The early November hack of an unknown number of members’ rewards in Hilton’s HHonors™ program was a wake-up call to the travel industry about the looming threat of online hackers, who are now turning their attention to a valuable digital currency: the points, miles and rewards stored digitally in members’ loyalty programs.
NB: This is a viewpoint from Kristian Gjerding, CEO of digital payments and security firm CellPoint Mobile, and was the result of a conversation after our reporting on the Hilton program hacks.
In the Hilton instance of what’s known as “loyalty program fraud,” members’ stolen rewards were converted into gift cards, airline tickets, Bitcoins and other merchandise, and then offered for sale at prices far below the rewards’ market value.
In another common loyalty program fraud scenario, online brokers buy and pool unwanted miles from members, selling them for cash to other interested buyers, also often at less than market value.
Even though it falls into a “gray area” of online fraud legality, loyalty program fraud presents a large and potentially damaging financial risk for airlines, hotels and brands that sponsor loyalty programs for their frequent passengers and guests. Based on the current cash-in values of various rewards, market data research indicates the total value of outstanding points/rewards/miles is about $360 billion – a valuable asset and emerging commodity for the issuing travel brands and their members.
Unless loyalty program managers have cybersecurity measures and fraud-detection solutions in place, those rewards remain vulnerable to online hacks and ownership schemes in which they can be shifted to other brands, or converted to other products or merchandise, and then sold by their unscrupulous new “owners” at a profit.
Vulnerable…and valuable
Why are loyalty programs so vulnerable? Some are easy to hack because of insufficient member account protection, simple PINs or passwords that can be cracked easily by computer processing programs that decode large amounts of data automatically. Other loyalty programs do not have the same levels of built-in security that protect bank accounts or other online accounts. What’s at risk is not only the financial value of these rewards to the brands that own them, but also the trust of consumers who want reassurances that their hard-earned points and miles are safe and secure, ready to be used when they need them.
The good news is that technology solutions can help thwart loyalty program fraud. For example, program managers can insist on more challenging passwords at account-sign-up, and they can deploy solutions and strategies that combine data to create a comprehensive profile for each member or passenger.
When online activity falls outside the norm for that person’s profile – for example, a change-of-address request from an unfamiliar email address, or a transaction linked to a mobile number different than that attached to the member’s account – automatic alerts, step-checks and multifactor authentication (one-time passwords) can be launched to temporarily halt a transaction until the member confirms its legitimacy. Activities that fall outside the automatic triggers can be held for deeper, manual investigation and research.
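The profile check described above, sketched as an added example that is not from the article or from CellPoint Mobile. The class and function names, the set of sensitive actions and the one-signal/two-signal thresholds are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

ALLOW, STEP_UP, HOLD = "allow", "step_up_otp", "hold_for_review"
SENSITIVE = {"change_address", "redeem", "transfer"}  # assumed high-risk actions

@dataclass(frozen=True)
class Profile:            # what the program already knows about the member
    emails: frozenset     # addresses previously verified for this account
    mobile: str           # mobile number attached to the account

@dataclass(frozen=True)
class Event:              # one online action against the account
    kind: str
    email: str
    mobile: str

def _digits(number):
    """Compare phone numbers on digits only, so formatting is not a mismatch."""
    return re.sub(r"\D", "", number)

def deviations(profile, event):
    """List the ways this event falls outside the member's profile."""
    found = []
    if event.email.strip().lower() not in profile.emails:
        found.append("unfamiliar_email")
    if _digits(event.mobile) != _digits(profile.mobile):
        found.append("mobile_mismatch")
    return found

def decide(profile, event):
    """Return (decision, reasons). Thresholds are illustrative assumptions."""
    reasons = deviations(profile, event)
    if not reasons or event.kind not in SENSITIVE:
        return ALLOW, reasons        # reasons are still returned for logging
    if len(reasons) == 1:
        return STEP_UP, reasons      # pause until the member passes an OTP
    return HOLD, reasons             # several signals: manual investigation

# Constructed sample data, not real accounts.
MEMBER = Profile(frozenset({"pat@example.com"}), "+1 (555) 010-0199")
EVENTS = [
    Event("redeem", "Pat@Example.com", "1-555-010-0199"),
    Event("change_address", "pat.new@example.net", "+1 555 010 0199"),
    Event("transfer", "x@example.org", "+1 555 010 0142"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.kind, *decide(MEMBER, ev))
```

Returning the reasons alongside the decision gives the manual-review queue the evidence behind each hold.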
Protect and protect
A few practical strategies for protecting travel loyalty programs from hackers and fraud:
- Treat loyalty program “assets” as bank accounts, with the same levels of security and protection from unwanted activity or hacks. Miles and points are forms of currency, and they have value to brands that award them for loyalty, customers who hope to use them someday for future travel, and outsiders who try to steal or manipulate them.
- Insist on secure, hack-resistant passwords and step-checks at sign-up so that from inception, members’ accounts are less vulnerable.
- Deploy fraud mitigation solutions that are tailored not only for loyalty program activities but for other mobile/digital activities as well, especially as travelers’ activities increasingly are conducted on mobile devices and on the go. With the eventual ability to mix-and-match cash, credit payments and rewards redemptions for financial transactions, airlines, hotels and retail brands will need comprehensive solutions that can detect, prevent and mitigate all types of fraudulent activities that occur in the complicated mobile payments ecosystem.
A broad-based approach to cybersecurity in the mobile-powered travel environment is critical for several reasons.
First, the entire mobile/digital ecosystem continues to grow more complex in the travel arena, populated by numerous mobile devices, disparate technologies and operating systems, and various new payments providers.
Secondly, as airlines and brands become more astute at detecting loyalty program fraud, the hackers will also become more sophisticated, able to launch higher-level tactics to continue their cybersecurity attacks. Loyalty programs must be ready for what will most likely become an evolving problem.
And as passengers, guests and consumers become increasingly dependent on mobile devices for shopping, traveling and other on-the-go activities, the security trail needs to follow them at every step of the mobile journey, ready to intervene if suspicious activities arise.