News flash: miles are not just distance traveled! In fact, they are a hot commodity on the black market: thousands of points from frequent flyer programs, such as Emirates Skywards and Delta SkyMiles, are being sold. Miles are so highly sought after that a staggering 72% of airline loyalty programs, including American Airlines and United Airlines, have been attacked. Frequent flyer programs are huge moneymakers- these programs actually generate massive revenues, contributing to as much as half of all airline profits. That is, if you do not have to suffer from the cost of fraud. Since you operate by a small profit margin, the loss from a single fraudulent booking can be painful. To get the most out of these programs, it is paramount to protect your frequent travelers from account takeovers (ATO).

Despite being highly targeted, these flyer programs lack security measures. Most rely on a password and PIN number, and only a third deploy two-factor authentication (2FA). We all know that passwords are feeble and PIN numbers can be easily bypassed, but the truth is even 2FA is inadequate in securing loyalty accounts. Let’s evaluate the true effectiveness of 2FA in addressing ATO in your frequent flyer program, and whether you should consider other fraud management solutions.   

Frequent flyer program ATO: when fraudsters fly under the radar

Number of airline customer records breached in 2018
Statistics from: Bloom, Identity Theft Resource Centre, Fortune

With data breaches occurring at a massive volume, fraudsters have access to a truckload of login credentials. They can then hack into frequent flyer accounts, or target travelers with phishing emails. After which, the fraudster can proceed to either sell the account or transfer the miles into another dummy account. These accounts are extremely lucrative- they make up 13% of the accounts for sale on one major dark market, and can sell for as much as $884. Otherwise, the miles can be used to redeem other goods and services, such as rental cars and international flights. Fraudsters can also use these illegally obtained miles to purchase air tickets, after which they pose as “travel agents” and sell them to unsuspecting customers.

The security of frequent flyer accounts

Generally, loyalty account authentication is lacking. Similarly, most frequent flyer programs do not have strict security measures because they are thought to be expensive to deploy and maintain, and a hindrance to user experience. Most retail partners also do not require much identification for members to redeem their air miles. Fortunately, the increase in attacks on frequent flyer programs has prompted some airlines, including Qantas and Singapore Airlines, to deploy 2FA.

As compared to the password or pin number protection that most frequent flyer programs are using, 2FA is undoubtedly more effective in increasing the security of the accounts. 2FA serves as a form of safeguard by requiring that users provide an extra form of authentication, usually through an SMS with a verification code. This takes place before they log in to their accounts or perform an activity, such as updating their address or redeeming their miles. 

Two factor authentication for loyalty program: limitations

While 2FA is certainly better than no protection, it is unfortunately inadequate as a loyalty account authentication. Let’s look at the ways that 2FA is limited in securing your frequent flyer accounts against ATO:

1. Weak authentication

2FA might be an authentication tool, but that does not make it a strong one. Particularly, cybercrooks can easily intercept the text message by exploiting weaknesses in the cellular network. This means that they can receive and use your verification code before you do. In fact, such hijacking services are commonly available on the dark market. Hackers can also easily perform a SIM swap, where your phone number is transferred to another SIM card, allowing them to receive the text message. Evidently, SMS-based 2FA is not a secure loyalty account authentication.

2. Limited scope of protection

What makes 2FA even more ineffective is that it is deployed sporadically. Here’s the thing: fraudsters can exploit loopholes at any point of the entire user journey. Let’s say that 2FA is only implemented at the point of login, which is the usual case. A fraudster who has bought a frequent flyer account from the dark web can simply bypass the 2FA and proceed to redeem the miles in the account, since there is no security measure implemented at the point of redemption. Therefore, a key issue with 2FA is that it is a one-time verification measure isolated to a certain point or a single transaction. This leaves you defenseless against fraudulent activity that can infiltrate the user journey at any one or more areas simultaneously.

3. Friction in user experience

Travelers’ participation in frequent flyer programs
Travelers’ participation in frequent flyer programs
Statistics from: Deloitte

This is a common complaint- 74% of organizations admits that 2FA is a dampener on user experience. Frequent flyer programs are a competitive business, and travelers have more options now than ever before. In fact, your members most probably belong to other frequent flyer programs as well. This means that building true customer loyalty is not just about the redeemable miles; it should be about rewarding them with a fantastic experience. More travelers are also making last-minute bookings, and want to redeem their miles fast. Unfortunately, 2FA could be quite the hassle for users. This is especially when one loses coverage while travelling and is therefore not able to receive the SMS. Your customers expect their miles to be safe, without having to endure security measures that are an inconvenience. Giving them a less than ideal user experience can therefore push them away.

Protecting accounts with a comprehensive fraud solution

In a nutshell, 2FA is not all that effective in guarding your frequent flyer accounts against fraud. Instead, we recommend a comprehensive fraud management solution that analyzes user behaviors throughout the entire loyalty journey, doing so passively in real-time. This ensures that you can identify and prevent fraudulent behavior, while engaging your customers and keeping them happy.

1. Stronger authentication

Rather than rely on an SMS-based 2FA as your loyalty account authentication, you should use behavioral biometrics to gain a more accurate insight into the user’s identity. Machine learning, paired with real-time pattern recognition, can analyze every transaction to identify fraudulent patterns based on millions of data points. By analyzing user behavior such as typing speed, mouse clicks and swiping patterns, the system can accurately differentiate between genuine and fraudulent users- even when a fraudster is trying to appear legitimate by taking over a real account. Given that travel bookings are perishable, real-time authentication is crucial. A flight booking that has been redeemed by an illegitimate account has to be detected and blocked before the date of the booking passes, and with enough time to resell the seat.  

2. End-to-end coverage

2FA is a one-time authentication measure, but fraudulent behavior can occur throughout the loyalty lifecycle. Thus, an end-to-end solution is needed to cover all points of entry for fraud, across multiple channels and devices in real time. Behavioral biometrics continuously authenticates users, monitoring and analyzing behavior from account creation to login to miles redemption, and all other activities in between. With loyalty programs increasingly offering mobile rewards apps, a sophisticated end-to-end solution is needed to adequately protect your frequent flyer program.

3. Frictionless user experience

Thankfully, you do not have to struggle to strike a balance between improving security and delivering a frictionless user experience. Rather than forcing every user to log in with 2FA, you should move towards a fraud solution that uses real-time active surveillance. With real-time analysis and behavior monitoring, the system can proactively detect and block out fraudsters in real-time. Since all this happens passively in the background, the user experience remains frictionless.

Take flight from fraud

Frequent flyer accounts might be prime targets for ATO, but you can protect your travelers by investing in the right loyalty account authentication. While 2FA can be a good place to start, it is ultimately inadequate in guarding accounts, and is an impediment to user experience. On the other hand, having a comprehensive fraud management solution will bring loyalty to the next level- by having a safe program that aims to deliver the best customer experience.