By Reason Cybersecurity
on Mon Dec 28 2015
There’s nothing that says “Sorry buddy, I just couldn’t think of anything to get you” quite like a gift card. Perfect for people you don’t really know or for those of us who just can’t be bothered to pick something out, gift cards are the ultimate “easy way out” in the holiday season.
And then there are membership loyalty cards. Loyalty cards are stores’ way of holding on to just a bit more of your money as you check out at the register. A cashier will ask if you have a membership card and will proceed to rattle off all the benefits of having such a thing. Before you know it, you are a card-carrying fan club member of whatever store it was, entitled to some discounts and benefits. Oh, what fun!
We all love Gift Cards and Membership Loyalty Cards…and so do hackers
From a marketing perspective, gift cards and membership loyalty cards are a great tool because once you have bought someone a gift card or have opened your own membership, your money is as good as locked down. From the buyer’s perspective they are great because they are so convenient and fun, and they make a great gift in a pinch.
Well, it turns out that hackers and scammers love gift cards and loyalty cards too. In many ways these credit card look-alikes function just as credit cards do. The user sets up an account to which their card is linked. Those accounts often contain just as much sensitive information as credit card accounts do, including dates of birth and email and physical addresses. These accounts are typically not thought of as much of a security risk, so people tend to use weaker passwords and fewer security measures. Often, people rely on nothing more than a four-character PIN to secure their accounts, and hardly anyone bothers with two-factor authentication.
Points = $$$
Michael Smith, a managing partner of Information Airlines, says that “For several years, I’ve been telling anyone who will listen that they should think of their points and miles as money”. Hackers love loyalty points because they are so flexible when it comes to selling them on the darkweb. According to creditcard.com, after a recent hack involving Hilton Hotels and American Airlines cards, the hackers posted an ad on a darknet forum stating that with these stolen points/miles, a buyer could:
- Sell points/miles to online mileage-buying businesses
- Redeem them for physical gift cards, electronics and other goods through the e-tailer’s website
- Book hotels and flights
- Exchange points on point-exchange websites
Fraud using gift and loyalty cards is particularly appealing to criminals because these cards are so difficult to track digitally and can be exchanged for physical goods so easily. And gift cards can even be converted into cash.
That’s a whole lot of hacked caramel brulee lattes
In March, British Airways saw their frequent-flyer loyalty program hacked. While no information was exposed, it did ground would-be flyers for some time while the airline fixed the breach. Then the Starbucks gift card/loyalty card program was hacked. The card can be used to give gifts to other cardholders or to earn points. Users have the option of linking it to their PayPal accounts or filling it with up to $500 in advance. As of last September, ads were showing up on bitcoin forums advertising $100 in Starbucks points in exchange for $35 in bitcoins.
According to theregister.com, “loyalty card fraud is a ‘significant’ and growing problem.” According to James Chappell, co-founder of security firm Digital Shadows, “We do see a lot of forum activity and various discussions about people talking about monetising loyalty cards. Some brands are certainly targeted more frequently than others.”
If you simply can’t handle the thought of ditching your loyalty cards (and can’t be bothered to actually pick out a gift for your Aunt Tillie) there are some things you can do to keep your accounts safe:
So maybe on second thought you don’t want to get/give gift cards this year. When Grandma asks what you want for your present, just tell her you want an itchy knitted holiday sweater. Or maybe just cold hard cash.
Neither of those can get hacked.