Ai Editorial: 6 stringent measures for dealing with loyalty fraud

First Published on 18th February, 2019

Ai Editorial: Rather than relying on archaic methods, travel companies should look at dynamic multi-factor authentication, behavioral analytics and machine learning to combat loyalty fraud, writes Ai’s Ritesh Gupta    


The threat of account takeover (ATO) is being keenly followed and one of the reasons is the overall damage that it can cause to loyalty programs. 

No doubt the focus of fraudsters is now set on loyalty points/ miles. According to Connexions Loyalty, travel accounts make an attractive proposition on the dark web and airline loyalty accounts: $3.20-$208 each.

Fraudsters get access to stolen credentials from a number of sources:

• From data breaches, sold on the dark web

• Phishing with fake websites

• Malware, trojans, spyware

• Social engineering

• Hijacking a mobile device

Fraudsters can choose to either redeem the points for rewards for a travel product or sell the points for cash or transfer the points into a shell account. They can also use saved payment details if available.

The mayhem being created is multi-layered, and airlines are suffering on various counts.

Loyalty fraud isn’t just about an account being accessed or taken over illegitimately. A fraudster can complete a transaction via stolen credit card information, garner points/ miles for the transaction and eventually redeem the same for an airline ticket. On one hand, the airline has to face the chargeback process and loses out the transaction amount generated through the airline ticket transaction. They end up paying chargeback fees if purchases were made with fraudulent credit cards. On the other, the airline has to salvage the situation as it to ensure the loyalty currency accrued remains with the FFP member since it wasn’t used by them.


Also, as airlines look for more redemption options, the loyalty currency can be used for a variety of product categories. So ATOs and loyalty fraud are becoming more attractive for fraudsters.

With all this, trust the traveller has reposed breaks and it is extremely tough for any brand to salvage the association that has gone sour. Other than brand damage, the negative impact can also be measured in terms of revenue loss and operational costs.

Putting apt measures in place 

According to CashShield, one of the reasons that ATO attempts are rising is not only due to the growing value of FFPs, but also because of lack of stringent security. The problem arises owing to the fact that a FFP isn’t checked frequently. Connexions Loyalty highlights that 1 out of 3 customers will log in to check their accounts once every few months. According to Kount, 34% of loyalty program consumers only log into their accounts every few months and 23% check account balances even once a month, providing a huge window of opportunity for fraudsters to operate undetected for weeks. So if it gets hacked, gets manipulated or misused, then the chances of the real owner raising an alarm are low.

Fraud prevention specialists are recommending several measures:

1.     Username/ password combination isn’t enough. Imagine the number of data breaches that have taken place over the past few years. Since users don’t really change passwords and have same ones for multiple accounts, one hack means the combination of email ids and username/ password can be cracked for a loyalty program, too. Explaining how it works, Ravelin states that credential stuffing depends on ‘combo lists’ - lists of passwords and emails generally gathered from various data breaches. The combinations are then routinely run against a login with any successful attempts logged. This is usually referred to as account ‘cracking’.

It is vital to keep a vigil on accounts for anomalies to effectively notice the behavior of genuine and fraudulent customers. According to companies like CashShield and CyberSource, companies should analyze user behavior throughout the entire journey- including account creation and login, any account activity and also at the point of transaction such as redemption of points. Forter rightly points out that from the moment a customer logs onto a website, to redeeming loyalty points or entering a coupon code, their shopping journey is rich and simultaneously vulnerable to new methods of exploitation.

Ravelin recommends that targeting other tools that may indicate suspicious activity such as headless browsers, VPN, proxies etc. can be relied on as well.

2.     Machine learning technologies are emerging as an astute option to secure accounts. The efficacy of machine learning, especially real-time machine learning, can be explored for account protection. Rely on both supervised and unsupervised machine learning to comprehend both the historical patterns of use, as well as identify anomalies. According to CashShield, behavioral analytics with pattern recognition will be able to accurately filter fraudsters away from genuine users.

3.     Identity authentication: Technologies like behavioral biometrics, device fingerprinting etc. need to be focused upon for stringent screening. As Kount points out, these technologies allow a level of identify authentication to ensure that the person behind the screen is the real consumer. It is time to capitalize on options that enable a merchant to come into a situation where they can accept, reject, or challenge the users to authenticate themselves – before the event can occur.

4.     Avoiding unnecessary friction: Merchants are relying on two-factor authentication (2FA), but 2FA is not completely foolproof (susceptible to SIM hacks, SIM swaps) and unnecessarily impacts the user’s experience. Rather than using a blanket rule that forces every user to login with 2FA, real-time surveillance can be used to assess logins in the background, and only logins with borderline risks expected to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that security for accounts is not taken for granted. Companies like iovation recommend a dynamic, context-aware multi-factor authentication solution, which post integration with a mobile app, features multiple parallel authentication methods such as validating possession of a customer’s phone, pin codes, text verification, fingerprint scan etc. The focus is on deep analysis of the login device to make sure it is one that is registered to the account.  

5.     Beware of archaic methodologies: Sift highlights that measures such as putting a limit on how customers can earn points and spending requirements to accrue points shouldn’t be looked at. If an airline continues to deploy inefficient methods, then it would mean weak operational efficiency. This would result in a failure to ensure that more transactions can be processed without delay. Plus, a risk-averse manual reviewer, fearing increased chargeback rates, will reject borderline transactions as well. This is where the combination of humans and technology, for e. g., using machine learning to go through massive data sets and flag out potentially fraudulent behavior, is must. The call for full-machine automation can’t be ignored but it would depend upon the overall risk appetite of the merchant.

As Ravelin asserts, fraud never stays still. So merchants need to make swift progress to shield themselves from loyalty fraud.

6.     Dealing with intricate data environments: Airlines are scrutinizing and even executing plans to embrace cloud transformation, banking on open-source offerings rather being bogged down by proprietary technology. Enterprises must take on responsibility for ensuring data protections like encryption, tokenization, and masking within their environments or ensuring its protection when the data moves between SaaS applications or migrates to another application. 


Hear from senior executives about loyalty fraud at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK  (7-9 May, 2019).

For more information, click here

Follow Ai on Twitter: @Ai_Connects_Us