Why identity thieves love loyalty cards
Loyalty cards are 'puzzles' that hackers can solve to gain access to online content associated with the card that could lead to more serious identity theft.
Tue, Jul 24, 2012 at 05:55 PM
I bought new sneakers a few months ago, and when I went to the checkout counter, the clerk asked me if I had a Dick's card.
I'm asked if I have a Weis card when I shop for groceries, a Best Buy card when I buy electronics, an Office Depot card when I pick up office supplies, and so on.
My keychain, my wallet and my smartphones match those of many Americans. They're littered with a stack of store loyalty cards, also called affinity cards, each of which gets scanned at cash registers as I pay.
Everything I purchase is entered into a store's computer system. In exchange for giving that information, I get discounts, rebates and points redeemable for dollars off a gallon of gas.
It's easy to think that loyalty programs are harmless. Some people have privacy concerns because the stores keep track of what you're buying, and somewhere your name and address are attached to that data.
But in most cases, your personal information isn't anywhere on the cards, and it isn't like a credit card or debit card, which is tied to your financial records.
While you probably wouldn't sign up for a new credit card at your favorite store — tempting as it might be to save an initial 10 percent on your purchases — you might not think twice about getting a loyalty card for a store you'll probably never visit again, just to save $3 on your grocery bill while on vacation.
Nothing is really free
However, those loyalty cards aren't as harmless, or as secure, as you might think.
When my husband went to redeem our gas points at our regular gas station, his loyalty card was rejected. The clerk double-checked; our points had already been used.
No other family members are on our account, and I hadn't used them. The store discovered that the points had been used at a gas station 150 miles from our home in a town we had never visited.
We, apparently, were the victims of loyalty-card fraud.
"Affinity-card fraud is different than regular credit-card fraud," said Philippe Benitez, vice president of marketing and business development at Gemalto, a digital-security provider based in Amsterdam.
"In most cases, the loyalty account is linked to a phone number or other account number, which can be displayed on a plastic card in the form of a barcode, or encoded onto a magnetic stripe," Benitez said.
"So when thieves obtain account information, they are not getting anything all that valuable," he said. "The account number cannot be used to make purchases per se."
Your identity for a discount
But, Benitez added, the cards can still be used for identity theft.
"The information connected to the card is not intrinsically valuable, in that the card cannot be duplicated and then used to extract money, but stolen data could lead to fraudsters hacking the system," he said. "The data on the card are pieces of the puzzle that a fraudster can use to impersonate that cardholder to breach the online system."
Such information is not that difficult to gather, either.
"These cards track everything you buy and when you buy it. This data is available online, so a thief could track your movements somewhat as well as your purchases," said Tim Lynch, owner of Psychsoftpc, a maker of high-performance personal-computing systems in North Quincy, Mass. "If you're a creature of habit, the thief will know when you are at the store and when you're not home."
"Most of these checkout scanners are tied to WEP secured (lowest encryption) or unsecured Wi-Fi, so that's a vulnerability," Lynch added.
Handle with care
Finding out if someone has accessed the data from your loyalty card isn't easy. My husband and I never would have known had we not tried to redeem our gas points, for instance.
If you do discover something is amiss, the first thing to do is to report it to the store. If you access your card's account online, immediately change passwords.
"It is important to not only change the password of the account that has been stolen, but [to] also change any account that was tied to the same user name (email, phone number, etc.) and used the same password," Benitez said.
"Then remember to check all the security options and settings on the account. Fraudsters can potentially change your preferences once they have access to your account, making it easier for them to gain access again, even if you change the password."
The best way to keep your loyalty cards secure is to be cautious of the information you provide on the cards. Provide the minimum amount possible.
If the card issuer requests information you aren't comfortable giving out, ask why providing it is necessary or consider not signing up for the card.
As with credit cards, the fewer loyalty cards you have, the better. It makes sense to have loyalty cards on hand for stores you frequent, but close the accounts of cards you haven't used in a while and don't sign up for cards at stores you don't plan on returning to.
Just remember: The couple of bucks you save on the giant bag of pretzels and 12-pack of soda will mean nothing if you get hit by identity thieves.
Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved.