Loyalty points fraud: A real risk for a virtual currency

Author: Ryan Yuzon, Director of Consulting, RFi Group  

As busy payments and banking professionals, many of us travel the globe fairly often for business, racking up tens of thousands (if not millions) of frequent flyer points. Now imagine that you’ve finally decided to take some time off and want to take the family overseas. You go to log in to your frequent flyer account, expecting to see your six-digit points balance (for which you’ve spent innumerable nights crammed into an economy class seat), only to find that your entire balance has been wiped out! No amount of tears or banging your fists on the keyboard will bring back those points, lost forever to a new breed of fraudster. With the aggregate value of these programs ever increasing and holding points worth billions of dollars, what can be done to ensure the security of members’ points balances?

Trillions of Points and Billions of Dollars at Stake

Starting with the likes of Green Shield stamps and morphing into the modern format with the launch of the American Airlines AAdvantage program in the early 1980s, in a bid to encourage customer loyalty, most airlines, hotels, supermarkets, and other retailers have created extensive loyalty programs – which have become a de facto virtual currency (well before the advent of Bitcoin). Although hard to quantify, it was estimated in 2012 that there were almost 24 trillion unredeemed loyalty points on issue worldwide.[1] When rumours were swirling in 2014 that Qantas was considering selling off its Frequent Flyer division to raise short-term capital, valuations as high as $3 billion (AUD)[2] were assigned to the business, almost half of the total value of the airline today. The value of an individual point depends on how it is redeemed.

Typically, the best value per airline point can be derived from booking a first class seat – as long as you can manage to book one, given limited availability. At the other end of the spectrum, the least value per point is a redemption for consumer goods from the provider’s catalogue, such as for electronics or appliances. This is due to the fact that the program providers buy the goods in bulk at wholesale prices, offer them for redemption at retail prices, and pocket the margin. In general, the average value of a point in an airline program can be considered to be around one cent, across the variety of redemption options. Given the 23.8 trillion in points estimated to be on issue, this equates to roughly $238 billion in value sitting as a liability on the books of airlines, hotels, and other program owners.

These programs have established a comprehensive supporting ecosystem for earning points with a variety of partners, mechanisms for transferring points between programs, and opportunities for redemption for goods and services. Members of airline programs can earn points from flying (with bonuses for different classes of tickets), credit card spend with co-brand partners and bonuses for spending at certain merchants, hotel stays with affiliated properties (e.g., Hilton guests can earn United Miles), taking online surveys, opting in to certain marketing programs, renting cars, grocery shopping (e.g., Qantas points at Woolworths), booking cruises or vacation packages online, buying points outright, and myriad other ways. Once the points are accumulated, members can then transfer them between programs (e.g., airline to airline, airline to hotel, credit card to airline, etc.), to family and friends, or even to complete strangers. Finally, the points can be redeemed in a variety of ways including for flights (with or without the taxes and surcharges), flight upgrades, hard goods (e.g., toasters and DVD players), gift cards, donations to charitable causes, club lounge memberships, or even to define a once-in-a-lifetime custom reward (e.g., Starwood Preferred Guest Moments). This proliferation in ways to earn, transfer, and redeem points has given members almost unlimited flexibility and choice in their interaction with the brands to which they are most loyal. With this increased opportunity, however, comes increased risk that fraudsters will take advantage of weaknesses in the system to gain access to something that has real value.

With Increasing Value Comes Increasing Risk

The law of unintended consequences states that the actions of people (or more specifically in this case loyalty providers) always have effects that are unanticipated or unintended. Although seemingly benevolent, the issuance of loyalty points is largely in the self-interest of the provider, with the expectation that customers will be more loyal to a provider if they are accumulating rewards that can be redeemed for value. In order to maintain the value in the points program, providers must create new ways to earn and burn the points. The unintended consequence of providing these new avenues for usage, however, is that fraudsters will mercilessly exploit any loopholes in the system, loopholes that the providers themselves never imagined existed.


Recent high-profile cases include fraud incidents involving Hilton Honors and Starwood Preferred Guest accounts. Until recently, members could log in to their Hilton Honors account using only their account number and a 4-digit PIN. A 4-digit PIN has just 10,000 possible values, so with the aid of automated programs (“bots”) fraudsters could simply try every PIN against an account until one worked. Starwood account compromises occurred largely as a by-product of breaches elsewhere: because people often use the same email address and password combination on many sites, fraudsters could log in to Starwood accounts by replaying credentials stolen from other websites (so-called credential stuffing).
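To make the Hilton-style weakness concrete, the following is an added example (not code from Hilton, Starwood or RFi): a toy login service that accepts an account number and a 4-digit PIN, a “bot” that walks every PIN in order, and the same service with a consecutive-failure lockout. The service, the account number 12345678 and the PIN 7391 are all constructed for illustration; only the arithmetic (10,000 possible PINs) comes from the text above.

```python
"""Toy model of a loyalty login protected only by a 4-digit PIN.

Added example (not code from Hilton, Starwood or RFi): it shows why an
unthrottled 4-digit PIN falls to a bot, and what a failure lockout changes.
The service, account numbers and PINs are all constructed for illustration.
"""
import hashlib
import hmac
import secrets


class PinLoginService:
    """Login by account number + 4-digit PIN, with an optional failure lockout."""

    def __init__(self, max_failures=None):
        self.max_failures = max_failures  # None = no throttling (the weak configuration)
        self._pins = {}                   # account -> (salt, PIN hash)
        self._failures = {}               # account -> consecutive failed attempts
        self.attempts = 0                 # total login calls seen, for the demo

    @staticmethod
    def _hash(salt, pin):
        # Few iterations keep the demo fast; a real service would use far more.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100)

    def enrol(self, account, pin):
        salt = secrets.token_bytes(16)
        self._pins[account] = (salt, self._hash(salt, pin))
        self._failures[account] = 0

    def is_locked(self, account):
        return (self.max_failures is not None
                and self._failures.get(account, 0) >= self.max_failures)

    def login(self, account, pin):
        self.attempts += 1
        if account not in self._pins or self.is_locked(account):
            return False  # unknown account, or locked: even the right PIN is refused
        salt, digest = self._pins[account]
        if hmac.compare_digest(digest, self._hash(salt, pin)):
            self._failures[account] = 0
            return True
        self._failures[account] += 1
        return False


def brute_force_pin(service, account):
    """Bot behaviour: try every PIN from 0000 to 9999; return the first that works."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if service.login(account, pin):
            return pin
    return None


if __name__ == "__main__":
    weak = PinLoginService()                 # account number + PIN, nothing else
    weak.enrol("12345678", "7391")
    print("no lockout:", brute_force_pin(weak, "12345678"), "after", weak.attempts, "tries")

    hard = PinLoginService(max_failures=5)   # lock after 5 consecutive failures
    hard.enrol("12345678", "7391")
    print("with lockout:", brute_force_pin(hard, "12345678"), "locked:", hard.is_locked("12345678"))
```

Against the unthrottled service the bot recovers the PIN after at most 10,000 attempts (7,392 here); against the locked-down one it never gets past five guesses. A lockout on its own is not the whole answer, since anyone who knows an account number can now lock its owner out, which is why it is usually paired with per-source rate limiting, a CAPTCHA challenge after a few failures, and a second factor so that there is no single four-digit secret to guess.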

Loyalty points fraud falls into three main categories:

  • Internal Fraud – where employees or other insiders of the loyalty program provider perpetrate fraud from within the organisation, due to insufficient controls.
  • External Fraud – where fraudsters attempt to take over accounts using false identities or stolen credentials (or transfer points or generate fake points or whatever clever new concept they have recently developed).
  • Friendly Fraud – where the true owner of the loyalty points account willingly perpetrates fraud with points earned either legitimately or illegitimately. The case where family members take over another family member’s account also falls into this category (although it might not be too “friendly” if the fraudster is an ex-spouse).

Examining each of these in turn can illuminate some of the ways in which fraudsters are taking advantage of loyalty providers.

Internal Fraud

The most common type of internal fraud is when employees of the loyalty provider (e.g., airline or hotel) take advantage of customers who have not opted-in to the loyalty scheme. There have been numerous cases where a flight attendant swipes their own loyalty card for duty free purchases whenever a customer does not present credentials of their own. In other cases, agents at the check-in desk will insert their own frequent flyer account into a passenger’s record if the passenger himself does not have one. As a final example, third party travel agents also have the opportunity to insert their own frequent flyer account numbers in passenger bookings, if not provided one by the customer.

External Fraud

There are numerous ways fraud can be perpetrated by individuals with no relation to the victim. A common scheme is setting up a fake travel agency that buys tickets with stolen points (or points bought on the black market); the tickets are then sold for cash to unsuspecting travellers. Fraudsters have also been known to sign themselves up for “family sharing” plans, linking their accounts to unwary (and unrelated) victims. Once the link is established, points can be transferred between “family members” into the fraudster’s account. Combined with “funnelling” (setting up multiple accounts and sweeping the points into a single master account), this obscures the transfers and makes them harder to detect. One airline loyalty program identified 180 fake memberships established by a single fraudster, who used them to funnel several hundred thousand dollars’ worth of stolen points from family transfers through the network of accounts and out into virtual gift cards – worth “real money”.

Enterprising fraudsters have even taken boarding passes left in airline seat pockets to later claim the mileage (if the boarding pass does not have a frequent flyer account number printed on it, then the fraudster can set up a new account in that name, apply for the points earned on that flight, and then sweep the points into their own account). Retail partnerships rewarding purchases with points have also attracted fraudsters, who, for example, buy 10 flat screen TVs and then return the TVs to the store after the points have been deposited in the loyalty account.

Typically, the points gained through external fraud are redeemed and used immediately, making enforcement difficult. Compounding the risk of external fraud is the fact that loyalty points accounts are not protected with the same level of security as found in financial accounts.

Friendly Fraud

The last category of fraud involves people violating the terms and conditions of the programs, or family members “stealing” points balances from each other. Cases of children or spouses redeeming points without the owner’s permission are common. Even more damaging are cases where individuals sell their points balances for cash (there are several forums established for this purpose) to ticket brokers, who then sell the tickets to “unsuspecting” travellers.


Complacency is Dangerous

To date, there have been few high-profile cases of loyalty points fraud, but loyalty providers (including banks with their own loyalty schemes) should not be lulled into a false sense of security, as this type of fraud could break out at any time. Wherever there is an aggregate store of value (in this case worth billions of dollars), it is guaranteed that fraudsters will be scheming to find ways to break in and corrupt the system. Loyalty providers need to be careful and prepare now to protect their programs.

Many of today’s solutions and fraud prevention policies are reactive, rather than proactive. Some airlines admit to stranding a passenger midway through their journey if they are found to be traveling on tickets acquired with fraudulent points. However, in many cases, the traveller is “innocent”, having unknowingly purchased from an unscrupulous ticket broker (though some may argue that these travellers are not exactly completely blameless, for if it seems “too good to be true” it usually is…).

By improving security practices now before loyalty fraud becomes a headline-grabbing major problem, providers can avoid brand-destroying incidents in the future. Some potential ideas include:

  • Remove frequent flyer account numbers from boarding passes, or truncate the full number. Financial institutions do not send bank account numbers over email or send them “in the clear” – the value in your stored loyalty account should be afforded the same (minimal) level of protection;
  • Limit the number of allowable points transfers between accounts to stop funnelling and obfuscation. Some providers already limit transfers (100,000 points annually, in the case of Qantas), while others have not closed this avenue for potential fraud;
  • Apply more stringent security to loyalty account logins and transactions. This could include requiring two-factor authentication for logins (two of the following: something you know, something you have, something you are), adding a CAPTCHA challenge to the login form, and throttling or temporarily locking an account after repeated failed attempts. Together these measures would blunt the brute force and password guessing attacks described above;
  • Consider third party solutions specifically aimed at reducing loyalty points fraud such as Perseuss and Cell Point Mobile (cited merely as examples; not reviewed nor endorsed by RFi);
  • As customers of these loyalty programs, users should avoid reusing login credentials across different sites, or at the very least ensure that their passwords for financial services websites differ from those used on social media websites, in order to reduce the risk of account compromise.

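The funnelling pattern described under External Fraud and the transfer cap suggested in the list above can both be checked from a program’s own transfer ledger. The following is an added example, not code from any loyalty program or from RFi: it replays a constructed transfer log, refuses transfers that would take a sender past an annual cap, and flags any account fed by many distinct senders within a short window (the fan-in signature of a funnelling network). The account numbers, the 30-day window and the fan-in threshold of four senders are assumptions; the 100,000-point annual cap is the Qantas figure cited in the list.

```python
"""Two controls against points funnelling: an annual transfer cap and fan-in detection.

Added example, not code from any loyalty program or from RFi. The transfer
log, account numbers, the 30-day window and the fan-in threshold are all
constructed assumptions; the 100,000-point annual cap is the Qantas figure
cited in the article.
"""
from collections import defaultdict
from datetime import date

ANNUAL_TRANSFER_CAP = 100_000  # points a single account may transfer out per calendar year
FAN_IN_THRESHOLD = 4           # assumed: distinct senders into one account within the window
WINDOW_DAYS = 30               # assumed review window

# Constructed sample transfer log: (date, from_account, to_account, points).
SAMPLE_TRANSFERS = [
    (date(2015, 3, 1), "FF1001", "FF2002", 20_000),  # ordinary family transfer
    (date(2015, 3, 2), "FF1001", "FF9999", 30_000),  # five unrelated "family" victims
    (date(2015, 3, 3), "FF1002", "FF9999", 25_000),  # all sweeping points into FF9999
    (date(2015, 3, 4), "FF1003", "FF9999", 25_000),
    (date(2015, 3, 5), "FF1004", "FF9999", 40_000),
    (date(2015, 3, 6), "FF1005", "FF9999", 15_000),
    (date(2015, 6, 1), "FF1001", "FF2002", 60_000),  # takes FF1001 past 100,000 for 2015
]


def transfers_over_cap(transfers, cap=ANNUAL_TRANSFER_CAP):
    """Replay the log in date order; return the transfers a per-sender annual cap would refuse."""
    sent = defaultdict(int)  # (account, year) -> points already transferred out
    refused = []
    for row in sorted(transfers):
        when, src, _dst, pts = row
        key = (src, when.year)
        if sent[key] + pts > cap:
            refused.append(row)  # a refused transfer does not consume the cap
            continue
        sent[key] += pts
    return refused


def funnel_accounts(transfers, threshold=FAN_IN_THRESHOLD, window_days=WINDOW_DAYS):
    """Return {account: sorted senders} for accounts fed by >= threshold distinct
    senders within any span of window_days, the fan-in signature of funnelling."""
    inbound = defaultdict(list)  # dst -> [(date, src)]
    for when, src, dst, _pts in transfers:
        inbound[dst].append((when, src))
    flagged = {}
    for dst, rows in inbound.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            senders = {src for when, src in rows[i:] if (when - start).days <= window_days}
            if len(senders) >= threshold:
                flagged[dst] = sorted(senders)
                break
    return flagged


if __name__ == "__main__":
    for when, src, dst, pts in transfers_over_cap(SAMPLE_TRANSFERS):
        print(f"refused {when}: {src} -> {dst} {pts} points (annual cap)")
    for dst, senders in funnel_accounts(SAMPLE_TRANSFERS).items():
        print(f"possible funnel account {dst}, fed by {len(senders)} senders: {senders}")
```

On the sample log the cap refuses only the June transfer that would push FF1001 past 100,000 points for the year, while the fan-in check singles out FF9999, which five different accounts feed within a week. The cap is a hard control applied at transfer time; the fan-in check is a detection that a fraud team would review, since a genuine large family could also trip it, which is why the threshold and window are tunable rather than fixed.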

Of course, the prudent loyalty program provider must weigh the inconvenience imposed on the customer against the incremental fraud risk reduction. Air France has recently implemented a policy that would seem to overshoot the mark. In light of increased fraud incidents, Air France now requires some award flights to be redeemed in person at an Air France agency, a major inconvenience for customers in countries without Air France agencies (such as the US). In addition, Air France customer service agents have not been properly briefed on the new ticketing policy, leading to confusion at the point of sale – a problem that engenders the exact opposite of customer loyalty.

Brand Loyalty Includes Brand Trust

Companies spend millions of dollars engendering customer loyalty to their brands. Inherent in this loyalty is trust in the brand, for if customers do not trust the provider then there is little chance they will remain loyal. As such, proactive investment in protecting the trillions of points on issue is money well spent in the interest of customer loyalty, profitability, and longevity.

--------------------------------------------------------------------------------------------------------------------------------------------------------------
[1] Sources: International Travel News, The Economist, and WebFlyer
[2] Source: www.smh.com.au/business/qantas-frequent-flyer-program-daunting-20140921-10jywj.html


If you have any questions regarding this article, please feel free to contact the author:
Ryan Yuzon, Director of Consulting, RFi Group
+61 2 9146 5954
ryuzon@rfintelligence.com