Editorial: Fighting fraud can’t be a competitive issue since criminals are not “brand loyal”. Just the way companies are fighting card payment fraud, there is a need to combat loyalty fraud in a similar manner, writes Ritesh Gupta
Revenue leakage, clean fraud, fresh fraud, criminal fraud…you may have heard of all of these. But there is one more type of fraud – loyalty fraud - that is now added to it.
Loyalty fraud isn’t a typical phenomena anymore. In fact, nothing is worse than companies haven’t come to grips with this menace.
This is exemplified by the fact that not only hackers, but current employees or ex-staff are also currently indulging in illegitimate activities related to Customer Loyalty Programs such as Frequent Flyer Programs (FFP's) and Hotel Guest Programs. Not only is there claiming or awarding of miles/points fraudulently, but the brand value as well as the trust of the customers takes a beating.
A couple of months ago Air India was embroiled in one such controversy. Type “Air India loyalty” on Google UK or Google India, then on the first page itself there is a news link about theft of passengers’ frequent flyer miles. This means any search about Air India’s loyalty program can have a detrimental impact on the brand, and negative impact on the association of a passenger with the airline or its FFP.
As it turned out, in case of Air India, FFP accounts were hacked and the bunch of fraudsters also featured an ex-employee. He apparently had access to Air India’s intranet and Internet-based systems.
“This is completely unacceptable (ex-staff gaining access even after not being associated with the organization),” stated Peter Maeder, Co-Founder & Secretary, Loyalty Fraud Prevention Association (LFPA), a new entity set up to fight loyalty fraud.
Stealing of points/miles is attractive
FFPs and Loyalty Programs worldwide continue to face capacity, regulatory, accounting and liability pressures, notwithstanding the fact that they compete for “share of mind” in an over-crowded loyalty environment.
Loyalty Programs have evolved, and as a result the earning and redemption options today are more than ever. Maeder says because of the new accounting rules introduced in 2008/2009, loyalty program managers are seeking more ways for their customers to redeem their points and miles. “Therefore, cash-like redemption programs are on the increase. As a result, stealing points/miles have become much more interesting for the criminal fraternity. Furthermore, so called “friendly fraud” - we should not talk about “friendly” fraud , fraud is a criminal act and can’t be friendly! - is very simply done by all people involved in loyalty programs (staff, but also travel agents or other third party organizations),” explained Maeder.
Simple measures first
Maeder says its imperative companies comprehend all possibilities of fraud - fraud by members, staff, travel agents, partners, data breaches/ hacks/ malware etc. and accordingly train relevant teams and find ways to forge reliability and security across the organization. “Rather than just dwelling on costly initiatives from the beginning, a solid foundation needs to be in place – enforcing certain values and creating awareness. Companies owe it to their loyal customers – protecting their data and shielding their reputation. This is absolutely mandatory at this juncture,” said Maeder. For example, a tendency to keep simple passwords is still there and this can result in a compromise of any IT system if the staff goes ahead with say “123456” as a password.
“Fighting fraud requires resources, both human (trained and dedicated staff) and technical (secure IT infrastructure). Many loyalty programs are being run on legacy IT systems, which are prone to hacking.
A professional organization is another requirement - Loyalty Programs are just starting to invest in developing teams and systems to respond adequately to the rapidly increasing threat. Not investing can cost even more money, but above all their reputation! Does it require media pressure, until the loyalty industry is waking up and starts taking the necessary steps to fight the phenomena?” questioned Maeder.
Companies with Loyalty Programs need to take simple measures first to ascertain the danger of cyber security and gradually move on to embracing high-level risk-based rule engines to monitor accounts for suspicious or unusual activity, and establishing automatic alerts for questionable activities.
For instance, Maeder referred to penetration tests. This evaluates the effectiveness of information security controls implemented in the real-world. Advantage of penetration testing: Knowing a system’s vulnerability before an invader gets to know it. This way areas susceptible to attack are exposed. Accordingly, remedial initiatives can be taken to foster a secure environment. Other than evaluating threat from outsiders, an internal assessment, too, can be done with the assistance of specially designed plug-computers to replicate an attack from within the client’s network.
Maeder referred to an important point when we talk of collective improvement.
“The credit card industry has long recognized that fraud is a significant cost facture to all parties involved in card payments. Therefore, they have set-up standards, guidelines and rules that have to be adhered to when accepting or transmitting credit card data (the Payment Card Industry Data Security Standards or PCI DSS).
To date, there is no body/organization that seeks to support the loyalty industry in a similar way,” pointed out Maeder. “Some companies have invested significant time and money to make their card payment infrastructure more secure and have been able to reduce their losses due to fraud. Unfortunately, similar efforts have not yet been undertaken so far and the hackers are clearly taking advantage of these “opportunities”.”
Hackers, who are usually a step ahead of the “good guys” have started to switch their activities to loyalty programs, which are not as well protected as card programs. Also, the airline industry, among other industries, is working together in fighting card payment fraud – work groups, data sharing, chat forums etc. “Nothing similar is available so far in the loyalty area,” said Maeder, who added that the objective of the LFPA is to provide guidelines, share best practices, offer training and exchange ideas about fighting loyalty fraud.
Collaboration is definitely going to be an important weapon in the armoury. Maeder made an important remark.
“Fighting fraud can’t be a competitive issue – the criminals are not “brand loyal”,” he said.
The LFPA will allow and encourage collaboration among industry professionals by running chat forums (open to registered members only), providing a data base of data elements that have been used in confirmed fraudulent transactions, workshops where best practices are being discussed and developed, webinars, conferences. “We are not reinventing the wheel, but are using the experience gaining in fighting credit card fraud. Membership is open to all parties in running loyalty programs. However, participation in work groups, chat forums, etc. is limited to registered members only,” he said.
A two-day event, Annual General Meeting - Loyalty Fraud Prevention Association (LFPA), is scheduled to take place in London (Nov 9-10) this year. The agenda: Is your loyalty program protected?
Join the Loyalty Fraud LinkedIn Group here: https://www.linkedin.com/groups/8551103