Hackers target passwords and loyalty cards

Susan Tompor | USAToday

Beware: Cyber crooks apparently are now eyeing the loyalty cards dangling on our key fobs.

I received a "Security Update" last week via e-mail regarding the rewards program that I signed up for several years ago at Toys R Us.

Given all the scams, I wondered whether this notice was some kind of trick. But it was legitimate. My worn-out Toys R Us rewards card — which has been used for birthdays, holidays and just-because-we're-out-together shopping days — seems to be valuable to crooks.

We're seeing more warnings that cyber crooks will go after whatever moves — or has a password that you might use somewhere else.

"They're willing to hack into anything where they can get anything of value for nothing," said Adam Levin, chairman and co-founder of Credit.com and IDT911.com.

Going forward, consumers could be hearing more about rewards points hacks. Late last year, American Airlines and United Airlines began notifying customers through e-mails that hackers stole usernames and passwords from a third-party source. Some customers lost miles as a result.

Hilton Honors loyalty program warned last year that hackers managed to access some accounts and cash out some rewards points. Some members had reported points being used to buy merchandise, according to the Loyalty Lobby blog.

Who would have ever imagined this one? We've heard of hacking to get our Social Security numbers to file fake income tax returns that cook up extra rich refunds. We've heard of hacking for our credit card data at stores like Target and Home Depot.

But our rewards points? Sorry, maybe I'm a little naïve, but initially I couldn't see why some con artists would want my points to load up on boxes of Lego Bionicles. After thinking about this, of course, I realize that the crooks would probably figure out a way to load up on Microsoft Xboxes to sell on the black market.

If your key ring is anything like mine, you're carrying around all kinds of rewards points, too. I've got 21 fobs on my key ring alone, including Rite Aid, Panera, Hallmark, Kroger, Blockbuster (why do I still carry that one?), Petco, CVS, PetSmart and Godiva.

We're willing to give away some personal information to get those ever-important discounts. At Godiva, I get one free truffle a month. Why wouldn't I give away my e-mail and address? Almost without blinking, I joined another loyalty program just last weekend at a shoe store that I'm unlikely to visit all that much in the future. But, hey, I wouldn't mind the catalogs and an extra discount in the month of my birthday.

Retailers, of course, build sales on rewards programs. Kohl's Corp. launched a loyalty program via a mobile wallet last year and has enrolled 25 million shoppers. It's a shift from only offering exclusive deals to store credit-card users.

What happens, though, if hackers do go after rewards points? Would we then reconsider some of this easy access to our personal information?

For me, the Toys R Us issue proved to be a small one. I went to the store a few days after the alert and was able to easily use my rewards for some early Easter gifts for little ones. As far as I could tell, I still had all my points.

Kathleen Waugh, vice president of corporate communications for Toys R Us, confirmed in an e-mail that no points were lost for customers.

She said the retailer sent the security update e-mail to a "small percentage" of Rewards R Us members requesting a password change.

"We suspect this activity was due to large breaches at other companies — not Toys R Us — where user log-in names and passwords were stolen and then used for unauthorized access to other accounts, such as Rewards R Us accounts, where a user may use the same log-in name and/or password," according to the e-mail sent to some rewards members.

Toys R Us said it was able to identify an attempt to gain unauthorized access to a small percentage of the rewards accounts from Jan. 28 to Jan. 30.

The e-mail that was sent to me to alert me to change my password said Toys R Us did not believe that my account was accessed or that my password was compromised. But it was suggested that I reset my password.

All this, of course, is yet another reminder that we should not use the same passwords for every account. If a rewards program is hacked and you're using the same password everywhere, you might be giving away a password for a bank account.

A study by Ofcom, a communications watchdog in the United Kingdom, indicated that 55% of those surveyed admitted they use the same password for most, if not all, websites.

I'll be honest, I don't use the same passwords. But sometimes, I cannot remember which password I did use.

The cyber crooks, though, aren't giving up. So we all have to be more diligent about the passwords we use. If we sign up for a discount, we could be rewarded with some security alerts down the line, too.

Contact Susan Tompor: 313-222-8876 or stompor@freepress.com

More on rewards and security

• Do not use the same password for a variety of websites. Using one password for everything gives cyber crooks an old-fashioned skeleton key that can open any door to your accounts.

• Never use a boilerplate password for bank accounts or other important financial accounts.

• Be careful with the loyalty cards on your key chain. If you no longer shop somewhere, you don't need to carry around their loyalty card. Some older cards could have your name on them.

• Change passwords frequently.

• Make sure to monitor credit card purchases regularly in case of any security breaches.