Gift cards and loyalty programs are used by retailers to increase customer traffic, build brand awareness, and win new customers. However, they also attract fraudsters who exploit these systems, causing substantial financial losses and undermining customer trust. This post explores the nature of gift card and loyalty program abuse and how proper cybersecurity measures, specifically API security and bot management, can mitigate these risks.
Gift card and loyalty program abuse typically involves unauthorized access to card numbers, account takeover, and/or balance theft. Attackers target the relevant applications and their APIs (login, card processing, balance check, etc.) to perform carding attacks (testing stolen payment card details, often by buying low-value gift cards), account takeover (for example, credential stuffing against the login endpoint), and balance theft (enumerating card numbers against a balance-check endpoint until a funded card is found, then spending it). Some of this is business logic abuse, where the attacker gets an application or API to do something it was never designed for; some of it is plain brute force that floods web applications and APIs with traffic. These attacks are often multi-faceted, combining several tactics and techniques, which makes identifying and preventing them difficult.
Gift card and loyalty program abuse and fraud are high priorities because they directly cost businesses money while eroding customer confidence. A customer who tries to pay with a gift card, perhaps received for a birthday or holiday, only to find it has been emptied is understandably frustrated. The impact of these kinds of fraud can include:
As with most types of cyberattacks and online fraud, a multi-faceted strategy works best to protect the business and its customers. Cequence's Discover, Comply, and Protect framework provides a holistic protection plan:
Discover
To protect your applications and their APIs, you first need to uncover which APIs exist and where they are located. Using both an outside-in and an inside-out approach, Cequence discovers internal, external, and third-party APIs, so organizations know where all of their APIs are and are alerted when new APIs are deployed. Cequence also provides a free assessment that shows the attacker's view of your network.
Comply
Once you have a proper catalog of your APIs, you want to ensure that they are documented, tested, and assessed for risk. Cequence inventories all APIs and highlights those without documentation. Cequence also provides API security testing to identify and remediate vulnerabilities, either in the CI/CD pipeline or at runtime.
Protect
There are two critical parts to protecting against these kinds of attacks: detection and prevention. Identifying and monitoring the attacks is difficult because the attacker's tactics are highly varied and evolve frequently. Cequence's behavioral fingerprinting goes far beyond the IP address as an identifier and uses the tools, infrastructure, and credentials the attacker relies on, so the same actor can be identified and tracked even as they rotate IPs or change tactics to avoid detection.
Once the attacks are identified, you need a way to stop them and prevent them in the future. Most solutions rely on a CAPTCHA or some other "prove you're human" challenge, but that approach requires changes to application code, does nothing for APIs that are attacked directly, and, perhaps most importantly, adds friction for legitimate customers. Cequence takes a network-based approach that provides native mitigation without any application changes, with mitigation options including logging, rate limiting, deception, and blocking.
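To make the fingerprinting point concrete, here is an added example (not Cequence's code, and not from the original post) that runs simple enumeration detection over constructed balance-check log lines. It groups requests first by source IP and then by a behavioral fingerprint built from the TLS client fingerprint, User-Agent, and ASN, and shows that an attacker spreading card-number guesses across a proxy pool stays under a per-IP threshold but is obvious per fingerprint. The log format, the `/api/giftcard/balance` endpoint name, the availability of a JA3 hash at the edge, the thresholds, and the sample traffic are all assumptions made for this example.

```python
"""Added example: gift-card balance enumeration, detected per IP vs per fingerprint.

Log format, endpoint name, thresholds and sample traffic are assumptions for
this example; none of it is taken from the original post or a real deployment.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

BALANCE_PATH = "/api/giftcard/balance"   # assumed endpoint name


@dataclass(frozen=True)
class Request:
    ts: int        # epoch seconds
    ip: str
    ja3: str       # TLS client fingerprint hash, assumed to be recorded at the edge
    asn: int       # autonomous system of the source IP
    status: int    # 404 = no such card, 200 = balance returned
    path: str
    card: str      # card number queried (real logs would mask most digits)
    ua: str


def parse_line(line: str) -> Request:
    """Parse one constructed log line: ts,ip,ja3,asn,status,path,card,ua"""
    ts, ip, ja3, asn, status, path, card, ua = line.split(",", 7)
    return Request(int(ts), ip, ja3, int(asn), int(status), path, card, ua)


def fingerprint(r: Request) -> str:
    """Behavioral fingerprint from tooling (JA3 + User-Agent) and hosting (ASN).
    The IP is deliberately excluded so a rotating proxy pool collapses to one actor."""
    return hashlib.sha256(f"{r.ja3}|{r.ua}|{r.asn}".encode()).hexdigest()[:16]


def by_ip(r: Request) -> str:
    return r.ip


def enumeration_suspects(lines, key, window=60, max_distinct_cards=5, min_fail_ratio=0.8):
    """Return {key: (distinct_cards, fail_ratio)} for every key that, within one
    window, checked more distinct card numbers than a shopper plausibly holds and
    mostly hit cards that do not exist (the signature of number enumeration)."""
    buckets = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r.path != BALANCE_PATH:
            continue
        buckets[(key(r), r.ts // window)].append(r)
    suspects = {}
    for (k, _win), reqs in buckets.items():
        cards = {r.card for r in reqs}
        fail_ratio = sum(1 for r in reqs if r.status == 404) / len(reqs)
        if len(cards) >= max_distinct_cards and fail_ratio >= min_fail_ratio:
            prev = suspects.get(k)
            if prev is None or len(cards) > prev[0]:
                suspects[k] = (len(cards), round(fail_ratio, 2))
    return suspects


def mitigation(distinct_cards: int, fail_ratio: float, soft=5, hard=15) -> str:
    """Map a finding to one of the graduated responses the post lists."""
    if distinct_cards >= hard:
        return "block"
    if distinct_cards >= soft:
        return "rate_limit"
    return "log"


# --- constructed sample traffic (not real logs) ---------------------------------
BOT_JA3 = "e7d705a3286e19ea42f587b344ee6865"   # made-up hash for the bot's TLS stack
BOT_UA = "python-requests/2.31.0"
SAMPLE_LINES = []
# Attacker: 20 balance checks inside one minute against 20 different card numbers,
# rotated across 10 proxy IPs (2 requests each); 18 of the 20 cards do not exist.
for i in range(20):
    SAMPLE_LINES.append(f"{1700000000 + i},203.0.113.{i // 2},{BOT_JA3},14061,"
                        f"{404 if i < 18 else 200},{BALANCE_PATH},6006{i:012d},{BOT_UA}")
# Legitimate shopper: re-checks the same card three times from one IP and browser.
for i in range(3):
    SAMPLE_LINES.append(f"{1700000010 + i * 5},198.51.100.7,a0e9f5d64349fb13c4c2d37f3ab4ebb4,7922,"
                        f"200,{BALANCE_PATH},6006111122223333,Mozilla/5.0 (Windows NT 10.0) Chrome/120")

if __name__ == "__main__":
    print("per-IP view:         ", enumeration_suspects(SAMPLE_LINES, by_ip))
    print("per-fingerprint view:", enumeration_suspects(SAMPLE_LINES, fingerprint))
```

With these inputs the per-IP view flags nothing, because each proxy IP only ever queried two cards, while the per-fingerprint view flags a single actor with 20 distinct cards and a 90% miss rate, which `mitigation` maps to a block. In production the same grouping key can drive a rate limit or a deception response (a plausible but fake balance) instead of an outright block, and the thresholds should be tuned against real customer behavior so legitimate shoppers checking a few cards are never caught.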
A U.S.-based fashion retailer came to Cequence with a significant bot and gift card fraud problem. Their existing Web Application Firewall (WAF) was not scaling to meet the attack volume. Attackers were using the retailer's systems to validate stolen credit cards, purchase gift cards with them, and then buy products with the fraudulently obtained gift cards, directly costing the company money. The retailer deployed Cequence, which accurately identified the malicious traffic, ensured legitimate customer traffic would not be affected by mitigation, and blocked the fraudulent attacks, all without requiring application modification. Estimated cost savings were upward of $100 per customer account.
Cequence can help your business combat gift card and loyalty program abuse and fraud. Contact us to discuss your situation and how Cequence can help.
The post What is Gift Card and Loyalty Program Abuse? appeared first on Cequence Security.
This is a Security Bloggers Network syndicated blog from Cequence Security authored by Jeff Harrell. Read the original post at: https://www.cequence.ai/blog/bot-management/gift-card-and-loyalty-program-abuse/