The Loyalty Security Association (LSA) recently hosted its Spring Conference in London. LSA was formed to help the loyalty industry fight back against cybercrime, fraud, and account takeover (ATO) attacks. As consumer loyalty programs and rewards continue to grow as key elements of merchants’ business strategies, LSA is focused on helping merchants understand the key elements of Prevention, Detection, and Remediation – to stay one step ahead of the fraudsters.
Forter Senior Product Marketing Manager Daniel Shkedi attended the conference. He was a panelist in a discussion moderated by Chris Staab, CEO & Co-Founder of LSA, on “Defining What is Loyalty Fraud: From ‘Friendly Fraud’ and Gaming to Loopholes,” and later led a session entitled “Points-as-a-Currency (PaaC): The Value of Stolen Airline Points in Dark Web Markets.”
During the panel, Daniel spoke about emerging trends in loyalty fraud – specifically the growing specialization in this area and the emergence of sophisticated fraud rings. Online criminals are banding together and forming specialized fraud rings targeting specific industries and regions.
Fraud Ring Breakdown of Responsibilities:
- The Data Harvester. One individual in the fraud ring is typically responsible for gathering and harvesting data from victims. To gather this data, this individual will often launch phishing attacks (gaining sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication), through keyloggers (covertly recording the keys struck on a keyboard by a victim), or through purchasing breached data via dark web markets. This criminal is typically seated in one location removed from other members of the fraud ring.
- The ATO Attacker. This individual works from a second location and is in charge of actually taking the details collected by the data harvester and using them to launch account takeover (ATO) attacks. This criminal will break into accounts using automated techniques, bot attacks, or brute-force copy-and-paste methods. Once the accounts are hacked, the criminal will transfer points from legitimate accounts into fake accounts created by the fraud ring.
- The Money Guy. An additional actor within the fraud ring is responsible for the monetization of these efforts. This actor will create a funnel – similar to money laundering. The legitimate accounts and real points need to be funneled into other good accounts to hide the nefarious activities. To monetize the points, this criminal can use mule accounts and 1) redeem the points and then resell goods or gift cards, 2) steal and sell the raw data (points), or 3) barter or exchange services, using the points as bargaining currency to pay other criminals with stolen points.
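The three roles above leave a recognizable trace in a program’s point-transfer records: freshly compromised accounts moving points into newly created or mule accounts, and many sources converging on one destination. The following heuristic is an added illustration, not Forter’s or LSA’s code; the record fields (`src_new_device`, `dst_created`), the thresholds, and the transfer records themselves are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    """One point transfer (constructed record layout, not real program data)."""
    ts: datetime
    src: str                # account points are moved from
    dst: str                # account points are moved to
    points: int
    src_new_device: bool    # source session came from a never-seen device/IP
    dst_created: datetime   # when the receiving account was opened

def flag_funnel(transfers, max_dst_age_days=7, fan_in=3, window=timedelta(hours=24)):
    """Return destination accounts that look like fraud-ring collection accounts.

    Signal 1 (ATO then transfer): points land in a recently created account
    from a source whose session came from a new device.
    Signal 2 (funnel): one destination receives from `fan_in` or more distinct
    sources inside `window`, the mule-account pattern.
    """
    by_dst = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.ts):
        by_dst[t.dst].append(t)
    flagged = {}
    for dst, items in by_dst.items():
        reasons = set()
        for t in items:
            young = (t.ts - t.dst_created) <= timedelta(days=max_dst_age_days)
            if young and t.src_new_device:
                reasons.add("ato_to_new_account")
        # sliding window over the time-ordered transfers into this destination
        for i, first in enumerate(items):
            srcs = {t.src for t in items[i:] if t.ts - first.ts <= window}
            if len(srcs) >= fan_in:
                reasons.add("fan_in")
                break
        if reasons:
            flagged[dst] = sorted(reasons)
    return flagged

# Constructed sample: three compromised accounts drain into "mule1" within hours,
# one ATO victim feeds a day-old account, and one legitimate household transfer.
T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE = [
    Transfer(T0, "alice", "mule1", 40000, True, T0 - timedelta(days=2)),
    Transfer(T0 + timedelta(hours=3), "bob", "mule1", 25000, True, T0 - timedelta(days=2)),
    Transfer(T0 + timedelta(hours=5), "carol", "mule1", 60000, False, T0 - timedelta(days=2)),
    Transfer(T0 + timedelta(hours=1), "erin", "newacct", 15000, True, T0 - timedelta(days=1)),
    Transfer(T0 + timedelta(days=1), "dave", "spouse", 10000, False, T0 - timedelta(days=900)),
]
```

Running `flag_funnel(SAMPLE)` flags `mule1` on both signals and `newacct` on the ATO signal, while the long-standing `spouse` account is left alone; in practice the thresholds would be tuned against the program’s own transfer volume.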
Loyalty fraud is unique. It falls under the umbrella of policy abuse, wherein the abuse is perpetrated by good customers (or those who may look like “good” customers) for their own benefit. This creates a very real dilemma for merchants. When dealing with payment fraud, things are very black and white. Within the structure of policy abuse, things are a bit more grey. Your business is dealing with good customers, and how you approach curbing the abuse impacts your most valued shoppers. Should you add stricter policies to protect your business, it will impact the loyal customers and the overall customer shopping experience. If you simply look at abuse as “the cost of doing business,” you’re leaking potential revenue.
In the second session, Daniel led a discussion on “Points-as-a-Currency (PaaC): The Value of Stolen Airline Points in Dark Web Markets.” This session discussed the economic engines and market dynamics in dark web markets regarding stolen points/airline miles.
Do you know how much your points and airline miles are going for on the dark web?
In order to answer this question, scientific data was needed. To create a realistic sample, an automated Tor crawler was used to crawl the dark web for 48 hours and index pages, and a sample was then drawn from those pages (based on specific criteria).
- The average price per point on the dark web was 5.8% of the real value. In other words, points are being sold for a 94% discount on the dark web.
- 1.2 billion points were sold on the dark web, and 21% of these accounts had credit cards attached to them.
- 74% of the sampled data was in North America.
- 21 different airlines were captured in the sample. Many were low-cost domestic carriers, which are more heavily targeted for fraud because their rewards programs are less fleshed out and under-protected.
Persistent data breaches and under-protected loyalty programs are creating a new and lucrative vulnerability for airline merchants. In order to better protect their business and their most loyal and valued customers, merchants need to ensure they have the proper solution in place.
Interested in learning more about the details of Loyalty Program fraud vectors and the potential impacts to your business? Read our Loyalty Fraud White Paper.