The punch cards stuffed in your wallet know next to nothing about you, except maybe how many frozen yogurts you still need to buy to get a free one.

But loyalty programs, as they shift from paper and plastic to apps and websites, are increasingly tracking a currency that can be more valuable than how much you spend: personal data. As a result, the programs know things about you that some of your friends may not, like your favorite flavor (mango), when your cravings strike (early afternoon) and how you pay (with your Visa), in addition to billing details and contact information.

Hackers are in close pursuit.

One loyalty-fraud prevention group estimates, conservatively, that $1 billion a year is lost to crime related to the programs. As a share of fraud not involving a physical payment card, such schemes more than doubled from 2017 to 2018, according to the Javelin Strategy & Research firm.

Some criminals use stolen credentials to impersonate customers, breach loyalty profiles and then tap into separate accounts. Others deplete balances or sell points on dark web marketplaces. One hacked Southwest Airlines rewards account with at least 50,000 miles was advertised for $98.88, according to the cloud security company Armor.