Data security is big business, and consulting firms have identified a huge business opportunity in working with loyalty programs.
There’s no way to be perfectly secure, and programs don’t often admit what’s really going on — plenty of blame shifting, talk about the need for strong passwords and changing passwords (blame the customer), talk about third parties getting hacked (blame the partners).
The truth is that some amount of hacking risk is a cost of doing business; you don’t want to be ‘too secure’ or you’ll be too difficult to do business with. Customers who have to constantly change passwords that they can’t remember are customers who will be frustrated and won’t engage with the program online. And complex, unique passwords are passwords that members have to write down or store in an unencrypted file on their computer, which introduces its own, albeit different, security issue.
What’s more, shifting responsibility for security onto members doesn’t work when the programs effectively indemnify members against any consequences of a hack by restoring points in full. Why should members invest effort in hack prevention, when a hack doesn’t actually cost them anything?
But there are basic things that a program can do, and things that members can do, to keep their accounts more secure. And relative security is all they need – you don’t need to be hack-proof, just more difficult to hack than the next program and next member down the digital ‘street’.
How Hackers Use Points
Stolen points rarely get used for travel.
It’s too easy for airlines to find fraudulent bookings. Account hacks get noticed, and programs will cancel future travel reservations. Travel also carries too much risk for the thief, because a booking flags where a person will be going, under their real name, which creates the opportunity to intercept that person or at least track them down later. And there’s rarely enough time to resell the tickets retail.
A couple of years ago Priority Club (now IHG Rewards Club) had a glitch where you could click a link over and over for 300 points at a time, ostensibly to download their shopping bar tool (you should have only been able to do this once). People scripted the process and earned millions of points.
- Those who redeemed for future hotel stays got those reservations cancelled.
- Those who redeemed for airline tickets, thinking the program had to buy those so they were safe, had their tickets voided.
- Those who redeemed for e-gift cards, such as to Amazon, and immediately used those e-gift cards for items that shipped same-day made out with thousands of dollars in merchandise.
The Easy and Low Cost Way That Programs Can Combat Hackers
The key to these successful frauds is the instant cash-out, which is why I’m surprised that programs continue to offer electronic gift cards with instant cash-outs.
The easiest way to combat fraud, it seems to me, would be to slow down the redemption process for cash equivalents that are outside the core merchandise category of the program.
An airline can continue to allow travel up to departure, leveraging the government’s ID check procedures: only a small number of people will fake those documents, so most will be traceable if they redeem for actual tickets. But e-gift cards are sufficiently outside the core functionality of the program, and generally a poor-value use of points anyway, that requiring a secondary verification or a small wait before distributing them could make liquidation too inconvenient.
A program doesn’t have to be perfectly secure to deter hackers; it just has to be less convenient to hack than other sites!
Right now, loyalty programs that offer instant cash-equivalent redemptions are tempting because bank and credit card security has improved (though it is far from perfect). So loyalty programs are, as Willie Sutton said, “where the money is,” but they are also easy marks.
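A sketch of the redemption gate the post argues for, added here as an example (not code from any loyalty program): core-category redemptions go through immediately, e-gift cards sit in a hold that requires both a wait and a secondary verification, and a reported account hack voids anything still waiting. The category names, the 24-hour hold and the scenario clock are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: category names and the 24-hour wait are assumptions, not any program's rules.
CORE_CATEGORIES = {"flight", "hotel_night"}
CASH_EQUIVALENTS = {"egift_card"}
HOLD_PERIOD = timedelta(hours=24)
T0 = datetime(2024, 1, 1, 12, 0)      # scenario clock start (constructed)

def clock(hours: float) -> datetime:  # time `hours` after the scenario start
    return T0 + timedelta(hours=hours)

@dataclass
class Redemption:
    member_id: str
    category: str
    requested_at: datetime
    status: str = "pending"           # pending | held | fulfilled | cancelled
    verified: bool = False            # secondary check (e.g. emailed code) done

class RedemptionGate:
    """Core redemptions go through at once; cash equivalents are held until the
    wait has elapsed AND a secondary verification succeeded."""
    def __init__(self) -> None:
        self.held: list[Redemption] = []

    def request(self, r: Redemption) -> str:
        if r.category in CORE_CATEGORIES:
            r.status = "fulfilled"    # carrier ID checks cover the rest
        elif r.category in CASH_EQUIVALENTS:
            r.status = "held"         # nothing leaves until release_due()
            self.held.append(r)
        else:
            r.status = "cancelled"    # unknown category: fail closed
        return r.status

    def release_due(self, now: datetime) -> list[Redemption]:
        # Fulfil only items that are verified AND past their hold period.
        due = [r for r in self.held if r.status == "held" and r.verified
               and now >= r.requested_at + HOLD_PERIOD]
        for r in due:
            r.status = "fulfilled"
        return due

    def cancel_member(self, member_id: str) -> int:
        # A reported hack voids whatever of that member's is still queued.
        hits = [r for r in self.held if r.member_id == member_id and r.status == "held"]
        for r in hits:
            r.status = "cancelled"
        return len(hits)
```

The point of the queue is that a drained account can still be caught during the wait: a flight request is fulfilled at once (the airline can void it later), while the gift cards only leave once the member has passed the extra check and the clock has run.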
How Members Can Protect Their Accounts from Hackers
Readers on my post about the Starwood hack had some good suggestions.
- Use a strong password for your laptop or other computing device. Then use a password manager, so that you only need to remember one strong password and let the machine remember the rest for the various websites. You can also enable two-factor authentication for extra security.
- Use a strong password that you vary slightly by program. Say, “%&%aSBQS”, which you won’t ever forget because you use it over and over, followed by ‘spg’ for Starwood and ‘hilton’ for HHonors, etc. Now this won’t be hard to guess if someone were looking at your password and trying to modify it, but if they’re just running a list of email addresses and passwords in bulk against a given website it won’t work, because your ‘strong password’ is different on each site. On the other hand, that’s probably no better or different than just using the program name itself as your password (although that is guessable by an algorithm that’s testing common passwords).
Your laptop or other device should be encrypted. Password protection isn’t enough because a hacker can bypass or replace the operating system.
You should use a service like AwardWallet to track your accounts. You’re giving your passwords to a third party (although they offer the option of leaving your passwords resident on your computer rather than on their servers). They’ve always seemed reasonably secure to me, here are details, and I like that they participate in a bounty program for hackers to identify flaws, and I like their encryption methods.
You won’t check all of your account balances every day without a service like this, and the best thing you can do to protect yourself (for your own benefit rather than the program’s) is to notice any fraudulent draining of your account quickly.
I know there are security experts among my readers: what approach would you take?