Dunkin’ Donuts and Marriott hacks: loyalty apps are vulnerable to hackers
I was recently conned into downloading a rewards app for a ramen place I go to at most once a year. A sign in the restaurant informed me that I could get a free seasoned egg, or maybe even a noodle refill, once I spent a certain amount of money and hit a certain number of points. This is apparently all it takes for me to hand over my data to a ramen place.
It’s not the only rewards app on my phone, nor is it the only one I’ve downloaded and used just once or twice, if at all. And according to a new report by the New York Times, my thirst for rewards makes me a giant sucker — and possibly a vulnerable target for hackers.
For customers, loyalty apps may make financial sense — it’s like getting free stuff for spending money they were going to spend anyway — and may be more convenient than a physical rewards card. (For what it’s worth, my wallet is full of rewards cards for at least half a dozen coffee shops and restaurants. Sometimes I lose them, which means losing all my hard-earned rewards.) For businesses, these apps are an easy way to encourage customers to spend more money while handing over valuable data on their consumption habits.
But according to the Times, this data may not be as useful as companies think. “They’ve got oceans of data and puddles of insight,” Emily Collins, an analyst with Forrester Research, told the paper. And these oceans of data are apparently extremely vulnerable to breaches.
Loyalty apps, one security expert told the Times, are “almost a honey pot for hackers.” Lots of people (like me!) don’t take privacy or security on these apps as seriously as they would for, say, their social media or email logins.
The result? Hackers can easily infiltrate these accounts, either to use the points themselves or to sell them on the dark web. One hacker prevention group told the Times that an estimated $1 billion a year is lost to reward app hacking.
Last November, Dunkin’ Donuts said a hacker had gained access to information on its rewards app, called DD Perks, including some users’ login information. And in January, Marriott revealed that hackers had breached its reservation system and accessed several million customers’ information, including passport numbers and credit card numbers.
This isn’t the only way hackers take advantage of loyalty apps. Last year, Motherboard reported on the people who buy and sell luxury vacation packages for a few hundred dollars’ worth of bitcoin on the dark web, often by manipulating miles, points, and other rewards programs. “[I]t involves booking with points in a way that makes it indistinguishable to a legit booking,” read one listing on Dream Market.
Some of these listings, Motherboard reported, involve stolen points. One listing for hacked JetBlue points warns customers that “there is no replacement if the account has [two-factor] verification?” because “it’s part of the game.” Motherboard found more than a dozen airlines and hotel chains that may have been targets of loyalty point fraud, including Delta.
Though the Motherboard report focused on airlines, hotel chains, and other companies with big-ticket points systems, the Times also spoke to people whose accounts for smaller purchases were hacked. Customers have had their accounts on the Domino’s Pizza, Buffalo Wild Wings, and Hilton apps hacked, the publication reports.
People who use lots of loyalty apps, like yours truly, would do well to change their passwords and set up two-factor authentication if at all possible. A better solution, though, would be to get rid of accounts you don’t use. There may be more to lose from them than there is to gain.
Want more stories from The Goods by Vox? Sign up for our newsletter here.
Gloss