MFAed (activated multi-factor authentication) on that account?
A recent hack of over 600,000 members of U.K. supermarket giant Tesco’s Clubcard loyalty program is drawing attention to the unappreciated and under-protected accounts of loyalty programs. While no members are reported to have had points stolen on this occasion, back in 2016, Tesco Bank was hit by an attack that resulted in a direct theft of over £2 million and a fine from regulators of over £16 million.
Loyalty programs – like those for regular customers at the grocery store or an airline’s frequent flyer program – are a well-established way to reward consumers. It’s a logical strategy: record customer activity and provide benefits to customers once they’ve used a certain level of your services. Studies show that these programs work: people attach real value to them and to the rewards they provide.
Securing loyalty programs is complicated by a perception problem among both providers and users. Companies with loyalty programs often don’t give the data in loyalty accounts the same level of protection given to other financial account information – even though these accounts still often contain a significant amount of Personally Identifiable Information. Users operate with a similar mindset. While loyalty programs provide users with real benefits and even real toys, these benefits are not seen the same way as money in a checking account. Even the IRS does not treat them as taxable income.
The practical result is that people often don’t spend much time or effort securing their various loyalty accounts. They might never even check the accrued benefits. The loyalty program is valued, but certainly not as highly as cash.
Companies and their customers are not the only ones who see value in loyalty programs – so do cybercriminals. Loyalty programs that offer gift cards are especially vulnerable. The most common method is to obtain login credentials through a phishing email, which then enables the attackers to transfer accrued points to an electronic gift card for easy monetization.
In the recent Tesco case, the company believes the cybercriminals were able to access the accounts using login credentials that had been stolen from other websites. This approach relies on two primary tactics: reapplying lists of commonly chosen passwords such as “12345”, or trying variants of passwords that the specific individual has already used and that have been exposed in earlier breaches.
For Tesco’s Opencard users, there were no reported losses. But there are a few basic lessons to be learned from the situation – even for people who never shop at Tesco’s in the UK.