PYMNTS-MonitorEdge-May-2024

Cyberthieves Target Rewards Points

Payments professionals invest a lot of time and money protect payment card data and shopper PII specifics, but thieves are now zeroing in on an apparent soft spot: rewards points, especially points that can easily be converted into cash.

“Many companies give customers the ability to earn loyalty or award points and miles that can be used to book travel, buy goods and services online, or redeemed for cash. Unfortunately, the online accounts used to manage these reward programs tend to be less secured by both consumers and the companies that operate them, and increasingly cyber thieves are swooping in to take advantage,” noted a story in Krebs On Security. “Brendan Brothers, a frequent traveler from St. John’s in Newfoundland, Canada, discovered a few days ago that his Hilton Honors account had been relieved of more than a quarter-million points, rewards that he’d accumulated using a credit card associated with the account. Brothers said the fraudsters were brazen in their theft, using his account to redeem a half-dozen hotel stays in the last week of September, booking rooms all along the East Coast of the United States, from Atlanta, GA to Charlotte, N.C. all the way up to Stamford, CT. The thieves reserved rooms at more affordable Hilton properties, probably to make the points stretch further, Brothers said.”

The best part? “When they exhausted his points, they used the corporate credit card that was already associated with the account to purchase additional points.”

Krebs strongly encourages companies offering reward points to layer on additional security, “such as the ability to secure accounts with multi-factor authentication (e.g. via Security Keys or Google’s Authenticator mobile app).”

PYMNTS-MonitorEdge-May-2024