These days, almost every B2C company across retail, restaurants, hospitality, airlines, and other industries has a customer rewards program, or loyalty program, in place. Rewards accounts give customers perks for their continued support of businesses through loyalty currency, whether that’s points to save on future purchases, special offers, travel miles, freebies, or other benefits. Since customers can connect their payment information to these accounts or preload money onto store cards, they function similarly to small bank accounts, but typically with significantly less security. They’re also exceedingly popular – for example, Starbucks’ Q3 Fiscal 2023 Results reported over 31 million active rewards members in the U.S. alone, up 15% from 2022.
Due to their large membership pools, the rewards programs offered by top brands represent sizable assets. In 2021, American Airlines’ AAdvantage program was reported to be worth up to $31.5 billion. But despite these staggering figures, these accounts often fly under the radar as potential targets for cybercrime. As a result, brands may fail to implement the appropriate security measures to protect customers’ rewards accounts against cyberattacks, and consumers may underestimate the risk of sharing their personal or financial information with these platforms or applications.
The appeal to hackers
Unfortunately, attacks against rewards programs are becoming more frequent. Earlier this year, retail chain Hot Topic experienced a series of data breaches in which hackers obtained valid credentials for its Rewards accounts, likely from a dark web database, and used them to gain unauthorized access to its website and mobile applications. Even more recently, Caesars Entertainment suffered a massive cyberattack that exposed the company’s loyalty program database, among other sensitive information, to hackers – causing a ripple of negative security implications.
So what motivations are at play for hackers? First, to participate in these programs, customers share sensitive information that cybercriminals are eager to get their hands on, such as names, emails, addresses, order histories, or payment details. Hackers may try to breach these programs to steal information, cash out, or utilize the loyalty currency, like air miles. Whatever their specific motivations are, cybercriminals have caught on to the fact that these programs are often easier to breach – and much less risky – than bank accounts or other fiercely protected assets. Additionally, since the digital infrastructure powering rewards programs is often built and administered by third parties, the security of these applications may not be on par with that of the brands they’re associated with.
Protecting rewards assets
In response to loyalty program attacks, companies often advise impacted customers to reset their account logins with “strong,” unique passwords. But in today’s cybersecurity environment, passwords are an entirely inadequate security measure to authenticate customers’ identities and keep hackers out. In fact, adversaries employ a wide array of highly effective techniques, such as phishing, social engineering, and credential stuffing, as well as readily available tools, including generative AI, to make bypassing passwords and weak multi-factor authentication (MFA) shockingly easy. So regardless of whether customers practice good password hygiene – like using password managers and not reusing passwords across accounts – passwords are not a true obstacle for hackers.
To better protect customers’ data and rewards revenue from security breaches, Chief Security Officers (CSOs) and other leaders need to be much more vigilant. Importantly, this means not relying on weak security measures like passwords or phishable MFA to keep loyalty accounts safe from threats. To ensure only authorized users can gain access, companies should implement passwordless, phishing-resistant MFA that is drastically more difficult for hackers to circumvent and take the burden of authentication off of customers.
For instance, passkeys are an up-and-coming authentication solution that companies can support, providing the highest possible level of security for accounts while keeping the login process easy and frictionless. Passkeys use public-key cryptography tied to a user’s account and a registered website or app. Users are validated through device biometrics, like facial identification or fingerprints, or a PIN or pattern. As the vulnerability of passwords becomes increasingly apparent, more and more companies are working to deploy passkey technology to their customers.
When today’s customers participate in loyalty programs with their favorite brands, they expect their personal and financial information to be well protected in return. But as the number of rewards breaches steadily grows, companies need to rise to the challenge and implement greater security for these accounts. A critical first step is to decrease reliance on passwords and other weak authentication factors like one-time codes and push notifications and move toward stronger MFA that’s resistant to phishing attempts, like passkeys. As security teams and consumers gain more knowledge of these solutions and increase adoption, they’ll mitigate top threats to their loyalty accounts and other valuable systems while delivering a modern customer authentication experience that delights.