
- Account Takeovers: Fraudsters taking control of existing loyalty members’ accounts, and then using the accounts to redeem or transfer points.
- System Compromise: Fraudsters use their technical know-how and resources to exploit security vulnerabilities within the loyalty system.
These are typically customers that are already members of the loyalty scheme.
Technical expertise: Low
Threat level: Low: Fraud by loyalty scheme members aren’t typically conducted at scale. i.e. They usually affect a single account rather than a full-blown assault on multiple accounts. The threat level here may go up a level as the loophole becomes apparent to other members.
- ‘Double dipping’: Redeeming points simultaneously over multiple channels.
- Unauthorised sale or transfer of points.
- Returns Fraud: A customer buys an item, earns and redeems the points, and then returns the item within the allowed returns window.
- Using fake personal details to register multiple accounts to earn; join up accounts for example.
These are entities with some level of access to the loyalty programme infrastructure. This could be an employee or an employee of a service provider. They could be coerced by an outsider criminal.
Technical expertise: Medium-High
Threat level: Medium-High: Similar to the motivation of members, an insider is typically an employee trying to illicitly add points to their accounts or the accounts of family and friends. However, what makes the threat a level higher is because an employee will more likely have access to account management systems and could tamper with protections to avoid detection.
- Unauthorised points correction.
Security experts often suggest implementing stronger security features such multifactor-authentication and the use of strong passwords to protect loyalty schemes. These are welcome suggestions; it is however not always realistic to implement expensive countermeasures just for loyalty points as is demonstrated by many schemes using magnetic-strip cards as identifiers, rather then smart cards. A holistic approach to securing the systems and reducing frauds is required in order to enforce the security controls on customers and fraudsters alike.
At Consult Hyperion, we have called for a closer alignment between payment and loyalty for years. Card (and mobile) payments are a mature technology with relatively acceptable levels of security which have been proven over numerous decades. A seamless way of integrating loyalty into payments would allow loyalty schemes to take advantage of the robustness of the payment schemes.
Despite clear benefits, such integration has been limited, perhaps due to the associated costs to the merchant or the inconvenience to the customer. Earlier attempts to integrate loyalty into payments did so by co-hosting two separate applications on the same smartcard - one for payment and for loyalty. This method offered better security, but also required two separate transactions at the Point-of-Purchase, significantly affecting customer experience.
For integration to be seamless, loyalty data could be passed as part of the payment data during the transaction. Within the provisions of the EMV specifications which underpin card payments today, there are several options worth considering by merchants looking to offer more secure loyalty schemes. For face-to-face payments, there are potential storage areas within the payment card / mobile to store loyalty identity information during the transaction. The payment schemes also have a provision in their specification for an integrated data storage (IDS) area on a payment card that may be available for use by all merchants, if it is included by the issuing bank on their cards.
In the online world, the security advantages of 3D secure (3DS) could be leveraged by merchants for loyalty. 3DS is an authentication protocol that adds an additional layer of security to online payments by requiring customer authentication before authorising the payment, which is ideal for authenticating access to the the customers's loyalty account. For example, Amex offers instant redemption of membership rewards points at the point of 3DS authentication. This is a good example of leveraging security in payments technology to provide a more secure loyalty programme.
As our lives and activities increasingly become digitised, attackers will continue to find ways to compromise systems. Integration of loyalty into payments will allow loyalty schemes to take advantage of the security infrastructure used in payments, increase customer satisfaction and hopefully shift the focus of criminals away. In the future, we must use our experience of working with payment brands, merchants and banks to design new and secure payment products and value-added services such as loyalty, to meet regulatory requirements and global best practices.