Retailer loyalty programs – a popular target of hackers – eCommerce Magazine


Companies and brands are fighting for attention and customer loyalty. Anyone who has managed to retain a large number of customers through a loyalty program holds valuable data, because such programs bind customers to the company, enable successful direct communication, reduce marketing costs and increase sales. Often, loyalty programs with special offers for customers are the most important reason to visit a brand on the Internet. Due to the Covid-19 crisis and the associated decline in sales, retailers have invested heavily in loyalty programs, expanding existing ones or creating new ones to improve the relationship with their customers.

Cyber attacks on loyalty programs run into the billions

Actually, it should go without saying that loyalty programs are intensively protected, because hacked data also leads to a loss of trust and customer churn. But the retail sector, and with it its loyalty programs, remains a preferred target for hackers. According to the State of the Internet – Retail and Hospitality Fraud report, more than 100 billion credential stuffing attacks were recorded between July 2018 and June 2020, of which more than 63.8 billion targeted retail, travel and hospitality. More than 90 percent of those attacks were aimed at the retail industry.

Behind this are attacks with stolen login data, which is used to attempt to log into other accounts, take them over and siphon off their data. Most of the time these attacks are carried out by a botnet; for example, bots are programmed to find accounts that are susceptible to takeover because of weak passwords. During the lockdown in Q1 2020, criminals circulated dozens of combination lists of user names and passwords as well as old login lists to identify new accounts.
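The botnet behaviour described above leaves a characteristic trace in a login log: one source address failing against many different accounts in a short time, while a real user who mistypes fails against one account. The following detector is an added example, not code from the article or from the report it cites; the log format, the IP addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
"""Flag credential-stuffing style login bursts in a constructed auth log.

Heuristic (an assumption of this example, not a statement from the article):
a source that fails logins against many *distinct* accounts within a short
window, with a low success rate, behaves like a bot replaying a leaked
credential list. A legitimate user mistyping a password fails against one
account only, and a shared office gateway produces mostly successful logins.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log line format: "<ISO timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: 203.0.113.7 cycles through many accounts (stuffing run,
# one stale credential still works); 198.51.100.4 is a real user who mistypes
# twice and then logs in.
SAMPLE_LOG = """\
2020-05-12T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-05-12T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2020-05-12T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2020-05-12T10:00:03Z src=203.0.113.7 user=dave result=OK
2020-05-12T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2020-05-12T10:00:04Z src=203.0.113.7 user=frank result=FAIL
2020-05-12T10:00:05Z src=198.51.100.4 user=grace result=FAIL
2020-05-12T10:00:09Z src=198.51.100.4 user=grace result=FAIL
2020-05-12T10:00:15Z src=198.51.100.4 user=grace result=OK
"""


def parse_log(text):
    """Return a list of (timestamp, src, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {src: summary} for every source that, within `window`, hit at least
    `min_users` distinct accounts with a success rate of at most `max_success_rate`.
    The summary lists the accounts that were logged into successfully, i.e. the
    ones a responder should treat as taken over."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            rate = successes / len(chunk)
            if len(users) >= min_users and rate <= max_success_rate:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "success_rate": rate,
                        "compromised": sorted(u for _, u, ok in chunk if ok),
                    }
        if best is not None:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed log only 203.0.113.7 is flagged, and the summary names `dave` as the account that was actually taken over, which is the list an incident responder would use to force password resets and invalidate sessions. The success-rate threshold matters: without it, a busy corporate gateway where dozens of employees log in correctly would look the same as a bot.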

Passwords are the biggest weak point

Credential stuffing attacks exploit a major problem: passwords. Recycled, shared and easy-to-guess passwords can lead to a successful attack. Over the years, criminals have adapted to various technological changes and started targeting APIs directly to carry out these attacks.

An API, or application programming interface, is an interface of a software system that is made available to other programs for integration. The best-known web APIs are used to integrate Wikipedia, Facebook, Twitter, DHL, PayPal or Google Maps into an online shop. Once the hackers have overcome the APIs, they can usually access the servers directly and commit data theft.

Loyalty programs: Cyber attacks on login portals

Cyber criminals continue to attack login portals. To improve their chances of success, they use password collections that they systematically expand by testing variations of known passwords, because unfortunately people tend to vary words they can remember well with simple additions. If, for example, an older data theft contains the password Circus2019, it makes sense to also try Circus2020, Circus2018 or other derivatives.

For this reason, using dictionary words or patterns is generally a bad idea. Long, random, strong passwords that a password manager generates for every new website are much better. If such passwords are also combined with two-factor authentication, credential stuffing attacks usually fail.
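The two paragraphs above make a concrete, checkable claim: a password that is a memorable word with a year bolted on (Circus2019, Circus2020) is effectively the same password as far as an attacker's list is concerned, while a long random string is not. The checker below is an added example, not code from the article; it rejects exactly that variant pattern at registration time and generates a random replacement. The dictionary and the "breached" set are constructed stand-ins; a real deployment would use a large wordlist and a breached-password corpus.

```python
"""Reject 'memorable word + digits/year' passwords and generate random ones.

Added example. COMMON_WORDS and BREACHED are constructed stand-ins for a real
dictionary and a real breached-credential corpus.
"""
import re
import secrets
import string

COMMON_WORDS = {"circus", "summer", "password", "welcome", "dragon"}  # constructed
BREACHED = {"circus2019", "welcome1"}  # constructed: passwords seen in an earlier leak


def base_form(pw):
    """Strip the digits/symbols people bolt onto the ends of a word:
    'Circus2020!' -> 'circus', '!!Welcome2021' -> 'welcome'."""
    core = re.sub(r"[^a-zA-Z]+$", "", pw)   # trailing digits / punctuation
    core = re.sub(r"^[^a-zA-Z]+", "", core)  # leading digits / punctuation
    return core.lower()


def is_variant_of_breached(pw):
    """True if pw differs from a breached password only in its non-letter
    prefix/suffix, i.e. the Circus2019 -> Circus2020 pattern the article describes."""
    return base_form(pw) in {base_form(b) for b in BREACHED}


def check_password(pw, min_len=14):
    """Return a list of rejection reasons; an empty list means the password is acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in BREACHED:
        reasons.append("appears in a known breach")
    elif is_variant_of_breached(pw):
        reasons.append("simple variant of a breached password")
    if base_form(pw) in COMMON_WORDS:
        reasons.append("dictionary word with digits/symbols added")
    return reasons


def generate_password(length=20):
    """Random password from the full printable alphabet, using the CSPRNG in `secrets`
    (what a password manager does for each new site)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Circus2020", "Summer2021!", "welcome1", generate_password()):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

Circus2020 is rejected even though it never appeared in the breach itself, because its base form matches a leaked password; the generated 20-character password passes every check. Normalising to a base form before comparing is the part that matters: a plain blocklist lookup would accept Circus2020 and leave the account open to exactly the derivative guessing described above.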

Urgent need for protective measures

Security companies have developed and improved many security solutions and defense strategies over the years. But cyber criminals are creative and develop new forms of attack at the same time. Moreover, the existence of security solutions does not necessarily mean that they are actually used. Even large companies often only require a cell phone number or a numeric password to identify their customers for the respective loyalty program, and the servers used are often inadequately secured. There is therefore still an urgent need for better identity controls and countermeasures on the corporate side.

In general, customer data should not be stored on retail servers. Cloud solutions, combined with appropriate security applications, are the far better option here, for example to prevent websites from being exposed to distributed denial-of-service (DDoS) attacks. Every retailer fears this, because if their online shop collapses under the onslaught of millions of data packets, it can lead to a high loss of sales. Between July 2019 and June 2020, the retail, travel and hospitality sector was exposed to an average of 125 DDoS attacks every day, 90 percent of them in retail and the remainder in travel and hospitality.