Loyalty Frauds Exposed
According to a report by CyberSource (a Visa subsidiary), 90% out of 120 respondents that run complex loyalty programs experienced fraud in 2016. Of these, 84% described the issue as somewhat or very significant . What is even more concerning is that these figures, together with potential financial loss and reputational damage, are most likely to grow as popularity and access to loyalty programs rise. In order to mitigate these risks, program operators must realize the scale of the issue and secure their loyalty offerings as soon as possible.
Although it is quite challenging to define fraud in the loyalty program context, the most commonly reported fraudulent activities include:
1. Site staff accruing points by using their own cards when a non-member makes a purchase
2. Item returns, transaction reversals or misconfiguration of point refunds, leading to money being refunded to a member without properly deducting their loyalty points accrued for the sale
3. Exploiting a misconfiguration or a flawed POS integration that allows a discounted sales transaction, but with the full amount of loyalty points accrual
4. Site staff or contact center agents making unauthorized manual point corrections, point transfers or account mergers
5. Exploiting technical or configuration-related loopholes to either speed up the point accrual process, or to ensure qualification for a higher recognition tier or a bonus reward
6. Loyalty account takeover or identity theft
7. Multiple people using the same loyalty card (fraudulent only if the program terms and conditions do not allow this)
Below is a list counter-measures typically used to either mitigate or detect these fraudulent activities:
1. Customer personal data
|A de-duplication mechanism should be in place as part of the enrollment process, in order to ensure that both the newly created and edited customer profiles are unique and genuine.|
|Identified and confirmed fraudulent accounts should be blacklisted both in terms of the member’s personal data as well as details such as the originating IP address or physical address of the device used for enrollment.|
|One of the best ways of verifying whether the member’s address used for enrolment is genuine is to use address banks or special APIs allowing verification of whether, for example, a house number exists on a given street or the post code matches the other address components.|
Email or phone verification
|Email or (preferably) phone verification is an absolute must as a part of the enrollment process, in order to avoid mass account creation fraud and to ensure that the registering member is an actual person. Combined with the de-duplication mechanisms, this is a pretty good starting point for a secure member enrollment process.|
2. Program configuration
Suggestions in this section may not be applicable to all loyalty programs, as program configuration may vary significantly depending on the industry and use case. Nevertheless, it is important to consider all of the potential risks that these proposed counter-measures address at the program configuration level.
Delayed point booking
One of the easiest methods for preventing a wide spectrum of fraudulent activities is to delay loyalty point booking. This means that, after point accrual, there is a configured period of time during which these points cannot be used for redemptions or any other operations. In the vast majority of confirmed frauds resulting from either misconfiguration or a technical loophole, members tend to use their points very soon after earning them. A typical point accumulation period is much shorter for the fraudulent account compared to the program average.
Anonymous/ghost accountsIf the program allows anonymous/ghost loyalty accounts, where a loyalty identifier is used but the member has not yet completed the enrollment process, it is recommended that additional limitations are configured for these accounts. For example, no redemptions allowed before completing enrollment, shorter point expiration period, no point transfers or account mergers allowed, etc.
Limiting the allowed number of transactions per member
Although rule-based fraud prevention mechanisms have their limitations, it is still essential to configure some of the basic limits on particular transaction types. These can differ depending on the type of program, but will often include metrics such as maximum number of redemptions per member per day, a limit on the number of points accrued from a single transaction, a maximum number of identifiers linked to a single account, daily limits for point corrections and transfers, etc. The easiest way to establish these limits is to look at the historical data (for example, the highest number of daily redemptions for an individual member in the preceding year) and then to set a limit which is 110-120% of this value. This straightforward mechanism will prevent any significant deviations from the norm and may therefore prevent a number of potential fraudulent activities resulting from exploitation of a technical or configuration-related vulnerability.
Refunds, transaction reversals and item returns
In order to mitigate risks related to these processes it is recommended to have them clearly planned out with the proper procedures in place. It is crucial to establish all possible scenarios, including edge cases. For instance, what should happen if a member accrues 100 points through a purchase, redeems 80 points for a reward, and then decides to return the purchased item? Should the system allow for a negative point balance? If yes, then should there be a lower boundary?
3. End-point security
End-point security includes all loyalty platform access points for users and members. Commonly deployed end-points include web portal and/or mobile application for members, administrator and contact center applications (web or desktop) and some kind of reporting or business intelligence platform.
Member and user authentication
Regular security audits
No matter what kind of technology and procedures are implemented, new technical vulnerabilities emerge every day. A well-secured platform requires cyclical security audits and penetration tests, preferably by a third-party organization.
An important point to consider is that simple CAPTCHAs are insufficient to eliminate the risk of a web crawler, scraper, spider or any other type of undesired automated bot from gaining access to the protected contents of a loyalty member portal. Program operators or system providers should consider using honeypots and IP blacklists, regularly changing their webpage’s source code, and monitoring the web server logs for any suspicious activity.
4. User management
Minimum required access
Whenever user profiles are created and their corresponding privileges are assigned, it is important to follow the minimum required access rule. This means that users should be given just enough privileges within the system in order to do their jobs, and nothing more. In a vast majority of cases, site staff do not require anything more than being able to carry out basic balance checks or apply points when processing a sale transaction. Any other operations should be restricted in order to mitigate the internal fraud risks.
Additional approvalAnother good practice is to implement a four-eyes principle for certain risky activities such as manual point corrections over a configured limit, account mergers and point transfers, etc. This can help to prevent potential fraudulent activities committed by the staff, and reduces the risk of human error that would otherwise be tricky to roll back.
Lastly, it is crucial for the system owner to monitor key loyalty program indicators such as periodic volume of enrollments, accruals and redemptions, member distribution amongst recognition tiers and partner balance reconciliations. Spotting an unusual peak or an outlier on a report or a diagram is a very good start for a potential fraud investigation. This is relatively straightforward at the macro (program) level, but it gets very challenging or even impossible to detect anomalies manually at the micro (member) level. This is an area where machine learning/artificial intelligence algorithms may help, as they are capable of processing enormous volumes of transactional data in real time to prevent a fraudulent transaction from causing any damage in the first place.
 CyberSource Corporation, „Loyalty Fraud Report,” CyberSource Corporation, 2017.