Daniel Najera's rewards account was recently hacked. Photo / Brittany Greeson, The New York Times
The punch cards stuffed in your wallet know next to nothing about you, except maybe how many frozen yogurts you still need to buy to get a free one.
But loyalty programmes, as they shift from paper and plastic to apps and websites, are increasingly tracking a currency that can be more valuable than how much you spend: personal data. As a result, the programmes know things about you that some of your friends may not, like your favorite flavour (mango), when your cravings strike (early afternoon) and how you pay (with your Visa), in addition to billing details and contact information.
Hackers are in close pursuit.
One loyalty-fraud prevention group estimates, conservatively, that US$1 billion a year is lost to crime related to the programmes. As a share of fraud not involving a physical payment card, such schemes more than doubled from 2017 to 2018, according to the Javelin Strategy & Research firm.
Some criminals use stolen credentials to impersonate customers, breach loyalty profiles and then tap into separate accounts. Others deplete balances or sell points on dark web marketplaces. One hacked Southwest Airlines rewards account with at least 50,000 miles was advertised for $98.88, according to cloud security company Armor.
In a data breach revealed last year as one of the largest ever, thieves attacked Marriott's Starwood unit, stealing the personal information — including 5 million unencrypted passport numbers — of more than 350 million customers and Starwood Preferred Guest members. Data stored in Dunkin' Donuts' DD Perks programme was also exposed in an attack disclosed last year.
This year, several McDonald's customers in Canada complained that criminals had breached their accounts on the chain's loyalty app, My McD's, and placed unauthorised orders, some totaling more than $1,000. A McDonald's spokesman said that the company was aware of "some isolated incidents" involving fraudulent purchases but was "confident in the security of the app."
Loyalty programmes are "almost a honey pot for hackers," said Kevin Lee, a risk expert for digital security firm Sift. They tend to be, he said, "the path of least resistance": easy to sign up for, shielded by flimsy passwords and often neglected by users. The programmes, and their appetite for data, have grown, but security has not kept pace.
Daniel Najera was hit twice.
On April 9, he received a series of emails about his Hilton Honours account. Within an hour, the account had been linked to Amazon, and all 80,000 of his Hilton points had been used to make purchases.
He said he had not taken those steps, and he feared that his Hilton account information, including his credit card number, might have been stolen.
Hilton said it had "the appropriate security and fraud protection measures in place." The company also said it had reinstated Najera's points after he reported the intrusion.
Najera, a chef who lives in Saginaw, Michigan, said something similar had happened to his Buffalo Wild Wings loyalty account earlier this year. Signing into the app to participate in a March Madness contest, he saw that all 9,700 of his points had been spent in Fresno, California.
Alison Glenn, a spokeswoman for the chain, said it was aware of "a small number of robotic attempts to hack passwords" that appeared to have failed. Najera said the company had replaced his points.
"It kind of makes you wonder whether you still want to do this, whether it's safe," he said. "These programmes try to get you to put all this information in there, and it's worrisome."
There are at least 3.8 billion rewards memberships in the United States, more than 10 per consumer, according to research from LoyaltyOne, a loyalty advisory company.
Companies use the programmes to tailor deals and services to faithful patrons willing to divulge birth dates, payment card numbers, location data — even shoe sizes and favorite vacation spots. The information is analysed for insight into how to appeal to customers individually to encourage even more spending.
In the past year, Exxon Mobil, PetSmart, Victoria's Secret and Uber have started or revamped loyalty programmes. Hospitals, utilities, wineries and publishing houses are experimenting. Jaguar Land Rover, in a test, rewards drivers with cryptocurrency if they enable data-transmission technology in their cars.
Rewards memberships have become "the single best source of individual customer data relevant to developing personalised marketing," said Thomas O'Toole, executive director of the Kellogg School of Management's data analytics programme at Northwestern University.
"That's where the ballgame is heading," he said.
It's not hard to see why, given how lucrative loyalty can be. Before Nordstrom started its Nordy Club last fall, the 10 million members of the programme's previous incarnation outspent non members 4-to-1, the retailer said.
The 10-year-old rewards programme at Starbucks accounts for 40 per cent of purchases at the company's US stores, and membership has surged more than 25 per cent in the past two years. Last month, Starbucks added tiers of rewards that can be redeemed more quickly than in the past. Members may receive personalised ordering suggestions, like cold brew infused with nitrogen bubbles for customers known to drink the regular version.
Some brands have hooked their rewards to other companies. Walgreens offers points to shoppers who connect their accounts to Fitbit fitness trackers. In March, Chipotle briefly promoted a new loyalty programme with cash prizes for consumers who also used social payments app Venmo. Participants submitted the phone number associated with their Venmo accounts on a website created by Chipotle.
Companies are collecting so much data that it is often "more than they can actually use," said Emily Collins, an analyst with Forrester Research.
"They've got oceans of data and puddles of insight," she said.
As consumers hand over more data, many of them fail to monitor their accounts closely. More than half of the rewards memberships in the United States are inactive, and more than $100 billion a year in rewards points go unredeemed, according to marketing firm Bond Brand Loyalty.
Tate Holcombe, a photographer in Arlington, Virginia, said he was usually "pretty religious about changing passwords and multiple verifications," especially for accounts linked to payment data. With rewards programmes, he was much more lax.
"Of course, that's the one place I got hacked," he said.
On March 23, Holcombe woke up at home to a 3am notification from his Domino's loyalty account: His pizza was ready for pickup in Santa Clarita, California.
Someone had hacked his profile and used a coupon for a free pizza, he said. Personal details, like his phone number and address, had been overwritten with gibberish. When he complained, the company replaced his coupon.
Jenny Fouracre, a Domino's spokeswoman, said the chain had "significant controls around the protection of loyalty accounts." Although recycling a password across multiple accounts makes many customers vulnerable, she said, "information secured by us has never been compromised."
After experiencing repeated attacks, credit card companies and banks "have battened down the hatches" and become harder to breach, said Marti Beller, president of Kobie Marketing, which designs rewards systems. She said loyalty programmes needed to do the same because "they have real currencies with real values."
Some brands are strengthening their defences with stricter login requirements like two-factor authentication and facial recognition. McDonald's said its app replaced payment card information with a series of randomly generated numbers that protect accounts from data theft, but not from fraudulent purchases.
Many companies are also hiring digital security firms like Sift.
About 34,000 websites and apps use the company's services. Sift has access to troves of data its clients collect on loyalty programmes and can track the individual customers' behavioral patterns across multiple accounts, analysing them for possible fraud.
It is data protection fueled by data. When someone orders a latte from a cafe chain's app, Sift can tell that the person is in New York using the same iPhone linked to past purchases. If, two minutes later, a clothing store account registered to the same person shows activity from an Android phone in Florida, Sift flags the transaction as suspicious.
Sift's omniscience might feel invasive, as if consumers were pledging loyalty at the expense of privacy. But to security experts like Lee, the trade-off could be worse.
"Fraudsters are collaborating on the dark web about the different ways to exploit loyalty programmes," he said. "We're levelling the playing field on the other side."
Written by: Tiffany Hsu
Photographs by: Brittany Greeson
© 2019 THE NEW YORK TIMES
'This decision has not been made lightly'.