By
Colin Eastman
August 19, 2024
 |
Passwordless

Password-Based Loyalty Programs are a Hacker’s Paradise

Frequent flier mile programs and travel rewards have long been popular for consumers and the travel brands that manage them. Unfortunately, hackers love them, too. 

The travel industry was among the first to embrace loyalty programs, dating back to the 1980s.  Some 40 years later, brand leaders across industries use a variety of point systems and rewards to increase customer engagement and ultimately deepen loyalty. 

However, many of these “loyalty” programs are built upon dated authentication technology — membership numbers and passwords — that have become easy targets for hackers. And those hackers do the most disloyal thing possible, systematically stealing points and rewards that don’t belong to them and turning them into free vacations, services, and goods. 

As one Forbes article recently pointed out, “Cybercriminals are taking databases of login credentials exposed in website breaches and using bots to test them en masse. … They’re taking advantage of one of the most common security mistakes people make online: using the same password in multiple places.”

The good news? There’s one fix that would prevent many of these hacks: Replacing those membership numbers and passwords with passkeys and biometric authentication.

Loyalty programs and the password problem 


Loyalty programs in the modern era have become increasingly more sophisticated. Mobile apps and digital wallets have made it easier for consumers to track and redeem rewards. Companies use data analytics to personalize offers and improve customer engagement.

Unfortunately, authentication technology has lagged behind. Ongoing database breaches, and the somewhat easy access to usernames and passwords, make these increasingly popular programs more valuable targets for hackers. 

Meanwhile, hackers are getting more sophisticated with their efforts. In a recent discussion with our team, one retail leader shared their concern about bots — which was a motivator to move to passkey-based authentication technology. These bots, automated scripts or software programs, try large numbers of username and password combinations, sometimes sourced from previous data breaches. Since many users reuse passwords across different services, hackers can gain unauthorized access to accounts.

Notable examples of loyalty hacks


Here are a few notable examples of rewards programs that have been hacked:

  • Starwood Hotels — In 2018, Marriott International disclosed a massive data breach affecting up to 500 million guests, including names, addresses, phone numbers, email addresses, passport numbers, and loyalty account information. 
  • British Airways — That same year, British Airways experienced a significant data breach in 2018, where hackers stole the personal and financial details of approximately 380,000 customers. The breach included sensitive information from the airline's Executive Club loyalty program, impacting frequent flyers.
  • Wyndham Hotels — Between 2008 and 2010, multiple breaches compromised data, including the loyalty program, from more than 600,000 Wyndham customers. 
  • Dunkin’ Donuts — In 2018, Dunkin' reported that hackers gained access to DD Perks loyalty accounts using credential stuffing attacks. The attackers used usernames and passwords obtained from other breaches to access Dunkin’ loyalty accounts, putting customer data at risk.
  • Hilton Honors — In early 2020, Hilton Honors members reported unauthorized access to their accounts, resulting in the theft of points and personal information. This was attributed to credential stuffing attacks, where hackers used previously leaked login credentials to gain access to the loyalty accounts.
  • Best Buy — In 2018, Best Buy experienced a data breach through a third-party vendor. While the breach primarily impacted payment information, it also compromised details related to Best Buy's loyalty program, My Best Buy.
  • Sephora — In 2019, a Sephora customer data breach exposed personal information, including names, email addresses, and loyalty program information from Sephora's Beauty Pass members.

Three ways passkeys can lock down loyalty programs


In 2023, notable hacker Sam Curry wrote a blog post that captured the attention of many digital leaders. He detailed his team’s effort to breach the security of a rewards platform used by many in the airline industry. User credentials — usernames, passwords, and membership numbers — were among the worst violators. 

Passkeys, and biometric authentication, which are rapidly gaining adoption, can help lock down loyalty programs and improve user experience in these ways: 

  • Enhanced security: Passkeys and biometric authentication (e.g., fingerprints, facial recognition) are more secure than traditional passwords because they are harder to steal or replicate.
  • Resistant to credential stuffing: Biometric authentication and passkeys are not susceptible to credential stuffing attacks, in which hackers and bots use stolen usernames and passwords from other breaches.

