Behavioural biometrics proves key in preventing loyalty fraud

Companies across retail and other industries are bolstering their security, as hackers become more sophisticated by constantly changing their attack vectors. Their latest target: loyalty programs. The cost of data breaches is anticipated to hit USD 2.1 trillion globally by 2019. The cost of loyalty fraud can be as high as USD 8,000 for one instance. With 3.8 billion loyalty memberships nationwide, loyalty programs are proving to be a lucrative source for cybercriminals.

Rewards points often sit unused for long periods of time. An estimated USD 238 billion in rewards go without ever being redeemed. A customer at “store XYZ” might save their points to cash out on a big-ticket reward item but never use them. At least 44% of customers do not monitor accounts for suspicious activity. What’s worse, account holders often will not know they’ve been hacked until they log in.

The value of loyalty points for hackers

From tiered rewards programs to miles, loyalty points of all kinds are essentially the equivalent of cash. Rewards can be redeemed for products, free shipping, flights and hotel stays. The value these loyalty programs have across industries is tremendous. But most still rely on weak usernames, passwords and PINs that leave accounts vulnerable to cyberattacks. About 20% of people choose their birth year as their PIN. About 72% of airline loyalty programs have experienced fraud, while retailers consider loyalty fraud to be one of the most harmful threats.

In the airline industry, fraudsters have imitated travel agents, turning stolen miles into tickets that are sold to consumers, who remain unaware until they attempt to claim frequent flyer miles, finding their account significantly depleted.

Grocery stores are no exception. In Ottawa, a man was caught in February 2017, stealing shoppers’ PC Plus points used to redeem money off their grocery bill, totalling near USD 5,000.

On the black market, fraudsters trade customer loyalty points for cash. Stolen retail rewards can sell between USD 2 to USD 10 per account on the dark web; airline points, as high as USD 200. Credit card loyalty programs tend to be valued higher than most other types, going for as much as USD 65,000 per account, as they have a larger variety of offerings for customers. Credentials attached to these accounts can offer access to bank accounts, and other personal information that can be used to apply for new lines of credit.

Employees sometimes rig systems to allot more points to themselves and people they know. Hackers also gain access to loyalty accounts, using phishing scams or bots that can quickly crack usernames and passwords, take over accounts, or acquire credit card information. Hackers can obtain cardholder information in bulk, then deploy a botnet attack to buy numerous tickets with an airline of choice. Thousands of loyalty points are accumulated through these transactions, which a hacker can cash in or transfer before they’re caught.

Gift cards are also vulnerable to fraud. On a standard 16-digit card number, the first 12 digits are a non-random, the last four digits are random. A fraudster can steal unloaded gift cards and run random numbers to find the last four digits that belong to sold cards with real value. Fraudsters use this to make purchases and clone valid cards by reprogramming blank cards with new numbers.

Does a solution for preventing loyalty fraud truly exist?

It’s clear that loyalty fraud must be taken seriously. Consumers can update their passwords and monitor accounts more frequently but this puts the burden on consumers. Businesses must invest in new, stronger authentication processes. Passwords, pins and fingerprints are not enough to secure accounts. Behavioural biometrics offers a practical solution to address the fraud problem.

The technology behind behavioural biometrics is driven by AI and machine learning algorithms that quickly and continuously learn a customer’s behaviour patterns, building personalised models per user. Rather than relying on static fingerprints or iris scans, models derived from behavioural biometrics are based on the specific way an individual interacts with their devices and apps, encompassing the way a user types, swipes and taps – down to the hand they prefer to hold their device in. The technology harnesses “un”-predictive analytics by evaluating these behavioural models. These models are analysed to observe even the smallest deviation in “normal” behaviour, detecting fraudulent activity and avoiding account takeover. This can also be used to differentiate between a true user and fraudster, human or bot.

Behavioural biometrics will play a pivotal role in preventing loyalty fraud. It removes the need for customers to constantly monitor their accounts, while saving businesses from the costs of fraud. This authentication method makes it virtually impossible to replicate customer behaviour in real-time and easily fits into existing identity and access management platforms.

About Deepak Dutt

Deepak is a seasoned technology entrepreneur and CEO of Zighra, an AI-powered behavioral authentication and fraud detection platform. As the former CEO/CTO of Intsyx, Deepak spent over a decade as a security scientist at Nortel and Newbridge Networks. Deepak has authored over 15 patent applications, and is a recipient of Ottawa Business Journal and Ottawa Chamber of Commerce’s Top 40 Under 40 Award.

About Zighra

Zighra offers an AI-powered continuous authentication and threat detection platform. Providing a suite of intelligent analytics to create highly personalized models to authenticate the user in a transaction, Zighra’s solution is accessible across web, mobile and sensor-based devices. Zighra’s patented, light-weight technology tracks over 900 human and environmental traits including device, network, social, location, behavioral and biometric intelligence, as well as human-machine and machine-machine interactions.