Loyalty and fraud. Not a nice pairing. Loyalty is great for business, fraud taxes it with ongoing losses. Yet the two have become inseparable in the past two decades, with fraudsters banking on loyalty points, miles and rewards and using them for their own profit.

Loyalty programs can be costly to implement, but they can also achieve great business results. According to a Bond Brand Loyalty report, 77 percent of consumers stick with the brands they are members of. On the flip side, fraudsters use and abuse loyalty programs as a form of currency exchange among themselves, with losses amounting to an estimated $1 billion every year. This estimate is likely rather conservative, considering the size of recent data breaches in the hospitality sphere and the estimate that more than $100 billion a year in reward points go unredeemed because more than half of reward memberships in the U.S. are inactive, which makes loyalty accounts a rich source of profit for criminals.

But while the value of airline loyalty programs and the customers they serve is well established, protecting these assets with adequate security controls is often an afterthought. Loyalty program systems are rarely treated as crown jewels, even though the customer data they collect and use is without doubt among the most sensitive the business holds and a critical part of its livelihood. When customers’ personal and financial data is lost in an attack, the result is fines, lawsuits and elevated breach remediation costs that justify rethinking how we protect loyalty programs.

Figure 1: Today’s airline applications are falling prey to account hacking, leading to loyalty fraud (Source: IBM Trusteer airline fraud vectors demo)

A note to chief information security officers (CISOs): B2C risk may not be your problem. But think again. Fighting fraud that attacks consumers, like loyalty fraud, requires deploying security technologies. We urge you to consider joining your digital colleagues at the table to help them understand solutions that can make a difference.

Airline Loyalty Programs Are a Top Target

While loyalty program fraud can hit a large variety of organizations, from entertainment to restaurants to grocery stores, 2019’s “IBM X-Force Threat Intelligence Index” noted that the transportation industry, which includes airlines, is the second most targeted sector for cyberattacks.

Figure 2: Most frequently targeted industries in 2018 (Source: IBM X-Force)

Airline reward programs are such a lucrative target because they are both a kind of currency and replete with personal information on frequent flyers. These factors make the airline industry — and the hospitality industry as a whole — a top target for hackers motivated by financial gain. And with 4,378 million passengers per year, the airline industry is a gatekeeper to an immense quantity of data from which cybercriminals can make illicit profit.

In a data breach that recently befell an Asian airline company, frequent flyer-related information was among the data taken by attackers. In the case of a major U.K. airline, the attackers specifically accessed the personal data of some 500,000 customers who had used a payment card to make reward bookings. These are just two recent cases. The wider picture of hospitality award fraud has been affecting hundreds of millions of customers worldwide.

Monetizing in the Dark

Once the data is in the hands of the attackers who breached it, these troves are on their way to being monetized by fraudsters in the dark corners of the web. Just take a peek at some of the more popular darknet markets — anonymous sites on the web where illegal activities can go undetected — for a mind-boggling eyeful of stolen frequent flyer program (FFP) miles for sale.

Figure 3: Frequent flyer miles are sold on the darknet (Source: IBM X-Force)

Alongside masses of airline points offered for sale, reward points that can be used for hotel bookings are also on offer. And that’s just part of the picture; darknet vendors even offer “air miles account takeover services” for sale, helping lower the bar for would-be criminals looking to try their hand at loyalty program fraud.

Chris Staab, co-founder of the Loyalty Fraud Prevention Association (LFPA), explains: “Today’s loyalty program industry is a large ecosystem of partners offering purchases through frequent flyer points. On the dark side, you have ‘mileage brokers’ that illicitly buy and sell points.”

LFPA research found 1 percent of today’s redeemed miles to be fraudulent — a $3.1 billion problem worldwide.

The potential cost of stolen points to the program’s operator is initially twofold: the cost of reimbursing customers and the fines levied by regulatory bodies for failing to prevent a data privacy breach.

The U.K. Information Commissioner’s Office (ICO) fined British Airways 183 million pounds, the largest GDPR-era fine to date, representing 1.5 percent of the airline’s 2017 turnover. GDPR rules allow fines of up to 4 percent of annual turnover, which can truly impact vendors that have already suffered considerable fraud losses and loss of business due to a breach.

The Ponemon Institute’s “Cost of a Data Breach Report,” sponsored by IBM, provides additional information about the true cost of a data breach.

Airline Sector Plagued by Familiar Threats

Where is the Achilles heel that attackers leverage to target airline loyalty program accounts? There’s a litany of fraud threats targeting users on both digital and mobile channels. These include phishing attacks, smishing texts (phishing over SMS) that lure people in with tempting offers such as free ticket giveaways, and bot-driven credential stuffing attacks that automatically submit numerous username-password combinations until one succeeds. Trojan operators are also part of the landscape of attackers who look to take over loyalty reward accounts.
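Credential stuffing has a recognizable shape in authentication logs: one source tries many different accounts in a short window and fails most of the time, which is the opposite of a legitimate user mistyping a password once or twice. The following added example (not code from the original post or from IBM Trusteer) shows a minimal sliding-window detector over a constructed sample of login events. The log format, the thresholds and the IP addresses are all assumptions made for illustration; the accounts that were successfully logged into during a flagged burst are the ones a loyalty team would want to review and re-secure.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real data). The line
# format (timestamp, source IP, attempted username, result) is an assumption.
# 203.0.113.7 tries eight different accounts in six seconds; 198.51.100.4 is
# one user mistyping a password once; 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2019-08-20T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-08-20T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-08-20T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2019-08-20T10:00:03Z ip=203.0.113.7 user=dave result=OK
2019-08-20T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2019-08-20T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2019-08-20T10:00:05Z ip=203.0.113.7 user=grace result=FAIL
2019-08-20T10:00:06Z ip=203.0.113.7 user=heidi result=FAIL
2019-08-20T10:00:10Z ip=198.51.100.4 user=alice result=FAIL
2019-08-20T10:00:25Z ip=198.51.100.4 user=alice result=OK
2019-08-20T10:05:00Z ip=192.0.2.9 user=ivan result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "ok": m["result"] == "OK"})
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that attempt many distinct accounts, mostly failing,
    inside a sliding time window. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start..end] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            fails = sum(1 for e in chunk if not e["ok"])
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Accounts that succeeded inside the burst are takeover candidates.
                hit = sorted(e["user"] for e in chunk if e["ok"])
                prev = alerts.get(ip)
                # Keep the widest window seen for this IP.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {"distinct_users": len(users),
                                  "fail_ratio": round(ratio, 2),
                                  "compromised_candidates": hit}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The distinct-account count is what separates stuffing from a single user's typos: 198.51.100.4 fails and then succeeds on the same account and is never flagged, while 203.0.113.7 trips the rule after its fifth distinct username. A production rule would also look across IPs, since stuffing tools spread attempts over proxies to stay under per-IP thresholds.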

Part of the problem is the old security-versus-usability challenge, with service providers trying hard not to affect the customer experience on their revenue-generating websites. When controls are applied, they can be basic or even ineffective. For example, some airline industry experts acknowledge that security controls in the user sphere rely too much on two-factor authentication (2FA) and static verification measures to protect loyalty accounts, even though attackers increasingly bypass such measures.

Addressing questions about ways to secure airline loyalty programs, Nikhil Borle of IBM Security told an audience at the Airline & Travel Payments Summit in Malaysia that loyalty program fraud involves taking over or creating a loyalty account. Once in, attackers look for every possible way to cash in the points. Mapping these steps lets defenders match security controls to the specific stage of the problem they wish to address.

Figure 4: Loyalty fraud at work, from account takeover to cashing out miles

An Awakening to Better Security

The good news is that the airline industry is waking up to the problem. In October 2018, the International Air Transport Association (IATA), an airlines trade association, validated a set of best practices for fraud protection. It issued a battle cry “to acknowledge the scope of loyalty fraud and manage it from a business perspective while tackling it from a technology perspective.”

The IATA recognizes the difficulty: “It’s hard to determine what might constitute unusual activity. These days, people accumulate a mass of loyalty points through a variety of conduits and not just an airline booking. And the travel patterns of many FFP members are inconsistent, ebbing and flowing with business needs.”

The IATA also noted that “methods that fraudsters use are varied and innovative. Social engineering, machine learning, and artificial intelligence are just a few examples … It is a constant game of one-upmanship going on between the fraudsters and those trying to prevent fraud.”

Let Airlines Fly Planes

It’s the job of airlines to fly their 4,378 million passengers safely to their destinations. Effective loyalty fraud gatekeeping means bringing in dynamic fraud detection and risk-based user authentication solutions that combine tooling, threat intelligence and a vast data lake, working in ways that fly under the radar of cybercriminals.

But is that enough? Can these controls help to mitigate risk in an era when rich customer data regularly makes it into the hands of fraudsters?

Fraud detection solutions need to be continuous and seamless and take a user-centric approach to authentication. They need to detect the risk of fraud without relying on measures like two-factor authentication, which often proves less effective against account takeover threats. Yet in the greater scheme of things, security should also be balanced with usability, avoiding friction that begets customer abandonment.

Today, we can arm up to not only fend off fraud, but also to cultivate delight throughout the customer journey using passwordless and personalized access and by requesting authentication only when warranted. That kind of customer journey leads to better Net Promoter Score (NPS). The great news, noted Staab, is that airlines with improving NPS have experienced top-line growth of 5–15 percent over the last 10 years.
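Risk-based authentication, as described above, scores every sensitive action (not just the login) and asks for step-up verification only when the score warrants it, so a member on a known device viewing a balance sees no friction while a redemption from a new device shortly after a contact-detail change does. The added example below (not IBM Trusteer's scoring model nor any code from the original post) is a small rule-based scorer over the kind of signals such a system would use; the signal names, weights and thresholds are assumptions chosen for illustration. It also covers the takeover-then-cash-out sequence in Figure 4 by weighting redemptions that drain most of a balance right after the account's email or phone was changed.

```python
from dataclasses import dataclass

# Decision thresholds are illustrative assumptions, not a vendor's settings.
STEP_UP = 40   # ask for additional verification
BLOCK = 80     # refuse and route to manual review


@dataclass
class ActionContext:
    """Signals available when a member attempts an action. All fields are
    hypothetical inputs a fraud engine would derive from session data."""
    user: str
    device_known: bool            # device fingerprint seen before for this user
    geo_km_from_last: float       # distance from the previous session's location
    hours_since_last: float       # time elapsed since the previous session
    ip_flagged: bool              # source IP flagged by credential-stuffing detection
    recent_profile_change: bool   # email/phone changed within the last few days
    action: str                   # "view", "book", "redeem", "change_email", ...
    redeem_miles: int = 0         # miles requested, for "redeem" only
    balance_miles: int = 0        # member's current balance


def risk_score(ctx):
    """Return (score 0..100, reasons). Weights are illustrative assumptions."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += 25
        reasons.append("new device")
    # Implied travel speed above ~900 km/h is not achievable between sessions.
    if ctx.hours_since_last > 0 and ctx.geo_km_from_last / ctx.hours_since_last > 900:
        score += 30
        reasons.append("impossible travel")
    if ctx.ip_flagged:
        score += 40
        reasons.append("source IP flagged for credential stuffing")
    if ctx.action == "redeem":
        frac = ctx.redeem_miles / ctx.balance_miles if ctx.balance_miles else 1.0
        if frac >= 0.8:
            score += 30
            reasons.append("redeeming most of the balance")
        if ctx.recent_profile_change:
            score += 30
            reasons.append("redemption shortly after contact-detail change")
    elif ctx.action in ("change_email", "change_phone"):
        score += 15
        reasons.append("contact-detail change")
    return min(score, 100), reasons


def decide(ctx):
    """Map a risk score to allow / step_up / block for this single action."""
    score, reasons = risk_score(ctx)
    if score >= BLOCK:
        decision = "block"
    elif score >= STEP_UP:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


if __name__ == "__main__":
    # Constructed scenarios (not real members): a routine balance check, a
    # suspicious cash-out, a login from a stuffing source, a modest redemption.
    scenarios = [
        ActionContext("alice", True, 0.0, 24.0, False, False, "view"),
        ActionContext("alice", False, 8000.0, 2.0, False, True, "redeem", 90000, 100000),
        ActionContext("bob", True, 0.0, 48.0, True, False, "view"),
        ActionContext("carol", True, 50.0, 10.0, False, False, "redeem", 25000, 100000),
    ]
    for ctx in scenarios:
        print(ctx.user, ctx.action, decide(ctx))
```

Scoring per action rather than once at login is what makes the control continuous: the same session can be frictionless for browsing and still be challenged at the moment miles leave the account. The stuffing flag alone is enough to trigger step-up, which is how the two controls feed each other.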

Loyalty fraud is here to stay, so let’s turn lemons into lemonade by letting transparent loyalty fraud protection fuel your digital growth.

IBM Security has solutions to help you counter cyber fraud and improve your customers’ digital journey. We invite you to learn more about IBM Trusteer solutions for fraud detection and risk-based authentication:

  • Come to IBM booth No. 71 at the World Aviation Festival in London on Sept. 4–6 to meet Trusteer experts and walk through login and account takeover use case demos for the airline sector.
  • Want to go deeper? Register for the Loyalty Fraud Prevention Association’s loyalty fraud trends webinar on Sept. 19, featuring Trusteer’s Shaked Vax as one of the panelists.
