How loyalty programmes can safeguard against sophisticated cyberattacks

Loyalty programme fraud costs operators an average of $1bn a year


It’s a $48 trillion opportunity that cybercriminals are only too happy to target. That figure is the value of unspent loyalty points worldwide, and loyalty fraud is estimated to cost programme operators roughly $1bn a year.

One example from earlier this year was the large-scale cyberattack that targeted SITA and, with it, millions of travellers enrolled in the loyalty programmes of airlines including Singapore Airlines, Lufthansa and New Zealand Air.

One of the most common ways these loyalty programmes are compromised is through attacks on authentication. These take several familiar forms: brute force, phishing, password spraying, weak password-recovery validation and credential stuffing. According to Akamai, over 100bn credential stuffing attacks took place between 2018 and 2020, with around 63bn of them directed at the retail, travel and hospitality sector.

Reportedly, 72 per cent of airline loyalty programmes have an issue with fraud, with 30 per cent saying that the situation was worsening every year. Alarmingly, 10 per cent of airline loyalty programmes didn’t even know if they had a problem with fraud.

Vulnerable authentication systems have far-reaching consequences for end-users, including account takeovers and unauthorised redemption of loyalty points, which are often then sold on the dark web.

Organisations, for their part, stand to lose customer trust, reputation and money when they are attacked. The onus is therefore not only on organisations to protect their own systems, but also to add a level of protection around their customers’ devices – be it tracking risky users and/or having systems in place to distinguish between a genuine user and a fraudster, even when the login credentials match.

In most cases loyalty accounts are protected by nothing more than a password, often one that the user shares across different online services. A password leak from any one of those services is then enough to mount a successful account takeover attack on all of the user’s other services.

Two-factor (or multi-factor) authentication (2FA) is one way for operators to safeguard their access gates, for example with one-time passcodes (OTP) sent via SMS or email. While it is effective to an extent in preventing cybercrime, it is unpopular because users find it too much effort. The key is to enhance security without creating an unnecessary, unpleasant or tedious experience for the end-user.

That’s where products from the IT services company Comarch come into play. It has previously rolled out its Cyber Threat Protection (CTP) anti-fraud system and its tPro Mobile solution specifically to support adaptive authentication in a process that is fully transparent to end-users.

CTP is designed to protect the identity of the end-user and to verify their credibility. It can bring wide-ranging benefits in banking or loyalty programmes, where verifying the user’s identity is absolutely critical. To this end, the system offers features including device reputation, behavioural biometrics and identity cloning, among others.

tPro Mobile protects against loss of account access when login data leaks through phishing or mass database breaches, and against remote attacks, operations carried out on behalf of a client and unauthorised changes to balances.

tPro meets the requirements of the European Union’s PSD2 Directive and enables mobile token support on the back-end side, with features such as VPN support, geolocation and strong cryptography, document signer support, and face and fingerprint biometrics.

By inspecting the user’s behaviour, their device and their environment, account takeover attacks can be stopped effectively. Based on parameters including behavioural biometrics, identity cloning, device reputation and recognition, and malware detection, Comarch’s system calculates a transaction score and then either asks for a second factor, grants access directly or denies access, according to the perceived threat level.
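As an added illustration of the allow / step-up / deny flow just described (this is not Comarch’s code; the signal names, weights and thresholds are assumptions), the following Python sketch scores a login that has already passed the password check and picks one of the three outcomes:

```python
# Adaptive authentication decision (allow / step-up / deny), modelled on the flow the
# article describes. Illustration only, not Comarch's code; signal names, weights and
# thresholds are constructed assumptions rather than values from any product.
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"          # password matched and risk is low: log in directly
    STEP_UP = "require_2fa"  # password matched but risk is elevated: ask for a second factor
    DENY = "deny"            # risk too high to trust even a correct password

@dataclass(frozen=True)
class LoginSignals:
    device_known: bool       # device fingerprint previously seen on this account
    device_reputation: int   # 0 (clean) .. 100 (known fraud or bot infrastructure)
    behaviour_match: int     # 0 .. 100 similarity to the account's typing/navigation profile
    identity_cloning: bool   # same device or profile reused across many unrelated accounts
    malware_detected: bool   # endpoint check flagged a compromised device
    failed_logins_1h: int    # recent failures on the account, a credential stuffing indicator

STEP_UP_AT = 30  # assumed thresholds on a 0..100 score; a real deployment tunes these
DENY_AT = 70

def risk_score(s: LoginSignals) -> int:
    """Combine the signals into a 0..100 risk score (integer weights, illustrative)."""
    score = 0 if s.device_known else 25
    score += s.device_reputation * 30 // 100
    score += (100 - s.behaviour_match) * 25 // 100
    score += 30 if s.identity_cloning else 0
    score += 40 if s.malware_detected else 0
    score += min(s.failed_logins_1h, 5) * 5  # saturates so this signal alone cannot reach DENY
    return min(score, 100)

def decide(s: LoginSignals) -> Decision:
    """Map the score to an outcome; a compromised device is a hard deny whatever the score."""
    score = risk_score(s)
    if s.malware_detected or score >= DENY_AT:
        return Decision.DENY
    return Decision.STEP_UP if score >= STEP_UP_AT else Decision.ALLOW

# Constructed samples: regular customer, same customer on a new phone, stuffing with a leaked
# but valid password, and a known device running malware.
SAMPLES = {
    "genuine": LoginSignals(True, 0, 95, False, False, 0),
    "new_phone": LoginSignals(False, 10, 80, False, False, 0),
    "stuffing": LoginSignals(False, 90, 30, True, False, 12),
    "infected": LoginSignals(True, 0, 90, False, True, 0),
}
if __name__ == "__main__":
    for name, signals in SAMPLES.items():
        print(f"{name:10s} score={risk_score(signals):3d} -> {decide(signals).value}")
```

The "infected" case shows why a hard rule sits beside the score: a correct password on a known device would otherwise only trigger a step-up, but a compromised endpoint cannot be trusted to complete 2FA honestly.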

With machine learning the software gets smarter over time, reducing false positives and further improving the user experience. Owing to products such as these, loyalty programmes are bound to become smarter and safer while providing a smoother user experience.
