September 4, 2019 | By Diane Benjuya and Limor Kessem | 6 min read

Loyalty and fraud. Not a nice pairing. Loyalty is great for business; fraud taxes it with ongoing losses. Yet the two have become inseparable over the past two decades, with fraudsters banking on loyalty points, miles and rewards and using them for their own profit.

Loyalty programs can be costly to implement, but they can also achieve great business results. According to a Bond Brand Loyalty report, 77 percent of consumers stick with the brands whose programs they are members of. On the flip side, fraudsters use and abuse loyalty programs as a form of currency exchange among themselves, with losses amounting to an estimated $1 billion every year. This estimate is likely conservative, considering the size of recent data breaches in the hospitality sphere and the estimate that more than $100 billion a year in reward points go unredeemed because more than half of reward memberships in the U.S. are inactive. Dormant accounts holding unspent balances make loyalty accounts a rich source of profit for criminals.

But while the value of airline loyalty programs and the customers they serve is well established, protecting these assets with security controls is often an afterthought. Loyalty program systems are rarely treated as crown jewels, while in reality the customer data they collect and use is beyond doubt some of the most important data the business holds and a critical part of its livelihood. When customers’ personal and financial data is lost in an attack, the result is fines, lawsuits and elevated breach remediation costs that justify rethinking how we protect loyalty programs.

Figure 1: Today’s airline applications are falling prey to account hacking, leading to loyalty fraud (Source: IBM Trusteer airline fraud vectors demo)

A note to chief information security officers (CISOs): B2C risk may look like it is not your problem, but think again. Fighting fraud that attacks consumers, like loyalty fraud, requires deploying security technologies. We urge you to join your digital colleagues at the table and help them understand which solutions can make a difference.

Airline Loyalty Programs Are a Top Target

While loyalty program fraud can hit a large variety of organizations, from entertainment to restaurants to grocery stores, 2019’s “IBM X-Force Threat Intelligence Index” noted that the transportation industry, which includes airlines, is the second most-targeted sector for cyberattackers.

Figure 2: Most frequently targeted industries in 2018 (Source: IBM X-Force)

Airline reward programs are such a lucrative target because they are both a kind of currency and replete with personal information on frequent flyers. These factors make the airline industry — and the hospitality industry as a whole — a top target for attackers motivated by financial gain. And with 4,378 million passengers per year, the airline industry is a gatekeeper to an immense quantity of data from which cybercriminals can make illicit profit.

In a data breach that recently befell an Asian airline company, frequent flyer-related information was among the data taken by the attackers. In the case of a major U.K. airline, the attackers specifically accessed the personal data of some 500,000 customers who had used a payment card to make reward bookings. These are just two recent cases; across the wider hospitality sector, reward fraud has affected hundreds of millions of customers worldwide.

Monetizing in the Dark

Once in the hands of the attackers who breach the data, these troves are on their way to being monetized by fraudsters in the dark enclaves of the web. Just take a peek at some of the more popular darknet markets — anonymous sites where illegal activity can go undetected — for a mind-boggling eyeful of stolen frequent flyer program (FFP) miles for sale.

Figure 3: Frequent flyer miles are sold on the darknet (Source: IBM X-Force)

Alongside masses of airline points offered for sale, reward points that can be used for hotel bookings are also on offer. And that’s just part of the picture; darknet vendors even offer “air miles account takeover services” for sale, lowering the bar for would-be criminals looking to try their hand at loyalty program fraud.

Chris Staab, co-founder of the Loyalty Fraud Prevention Association (LFPA), explains: “Today’s loyalty program industry is a large ecosystem of partners offering purchases through frequent flyer points. On the dark side, you have ‘mileage brokers’ that illicitly buy and sell points.”

LFPA research found 1 percent of today’s redeemed miles to be fraudulent — a $3.1 billion problem worldwide.

The potential cost of stolen points to the program’s operator is initially twofold: the cost of reimbursing customers and the fines levied by regulatory bodies for failing to prevent a data privacy breach.

The U.K. Information Commissioner’s Office (ICO) fined British Airways 183 million pounds, the largest GDPR-era fine to date, representing 1.5 percent of the airline’s 2017 turnover. GDPR rules allow fines of up to 4 percent of annual turnover, which can truly hurt vendors that have already suffered considerable fraud losses and loss of business due to a breach.

The Ponemon Institute’s “Cost of a Data Breach Report,” sponsored by IBM, provides additional information about the true cost of a data breach.

Airline Sector Plagued by Familiar Threats

Where is the Achilles’ heel that attackers leverage to target airline loyalty program accounts? There’s a litany of fraud threats targeting users on both web and mobile channels. These include phishing attacks; smishing (SMS phishing) texts that lure people in with tempting offers such as free ticket giveaways; and bot-driven credential stuffing attacks that automatically submit large numbers of username-password combinations until one of them works. Trojan operators are also part of the landscape of attackers who look to take over loyalty reward accounts.

Part of the problem is the old security-versus-usability challenge, with service providers trying hard not to affect the customer experience on their revenue-generating websites. When controls are applied, they can be basic or even ineffective. For example, some airline industry experts acknowledge that security controls in the user sphere rely too much on two-factor authentication (2FA) and static verification measures to protect loyalty accounts, even though attackers increasingly bypass such measures.

Addressing questions about ways to secure airline loyalty programs, Nikhil Borle of IBM Security told an audience at the Airline & Travel Payments Summit in Malaysia that loyalty program fraud involves taking over or creating a loyalty account. Once in, attackers look for every possible way to cash in the points. Walking through the following steps can help defenders adapt security controls to the specific stage of the problem they wish to address.

Figure 4: Loyalty fraud at work, from account takeover to cashing out miles

An Awakening to Better Security

The good news is that the airline industry is waking up to the problem. In October 2018, the International Air Transport Association (IATA), an airlines trade association, validated a set of best practices for fraud protection. It issued a battle cry “to acknowledge the scope of loyalty fraud and manage it from a business perspective while tackling it from a technology perspective.”

The IATA recognizes the difficulty: “It’s hard to determine what might constitute unusual activity. These days, people accumulate a mass of loyalty points through a variety of conduits and not just an airline booking. And the travel patterns of many FFP members are inconsistent, ebbing and flowing with business needs.”

The IATA also noted that “methods that fraudsters use are varied and innovative. Social engineering, machine learning, and artificial intelligence are just a few examples … It is a constant game of one-upmanship going on between the fraudsters and those trying to prevent fraud.”

Let Airlines Fly Planes

It’s the job of airlines to fly their 4,378 million passengers safely to their destinations. Effective loyalty fraud gatekeeping means bringing in dynamic fraud detection and risk-based user authentication solutions that combine tools, threat intelligence and a vast data lake, and that can operate without the cybercriminals noticing.

But is that enough? Can these controls help to mitigate risk in an era when rich customer data regularly makes it into the hands of fraudsters?

Fraud detection solutions need to be continuous and seamless and take a user-centric approach to authentication. They need to detect the risk of fraud without relying on measures like two-factor authentication, which often proves less effective against account takeover threats. Yet in the greater scheme of things, security should also be balanced with usability, avoiding friction that begets customer abandonment.
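The two ideas in the threats section (bot-driven credential stuffing that cycles through username-password pairs) and in the paragraph above (continuous, risk-based detection that only adds friction when warranted) can be shown together in code. The following is an added example written for this page; it is not IBM Trusteer, LFPA or IATA code. It assumes a simple login-event log format of its own, a constructed sample log, and illustrative thresholds and score weights. It first flags source IPs whose attempts look like stuffing (many distinct usernames in a short window, mostly failing), then scores every successful login on signals such as a flagged source, an unrecognised device and recent failures on the account, and maps the score to allow, step-up or deny.

```python
# Added example (not IBM Trusteer, LFPA or IATA code): detect credential-stuffing
# sources in a login log and feed that signal into a risk-based step-up decision.
# Log format, sample data, thresholds and weights are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "<epoch> <source_ip> <username> <result> <device_id>".
# 203.0.113.7 tries seven usernames in seconds and gets into grace's account;
# alice logs in from a new device after two failures; bob's logins are routine.
SAMPLE_LOG = """\
1567500000 198.51.100.5 alice OK dev-c33
1567500000 192.0.2.44 bob OK dev-b07
1567584000 203.0.113.7 alice FAIL dev-9f1
1567584001 203.0.113.7 bob FAIL dev-9f1
1567584002 203.0.113.7 carol FAIL dev-9f1
1567584003 203.0.113.7 dave FAIL dev-9f1
1567584004 203.0.113.7 erin FAIL dev-9f1
1567584005 203.0.113.7 frank FAIL dev-9f1
1567584006 203.0.113.7 grace OK dev-9f1
1567584010 198.51.100.20 alice FAIL dev-a12
1567584030 198.51.100.20 alice OK dev-a12
1567584100 192.0.2.44 bob OK dev-b07
"""


@dataclass
class Event:
    ts: int
    ip: str
    user: str
    ok: bool
    device: str


def parse_log(text):
    """Parse the constructed log format into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, device = line.split()
        events.append(Event(int(ts), ip, user, result == "OK", device))
    return sorted(events, key=lambda e: e.ts)


def stuffing_sources(events, window=60, min_users=5, max_success=0.5):
    """Flag source IPs that, within any `window` seconds, try at least
    `min_users` distinct usernames with a success rate at or below
    `max_success`. Returns {ip: stats of the widest matching window}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            rate = sum(e.ok for e in win) / len(win)
            if len(users) >= min_users and rate <= max_success:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(win),
                                   "success_rate": round(rate, 2)}
    return flagged


def assess_login(event, history, flagged_ips, recent=300):
    """Risk-score one successful login using only events that precede it."""
    score, reasons = 0, []
    prior = [h for h in history if h.user == event.user and h.ts < event.ts]
    if event.ip in flagged_ips:
        score += 60
        reasons.append("source_ip_flagged_for_credential_stuffing")
    if event.device not in {h.device for h in prior if h.ok}:
        score += 25
        reasons.append("unrecognised_device")
    if sum(1 for h in prior if not h.ok and event.ts - h.ts <= recent) >= 2:
        score += 15
        reasons.append("repeated_recent_failures_on_account")
    if score >= 70:
        decision = "deny"      # likely takeover: end session, notify the customer
    elif score >= 30:
        decision = "step_up"   # challenge with a stronger factor before access
    else:
        decision = "allow"     # low risk: no friction for the customer
    return {"user": event.user, "score": score,
            "decision": decision, "reasons": reasons}


def triage(text):
    """Run stuffing detection over a log, then decide on each successful login."""
    events = parse_log(text)
    flagged = stuffing_sources(events)
    decisions = [assess_login(e, events, flagged) for e in events if e.ok]
    return flagged, decisions


if __name__ == "__main__":
    flagged, decisions = triage(SAMPLE_LOG)
    print("stuffing sources:", flagged)
    for d in decisions:
        print(d)
```

The point of the design is that the successful login from the stuffing source is denied even though the password was correct, the customer on a new device after a couple of failures gets a step-up challenge rather than a block, and the routine login on a known device sees no friction at all. In a real deployment the score would draw on far more signals (device fingerprint, geo-velocity, session behaviour), but the separation of detection, scoring and decision is the same.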

Today, we can arm up to not only fend off fraud, but also to cultivate delight throughout the customer journey using passwordless and personalized access and by requesting authentication only when warranted. That kind of customer journey leads to better Net Promoter Score (NPS). The great news, noted Staab, is that airlines with improving NPS have experienced top-line growth of 5–15 percent over the last 10 years.

Loyalty fraud is here to stay, so let’s turn lemons into lemonade by letting transparent loyalty fraud protection fuel your digital growth.

IBM Security has solutions to help you counter cyber fraud and improve your customers’ digital journey. We invite you to learn more about IBM Trusteer solutions for fraud detection and risk-based authentication:

  • Come to IBM booth No. 71 at the World Aviation Festival in London on Sept. 4–6 to meet Trusteer experts and walk through login and account takeover use case demos for the airline sector.
  • Want to go deeper? Register for the Loyalty Fraud Prevention Association’s loyalty fraud trends webinar on Sept. 19, featuring Trusteer’s Shaked Vax as one of the panelists.
