Attackers keep finding new sources of sensitive data such as payment card details and identity information, from databases to, in Panera Bread’s case, a loyalty reward program. According to KrebsOnSecurity, Panera Bread had been leaking customer information from the MyPanera online loyalty program for at least eight months.
The leak exposed names, email and physical addresses, birthdays, and the last four digits of credit card numbers. Loyalty card numbers were also exposed, which could allow scammers to abuse prepaid accounts. While Panera’s estimate put the number of affected customers at 10,000, KrebsOnSecurity put it closer to 37 million.
The Ease of Stealing Loyalty Points
The Washington Post noted that the true number of compromised accounts may never be fully known, but in any case the loss of data from MyPanera is significant enough to raise questions about security. In an age of e-commerce, people manage their personal banking on mobile apps and enjoy the convenience of ordering goods online, but every such relationship and transaction adds another place where a data breach can happen.
Loyalty programs may offer convenience in the form of free items or deals, but the personal data stored in them is far from secure. Security researcher Dylan Houlihan, who first contacted Panera Bread about the leak on August 2nd, 2017, said that the company used sequential integers as account IDs. In other words, anyone who wanted to gather information could simply increment through the account IDs and collect as much data as they liked, up to and including the entire database. The predictable IDs only mattered because the site handed back any account’s data to whoever asked for it; a guessable identifier combined with no ownership check turns one valid session into a dump of every record.
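The enumeration described above, as an added example that is not code from the original page or from Panera: a hypothetical in-memory loyalty API with sequential integer IDs and no authorization check, beside a hardened version that issues random opaque handles and only returns a record to its owner. The endpoint names, record fields and sample customers are constructed for illustration.

```python
"""Sequential account IDs versus unguessable IDs with an ownership check.

Hypothetical in-memory loyalty API used only for illustration; the class names,
fields and sample data are assumptions, not any real loyalty program's design.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    email: str
    last4: str          # last four digits of the card on file
    loyalty_card: str


# Constructed sample data: three customers keyed by sequential integer IDs.
SAMPLE = {
    1: Profile("Alice", "alice@example.com", "1234", "9000000001"),
    2: Profile("Bob", "bob@example.com", "5678", "9000000002"),
    3: Profile("Carol", "carol@example.com", "9012", "9000000003"),
}


class VulnerableApi:
    """Looks up a profile by a sequential integer ID with no authorization check."""

    def __init__(self, records):
        self.records = dict(records)

    def get_profile(self, requester_id, account_id):
        # The requester's identity is ignored: any logged-in user can read any account.
        return self.records.get(account_id)


class HardenedApi:
    """Issues random opaque handles and only returns a profile to its owner."""

    def __init__(self, records):
        # Each profile gets a 128-bit random handle; the integer key is never exposed.
        self.records = {}
        self.handle_for = {}
        for seq_id, profile in records.items():
            handle = secrets.token_urlsafe(16)
            self.records[handle] = profile
            self.handle_for[seq_id] = handle

    def get_profile(self, requester_handle, account_handle):
        # Ownership check: the caller may only read their own record. Even a
        # leaked handle for someone else returns nothing.
        if requester_handle != account_handle:
            return None
        return self.records.get(account_handle)


def enumerate_vulnerable(api, requester_id, limit):
    """Walk IDs 1..limit with one valid session, exactly as an attacker would."""
    found = []
    for account_id in range(1, limit + 1):
        profile = api.get_profile(requester_id, account_id)
        if profile is not None:
            found.append(profile)
    return found


def enumerate_hardened(api, requester_handle, candidate_handles):
    """Try every candidate handle with one valid session.

    Random handles cannot be walked with a counter, and the ownership check
    means that even a complete list of leaked handles yields only the caller's
    own record.
    """
    found = []
    for handle in candidate_handles:
        profile = api.get_profile(requester_handle, handle)
        if profile is not None:
            found.append(profile)
    return found


if __name__ == "__main__":
    weak = VulnerableApi(SAMPLE)
    print("vulnerable API, one session:", len(enumerate_vulnerable(weak, 1, 10)), "records")
    strong = HardenedApi(SAMPLE)
    alice = strong.handle_for[1]
    guesses = list(strong.records) + [str(i) for i in range(1, 11)]
    print("hardened API, one session:", len(enumerate_hardened(strong, alice, guesses)), "record")
```

Either fix alone is incomplete: random handles without the ownership check still leak to anyone who obtains a handle, and the ownership check without random handles still lets an attacker confirm which IDs exist. The hardened class applies both.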
KrebsOnSecurity reported that, despite Houlihan’s correspondence with Panera Bread, which confirmed and acknowledged the issue in a response email, the flaw still had not been addressed as of April 2018. Across the 49th parallel, Charlottetown resident Nancy MacArthur had her online PC Optimum rewards account broken into and lost 390,000 points, worth 390 Canadian dollars, in the process. Her account records show that the attacker spent the points on March 4th at a Shoppers Drug Mart in Chestermere, nearly 3,000 miles from Charlottetown. MacArthur said the attacker used the cashed-in points to buy a game console, something easily resold for cash. The incident came at a time when dozens of PC Optimum members had recently had more than 100,000 points stolen from their accounts.
As with Panera Bread, the security behind loyalty programs is lax compared with bank accounts and other tightly secured accounts. Some programs even let fraudsters redeem stolen points for goods online. Attackers who would rather not deal with the rewards program at all can sell the stolen points through legitimate websites that pay cash for unwanted gift cards or loyalty points, minus a nominal fee.
A Possible Solution
The CBC article mentioned that experts advise people to treat loyalty programs with the same care as their other financial accounts: check point balances regularly, create strong passwords, and never reuse a password across accounts. These practices are prudent, but yet another layer of security could also be implemented on the provider’s side.
Mobile payment solutions such as Apple Pay, Samsung Pay, and Google Pay use tokenization, in which a token is issued to stand in for the sensitive value. Instead of a name or card number, a randomized number that is only meaningful to the token vault is sent to complete the transaction, so a merchant or attacker who captures it learns nothing about the underlying account. As the security of regular payments is tackled head on with EMV chip cards, Personal Identification Numbers (PINs), 3-D Secure, and tokenization, fraudsters look for the path of least resistance and target value-added services such as loyalty programs, where security is laxer. It naturally follows that, in addition to better security practices on the user’s end, loyalty reward programs could benefit from tokenization to deter attackers.
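The tokenization idea described above, as an added example that is not code from the original page or from any payment network: a minimal token vault that replaces a loyalty card number with a random token bound to one scope (a store or channel) and an expiry, so a token stolen from a merchant log or a loyalty app cannot be reversed, replayed elsewhere, or used after it lapses. The vault API, the scope names and the sample card number are assumptions made for illustration.

```python
"""Token vault: replace a loyalty card number with a random, scoped token.

Illustrative design, not any real token service provider's implementation. The
vault holds the only copy of the token -> real number mapping; merchants and
apps store and transmit the token alone.
"""
import hmac
import secrets
import time


class TokenVault:
    """Maps random tokens to real card numbers, bound to a scope and an expiry."""

    def __init__(self):
        self._vault = {}   # token -> (card_number, scope, expires_at)

    def tokenize(self, card_number, scope, ttl_seconds=3600, now=None):
        """Issue a fresh 128-bit random token for card_number, valid only for scope."""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)   # no mathematical relation to the card number
        self._vault[token] = (card_number, scope, now + ttl_seconds)
        return token

    def detokenize(self, token, scope, now=None):
        """Return the real number only for the scope the token was issued to, before expiry."""
        now = time.time() if now is None else now
        entry = self._vault.get(token)
        if entry is None:
            return None                     # unknown or forged token
        card_number, bound_scope, expires_at = entry
        if not hmac.compare_digest(bound_scope, scope):
            return None                     # token replayed at a different merchant or channel
        if now > expires_at:
            return None                     # token reused after it lapsed
        return card_number


def redeem_points(vault, token, scope, now=None):
    """What a merchant does at redemption time: pass the token through to the vault.

    The merchant never sees the full number; it receives only the last four
    digits for the receipt, or None if the vault refuses the token.
    """
    number = vault.detokenize(token, scope, now)
    return None if number is None else number[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    card = "9000000001234"                          # constructed sample loyalty card number
    token = vault.tokenize(card, "store-42", ttl_seconds=60, now=1000.0)
    print("token stored by the app:", token)
    print("redeem at store-42:", redeem_points(vault, token, "store-42", now=1010.0))
    print("replay online:", redeem_points(vault, token, "online", now=1010.0))
    print("replay after expiry:", redeem_points(vault, token, "store-42", now=2000.0))
```

The two properties a practitioner should check in any tokenization scheme are visible here: two calls with the same card number return different tokens, so a token cannot be correlated across merchants, and the real number only ever leaves the vault in response to a request that matches the token’s bound scope and has not expired.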