(New York Times) – The punch cards stuffed in your wallet know next to nothing about you, except maybe how many frozen yogurts you still need to buy to get a free one.
But loyalty programs, as they shift from paper and plastic to apps and websites, are increasingly tracking a currency that can be more valuable than how much you spend: personal data. As a result, the programs know things about you that some of your friends may not, like your favorite flavor (mango), when your cravings strike (early afternoon) and how you pay (with your Visa), in addition to billing details and contact information.
Hackers are in close pursuit.
One loyalty-fraud prevention group estimates, conservatively, that $1 billion a year is lost to crime related to the programs. As a share of fraud not involving a physical payment card, such schemes more than doubled from 2017 to 2018, according to the Javelin Strategy & Research firm.
Some criminals use stolen credentials to impersonate customers, breach loyalty profiles and then tap into separate accounts. Others deplete balances or sell points on dark web marketplaces. One hacked Southwest Airlines rewards account with at least 50,000 miles was advertised for $98.88, according to the cloud security company Armor.
In a data breach revealed last year as one of the largest ever, thieves attacked Marriott’s Starwood unit, stealing the personal information — including five million unencrypted passport numbers — of more than 350 million customers and Starwood Preferred Guest members. Data stored in Dunkin’ Donuts’ DD Perks program was also exposed in an attack disclosed last year.
This year, several McDonald’s customers in Canada complained that criminals had breached their accounts on the chain’s loyalty app, My McD’s, and placed unauthorized orders, some totaling more than $1,000. A McDonald’s spokesman said that the company was aware of “some isolated incidents” involving fraudulent purchases but was “confident in the security of the app.”
Loyalty programs are “almost a honey pot for hackers,” said Kevin Lee, a risk expert for the digital security firm Sift. They tend to be, he said, “the path of least resistance”: easy to sign up for, shielded by flimsy passwords and often neglected by users. The programs, and their appetite for data, have grown, but security has not kept pace.
Daniel Najera was hit twice.
On April 9, he received a series of emails about his Hilton Honors account. Within an hour, the account had been linked to Amazon and all 80,000 of his Hilton points had been used to make purchases.
He said he had not taken those steps, and he feared that his Hilton account information, including his credit card number, might have been stolen.
Hilton said it had “the appropriate security and fraud protection measures in place.” The company also said it had reinstated Mr. Najera’s points after he reported the intrusion.
Mr. Najera, a chef who lives in Saginaw, Mich., said something similar had happened to his Buffalo Wild Wings loyalty account earlier this year. Signing into the app to participate in a March Madness contest, he saw that all 9,700 of his points had been spent in Fresno, Calif.
Alison Glenn, a spokeswoman for the chain, said it was aware of “a small number of robotic attempts to hack passwords” that appeared to have failed. Mr. Najera said the company had replaced his points.
“It kind of makes you wonder whether you still want to do this, whether it’s safe,” he said. “These programs try to get you to put all this information in there, and it’s worrisome.”
There are at least 3.8 billion rewards memberships in the United States, more than 10 per consumer, according to research from LoyaltyOne, a loyalty advisory company.
Companies use the programs to tailor deals and services to faithful patrons willing to divulge birth dates, payment card numbers, location data — even shoe sizes and favorite vacation spots. The information is analyzed for insight into how to appeal to customers individually to encourage even more spending.
In the past year, Exxon Mobil, PetSmart, Victoria’s Secret and Uber have started or revamped loyalty programs. Hospitals, utilities, wineries and publishing houses are experimenting. Jaguar Land Rover, in a test, rewards drivers with cryptocurrency if they enable data-transmission technology in their cars.
Rewards memberships have become “the single best source of individual customer data relevant to developing personalized marketing,” said Thomas O’Toole, executive director of the Kellogg School of Management’s data analytics program at Northwestern University.
“That’s where the ballgame is heading,” he said.
It’s not hard to see why, given how lucrative loyalty can be. Before Nordstrom started its Nordy Club last fall, the 10 million members of the program’s previous incarnation outspent nonmembers four to one, the retailer said.
The 10-year-old rewards program at Starbucks accounts for 40 percent of purchases at the company’s United States stores, and membership has surged more than 25 percent in the past two years. Last month, Starbucks added tiers of rewards that can be redeemed more quickly than in the past. Members may receive personalized ordering suggestions, like cold brew infused with nitrogen bubbles for customers known to drink the regular version.
Some brands have hooked their rewards to other companies. Walgreens offers points to shoppers who connect their accounts to Fitbit fitness trackers. In March, Chipotle briefly promoted a new loyalty program with cash prizes for consumers who also used the social payments app Venmo. Participants submitted the phone number associated with their Venmo accounts on a website created by Chipotle.
Companies are collecting so much data that it is often “more than they can actually use,” said Emily Collins, an analyst with Forrester Research.
“They’ve got oceans of data and puddles of insight,” she said.
As consumers hand over more data, many of them fail to monitor their accounts closely. More than half of the rewards memberships in the United States are inactive, and more than $100 billion a year in rewards points go unredeemed, according to the marketing firm Bond Brand Loyalty.
Tate Holcombe, a photographer in Arlington, Va., said he was usually “pretty religious about changing passwords and multiple verifications,” especially for accounts linked to payment data. With rewards programs, he was much more lax.
“Of course, that’s the one place I got hacked,” he said.
On March 23, Mr. Holcombe woke up at home to a 3 a.m. notification from his Domino’s loyalty account: His pizza was ready for pickup in Santa Clarita, Calif.
Someone had hacked his profile and used a coupon for a free pizza, he said. Personal details, like his phone number and address, had been overwritten with gibberish. When he complained, the company replaced his coupon.
Jenny Fouracre, a Domino’s spokeswoman, said the chain had “significant controls around the protection of loyalty accounts.” Although recycling a password across multiple accounts makes many customers vulnerable, she said, “information secured by us has never been compromised.”
After experiencing repeated attacks, credit card companies and banks “have battened down the hatches” and become harder to breach, said Marti Beller, the president of Kobie Marketing, which designs rewards systems. She said loyalty programs needed to do the same because “they have real currencies with real values.”
Some brands are strengthening their defenses with stricter login requirements like two-factor authentication and facial recognition. McDonald’s said its app replaced payment card information with a series of randomly generated numbers that protect accounts from data theft, but not from fraudulent purchases.
Many companies are also hiring digital security firms like Sift.
About 34,000 websites and apps use the company’s services. Sift has access to troves of data its clients collect on loyalty programs and can track the individual customers’ behavioral patterns across multiple accounts, analyzing them for possible fraud.
It is data protection fueled by data. When someone orders a latte from a cafe chain’s app, Sift can tell that the person is in New York using the same iPhone linked to past purchases. If, two minutes later, a clothing store account registered to the same person shows activity from an Android phone in Florida, Sift flags the transaction as suspicious.
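The cross-account check described above, as an added illustration that is neither Sift's code nor part of the article: it assumes each loyalty event carries a shared customer id, a device fingerprint and a coarse location (all hypothetical fields), and flags activity on a second account that, minutes after the first, comes from a different device in a different place.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    customer_id: str  # identity shared across the merchant accounts
    account: str      # which loyalty program saw the activity
    ts: datetime
    device: str       # device fingerprint (hypothetical value)
    state: str        # coarse location derived from IP or GPS


WINDOW = timedelta(minutes=10)


def flag_cross_account_anomalies(events, window=WINDOW):
    """Return (suspicious_event, prior_event) pairs.

    An event is flagged when, within `window` of an earlier event by the same
    customer on a different account, both device and coarse location differ.
    Same-device activity is never flagged, so one phone used for two apps in
    the same city stays clean; so does a genuine trip hours later.
    """
    flagged, by_customer = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        history = by_customer.setdefault(ev.customer_id, [])
        for prior in history:
            if ev.ts - prior.ts > window or prior.account == ev.account:
                continue
            if prior.device != ev.device and prior.state != ev.state:
                flagged.append((ev, prior))
                break
        history.append(ev)
    return flagged


# Constructed sample events, not real customer data.
SAMPLE = [
    Event("cust-1", "cafe", datetime(2019, 4, 9, 14, 0), "iphone-ab12", "NY"),
    Event("cust-1", "clothing", datetime(2019, 4, 9, 14, 2), "android-9f0c", "FL"),
    Event("cust-2", "cafe", datetime(2019, 4, 9, 14, 0), "iphone-77aa", "NY"),
    Event("cust-2", "clothing", datetime(2019, 4, 9, 14, 3), "iphone-77aa", "NY"),
    Event("cust-3", "cafe", datetime(2019, 4, 9, 9, 0), "iphone-c0de", "NY"),
    Event("cust-3", "clothing", datetime(2019, 4, 9, 17, 0), "android-1234", "FL"),
]

if __name__ == "__main__":
    for ev, prior in flag_cross_account_anomalies(SAMPLE):
        print(f"suspicious: {ev.account} from {ev.state}/{ev.device} "
              f"{ev.ts - prior.ts} after {prior.account} from {prior.state}")
```

Only the first customer's clothing-store order is flagged; the second customer's same-phone activity and the third customer's eight-hour gap pass as ordinary behavior.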
Sift’s omniscience might feel invasive, as if consumers were pledging loyalty at the expense of privacy. But to security experts like Mr. Lee, the trade-off could be worse.
“Fraudsters are collaborating on the dark web about the different ways to exploit loyalty programs,” he said. “We’re leveling the playing field on the other side.”