How to Safeguard Your Customer Loyalty Program from a Cyberattack

By: Melissa Canellis


When we hear about a major cybersecurity breach, it’s usually associated with a specific company—a large bank, healthcare organization, or even retailer. But sometimes, cybercriminals will focus their efforts on attacking organizations with loyalty programs, regardless of their size or industry. 

Why? Because loyalty programs are big business, with an estimated $48 billion in stored points and miles in the U.S. Additionally, they often house valuable data that can be sold on the dark net (i.e., online black markets). That includes customer names, usernames, passwords, and other highly sought-after information. Activities can range from the illicit use of stolen credit cards to purchasing rewards points to the manipulation of sign-up promotions. 

The good news for our users is that Punchh itself has never been hacked. Cybersecurity is extremely important to us, and we focus a considerable amount of brainpower on protecting our customers and their data. 

Punchh works hard to maintain an A+ report card when it comes to digital security, and we want to help you protect your business too. Here are four top threats restaurants and convenience stores with loyalty programs need to look out for, along with important recommendations to prevent a cyberattack. 

4 Most Common Cyber Threats to Restaurant Loyalty Programs

Although there are several ways in which cyber criminals attack people and businesses, there are essentially four methods hackers use to leverage loyalty programs.  

1. Account Takeover / Credential Stuffing 

This is the top threat we encounter. Attackers will systematically try to access loyalty program accounts using account credentials that have been compromised in another data breach. Usually, the perpetrators purchase lists from the dark web and use scripts and automation to try to access thousands of logins at once. Because users often maintain the same password across multiple accounts this information may then be accessed in these other places.  

It’s important to note that credential stuffing is a widespread problem across many loyalty programs. Okta, a global digital identification company, incurred 10 billion credential stuffing attempts on its platform in just the first 90 days of 2022, 80 percent of which were directed at the retail/eCommerce industry. 

2. Password Spraying 

These are more broad-brush attacks, a sort of shotgun approach to hacking. Using a set of “known good” credentials, attackers attempt to infiltrate multiple brands simultaneously, relying on the fact that many account holders use generic passwords like: “1234” or “password”. 

3. Credit Card Fraud

As the name says, this is the illicit use of stolen credit cards. Attackers use stolen credit cards to buy rewards points and transfer them to third parties. 

4. Account Signup Fraud

This attack involves exploiting sign-up promotions. Attackers create hundreds of accounts to benefit from sign-up promos or to launch secondary attacks. Oftentimes, criminals will also use this approach to create “designation wallets” for rewards that have been compromised from other accounts. 

Once a hacker is able to access a loyalty program account, they will try to illicitly redeem any stored points, buy merchandise to resell elsewhere, or simply transfer the rewards to another account and resell them to other criminals. 

How Punchh Protects Your Business and Your Customers

Punchh employs a robust suite of security and fraud prevention measures, ensuring secure and authentic user interactions. We use four different approaches to prevent attacks and limit exposure. They are: 

  • Rate Limiting:  We limit the number of requests a user or IP address can make within a specified time frame. This helps prevent automated bots from flooding our login system with credential-stuffing attacks.
  • Bot Management: We use sophisticated techniques to distinguish between legitimate traffic and bot activities, blocking any accounts making suspicious requests on the platform.
  • Detection of Exposed Credentials: To handle exposed credentials, Punchh implements stringent password management practices, including regular password resets, strong password policies, and ongoing monitoring for compromised credentials.
  • JA3 Fingerprinting using Cloudflare: Punchh leverages Cloudflare’s JA3 fingerprint tool, which creates a digital “fingerprint” of each device connected to the platform. This helps identify and block suspicious activity. We can also lock down certain accounts or restrict access to the platform from a handful of approved mobile devices. 

In addition, Punchh also deploys fraud detection and prevention tools, which enable us to analyze user behaviors, account transactions, and other key fraud indicators. This data can help us develop a model for each user’s behavior, allowing us to detect any suspicious patterns that may indicate fraudulent activity. 

Of course, we monitor our platform for fraud in real time, ensuring that we detect and respond to any suspicious activities immediately. The goal is to mitigate any dangers before they can do any serious damage. 

Last but not least, we build security right into our code as well as our hardware infrastructure. We follow a Secure Development Lifecycle (SDLC) that involves regular security assessments, code reviews, and implementing industry-standard secure coding principles. More than an afterthought, security is integrated from the start, reducing vulnerabilities and greater security. 

How to Prevent Cyberattacks on Your Restaurant Loyalty Program

One of the interesting phenomena about cybercrime these days is not only how vast it is, but how human-centric it is. That is, hackers often leverage psychology and human behavior to illegally obtain information or account access. The most secure software and hardware in the world is only as safe as its users’ behaviors.   

To that end, there are a handful of things your organization can do to protect itself and its customers. Remember that security isn’t just about protecting data. It’s about winning customer loyalty.  

  1. Keep Software Up to Date: This is the easiest one. You should always have the latest version of any mission-critical software your business relies on. This will ensure they have the most recent security updates and patches.
  2. Enable Security Settings:  You can prevent and discourage Sign Up Attacks through several backend settings in Punchh. This includes making sure to check the box to validate phone number uniqueness across guests and requiring email verification. Additionally, you can allow only one signup per device, ensuring that multiple signups don’t come from a single computer or mobile phone.
  3. Update Password Requirements: Ensure your users are choosing the safest possible passwords by setting password requirements to a minimum of eight characters, using one number, one letter, and one symbol.
  4. Send Notifications for New Device Sign-ins: Send an email to the account holder whenever their account is accessed by a new device. This will close the loop and alert them to any potential fraudulent access, giving them the option to sign out of all sessions and reset the password.  

Learn more about the Punchh Platform. Plus, stay in the know. Subscribe to our bi-monthly newsletter to receive proven loyalty strategies, offer management techniques, and new trends in your industry. Sign up today!  



Stay in the know. Subscribe to our bi-monthly newsletter to receive proven loyalty strategies, offer management techniques, and new trends in your industry. Sign up today!