Passkeys: Restoring trust and loyalty


Loyalty programs are beloved by customers — when they work. But there’s nothing that will destroy your trust in a company more than knowing your personal information was breached and has fallen into the wrong hands. 

I recently had a friend who had built up loyalty points with their health insurance company based on fitness and health-related activities. But their account got hacked and someone else redeemed their points for an Apple Watch. 

Fortunately, we can help. Our passkey and biometric authentication technology not only vastly reduces security vulnerabilities, but it improves user experience. Contact us today for a demo.


Colin Eastman is a seasoned professional with over 15 years of experience in software sales, specializing in Customer Identity for the last decade.  He has held leadership roles at the likes of Experian, Gigya and SAP and has partnered with many enterprise eCommerce companies and Fortune 500s on deploying their Customer Identity and Digital Commerce technology and strategy.


Previous:
This is some text inside of a div block.
Next:
This is some text inside of a div block.
7 Passwordless Approaches for B2C Websites
What is a Magic Link? How Magic Links Authentication Work? & Is It Secure?
How to easily enable passwordless authentication on your Firebase site
Google, Apple, and Microsoft to expand support for FIDO passwordless standard
Add Fingerprint & Biometric Authentication to Your Node.js + Express Site
Ten amazing free tools for web developers
Add Passwordless authentication to your JAVA backend
Secure TFA with a great user experience: Is it possible?
How To Implement Passport.js in Nest.js: An Easy Tutorial
Improving Your Drop-Off Rate: A Comprehensive Guide
iOS Passkey: Apple & iPhone Passwordless Solution Overview
Goodbye, passwords; hello, passkeys. Where can you use them today?
The impact going passwordless with Passkeys can have on your website
10 Ways to Tackle Cart Abandonment
How to Implement a QR Code Authentication System: Scan to Login
Eliminating Passwords: The Impact on User Experience and Conversion Rates
Why You Should Adopt Passwordless Authentication for Your Application
The Power of Connected Customers: Why They're More Valuable Than You Think
Embracing the Passwordless Revolution: Google's Passkeys and the Future of Authentication
And now TikTok has passkeys, yet…
Is Passwordless Login More Secure? Why It’s Safe and Improves Security
The Broken Bridge Between User Experience and Security: Unveiling the Password Predicament
Passwords Cracked: The Security Gaps in the U.S. Department of the Interior's System
Authentication in 2024: Transitioning from Social Login to Biometrics & Passkeys
The End of Passwords Is Just the Start of the Customer Journey
Why One-Click Authentication Can Help Unlock Customer Loyalty Programs
Online Retail Leaders Share Excitement About Personalization — But Admit They Aren’t There Yet
The End of Third-Party Cookies is (Finally) Near
The Passkey Revolution is Happening. But What Is It?
‘We All Hate Friction’ – Insights from Digital Leaders
‘It’s a Headache’: Why the Choice to Build vs. Buy a Passkey Solution is Painfully Obvious
The ROI of Passkeys and Passwordless Authentication Technology
How A Global Sports Brand Turns ‘Forgot Password’ into Happy Customers
It’s Time to End Using Social Login. I Would Know — I Helped Develop It
6 Reasons Why Brands are Slow to Adopt Passkeys — and Why They Should Push Ahead Anyway
Password-Based Loyalty Programs are a Hacker’s Paradise
Company
About UsProductCustomers
Resources
Press & MediaDocsBlog
Connectors
Adobe Commerce CloudSalesforce Commerce CloudSAP Commerce CloudShopify PlusAzure AD B2CWooCommerceOktaAuth0

Subscribe to stay up-to-date on passwordless:

Terms of ServicePrivacy PolicyTerms of Use (end-users)CCPA Privacy Notice