Fraud when collecting points

Supermarket apps are designed to increase customers' loyalty and willingness to buy. But fraudsters can take advantage of this passion for collecting points. Find out here how this works and how you can protect yourself.


Collecting points and making bargains - supermarkets use their apps to try to increase customer loyalty and willingness to buy. But fraudsters can take advantage of this passion for collecting points. We show how consumers can protect themselves.

Collect points - get a bargain

Many supermarkets use their own apps to manage bonus points and discounts. This works as follows: anyone who buys certain designated products receives bonus credit in return, which can be redeemed on the next purchase. With every further purchase of designated products, the credit grows. For particularly large purchases there are also discounts, e.g. a few percent off the next purchase.

The problem: points theft through app takeover

But these points can be stolen - and without the phone itself having to be stolen! This is what happened recently with the REWE customer app in Germany. Some customers had the unpleasant experience of having their loyalty points redeemed without doing anything themselves.

An account is attached to every app

But how can this work? As with almost all apps, you have to create an account to use a supermarket app. This means that the user must register at least once with a combination of e-mail address and password. If a stranger obtains this data, they can log in to the relevant app without much effort, and thus gain full access to the points and discount campaigns of the corresponding customer.

Many apps, many accounts, few login data

Many users use many different apps and also have several other online accounts - but remember only a few passwords. As a result, many accounts are protected by very few combinations of e-mail address and password. This behavior is called password reuse.

Account takeovers through stolen passwords

If one of these combinations of e-mail address and password is published (e.g. through a phishing attack or a data leak at one of the services), the leaked access data can be tried out on all kinds of other services - including a supermarket app, for example. This procedure is known as credential stuffing. If the attempt is successful, the attacker usually has full access to the relevant data and options offered by the app.

This is exactly what happened to many users of the REWE app recently. The WDR program Markt reported on the phenomenon.
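Credential stuffing leaves a characteristic trace in an operator's login logs: one source tries many different accounts in a short time, most attempts fail, and a few succeed. The following Python script is an added example, not code from the original post or from Identeco, that runs a simple detector over a few constructed log lines. The log format (timestamp, source IP, account, outcome) and the thresholds are assumptions chosen for the illustration; a second source that repeatedly fails against a single account is included to show that the detector distinguishes stuffing from ordinary failed logins.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real log data):
# timestamp, source IP, account, outcome
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 anna@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 carla@example.com OK
2024-05-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:04Z 203.0.113.7 erik@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 fiona@example.com FAIL
2024-05-01T10:00:06Z 203.0.113.7 greta@example.com OK
2024-05-01T10:00:07Z 203.0.113.7 hans@example.com FAIL
2024-05-01T10:01:00Z 198.51.100.5 anna@example.com FAIL
2024-05-01T10:01:20Z 198.51.100.5 anna@example.com FAIL
2024-05-01T10:01:40Z 198.51.100.5 anna@example.com OK
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into (time, ip, account, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that tried many *distinct* accounts within `window`
    with a high failure rate. Distinct accounts per source is the key metric:
    stuffing tries one leaked password per account, whereas brute force
    hammers a single account."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until all events fit into `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            accounts = {e[2] for e in window_evs}
            fails = sum(1 for e in window_evs if e[3] == "FAIL")
            ratio = fails / len(window_evs)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                if best is None or len(accounts) > best["distinct_accounts"]:
                    # successful logins from a stuffing source are the accounts to protect
                    best = {
                        "distinct_accounts": len(accounts),
                        "fail_ratio": round(ratio, 2),
                        "successful_logins": sorted(
                            {e[2] for e in window_evs if e[3] == "OK"}),
                    }
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The accounts listed under `successful_logins` are the ones whose credentials evidently circulate in a leak; for those, forcing a password reset and notifying the user is the appropriate operator response, while the single-account source is handled by ordinary rate limiting.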

How can I protect myself?

One way for end users to protect themselves against app and account takeovers is to regularly check whether their own email addresses and passwords appear in data leaks. We recommend using the Leak Inspector. We have already described the range of functions of the Leak Inspector in a separate blog article.

To operate the Leak Inspector, we track down stolen data records on the Internet. To do this, we search the deep and dark web, collect data there, process it in compliance with data protection regulations and make it available to consumers and affected companies. We have already collected more than 55 billion data records and 300 million new ones are added every week.

You can also set up two-factor authentication for some apps. Once this has been done, you need a second factor, such as a code that is sent to you by text message, email or a special app, to log in to the relevant service. The problem with this, however, is that two-factor authentication is time-consuming and presents an additional hurdle when using the app.

Otherwise, you should regularly check your apps for unusual activity. Note, however, that by the time you notice something it may already be too late. But at that point at the latest: be sure to change your password!

Tips to protect against fraud in supermarket apps

• Leak Inspector: Regularly use the Leak Inspector to check whether your own e-mail address is already affected.

• Two-factor: Activate two-factor authentication wherever possible.

• Avoid password reuse: Use different passwords for different apps - never the same as for e-mail or social networks.

• Check the app: Check for irregularities in the app.

How can the app operator protect me?

But wouldn't it be much easier for the app user if the app operator could ensure that the user's access data is secure? Certainly! And Identeco offers products to do just that. In fact, PAYBACK, the industry leader in the field of loyalty point systems, has been successfully relying on our solutions for several years.

Fully automated protection of app users

We use the same database behind the Leak Inspector, i.e. over 55 billion leaked credentials, to fully automatically protect the users of apps such as loyalty point programs from app takeovers. We transmit anonymized data to our customers and enable the comparison of access data within our customers' own infrastructure. This does not require any exchange of user data.
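One general way to compare a login against a leak database without the user's plaintext credentials ever leaving the operator is a hash-prefix (k-anonymity style) feed: the provider ships only hashes of leaked e-mail/password pairs, bucketed by a short hash prefix, and the operator looks up a login's hash in the locally held buckets. The Python below is an added example of that general approach, written for this article; it is not Identeco's protocol or code, and the hash construction, prefix length, sample leak and password store are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

PREFIX_LEN = 5  # hex characters of the hash used as the bucket key (assumption)


def credential_hash(email, password):
    """Hash the (e-mail, password) pair. The e-mail is normalized so that
    'Anna@Example.com' and 'anna@example.com' match the same leaked record."""
    material = f"{email.strip().lower()}:{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def build_anonymized_feed(leaked_pairs):
    """Provider side: turn leaked plaintext pairs into {prefix: {full hashes}}.
    Only hashes leave the provider; the plaintext stays there."""
    feed = defaultdict(set)
    for email, pw in leaked_pairs:
        h = credential_hash(email, pw)
        feed[h[:PREFIX_LEN]].add(h)
    return dict(feed)


class CompromisedCredentialCheck:
    """Operator side: holds the feed locally and answers 'is this login
    using leaked credentials?' without sending the user's data anywhere."""

    def __init__(self, feed):
        self.feed = feed

    def is_compromised(self, email, password):
        h = credential_hash(email, password)
        return h in self.feed.get(h[:PREFIX_LEN], set())


def login(check, email, password, verify_password):
    """Login decision: a correct password that also appears in the leak feed
    is blocked and the user is forced to reset it."""
    if not verify_password(email, password):
        return "denied"
    if check.is_compromised(email, password):
        return "blocked_reset_required"
    return "ok"


# --- constructed demo data (not real leaks or real users) ---
LEAKED = [("anna@example.com", "Sommer2023!"), ("bob@example.com", "hunter2")]
FEED = build_anonymized_feed(LEAKED)

# Operator password store for the demo: salted PBKDF2 hashes, never plaintext.
DEMO_SALT = b"demo-salt-not-for-production"


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), DEMO_SALT, 100_000)


USER_STORE = {
    "anna@example.com": pw_hash("Sommer2023!"),          # reused a leaked password
    "carla@example.com": pw_hash("correct horse battery"),  # unique password
}


def demo_verify(email, password):
    stored = USER_STORE.get(email)
    return stored is not None and hmac.compare_digest(stored, pw_hash(password))


if __name__ == "__main__":
    check = CompromisedCredentialCheck(FEED)
    print(login(check, "anna@example.com", "Sommer2023!", demo_verify))   # blocked_reset_required
    print(login(check, "carla@example.com", "correct horse battery", demo_verify))  # ok
```

The check is only run after the password has been verified, so an attacker cannot use the leak feed as an oracle for which passwords are leaked; and because the operator holds the bucketed hashes itself, no individual login ever needs to be reported to the provider.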

Behind every app is a relationship

Loyalty point apps in particular symbolize the retailer's relationship with its customers. These apps, and the accounts behind them, should therefore enjoy special care and protection. With Identeco solutions, at least account takeovers through leaked access data are a thing of the past.

Conclusion

Supermarket apps offer real added value for customers through bonus points and discounts - but at the same time they also open a new gateway for fraudsters. The danger: anyone who uses weak or reused passwords risks attackers gaining access to personal loyalty points via stolen access data - as recently happened with the REWE app.

Consumers can protect themselves by using strong, unique passwords, activating two-factor authentication and regularly using services such as the Leak Inspector. It is even better if app operators also take responsibility and automatically detect and block compromised access data - as PAYBACK, for example, is already doing successfully with the help of Identeco.

Loyalty programs should strengthen customer loyalty - not jeopardize trust. For this to succeed, technical protective measures are needed on both sides: from the users and from the platforms themselves.

Any questions?

If you would like to know more about how we can secure user accounts, we are happy to help. Simply contact us via our contact form, book an appointment or send us an e-mail.
