We hope you found Michael Smith (MS) and Luke Dynan’s (LD) session on “Fortifying Loyalty: Navigating the Perils of Cybersecurity” at last week’s Loyalty Conference both insightful and engaging. We received many excellent questions, and we’re pleased to provide the answers below:
QUESTION: What’s the biggest blunder you’ve seen a fraudster make?
ANSWER:
(MS) I would say there are two big ones. The first is they get greedy. One gift card fraudster got charged and convicted of an almost US$30 million scam and he probably would have gotten away with it if he had stopped much sooner. The second is that they share how to do the fraud with lots of others, which then alerts the programs to what is going on and, if they aren’t caught, the possibility of continuing the fraud is closed off.
QUESTION: How do you approach the synthetic creation of multiple accounts?
ANSWER:
(MS) The creation of synthetic accounts is a big challenge. Luke is probably better qualified to answer this. That said, there are a range of cyber tools that can spot ghost accounts being created at that level, and often fraudsters (even with bot help) are lazy, so there are repeating patterns in the likes of an email address or other synthetic elements that are being created.
(LD) With the right tools and technologies, there are multiple ways in which the synthetic creation of multiple accounts can be identified, including Email Analysis, IP Analysis: Similar, Behavioral Analysis: Velocity Checks, Link Analysis, Biometric Verification, Cross-Referencing Data and Machine Learning Models.
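The answer above lists email analysis, IP velocity checks and link analysis as ways to spot bulk synthetic registrations, and Michael’s point is that the fraudster’s laziness shows up as repeating patterns. The script below is an added illustration of those three checks over a handful of constructed registration records; it is not code from Accertify, the Loyalty Security Alliance or either speaker. The sample data, the five-minute window, the threshold of three registrations per IP and the list of dot-insensitive mail providers are all assumptions made for the example.

```python
"""Flag likely synthetic/bulk account registrations from three cheap signals:
email normalisation and templating, IP velocity, and link analysis.

Constructed example: records, thresholds and provider list are illustrative,
not rules or data from any real loyalty program or vendor.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample registrations: (account_id, email, ip, device_id, created_at)
REGISTRATIONS = [
    ("a1", "jane.doe@gmail.com",            "203.0.113.10", "dev-111", "2024-05-01T10:00:00"),
    ("a2", "j.a.n.e.doe+promo1@gmail.com",  "203.0.113.10", "dev-111", "2024-05-01T10:01:10"),
    ("a3", "janedoe+promo2@gmail.com",      "203.0.113.10", "dev-111", "2024-05-01T10:02:05"),
    ("a4", "jane.doe+promo3@gmail.com",     "203.0.113.11", "dev-111", "2024-05-01T10:03:30"),
    ("a5", "bob.smith@example.org",         "198.51.100.7", "dev-222", "2024-05-01T12:00:00"),
    ("a6", "loyal.member.0001@example.net", "198.51.100.9", "dev-333", "2024-05-02T09:00:00"),
    ("a7", "loyal.member.0002@example.net", "198.51.100.9", "dev-334", "2024-05-02T09:00:12"),
    ("a8", "loyal.member.0003@example.net", "198.51.100.9", "dev-335", "2024-05-02T09:00:25"),
]

# Providers that ignore dots in the local part (assumed for this example).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(email: str) -> str:
    """Lower-case, drop the +tag, and remove dots where the provider ignores them,
    so 'J.A.N.E.doe+promo1@Gmail.com' and 'janedoe@gmail.com' compare equal."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def email_template(email: str) -> str:
    """Collapse digit runs so 'member0001' and 'member0002' share one template."""
    return re.sub(r"\d+", "#", normalize_email(email))


def ip_velocity_hits(regs, window=timedelta(minutes=5), threshold=3):
    """Return the IPs that created >= threshold accounts inside any sliding window."""
    by_ip = defaultdict(list)
    for _, _, ip, _, ts in regs:
        by_ip[ip].append(datetime.fromisoformat(ts))
    hits = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits


def link_clusters(regs):
    """Link analysis: union-find over accounts sharing a normalised email,
    an email template, or a device id. Returns clusters of size > 1."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for acct, email, _, device, _ in regs:
        union(acct, "email:" + normalize_email(email))
        union(acct, "tmpl:" + email_template(email))
        union(acct, "dev:" + device)
    clusters = defaultdict(set)
    for acct, *_ in regs:
        clusters[find(acct)].add(acct)
    return [c for c in clusters.values() if len(c) > 1]


def flag_registrations(regs, window=timedelta(minutes=5), threshold=3):
    """Map each suspicious account id to the list of reasons it was flagged."""
    reasons = defaultdict(list)
    fast_ips = ip_velocity_hits(regs, window, threshold)
    for acct, _, ip, _, _ in regs:
        if ip in fast_ips:
            reasons[acct].append(f"ip_velocity:{ip}")
    for cluster in link_clusters(regs):
        for acct in cluster:
            reasons[acct].append(f"linked_cluster:{len(cluster)}")
    return dict(reasons)


if __name__ == "__main__":
    for acct, why in sorted(flag_registrations(REGISTRATIONS).items()):
        print(acct, why)
```

The template check is deliberately coarse: two genuine customers named bob1 and bob2 at the same provider would be linked too, so in practice a cluster is a review signal to combine with the other checks rather than an automatic block. Note also that a4 is caught only through link analysis, because it came from a different IP; that is the point of correlating several weak signals instead of relying on one.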
QUESTION: Where is a good source location to keep up to date with the latest fraud approaches?
ANSWER:
(MS) One place would be the Loyalty Security Alliance (LSA), which has webinars, conferences and, in various sectors, active groups of people that meet to discuss and share best practice.
(LD) I would also suggest the Merchant Risk Council as well as the Merchant Advisory Group, both of which are industry associations that provide resources, advocacy and community collaboration to help businesses address payment fraud and risk management effectively.
QUESTION: What’s your best approach with staff helping customers commit fraud?
ANSWER:
(MS) This is a really interesting area. Staff can sometimes be in on the fraud – for example, being overly generous with service recovery points – and sometimes unwittingly help a fraudster. The fraudsters, for example, know that call centres can often be a much easier place to get round anti-fraud processes. In one recent case a fraudster called in to a call centre and got the agent to merge two accounts – the account with lots of value didn’t belong to the fraudster. The agent was probably trying to be helpful rather than being in on the fraud. One way of looking at this is to start building a database of agent/staff workarounds. Rather than saying we are compiling an anti-fraud database, if that’s pitched as sharing best customer service practice it might be an eye-opening process, and not just from a fraud perspective!
(LD) Employee fraud is real and presents a constant threat to merchants. Effective merchant fraud prevention systems, whether they are provided in-house or externally, should be capable of picking up this activity, which also extends to employee policy and promotion abuse.
QUESTION: Put on your “fraudster” hat – what’s the most interesting example of loyalty program fraud you’ve seen?
ANSWER:
(MS) I never cease to be amazed at the lengths people will go to steal/commit fraud. The one that always makes me chuckle is the one where a hotel loyalty program had lots of its members’ accounts taken over and redeemed for free hotel nights. Perhaps nothing interesting per se with the choice of reward… it was just that it was an organised crime syndicate that was behind it and they were using the rooms for their prostitution business. Talk about maximising your margin.
QUESTION: What vertical is most at risk?
ANSWER:
(MS) The ones that have the highest value! Whilst there are people on the dark web selling $10 Pizza Hut Reward vouchers, anything that has a high value that can be turned easily into cash or near cash is what attracts the bots and Account Take Over.
QUESTION: What is your #1 recommendation to loyalty brands to prevent data fraud?
ANSWER:
(MS) I have a few that are interlinked. Think of Prevention and Detection as two areas. Prevention means that when you are designing the program in terms of rules and procedures you have fraud on your checklist. Part of that checklist is to get to know your cyber colleagues, as your eyes will be opened as to what is happening in that area (and sometimes in shock – and this isn’t just to do with loyalty!). Then when you design new features and benefits you can at least have the conversation with the cyber teams about what the law of unintended consequences could be. One scheme in Canada that merged two programs might have prevented some of the major fraud issues they had if they had had that conversation. The second is that this fraud will happen – whether it is traditional fraud and/or Account Take Over – so you need real-time monitoring systems to detect all of these things. I am sure that Luke can tell you more about that detection angle.
(LD) From a loyalty perspective, I would also add Account Creation/Registration, as we often see fraudsters creating many fake accounts to be used in events such as the one shared by Michael above. In terms of the most effective ways to detect and prevent fraud in the loyalty space, I would recommend the following steps: Implement Strong Authentication, Regularly Monitor and Audit Accounts, Educate Customers, Use Advanced Analytics and Machine Learning.
QUESTION: What could be some of the consequences of ‘friendly fraud’ if it’s not legally considered fraud for the consumer? And how can you limit the risk of this type of fraud as an organisation?
ANSWER:
(MS) So, what is often referred to as 1st party fraud – in other words, the customer is in on it – can often meet the (numerous) legal tests of fraud because they are obtaining benefits in a way that is “cyber shoplifting”. Most programs can see a number of flags in terms of loyalty fraud – so, for example, if the customer is claiming that they didn’t make the redemption, then things like the IP address, the password all being entered correctly – or even the name on an airline program being a family member – make those cases pretty straightforward. It is then what your T&Cs say – lots of programs have moved to ban the customers and forfeit any accumulated points if they think this is happening. However, it is very much on a case-by-case basis.
(LD) As noted in a previous response, First Party Misuse is a big challenge for many eComm merchants and, by extension, loyalty businesses/departments. Adding to Michael’s comments above, the Schemes (Visa, Mastercard and Amex) are increasingly allowing Compelling Evidence to be submitted by merchants as part of their defence. Compelling evidence in this instance can include such things as: Device ID / Fingerprint, IP Address, Customer Account / Login ID, Email Address, Delivery Address, Telephone Number, evidence of proof of possession such as photographs shared on social media, security footage showing the customer taking possession of merchandise, email correspondence etc.
QUESTION: How can loyalty program managers influence fraud protection when a lot of it sits within IT?
ANSWER:
(MS) We know from talking with lots of companies that the set-up, and where things sit, is different from business to business. Some have a fraud team within the program; for some, it is a separate loyalty fraud team; for others, it sits within general fraud; and for some, it sits within cyber. The key is getting to know these people and discussing with them when changes are planned to features and benefits – so, if you plan on having a microsite for a promotion, or allowing mileage pooling and transfers, ask them: ok, we know that fraud is a potential problem, how do we do all we can to stop this before it starts?
QUESTION: Are you seeing an increase in fraud due to current macroeconomic pressures?
ANSWER:
(MS) As the Loyalty Security Alliance we did a small survey to ask what was happening post-COVID. It was a mixed picture (off a small sample size) with some up and some down. What the cost of living has done is get lots more people earning, and we know that lots of the fraudsters are now “peeking” into accounts… so they have access but are not necessarily cashing out immediately, letting the account continue to earn. Part of the challenge is that these numbers are not reported and most programs are not exactly keen on broadcasting the numbers!
(LD) We are seeing fraud and abuse morph into different forms, particularly around excessive returns and refunds, something that is impacting retailers especially hard, as well as first party misuse, where consumers raise invalid claims on their purchases in order to secure a refund or payment reversal.
QUESTION: What would be your top tips to protect a program from fraud for a small business that does not have huge cyber security/ data teams etc?
ANSWER:
(MS) From what I understand there are some cyber tools that are more aimed at smaller businesses that at least give you some advance warning of what is happening with your core program data/servers. Some of it is the design of your program and being aware that certain elements (pooling of points, transfers in and out being two big ones) are likely to make things easier for fraudsters.
QUESTION: Which fraud theme is responsible for the highest percentage of fraud?
ANSWER:
(MS) Herein lies part of the challenge, as there’s no agreed definition of loyalty fraud. Is gaming the system fraud or just poorly written rules/benefits/promotions? Even if you go with the broad definition of someone getting a benefit which the program wasn’t designed to deliver, you are still going to have measurement issues. Having said that, the traditional frauds are still there and, talking recently to several airline programs, they are increasing – partly driven by the increased ways that people can earn and redeem. Transfers in from other programs are increasingly popular, so the fraudsters take over an account in one scheme, transfer out to another (where everything looks above board) and then cash out from there. Over the last few years, the sharp rise has been in Account Take Over (ATO), but publicly available numbers are non-existent. ATOs tend to be time- and labour-consuming to put the customer back to where they were before, whereas some of the traditional frauds tend to be less costly. For airline programs, mileage brokers (where people are selling their miles too) is a contentious area – happy to share more info on that if that’s of interest.
(LD) Agree with Michael’s comments, keeping in mind that whilst fraud attacks occur in many different ways, they generally result in a fraudulent payment, theft (shopping points, miles, status points, money, identity, personally identifiable information etc.) or unfair access to goods and services that other members of the public cannot match. A growing problem for merchants is the concept of ‘Friendly Fraud’ (now known as First Party Misuse), where consumers claim products were never delivered or that the purchase was fraudulent in an attempt to obtain a refund or payment reversal. Many merchants find it challenging to present evidence refuting such claims and often proceed with either issuing a credit or accepting the Chargeback from their bank. We have seen that by using the right systems with the right evidence, merchants can achieve win rates greater than 70% on such claims.
QUESTION: Is it easier to mitigate risk with mobile apps vs. websites?
ANSWER:
(MS) Luke will be able to answer some of the techie parts of that – however, one British Airways hack directly related to their app (where it made a call out to a third-party provider and there was a vulnerability in the design).
(LD) Not necessarily; an account can be as easily breached on a mobile device as it can be via a website. This is where device intelligence plays an important part in fraud detection: an SDK can be integrated into a merchant’s mobile app to collect a range of device data, whilst JavaScript collectors applied to a website can pick up similar information, all of which is used, amongst other data variables, to detect risk in real time.
Authors
Luke Dynan, GM APAC, Accertify
Michael Smith, Managing Partner, AI Event – Airline Information