Ai Editorial: Botnet attacks on loyalty programs, how to negate them?

First Published on 21st July, 2017

Ai Editorial: Airlines need to guard themselves against data server breaches, malware or phishing programs in order to protect a loyal traveller’s login credentials and account, writes Ai’s Ritesh Gupta


Fraudsters attacking loyalty programs isn't new, but the threat is stronger than ever before.

The use of sophisticated bots is one reason why airlines and travel merchants need to be wary of the situation today. These are small applications that execute automated tasks. The fact that once malware has infected a machine, that machine can be forced into a botnet is a serious concern. Bots are now at the forefront of triggering online fraud at large, and they can be deployed to test login credentials to take over user accounts. Considering that digital shoppers share their personal details and do not expect to fill them in again when they transact or shop using their favourite loyalty currency, all of this needs to be guarded. Botnets are being counted upon to step up the efficacy of malicious attacks – most commonly account takeover and distributed denial-of-service attacks.

Overall, travel merchants need to guard themselves against data server breaches, malware or phishing programs in order to protect a loyal traveller’s login credentials. 

Bots and loyalty fraud

The situation is precarious as fraudsters or hackers are equipped to use artificial intelligence to access the sensitive data that bots use to serve customers, including for transactions. In such attacks, members' personal information is obtained in a nefarious manner and a botnet attack is then unleashed to complete illegitimate transactions, for instance for air tickets. Miles are accrued and the fraudster further capitalizes on the loyalty currency for more illegal transactions. As far as redemption is concerned, the main focus is on digital gift cards, tickets and expensive merchandise that is easy to resell. Cybercriminals are adept at comprehending the configuration/structuring of gift card numbers, and botnets are part of their plans to target gift cards. When a card is breached, they steal the stored value. As the team at Chargebacks911 points out, the actual peril of loyalty program fraud is that the damage is already done by the time airlines come to grips with the fact that there has been a breach. If the breach is spotted too late, airlines can't resell tickets. Also, one has to deal with the applicable chargeback fees. And what happens to loyalty currency affiliated to an account that has already been redeemed? There are too many complications resulting from such malicious attacks.

Vulnerable areas

Experts point out that the availability of compromised identity credentials on the dark web in large numbers is a major indicator that authentication mechanisms tend to be poor, or at least that there is no room for archaic authentication systems. For cybercriminals or fraudsters, one of the main weapons is identifying vulnerabilities. So airlines need to identify the ways in which account information can potentially be accessed, in all probability via a blend of phishing scams, identity theft, and cracking of feeble passwords. This unauthorized account takeover results in misuse of the loyalty currency.

So what kind of attacks are these, and is the current fraud prevention set-up enough to combat botnet attacks, the signs of which could be, for instance, abnormal traffic patterns? Fraudsters or cybercriminals craft these attacks to look like authentic traffic. One of the major issues is coming to grips with low volume, low frequency attacks. Web application firewalls struggle since this layer was devised to avert attacks against web services and not against customer identities. Web application firewalls count on IP reputation services and IP address velocity filters to identify bots. This arrangement is futile considering that botnets rotate IP addresses and have access to previously leaked user credentials.

As for controlling this, merchants first of all need to detect any contextual aberration in the way users generally use their respective devices, or any signal of deviation based on other dynamic data points such as behaviour, location, networks etc.; identify whether devices or connections have been compromised by malware; and flag any unusual traffic patterns.

According to digital identity specialist ThreatMetrix, behavioural profiling and analytics constantly record all the actions pertaining to a device, account or persona. This paves the way for identification of low volume, low frequency attacks, even if they are distributed.

A rule set that checks for an IP address associated with numerous email accounts offers information on whether traffic is botnet-related or not.
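As an added illustration (not part of the original article or of any vendor's product), the Python below runs three checks over a constructed login log: the per-IP velocity filter the text says botnets slip under, the "one IP, numerous email accounts" rule just described, and a behavioural-profile check that flags a successful login from a device never seen on that account. All IP addresses, email addresses and device fingerprints are constructed sample data; the thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict, namedtuple

# ts = seconds since an arbitrary epoch; device = fingerprint hash the site computes (constructed)
LoginEvent = namedtuple("LoginEvent", "ts ip email device success")

def ip_velocity_alerts(events, window_s=60, max_per_window=10):
    """WAF-style velocity filter: flag an IP with more than N attempts in any window."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e.ip].append(e.ts)
    flagged = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] >= window_s:   # slide the window start forward
                lo += 1
            if hi - lo + 1 > max_per_window:
                flagged.add(ip)
    return flagged

def ip_many_accounts_alerts(events, max_accounts=4):
    """Rule from the text: one IP address associated with numerous distinct email accounts."""
    seen = defaultdict(set)
    for e in events:
        seen[e.ip].add(e.email)
    return {ip for ip, emails in seen.items() if len(emails) > max_accounts}

def account_deviation_alerts(events, known_devices):
    """Behavioural profiling: a successful login from a device never seen on that account."""
    return {(e.email, e.ip) for e in events
            if e.success and e.device not in known_devices.get(e.email, set())}

# Constructed sample: two genuine logins, a slow credential-stuffing run spread over six
# proxy IPs (one attempt every six minutes per IP), and one takeover using a leaked password.
EVENTS = [LoginEvent(0, "203.0.113.7", "alice@example.com", "dev-alice", True),
          LoginEvent(3600, "203.0.113.8", "bob@example.com", "dev-bob", True)]
for i in range(30):
    EVENTS.append(LoginEvent(60 * i, f"198.51.100.{i % 6 + 1}",
                             f"member{i}@example.com", "dev-bot", False))
EVENTS.append(LoginEvent(1900, "198.51.100.9", "bob@example.com", "dev-bot", True))
KNOWN_DEVICES = {"alice@example.com": {"dev-alice"}, "bob@example.com": {"dev-bob"}}

def run_checks(events=EVENTS, known_devices=KNOWN_DEVICES):
    """Velocity stays empty on this data; the other two checks catch the botnet and the takeover."""
    return {"velocity": ip_velocity_alerts(events),
            "many_accounts": ip_many_accounts_alerts(events),
            "deviation": account_deviation_alerts(events, known_devices)}
```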

Other than web application firewalls and detecting aberrations from usage patterns based on other dynamic data points, travel e-commerce players also need to count on shared intelligence that is real-time and accumulated from various industries and markets, on botnet proxy detection (the new generation of private botnet proxies does not appear on public proxy lists), and on keeping a vigil on application integrity and malware detection to monitor all devices connecting to digital assets.

Be it for processing transaction data or managing users' profiles and accounts, data security is a critical part of any loyalty program. It is imperative for airlines to shield their loyal members – right from account creation to managing the account/accrual of miles to redemption of points. All of this shouldn't hamper the experience at any touchpoint. The fraud prevention initiative, via behaviour analytics, device identification and tightening of data and IT infrastructure, needs to offer protection to loyal members even if the fraudster knows their password. If I can access my loyalty program account easily, can a fraudster be denied the chance to do so? Loyalty fraud security needs to evolve to match today's threats.


Hear from experts about loyalty fraud at the upcoming 2017 APAC Loyalty Fraud Prevention Workshop, to be held in Singapore on 23rd August this year.


Attend Ai's 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August).
