Nancy MacArthur is trying to figure out how someone infiltrated her online PC Optimum rewards account and stole 390,000 points — worth $390.
According to her account records, the thief spent the points on March 4 at a Shoppers Drug Mart in Chestermere, Alta. MacArthur lives in Charlottetown.
“I felt totally victimized,” she said “You take it personally. You think someone went in and targeted you.”
Turns out, it wasn’t personal. In recent years, loyalty rewards programs have become a hot target for cyber criminals.
Last week, dozens of PC Optimum members told CBC News that they each recently had more than 100,000 points stolen from their account. According to one member’s records, the theft just happened on Friday. Owner Loblaws hasn’t said how many of the program’s six million members have been affected.
Last year, loyalty programs Air Miles, Quebec’s SAQ liquor-store chain, and PC Optimum’s predecessor — PC Plus — all had problems with thieves stealing members’ points.
Industry experts say scammers are increasingly targeting loyalty programs because they may be easier to infiltrate than say, your carefully guarded bank account, and they offer great rewards — stockpiles of unused points.
“Bad guys generally are looking for the lowest hanging fruit and in a lot of ways, loyalty programs are just that,” said Matt Schulz with the credit card information site, CreditCards.com.
A 2017 report by marketing agency Bond Brand Loyalty estimated that Canadians are sitting on a whopping $16 billion worth of rewards points — ripe pickings for fraudsters.
“An awful lot of rewards points go unused and people forget that they have them,” said Schulz.
Stolen points can also be easy to redeem. In the PC Optimum cases, thieves spent them on products at Loblaws-owned stores.
According to MacArthur’s records, someone named “Alex” briefly infiltrated her online account. She believes he also accessed her PC Optimum phone app, which includes her virtual rewards card that can be used to redeem points.
“I don’t know whether he screenshot it or or what he did, but he was in my profile,” she said.
MacArthur says PC Optimum told her that “Alex” cashed in her points at Shoppers for a video game console — an item that could be easily be resold for cash.
Some programs make it even easier for fraudsters because they allow collectors to redeem their points for goods online. “You can log into a website, take those points and, with a couple of clicks, you can buy yourself a gift card,” said Schulz.
If thieves want to avoid contact with a rewards program, they have another option: they can sell the stolen points online via legitimate websites that — for a fee — pay money for unwanted gift cards or loyalty points.
“There is a very vibrant and robust community out there for converting these various loyalty accounts into cash,” said Brian Krebs, author of the cybersecurity news site, KrebsonSecurity.
How do they get access?
So how are cyber crooks getting their hands on members’ points? They either hack into a program’s data system, or infiltrate individual accounts, says Robert Hudyma, an information technology management professor at Ryerson University.
“There’s a vulnerability anywhere where the system’s used,” he said.
A 2018 trend report by London-based cybersecurity firm Aon predicts that companies offering loyalty programs will have to beef up security as cyber criminals increasingly set their sights on members’ stockpiled points. That may include two-factor authentication before people can access their accounts.
Loblaws told CBC News that PC Optimum has strong security measures in place.
To provide another layer of protection, experts say members need to treat their loyalty programs with the same importance as their other financial accounts.
That means checking your points balance on a regular basis just as you would your bank account, and creating passwords that are tough to crack.
“People will often use their dog’s name or their telephone number or simply the number: 1,2,3,4,5,6, and this is the first thing some malevolent individual is going to try,” said Hudyma.
Cybersecurity expert Krebs says people should also avoid using the same password for different accounts. That’s because, if one of your accounts gets hacked, the culprit may then try to monetize your password.
“There’s a very good chance that that data is going to wind up for sale in the cybercrime underground,” he said.
MacArthur says she used a strong, unique password for her PC Optimum account, and has since changed it to something even more robust.
She’s still waiting for the program to return her stolen points. When she gets them back, she plans to adopt what she hopes is a guaranteed way to protect her points.
“I’m going to spend them right away because I’m scared of this happening again.”