Building a Loyalty Program That Doesn’t Reward Cybercriminals

Loyalty or rewards programs are a popular marketing tool, and for good reason. For businesses, they offer an opportunity to lock in customers in a positive way; for consumers, they provide ways to earn deals or freebies, such as frequent flier miles. This makes a loyalty program a win-win for everyone involved.

Unfortunately, all too often, firms and their customers are not the only winners: Cybercriminals also find these programs attractive. If they can illegally garner reward points intended for loyal customers, they can sell these prizes on the black market. What’s more, security flaws in loyalty programs may compromise customers’ personal data, including their private financial information — the ultimate pay dirt for professional cyberthieves.

Fortunately for enterprises and their customers, security measures are available to ensure that a loyalty program rewards only loyal customers, not those out to abuse the system.

The Growing Challenge of Loyalty Program Abuse

Two recent security breach incidents underline the potential risks in these programs. LoyaltyLobby reported that security researchers discovered the Hilton HHonors program was vulnerable to an attack technique known as cross-site request forgery (CSRF). By exploiting this vulnerability, anyone with a Hilton HHonors account could hijack another customer’s profile simply by knowing the account number. Not only could attackers steal rewards points, they could obtain personal information, including partial credit card numbers.

British Airways and its most loyal customers were victims of another recent security breach, according to The Guardian. Automated hacking software, deployed by unidentified cybercriminals, compromised thousands of frequent flier rewards accounts. No personal information was exposed, but the airline was forced to freeze accounts while the breach was cleaned up — leaving top executive-club flyers unable to use their points in the meantime.

Safeguarding the Enterprise and Its Customers

Concerns about providing personal information threaten to erode consumers’ willingness to participate in loyalty programs, according to TechnologyAdvice. So how can firms protect themselves and their most loyal customers against security risks?

The threats to these programs are not specific to the particular technologies they utilize, but rather are characteristic of a broad range of security threats. Customer data may be compromised by company insiders, unscrupulous customers or professional cybercriminals. Basic security precautions such as the encryption of data at all stages, both in motion and at rest, will help minimize the risk of a breach.

But enterprises must also be proactive in responding to breaches when and if they occur. In today’s information security world, firms must assume that they have already been hacked — and they have to be ready to manage the consequences. This can mean the difference between losing and keeping business. For example, one retail firm, Buffer, gained plaudits for its swift response to a data breach, explaining what had happened, what it meant and telling its customers how to protect themselves in a timely manner.

Being Proactive in the Security Fight

Reaching out to loyal customers proactively can also be the key to implementing other basic security precautions such as strong passwords. Passwords are frustrating. But the more that customers understand that passwords exist for their own protection, the more willing they will be to put up with minor inconvenience.

By taking affirmative steps to undergird the security of their loyalty program, retail enterprises will be able to continue using this powerful tool to keep their best customers coming back for more.

Contributor'photo
Rick Robinson is a writer and blogger, with a current 'day job' focus on the tech industry and a particular interest in...