Akamai Security Intelligence
& Threat Research

State of the Internet/Security: Loyalty For Sale

Criminals aren't afraid to use our loyalty against us. As we've said in previous reports, password reuse is a significant problem in all industries. This latest edition of the State of the Internet/Security report dives deep into how loyalty programs are targeted and exploited in the retail and hospitality industries.

Loyalty programs have an additional problem of perception: many consumers don't think of them as high risk, so they are more likely to use weak passwords or to mirror the credentials of accounts they're using with another organization.

Even if your compromised account isn't used to book travel or your points aren't spent on products, the accounts themselves are a valuable product that can be sold to other criminals in the dark markets. 

The retail, travel, and hospitality industries were deeply impacted by the COVID-19 pandemic. 

These industries, known for their focus on customer service and face-to-face interaction, either augmented or created several programs to support their customers. 

However, these measures -- including point extensions on various loyalty programs, bonus rewards, etc. -- couldn't stop the drop in business during the first half of 2020. When the world came to a standstill for several months, it led to staffing and operational cuts. 

Criminals seized the moment and started targeting the retail, travel, and hospitality sectors with attacks of all types and sizes. Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks, and more than 63 billion of them targeted retail, travel, and hospitality. 

 

Credential stuffing wasn't the only type of attack. Criminals also targeted the retail, travel, and hospitality industries online at the source, using SQL Injection (SQLi) and Local File Inclusion (LFI) attacks. In fact, between July 2018 and June 2020, Akamai observed more than 4 billion web attacks against retail, travel, and hospitality, accounting for 41% of the overall attack volume. 

 

The retail, hospitality, and travel industries are consistently targeted by criminals, because they have access to assets that are easily turned into commodities. These assets could be personal information, financial information, brand-based loyalty programs, or all of them combined. 

Defenders have developed, improved, and redeveloped defenses and defense products over the years to deal with attacks. But the criminals are just as innovative, and just as creative, so their attacks continue. 

This is why it is essential to keep customers protected by requiring strong passwords and multi-factor authentication. Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.

The constant back-and-forth between defenders in the retail, travel, and hospitality industries and criminals isn't going away.

 Read more in the latest SOTI/Security.