Why Loyalty Apps Need to Be Protected - and How to Do it
Approov Mobile Security
Zero-Trust for Mobile Apps and APIs - iOS, Android and HarmonyOS
My favorite local sushi restaurant has just introduced a loyalty program so I can get discounts after I have ordered enough meals. But guess what - I have to download yet another mobile app to manage my points and enter my personal information. Also most of us use airline miles and often use credit cards which add miles and points to our airline and hotel loyalty programs. There is a problem with all this - loyalty and rewards apps are not secure.
Why Are Loyalty Apps Exposed?
Here is the downside - hackers go after loyalty points and travel credits because people don’t protect them like they would a credit card or bank account. In most cases, people just don't check their loyalty accounts and frequent flier accounts for fraud in the ways they check their financial accounts. Adding to the risks, these programs are often tied to mobile payment systems and store credit card numbers and other personal information.
In fact, loyalty program points can really be as valuable and untraceable as cash, and can easily be traded on the dark web. Fraudulent activity in these accounts causes damage to brand reputation and direct monetary losses to merchants and consumers. In addition, customers may be less likely to tolerate security measures that add friction when accessing hospitality and travel accounts. This in turn leads down a dangerous path where businesses prioritize user experience and view security as a compromise.
What Are the Threats to Loyalty Apps?
Here are five ways hackers go after loyalty apps:
Attacks Can Be Multipronged
Attackers use combinations of techniques to extract information. In one example, an attacker exploited unauthenticated APIs to gain sensitive information, including customer names, email addresses, account numbers and account balances. Gaining information on account balances enabled the attacker to identify the most valuable accounts to target.
Cross-referencing this data with dark web credentials obtained from previous data breaches, the attacker used a credential stuffing attack to try out username/password pairs to log in to the mobile or web application. Finally for accounts that were not compromised via credential stuffing, the attacker tried social engineering, using information they had collected to trick customer service representatives into thinking they were dealing with the account holder.
Never underestimate the ingenuity of hackers.
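The credential stuffing step described above leaves a recognisable trace in login logs: one source address trying many different usernames in a short window, with most attempts failing. The following detector is an added example (not code from the original article or from Approov) that runs a sliding-window heuristic over a few constructed log lines; the log format, thresholds and IP addresses are all assumptions made for the example.

```python
"""Flag credential-stuffing patterns in login logs (constructed sample data).

Heuristic: one source IP that, inside a short window, attempts many distinct
usernames with mostly failed outcomes is replaying leaked username/password
pairs, not a legitimate user who mistyped a password once or twice.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real traffic.
# Format: <timestamp> <source_ip> <endpoint> <username> <outcome>
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 /login alice@example.com FAIL
2024-05-01T10:00:01Z 203.0.113.7 /login bob@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 /login carol@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 /login dave@example.com SUCCESS
2024-05-01T10:00:04Z 203.0.113.7 /login erin@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 /login frank@example.com FAIL
2024-05-01T10:00:30Z 198.51.100.5 /login carol@example.com FAIL
2024-05-01T10:00:41Z 198.51.100.5 /login carol@example.com SUCCESS
2024-05-01T10:05:00Z 192.0.2.9 /login grace@example.com SUCCESS
"""


def parse_line(line):
    """Split one assumed-format log line into a dict of typed fields."""
    ts, ip, endpoint, user, outcome = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "endpoint": endpoint,
        "user": user,
        "ok": outcome == "SUCCESS",
    }


def detect_stuffing(log_text, window=timedelta(seconds=60),
                    min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_accounts, failure_ratio)} for source IPs whose
    login attempts inside any `window` touch at least `min_accounts` distinct
    usernames with a failure ratio of at least `min_fail_ratio`."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["endpoint"] == "/login":
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(events)):
            # Advance j to just past the last event inside the window starting at i.
            while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
                j += 1
            span = events[i:j]
            accounts = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            ratio = fails / len(span)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # Keep the widest window seen for this IP.
                if prev is None or len(accounts) > prev[0]:
                    flagged[ip] = (len(accounts), ratio)
    return flagged


if __name__ == "__main__":
    for ip, (n, ratio) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct accounts, {ratio:.0%} failures - possible credential stuffing")
```

On the sample above only 203.0.113.7 is flagged (six accounts in six seconds, five failures); the user on 198.51.100.5 who failed once and then succeeded is left alone. The same sliding-window count over distinct account numbers requested from an unauthenticated balance endpoint catches the enumeration step that precedes the stuffing.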
Recent Examples of Breaches
Points.com manages points transactions for a number of airlines including Virgin Atlantic and United: In April 2024, researchers reported a bug impacting United Airlines, where an attacker could generate an authorization token for any user account, only by knowing their rewards number and surname. It was then possible for an attacker to transfer miles to themselves and authenticate as the member on multiple apps related to United MileagePlus.
It was also reported that in 2024 Qantas had both a technical issue allowing a mobile app to access other people's accounts, and a breach by airport contractors who were diverting points to their own accounts.
Hotel loyalty points have been under attack also: Both Marina Bay Sands in Singapore and Marriott/Starwood have had breaches in the last year. Hilton Honors has also reported a credential stuffing attack via their mobile app.
Similar breaches of rewards programs have been previously reported by numerous other companies including Best Buy and Dunkin’ Donuts. The issue is widespread.
Best Practices
To mitigate these risks in mobile loyalty apps, companies must implement security measures:
These examples and mitigation strategies highlight the importance of robust security measures in mobile loyalty applications to protect both the users and the companies from potential fraud and data breaches.
Approov Can Secure Your Loyalty App and APIs
Approov RASP prevents attacks on loyalty apps by ensuring, continuously at run time, that only legitimate mobile apps can interact with APIs. By verifying app integrity and ensuring proper API usage, Approov blocks unauthorized access, credential stuffing, and data scraping attempts.
This helps companies secure sensitive customer data and prevent financial losses, safeguarding their brand reputation and customer trust. Continuous validation of the app and its API communications ensures that even as the mobile app evolves, it remains protected from emerging threats.
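To make the two checks above concrete from the API side, here is an added example (not Approov's code and not its token format) of a loyalty-balance endpoint that first requires a valid run-time app-attestation token, then a user session, and finally confirms that the session owns the account being queried. The attestation token is a simplified HMAC-signed JSON stand-in, and the signing key, app identifier, session table and balances are all constructed for the example.

```python
"""Backend checks for a loyalty-balance API: app attestation + caller authorization.

Added example. The attestation token is a simplified HMAC-signed JSON stand-in
for a run-time app-attestation token; it is NOT Approov's token format.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed secrets and identities (constructed for the example).
ATTEST_KEY = b"attestation-signing-key-example"
TRUSTED_APP_IDS = {"com.example.loyalty"}

# Constructed user-session table (session token -> member id) and balances.
SESSIONS = {"sess-alice": "MP-1001", "sess-bob": "MP-2002"}
BALANCES = {"MP-1001": 48210, "MP-2002": 1250}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation(app_id, ttl=300, now=None, key=ATTEST_KEY):
    """Mint a short-lived token binding an app identity to an expiry.
    Stands in for the attestation service's decision that this app instance is genuine."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"app": app_id, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_attestation(token, now=None, key=ATTEST_KEY):
    """Return the attested app id, or None if the token is malformed, forged,
    expired, or issued for an app identity the API does not trust."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now or claims.get("app") not in TRUSTED_APP_IDS:
        return None
    return claims["app"]


def get_balance(headers, member_id, now=None):
    """Handle GET /members/<member_id>/balance. Returns (status, body)."""
    # 1. Only attested app instances may talk to the API at all; scripts and
    #    repackaged apps without a valid token are rejected before any lookup.
    if verify_attestation(headers.get("X-App-Attestation", ""), now) is None:
        return 401, {"error": "app attestation failed"}
    # 2. The caller must also hold a valid user session.
    caller = SESSIONS.get(headers.get("Authorization", "").removeprefix("Bearer "))
    if caller is None:
        return 401, {"error": "not logged in"}
    # 3. The session must own the requested account: knowing someone's
    #    rewards number is not enough to read or move their points.
    if caller != member_id:
        return 403, {"error": "forbidden"}
    return 200, {"member": member_id, "balance": BALANCES[member_id]}


if __name__ == "__main__":
    tok = issue_attestation("com.example.loyalty")
    print(get_balance({"X-App-Attestation": tok, "Authorization": "Bearer sess-alice"}, "MP-1001"))
    print(get_balance({"Authorization": "Bearer sess-alice"}, "MP-1001"))
```

Ordering the checks this way means an unattested client never reaches the session or account logic, so data scraping and credential stuffing are cut off at the first step, while the ownership check in step 3 closes the gap that lets a valid session read or transfer another member's points.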
Approov also prevents unauthorized third-party apps from abusing API keys, thereby reducing cloud costs, minimizing operational distractions, and protecting the brand’s reputation.
Conclusion
With the API landscape constantly changing, it is key to implement continuous monitoring and verification, ensuring new services and API endpoints are secure from day one. This proactive approach allows companies to eliminate hidden vulnerabilities and mitigate risks before attackers can exploit them.
Approov are experts in securing apps and APIs. We can secure your loyalty and rewards apps.