By Robert McKay

As COVID-19 travel restrictions are loosened in much of the world, many people are eager to visit friends and family or take a long-postponed vacation. Some of these individuals will be in for an unpleasant surprise when they check their loyalty program balances for the first time in months: they’ll find their accounts drained of points, miles and bonuses.

Travel and hospitality reward programs are a growing target for fraudsters, as loyalty program accounts generally have much weaker security than traditional financial accounts, and consumers tend to check them much less frequently (or never — many accounts are dormant). But the trillions of dollars in unspent loyalty points, frequent flyer miles and other rewards are valuable to criminals around the world, who can cash them in to purchase digital gift cards or high-value merchandise to resell, or use them as cash equivalents to sell to other fraudsters.

Loyalty fraud may not receive the same attention as payment card fraud, but it is extremely common and on the rise. In 2019, loyalty program fraud increased 89% over the previous year. It’s also costly, with experts estimating more than $1 billion every year in losses to program operators.

Unlike with credit cards, consumers generally have no specific legal protection if their loyalty program points are stolen. Because the entire purpose of loyalty programs is to encourage customer loyalty, most programs refund the stolen points anyway, which increases the bottom-line impact. In addition to the direct cost of reimbursing stolen points, loyalty fraud causes increased customer churn, the loss of lifetime value when customers choose to leave the program after a breach, and potentially fines and lawsuits in relation to the incident. Organizations must also deal with the indirect costs connected with loss of trust from partners as well as members, along with broader reputational damage.

What can hospitality organizations do to strengthen their defenses against loyalty fraud? The following are two places to start.

Improve call center security

Online account takeovers frequently begin with the phone channel. For fraudsters, it’s often easier to obtain sensitive account information by socially engineering a helpful call center agent than to hack directly into a customer account. With so much personal information available for purchase on the dark web (or for free on social media), fraudsters are often able to convincingly impersonate legitimate customers on the phone and correctly answer call center agents’ challenge questions.

In addition to training their agents to be more prepared for this type of fraud, hospitality organizations need to move away from knowledge-based authentication (identity interrogation by agents) to more secure forms of multifactor authentication, such as pre-answer caller authentication combined with voice biometrics. This type of solution prevents most fraudsters from reaching a service agent in the first place, while at the same time reducing call handle times and improving the customer experience.

Add protections for digital transactions

If the easy availability of stolen data makes knowledge-based authentication vulnerable over the phone, the same is true of online transactions: security questions and passwords on their own are no longer reliable ways of verifying identity.

Hospitality organizations have many tools to choose from when it comes to authenticating user identity and preventing illegitimate access to customer accounts. Effective solutions will use a wide range of digital identity markers (such as location, IP address and data relating to the device being used) and assess the connections between a customer’s online and offline identity, their devices, and their typical behaviors.

Taking a holistic view of identity that also includes device data can protect against many types of fraud, including complex schemes designed to defeat the use of one-time passcodes sent to a customer’s device via text message. These include tactics like SIM swapping (when a fraudster switches a victim’s phone number to a SIM card under the fraudster’s control) and man-in-the-middle attacks (when the fraudster calls the customer, poses as someone from the business the customer is interacting with online, and asks the customer to read out the one-time passcode). If an organization uses text passcodes or callbacks to verify customer identity, the authentication solution must confirm phone ownership, or at least flag high-risk situations such as recent SIM changes and reassigned or forwarded numbers.
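One way to express the check described above, as an added example that is not from the original article or from any vendor's product: a gate that decides whether a text-message passcode can be trusted for a loyalty points redemption. The field names, the 7-day SIM-change window and the decision labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy value for illustration; tune it to the program's own risk data.
SIM_CHANGE_WINDOW_DAYS = 7

@dataclass
class PhoneSignals:
    """Phone-ownership signals from a phone-intelligence feed (hypothetical fields)."""
    days_since_sim_change: Optional[int]  # None means the signal is unavailable
    number_reassigned: bool
    call_forwarding_active: bool

@dataclass
class SessionSignals:
    """Digital identity markers for the current session (hypothetical fields)."""
    device_seen_before: bool
    ip_country: str
    usual_countries: frozenset

def otp_channel_decision(phone: PhoneSignals, session: SessionSignals):
    """Return (decision, reasons) for a redemption request.

    Decisions: 'sms_otp', 'step_up_non_sms' or 'hold_for_review'.
    """
    phone_flags = []
    if phone.days_since_sim_change is None:
        # Fail closed: without the signal, phone ownership is unconfirmed.
        phone_flags.append("sim_change_unknown")
    elif phone.days_since_sim_change < SIM_CHANGE_WINDOW_DAYS:
        phone_flags.append("recent_sim_change")
    if phone.number_reassigned:
        phone_flags.append("number_reassigned")
    if phone.call_forwarding_active:
        phone_flags.append("call_forwarding_active")

    session_flags = []
    if not session.device_seen_before:
        session_flags.append("new_device")
    if session.ip_country not in session.usual_countries:
        session_flags.append("unusual_location")

    reasons = phone_flags + session_flags
    if phone_flags and session_flags:
        return "hold_for_review", reasons   # phone and session both look wrong
    if phone_flags:
        return "step_up_non_sms", reasons   # do not trust the SMS channel
    return "sms_otp", reasons               # phone ownership looks intact
```

A session flag on its own still returns `sms_otp`, because the passcode is the step-up in that case; the reasons list is returned so the event can be logged and reviewed.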

Protecting the value of loyalty programs

As in any arms race, fraudsters will continue to develop increasingly sophisticated ways to overcome security measures. But many loyalty programs are not yet making use of the latest tools and technologies that are successfully protecting traditional financial accounts — including intelligent authentication solutions that take an integrated view of identity across online, offline and device-based data, and how those linkages change over time.

Loyalty programs aim to provide customers with additional value and a positive experience that keeps them coming back. To deliver on that promise, hospitality organizations need to implement stronger fraud-fighting solutions that help them protect their loyalty program accounts and the valuable customer relationships they represent.