Let’s talk about your loyalty, cards, passwords, and MFA

That card is in your wallet next to those credit cards, but is probably less protected. Yes, everyone sees the value in loyalty programs – and that includes criminals – so why haven’t you MFAed (activated multi-factor authentication) on that account?

A recent hack of over 600,000 members of U.K. supermarket giant Tesco has Clubcard loyalty program is drawing attention to the unappreciated and under-protected accounts of loyalty programs. While no members are reported to have points stolen on this occasion, back in 2016, Tesco Bank was hit by an attack that resulted in a direct theft of  over £2 million and a fine from regulators of over £16 million.

Loyalty programs – like those for regular customers at the grocery store or an airline’s frequent flyer – are a known way to reward consumers. It’s a logical strategy: Record customer activity and provide benefits to customers when they’ve used a certain level of your services. Studies show that these programs work and people attach real value to them and the rewards they can provide.

A question of situational ethics

Securing loyalty programs is complicated by a perception problem of both providers and users. Companies with loyalty programs often don’t give the data in loyalty accounts the same level of protection given to other financial account information – even though there is still often a significant amount of Personal Identifiable Information contained in them.Users also operate with a similar mindset. While loyalty programs provide users with real benefits and even real toys, these benefits are not seen the same way as money in a checking account. Even the IRS does not see them as taxable income.

The practical result is that people often don’t spend much time of effort in securing their various loyalty accounts. They might never even check the accrued benefits. It’s a problem where the loyalty program is valued, but certainly not as valued as cash.

Cybercriminals see the value in your loyalty

Companies and their customers are not the only ones seeing value in loyalty programs – so are the cybercriminals. Loyalty programs with gift cards are especially vulnerable. The most common method is gain password credentials through a phishing email – which then enables the hackers to transfer accrued points to an electronic gift card for easy monetization.

In the recent Tesco case, the company believe the cybercriminals were able to hack the accounts using login credentials which had been stolen from other websites. This strategy has them using two primary strategies — reapplying the list of favorite passwords such as “12345” or trying variants of already used and hacked passwords linked to the specific individual.

There is a password solution to your account issues 

For Tesco’s Opencard users, there were no reported losses. But, there are a few basic lessons to be learned from the situation – even for people that never shop at Tesco’s in the UK.

  1. If you have a loyalty program that accrues benefits, pay attention to the balance.
  2. Don’t recycle passwords between any accounts. Just don’t. And don’t even try to amend them slightly by adding a 1 or 2 to the front.
  3. If you  are hacked in one account and recycle passwords, it’s time to change the passwords in all of your accounts. And I suggest getting a password manager to help you pick more secure passwords and securely synche them between your devices.
  4. Use multi or two-factor authentication (2FA or MFA) or whenever possible. This reduces the chances of an account being tampered with or hacked by a phenomenal 99.9% according to Microsoft business study. With odds like that, this is a recommendation worth listening too.
As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.