On Monday 11 November 2019, I was invited on the BBC Radio Gloucestershire breakfast show to discuss loyalty card fraud, in response to a few listeners who had reported having loyalty card points stolen. Protecting loyalty cards may not be something which immediately springs to mind when we think of cyber security, but many people collect a great deal of points and the run-up to Christmas is often when people are looking to spend them. Some estimate that $1 billion is lost to loyalty card fraud every year and other research, from Forter, suggests that the crime has increased by 89%.
What is loyalty card fraud? Many supermarkets, retailers, airlines and coffee shops offer loyalty schemes in which consumers can earn points for the money that they spend, with the ability to then spend those points on other goods or services. Loyalty card fraud is, quite simply, when those points are stolen and spent by criminals.
What enables loyalty card fraud - and how can you better protect your points? There are a few ways in which criminals may carry out these attacks.
Stolen or weak credentials: this is essentially account compromise - the criminals are using people's usernames and passwords to access their loyalty cards, either by stealing the details from the loyalty card provider (the supermarket, for example) or by cracking people's passwords, which is pretty easy for them to do if the passwords are weak. This is why it is important to use a different password for each of your online accounts, and to make those passwords strong. If you are using a weak password (such as a dictionary word, well-known phrase or a person's name), unfortunately it is easy for criminals to crack it using computer programs. If you are using a password you use elsewhere, it only takes the criminal compromising the password once to potentially have access to every account that you use it for. Check out our password guidance for more information.
Use two-factor authentication where it is available: 2FA adds a second layer of security to your accounts, so you are not just relying on your passwords. 2FA most commonly works by having a passcode sent to your phone when you go to log in to an account from a device that you haven't used to access that account before. So, if a criminal is trying to get into your account and they have your password, they would still need to get their hands on the code that is sent to your phone. Take a look at our guidance on 2FA to find out more.
Phishing: one way that criminals get hold of people's usernames and passwords is via phishing emails, calls or messages. They may send an email or a text message, for example, that looks like it comes from the loyalty card provider and prompt you to click a link to enter your username and password. When you enter your username and password, you believe you are on the legitimate site (and it may look very convincing) but you are actually entering your details on a site owned by the criminals and therefore, without realising it, you are handing your details over to them. If you are contacted and asked for your username and password - don't share them. Instead type the website address into your browser and log in there. If you need to take action on the account, updating your details for example, you will be prompted to do so when you log in. Alternatively, give the company a call, using a number that you know you can trust, for example from the back of the card.
Card cloning: a card skimmer is a device which a fraudster can use to swipe your card and steal the details from it. Cloned cards can then be made using the details, allowing the fraudster to spend any points on the card. Never hand your cards over to someone, even someone working in a store or coffee shop; always swipe them yourself.
Two other tips to protect yourself from fraud:
Be careful with the apps you download on your phone or tablet and check that they are reputable, trusted apps before you install them. This is because criminals sometimes spread malicious software via apps, which can potentially be used to steal your data, including your usernames and passwords. The iPhone app store scrutinises apps more rigorously than Android, so be especially careful if you use an Android device.
Keep your devices updated: updates aren't just about getting the latest emoji, but also making sure that known vulnerabilities are fixed. When an update becomes available, it is often because security bugs in software and apps have been found and fixed, so make sure you install the update as soon as you can.
The good news is that this advice doesn't just apply to loyalty card fraud; following these top tips will help you stay secure online in general.