Cybercriminals target loyalty programs in search of easily traded data
Consumer loyalty programs in the retail, hospitality and travel industries rely on gathering information about their users. For criminals, this can offer everything they need to get started in a number of crime-related ventures, from account takeovers to straight-up identity theft.
A new report from Akamai reveals more than 63 billion credential stuffing attacks on the commerce category -- comprising the retail, travel, and hospitality industries -- over the last two years, 90 percent of them against retailers.
"Criminals are not picky -- anything that can be accessed can be used in some way," says Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report. "This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft."
Credential stuffing isn't the only attack vector, though. Akamai also recorded more than four billion SQL injection attacks over the same period, again with a large majority (83 percent) targeting the retail sector.
As we approach a holiday season likely to be dominated by online shopping, loyalty points that deliver discounts or other perks become an increasingly attractive target. Businesses should be doing more to protect these schemes.
"All businesses need to adapt to external events, whether it's a pandemic, a competitor, or an active and intelligent attacker," Ragan adds. "Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources."
The full report is available from the Akamai site and there will be a webinar to discuss the findings on October 22nd at 11am ET. There's also an infographic summary of the findings below.
Photo Credit: Daniel Krason/Shutterstock