
Identity thieves target customer loyalty websites

TOKYO - Websites for customer loyalty programs have seen a rise in illegal access to customer accounts and a growing number of thefts of member program points.

The cases involve illegal access to loyalty program sites of airlines, home electronics makers, credit card companies and other firms. In some instances, online thieves have exchanged stolen points for gift certificates without the genuine holders knowing.

Affected companies and Internet crime experts say that some of the hackers appear to have used lists of user IDs and passwords, because in some cases the success rate of login attempts was unusually high.

"The best defense measure is changing passwords regularly and not using the same passwords for different websites," one security expert noted.

An official of My Sony Club, Sony Corp.'s loyalty program site, explained the method used in one of the online theft cases, saying: "One member account was accessed with only a single attempt. They showed unbelievable accuracy."

Through the series of account break-ins, the perpetrators exchanged the points of 273 members for $7,415 worth of gift certificates.

The break-ins occurred between April 19 and 29. Program members are required to set passwords between six and 12 characters in length, but the perpetrators illegally accessed the site using the correct passwords.

The stolen points were exchanged for gift certificates, including PlayStation tickets with which game products can be bought.

The gift certificates consist of 12-character code numbers delivered electronically. The system allows users to access and use their codes immediately for online shopping and other services by inputting codes.

Under the system, points can be spent by a third party, and the proper users have no way of knowing unless they somehow notice their missing points.

The company verified records of failed access attempts due to incorrect passwords, and found the perpetrators had a success rate of greater than 10 percent on average.

According to research by the Information-technology Promotion Agency (IPA), an independent administrative institute, the success rate of such break-ins last year was around 1.35 percent at the highest.
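The two figures above, a normal ceiling of around 1.35 percent and the perpetrators' more than 10 percent, are the kind of signal a site operator can compute from its own login logs. The script below is an added illustration, not code from the article, Sony, JAL or the IPA: it aggregates constructed log lines per source, uses the IPA figure as a baseline, and flags any source whose success rate over enough attempts is a multiple of that baseline. The log format, the thresholds and the sample addresses and account names are assumptions made for the demo.

```python
"""Flag login sources whose success rate is far above the site's baseline.

Added example, not from the article or any vendor: the IPA figure the article
cites (about 1.35% success at the highest for such break-ins) is the baseline,
and a source is flagged when its success rate over enough attempts is a
multiple of that. Log format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

BASELINE_RATE = 0.0135    # IPA figure quoted in the article
MIN_ATTEMPTS = 20         # assumption: fewer attempts cannot support a rate estimate
ALERT_MULTIPLIER = 5      # assumption: alert at 5x baseline, i.e. 6.75% or more


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)   # distinct account names tried

    def rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Parse one 'ts src=... user=... result=ok|fail' line (assumed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["user"], fields["result"] == "ok"


def aggregate(log_text: str) -> dict:
    """Per-source attempt and success counts plus the set of accounts tried."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, user, ok = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.successes += int(ok)
        s.users.add(user)
    return dict(stats)


def flag_sources(stats: dict, baseline=BASELINE_RATE,
                 min_attempts=MIN_ATTEMPTS, multiplier=ALERT_MULTIPLIER) -> list:
    """Sources with enough attempts whose success rate is >= multiplier * baseline."""
    return sorted(src for src, s in stats.items()
                  if s.attempts >= min_attempts and s.rate() >= baseline * multiplier)


def build_sample_log() -> str:
    """Constructed sample (not real data): one list-driven source, one noisy
    password-guessing source, and one ordinary member who mistyped once."""
    lines = []
    ts = "2013-04-19T10:00:00"
    # 203.0.113.5: 30 different accounts, 5 succeed -> 16.7%, like the >10% in the article
    for i in range(30):
        ok = "ok" if i % 6 == 0 else "fail"
        lines.append(f"{ts} src=203.0.113.5 user=member{i:03d} result={ok}")
    # 198.51.100.7: 100 guesses spread over 10 accounts, 1 succeeds -> 1%, near baseline
    for i in range(100):
        ok = "ok" if i == 99 else "fail"
        lines.append(f"{ts} src=198.51.100.7 user=member{i % 10:03d} result={ok}")
    # 192.0.2.9: a real member, one typo then a success (too few attempts to judge)
    lines.append(f"{ts} src=192.0.2.9 user=member900 result=fail")
    lines.append(f"{ts} src=192.0.2.9 user=member900 result=ok")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = aggregate(build_sample_log())
    for src in flag_sources(stats):
        s = stats[src]
        print(f"ALERT {src}: {s.successes}/{s.attempts} = {s.rate():.1%} "
              f"across {len(s.users)} distinct accounts")
```

The distinct-account count is kept alongside the rate because a high success rate spread over many different usernames from one source, rather than repeated guesses at a few accounts, is what separates a purchased ID/password list from ordinary password guessing; a minimum attempt count keeps a legitimate member who succeeds on the second try from being flagged.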

Experts assume that the perpetrators obtained passwords used at other websites through underground websites, or guessed passwords from user information posted on other sites, such as social networking sites, and used them to build lists pairing passwords with IDs with which they can intrude into websites.

"Groups of perpetrators have improved list accuracy by deleting passwords and other information that failed in previous break-in attempts. The risk of illegal logins has gradually risen," said Kenji Tanaka, an IPA research fellow.

In addition to Sony, illegal logins occurred at Japan Airlines' frequent flier miles site in February. In that case, the accumulated miles of 65 members were exchanged for gift certificates at major online retailer Amazon.com.

Life Card Co., a major credit card firm, also suffered from hundreds of illegal logins, in which stolen points were exchanged for gift certificates at Amazon.com.

In March, All Nippon Airways' frequent flier miles site was attacked, and 1.46 million miles from 11 members were exchanged for gift certificates for downloading music.

Some companies, including JAL, have suspended the option to exchange points for gift certificates.

Tanaka said: "Users should stop using the same password in different sites as a general rule. When users change their passwords, I'd like to see them mix uppercase letters, lowercase letters and numerical figures as far as possible.

"If users feel it is difficult to memorize passwords, they should use password-managing software. Old-fashioned methods, such as writing passwords down in a notebook, can sometimes be effective against illegal access by hackers."
