Over the last 3 years, loyalty programs have become an attractive target of digital fraudsters. In fact, it was reported that 48 percent of businesses were hit by account takeovers (ATO), which cost companies more than $2.3 billion worldwide. Delta, Air Miles, Marriott, and PC Optimum loyalty programs were all hit by fraud with thieves reportedly hacking into accounts, stealing points, and going on shopping sprees. As fraudsters become more sophisticated in their techniques, companies need to be more sophisticated in their approach to fraud prevention and detection.
Here are 3 ways program operators can guard against loyalty fraud or gaming of the system:
1. Prevention: Multiple security features will safeguard loyalty programs
Consumers are willing to share more data with brands than ever before but expect their information to be protected. Our latest research found that 8 in 10 members want programs to use more of their data to personalize and improve the experience. To protect member data, the first line of defense in fraud prevention and ATO is a solid password policy. Review your password processes and rules on an ongoing basis to determine whether they need to be updated or strengthened. Password rules can include requiring special characters or a minimum password length, and disallowing the member’s name or all-too-common passwords such as “Password1234” or “123456.” A 4-digit PIN, or allowing a member to set simple, easily guessed passwords, is insufficient. Best practices include showing the customer the strength of the password they have chosen so they recognize the risk of a weak one.
To ensure members are who they say they are, operators should implement two additional security layers: email address validation, which requires users to confirm their email address, and two-factor authentication (or 2FA), which requires two ways to confirm a user’s identity. This is typically a password and a temporary authorization code that can be received through e-mail, text or phone. Two-factor authentication doesn’t need to be implemented for every interaction, but for certain activities such as redeeming points for digital gift cards, updating account information, and logging in from an unrecognized device, this is a best practice.
Your program business rules can also provide a simple way to control the potential for gaming. Put controls in place and state them explicitly in your terms and conditions. For example, you can cap the number of points a member can earn for non-transactional activities such as completing a product rating and review or a survey. Another example is limiting birthday promotions or gifts to one in any 12-month period, regardless of whether a customer changes their birth date during the course of the year.
2. Detection: Monitoring and detecting unusual activity allows operators to take action
While fraud prevention is critical, no business can be 100% secure, as fraudsters are constantly finding new ways to attack your program. To detect fraudulent activity, program operators need a better understanding of individual members’ and administrative users’ behaviors. Predictive models or algorithms can monitor for and identify unexpected, abnormal or undesired patterns and behaviors.
Based on velocity rules, alerts are triggered when behaviors stray from expected patterns. For example, a program might be flooded with new memberships from fraudsters trying to take advantage of benefits that are accessible right away, such as birthday gifts. Using a CAPTCHA as part of the registration process is a simple but important step to prevent fraudulent registrations, alongside velocity alerts that flag an issue. Flexible controls allow velocity rules to stop certain activities automatically, or they can alert operators to anomalies that may need further investigation. Further to this, plan to track an identity confidence score for each customer: essentially the confidence you have in the user’s identity based on various inputs, including but not limited to their actions, IP address, device ID, etc. If someone is logging in from an unrecognized device, this reduces the score. If unusual activity causes an identity score to drop, this can set off appropriate alerts and also trigger 2FA to validate the customer’s identity.
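The velocity rule and identity confidence score described above, together with the step-up 2FA rule from the prevention section, as an added example that is not part of the original article. The window size, score weights, threshold, action names and sample events are all constructed assumptions, not figures from the text.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy values (not from the article). The two actions are ones the
# text singles out as needing 2FA regardless of score.
SENSITIVE = {"redeem_gift_card", "update_profile"}
SCORE_THRESHOLD = 70   # below this, step up to 2FA

@dataclass(frozen=True)
class Event:
    ts: int       # seconds since an arbitrary epoch (constructed)
    kind: str     # "register", "login", "redeem_gift_card", "update_profile"
    member: str
    ip: str
    device: str

def registration_velocity(events, window_s=600, max_per_window=5):
    """Velocity rule: {ip: peak_count} for IPs exceeding max_per_window sign-ups in any window_s span."""
    by_ip = defaultdict(list)
    for e in events:
        if e.kind == "register":
            by_ip[e.ip].append(e.ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:  # slide the left edge forward
                lo += 1
            count = hi - lo + 1
            if count > max_per_window:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

def identity_confidence(event, profile):
    """0-100 score; profile holds devices/IPs seen on earlier verified sessions (weights assumed)."""
    score = 100
    if event.device not in profile["devices"]:
        score -= 40   # unrecognized device: the article's own example
    if event.ip not in profile["ips"]:
        score -= 20
    return score

def requires_2fa(event, profile):
    """Step-up rule: sensitive action, or identity confidence has dropped below threshold."""
    return event.kind in SENSITIVE or identity_confidence(event, profile) < SCORE_THRESHOLD

# Constructed sample: six sign-ups from one IP in five minutes, plus a legitimate trickle.
SAMPLE = [Event(60 * i, "register", f"new{i}", "203.0.113.7", f"dev{i}") for i in range(6)]
SAMPLE += [Event(3600 * i, "register", f"m{i}", "198.51.100.4", f"d{i}") for i in range(2)]
PROFILE = {"devices": {"alice-phone"}, "ips": {"192.0.2.10"}}
```

An unfamiliar IP alone (travel) costs 20 points and does not trigger 2FA, while an unfamiliar device does; a sensitive action always does.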
When suspicious activity arises, program operators need the ability to quickly block individual users’ IP addresses or entire IP ranges. For example, if 99.9% of a program’s user activity takes place in North America but there is an unusual amount of activity from another country, that country can be blocked.
While loyalty fraud prevention is an important area of investment, program operators need to find the right balance between risk and experience and understand where experience outweighs risk. For example, a program could require all reward redemptions to be shipped to the address on file, but that would cause member dissatisfaction. Having said that, over the last several years we’ve seen more and more brands increase measures to protect their customers’ data, the most obvious being 2FA and additional notifications to customers about log-ins from unexpected devices. You see this with Netflix, Apple, and many other brands. Consumer expectations continue to evolve, and program operators should track, flag or hold certain actions when appropriate and ensure their practices evolve as well.
When you implement additional security measures, it’s important to communicate to members that you’ve taken these steps to protect them and their data. And if loyalty fraud should happen despite your efforts, act and communicate quickly to remedy the situation.
Fraud schemes will continue to evolve, so make sure your security practices evolve along with them and keep your members’ data and hard-earned points safe.