Why Loyalty Apps Need to Be Protected - and How to Do it

My favorite local sushi restaurant has just introduced a loyalty program, so I can get discounts once I have ordered enough meals. But guess what: I have to download yet another mobile app to manage my points and enter my personal information. Most of us also collect airline miles, and use credit cards that add miles and points to our airline and hotel loyalty programs. There is a problem with all of this: loyalty and rewards apps are rarely secured as well as the financial accounts they increasingly resemble.

Why Are Loyalty Apps Exposed?

Here is the downside: hackers go after loyalty points and travel credits because people don't protect them the way they protect a credit card or bank account. Most people simply don't check their loyalty and frequent flyer accounts for fraud the way they check their financial accounts. Adding to the risk, these programs are often tied to mobile payment systems and store credit card numbers and other personal information.

In fact, loyalty points can be nearly as valuable and as untraceable as cash, and they are readily traded on the dark web. Fraud in these accounts causes direct monetary losses to merchants and consumers and damages brand reputation. At the same time, customers are less likely to tolerate security measures that add friction when accessing hospitality and travel accounts. This pushes businesses down a dangerous path where user experience is prioritized and security is treated as a compromise.

What Are the Threats to Loyalty Apps?

Here are five ways hackers go after loyalty apps:

  • Account Takeover / Credential Stuffing: This is one of the top threats to mobile loyalty apps. Attackers take credentials leaked in earlier breaches and sold on the dark web and systematically try them against loyalty program accounts through the mobile app or its APIs, using scripts and automation to attempt thousands of logins at once. Any account whose owner reused a password elsewhere is at risk.
  • Fake Apps: Counterfeit versions of legitimate loyalty and rewards apps are created and distributed directly or even through official app stores. These apps harvest the credentials users type into them and are then used to facilitate ATO attacks and steal loyalty points directly from users.
  • Bot Attacks: Automated scripts or bots attack the APIs behind the app directly, replaying stolen credentials, generating fraudulent activity, or scraping loyalty points and account data.
  • Device Spoofing: Attackers manipulate or emulate mobile devices to create fake accounts or duplicate actions, targeting APIs directly and bypassing the security checks built into the loyalty app.
  • Social Engineering: Fraudsters use phishing and similar techniques to trick users, or customer service staff, into revealing login credentials or approving fraudulent transactions.

Attacks Can Be Multipronged

Attackers combine techniques to extract information. In one example, an attacker exploited unauthenticated APIs to obtain sensitive information, including customer names, email addresses, account numbers and account balances. Knowing the account balances let the attacker identify the most valuable accounts to target.

Cross-referencing this data with dark web credentials from previous data breaches, the attacker ran a credential stuffing attack, trying username/password pairs against the mobile and web applications. Finally, for accounts that were not compromised via credential stuffing, the attacker turned to social engineering, using the information already collected to convince customer service representatives that they were dealing with the account holder.
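The credential stuffing stage described above has a recognizable shape in authentication logs: one source tries many distinct usernames in a short window, and most attempts fail. The detector below, written for this article as an added example (it is not code from the original post or from Approov), flags such sources and lists the accounts that were successfully logged into from a flagged source so they can be forced to re-authenticate. The log format, the thresholds and the sample events are constructed assumptions.

```python
"""Credential-stuffing indicator over a batch of login events.

Added illustrative example; the log format, thresholds and sample events
are constructed assumptions, not a real vendor format.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: 203.0.113.7 cycles through ten different usernames in a few
# seconds and mostly fails (stuffing, with one hit on carol); 198.51.100.4 is a
# normal user who mistyped once; 192.0.2.9 is carol's genuine later login.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:01Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2024-05-01T10:00:02Z 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 frank@example.com FAIL
2024-05-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2024-05-01T10:00:04Z 203.0.113.7 heidi@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 judy@example.com FAIL
2024-05-01T10:01:00Z 198.51.100.4 alice@example.com FAIL
2024-05-01T10:01:05Z 198.51.100.4 alice@example.com SUCCESS
2024-05-01T10:02:00Z 192.0.2.9 carol@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source counters: total attempts, failures, distinct usernames tried,
    and usernames for which a login from this source succeeded."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)


def parse_events(log_text):
    """Parse 'timestamp ip username RESULT' lines into (ts, ip, user, ok) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user.lower(), result == "SUCCESS"))
    return events


def summarize_by_source(events):
    """Aggregate events per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def detect_stuffing(events, min_attempts=8, min_distinct_ratio=0.8, min_failure_rate=0.7):
    """Flag sources that (a) made at least min_attempts logins, (b) spread them
    over many distinct usernames and (c) mostly failed. A brute force against
    one account fails (b); a busy NAT of real users fails (c)."""
    flagged = {}
    for ip, s in summarize_by_source(events).items():
        if s.attempts < min_attempts:
            continue
        distinct_ratio = len(s.users) / s.attempts
        failure_rate = s.failures / s.attempts
        if distinct_ratio >= min_distinct_ratio and failure_rate >= min_failure_rate:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "failure_rate": round(failure_rate, 2),
                "compromised": sorted(s.successes),
            }
    return flagged


def accounts_to_force_reset(flagged):
    """Every account that was logged into from a flagged source: its password
    is known to the attacker, so invalidate sessions and force a reset."""
    hit = set()
    for info in flagged.values():
        hit.update(info["compromised"])
    return sorted(hit)


if __name__ == "__main__":
    found = detect_stuffing(parse_events(SAMPLE_LOG))
    print(found)
    print("force reset:", accounts_to_force_reset(found))
```

Keying on the source IP alone is the weak point of this check: real stuffing campaigns spread their attempts across residential proxy pools, so each IP stays under the threshold. In practice the same aggregation is run per device attestation result, device fingerprint or user-agent family, and a spike in the global failure rate is alerted on even when no single source stands out.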

Never underestimate the ingenuity of hackers. 

Recent Examples of Breaches

Points.com manages points transactions for a number of airlines, including Virgin Atlantic and United. In April 2024, researchers reported a bug affecting United Airlines in which an attacker could generate an authorization token for any member account simply by knowing the rewards number and surname. With that token, an attacker could transfer miles to themselves and authenticate as the member in multiple apps tied to United MileagePlus.

It was also reported that in 2024 Qantas had both a technical issue that allowed its mobile app to display other customers' account details and a breach by airport contractors who diverted points into their own accounts.

Hotel loyalty points have been under attack as well: both Marina Bay Sands in Singapore and Marriott/Starwood have had breaches in the last year, and Hilton Honors has reported a credential stuffing attack via its mobile app.

Similar breaches of rewards programs have been previously reported by numerous other companies including Best Buy and Dunkin’ Donuts. The issue is widespread. 

Best Practices

To mitigate these risks in mobile loyalty apps, companies should implement security measures such as:

  • Use Runtime Application Self-Protection (RASP) to detect app tampering and block emulator-based attacks
  • Implement anti-bot protections so that the API can distinguish legitimate app traffic from scripts and bots
  • Apply geo-compliance measures to ensure the reported geo-location of a mobile device is accurate and authentic
  • Incorporate social engineering protections to guard against phishing and imposter scams
  • Encrypt data at rest and in transit and obfuscate app code, so that locally stored tokens and data are protected and reverse engineering is slowed down
  • Consider passkeys and biometric authentication instead of traditional passwords; a passkey cannot be reused across sites or phished, which removes the reusable password that credential stuffing depends on

These examples and mitigation strategies highlight the importance of robust security measures in mobile loyalty applications to protect both the users and the companies from potential fraud and data breaches.

Approov Can Secure Your Loyalty App and APIs

Approov RASP prevents attacks on loyalty apps by ensuring, continuously at run time, that only legitimate mobile apps can interact with APIs. By verifying app integrity and ensuring proper API usage, Approov blocks unauthorized access, credential stuffing, and data scraping attempts.

This helps companies secure sensitive customer data and prevent financial losses, safeguarding their brand reputation and customer trust. Continuous validation of the app and its API communications ensures that even as the mobile app evolves, it remains protected from emerging threats.

Approov also prevents unauthorized third-party apps from abusing API keys, thereby reducing cloud costs, minimizing operational distractions, and protecting the brand’s reputation. 

Conclusion 

With the API landscape constantly changing, it is key to implement continuous monitoring and verification, ensuring new services and API endpoints are secure from day one. This proactive approach allows companies to eliminate hidden vulnerabilities and mitigate risks before attackers can exploit them.

Approov are experts in securing apps and APIs. We can secure your loyalty and rewards apps.

Pearce Erensel

- Global VP of Sales, Approov
Pearce’s cybersecurity experience stems from 7 years of securing mobile apps in highly regulated industries like banking, automotive, and medical device manufacturing. His client-focused approach has helped companies successfully tackle significant challenges in mobile app and API security. Pearce lauds Approov's innovative, seamless, and adaptable approach, recognizing its potential to revolutionize mobile app security.