In recent years Hannah White has become something of a loyalty fraud aficionado. In fact, over the course of a 45-minute interview for this story, she admits that she probably has enough material to talk about loyalty fraud for an entire day.
“This is exciting stuff that we’ve built, and the software is constantly evolving,” White says of Connexions Loyalty’s new security product, Rewards Shield. “And when you see it in action and you uncover instances of possible fraud, you really do get the feeling and reinforcement that the work we are doing is truly protecting people against criminals.”
As Director of Product at Connexions, White and her team have watched as fraud has reared its ugly head throughout the loyalty space and hackers have turned their attention to rewards programs that, by some counts, are worth nearly $50 billion in points and miles inventories in the U.S. alone.
“Over the last year and a half, we have seen an increasing amount of fraud in the loyalty space,” says White, noting that EMV security and other measures have made credit cards and bank accounts extremely difficult to hack. Loyalty programs have historically been less stringently monitored.
Rewards Shield launched in July and is the newest offering from Connexions, known for its loyalty suite (which is already PCI DSS compliant). While a standalone product, Rewards Shield is seen more as a complementary security measure for client companies, specific to loyalty programs. Rewards Shield detects, investigates and defends against fraud through more than 600 rules that alert fraud teams to deviations in legitimate customer behavior. These rules – built around protocols such as device ID, geolocation, velocity, context, and more – are regularly tuned and customized to a specific loyalty program’s activity.
One fundamental principle for implementing an additional layer of security, such as Rewards Shield, is to strike a balance between added customer and program protections without interrupting a clean, simple user experience. Security protocols should not interfere or make it difficult for a customer to log in, redeem points, or carry out basic functions that ultimately drive business to the company.
“Our philosophy is that customer experience is a client of security,” White explains. “So whatever the customer experience needs, the security team needs to make that happen in a secure way and without impacting experience to achieve balance.”
Companies can do this in three ways:
- Communication between information security (IS) and marketing. If marketing wants to launch a holiday promotion, IS should know that an increase in redemption volume will begin around the holiday timeframe, as will activity on the website. So IS should know not to overreact if there’s an influx of traffic, yet also be diligent about fraudulent activity during that time as hackers will know that a promotion is running.
- Communication between information security and the user experience (UX) team. It is important for companies implementing security to understand what the user wants to accomplish, and figure out a way to make these actions secure, such as utilizing IP address detection. Security should not interrupt the customer experience with additional inputs (such as security questions or PIN codes).
- Learn from other loyalty program breaches. Pay attention to other loyalty card incidents (set up Google Alerts or follow industry news). If you have these discussions in your organization, you will learn a lot from the mistakes of others.
White notes that the Rewards Shield system itself is ever-evolving to stay a step ahead of cyber-attacks, particularly by giving Connexions’ data analysis and fraud-detection teams an overarching view of deceptive activity across numerous industries and multiple clients.
“Each client we bring in to Rewards Shield really helps us with global visibility. While a client may know what is happening within their organization, they may not know what’s happening across industries or in other financial institutions, airlines, or hospitality companies like we do,” White says. “So if we learn about a bad IP address from one client, other clients benefit from that information. Rewards Shield truly is a knowledge share.”
For a legitimate customer, White stresses that there’s no interruption to the experience, nor are there additional major hoops to jump through in order to redeem rewards or conduct business. There may be a spot where a password is required for a second time, but most everything about Rewards Shield operates behind the scenes, keeping the program’s more than 600 rules firing silently and hidden from hackers.
“The one thing that customers can feel really comfortable with is that the product will get to know them and their behavior,” she says. “If you are a user and you should be in a certain place doing a certain activity, that's what the system will expect of you.”
For clients, implementing Rewards Shield won’t affect day-to-day operations, and in fact will streamline work for an internal fraud prevention team, or, if there is no internal team, remove the burden from marketing or customer service resources. “Each client is different, and we work in concert to present findings we glean from the product and share instances that may or may not be fraudulent,” White says.