
Rewards for loyal spenders are 'a honey pot for hackers' - bookofjoe
https://www.nytimes.com/2019/05/11/business/rewards-loyalty-program-fraud-security.html
======
bitwize
This doesn't surprise me. I spent a bit of time at one of the companies that
do loyalty programs on behalf of retailers (I would say that most if not 90%
of loyalty programs are outsourced). This one had some big-ticket clients
including a well-known coffee shop chain. Some things to note:

* In terms of culture, it was primarily a marketing company, not a technology company. Marketroids made up much of upper management. During new-employee orientation, one of these marketroids would attempt to sell you on the company's mission by redefining the word "loyalty" in such a way that it doesn't involve trust, faithfulness, or any other human virtue.

* The office was aggressively open-plan. Engineers sat shoulder-to-shoulder at long benches, with about enough room for their MacBook and one or two monitors, and that's it. There were no "focus rooms" or other quiet places to get work done, only a few conference rooms (and of course offices for upper management). Engineering shared the same office space with sales, marketing, and the other divisions and the place was constantly loud. Even the receptionist's area was out in the open like this. It was like some of the worst boiler-room recruitment firms I'd seen, but scaled up, and you were supposed to get technical work done there.

* The pace was also aggressive. There was an expectation that new features would be implemented and go into production quickly, and this is also the sort of company where you "commit" to work for the next sprint, you do not "forecast". If what you pledged to do by end of sprint isn't done, you will be given the turd-burgling stink eye at best.

With rewards programs being implemented in that kind of environment, is it any
surprise that proper care for things like security is not being done?

~~~
bookofjoe
Precisely why HN is like no other site: no matter what the subject or how
arcane the field, SOMEONE reading any post is an expert. It's like one of
those companies that finds you an expert for a price, except here it's free.

~~~
gumby
I am on the other end of those "find an expert for a price" (I'm the "expert")
and I always expect to be asked tough questions that are hard to answer.

Once -- once! -- I was contacted by a domain expert looking for someone else
to discuss some arcane tech issue (he was trying to decide if he should commit
to a new display technology for their next gen design, or if it was too risky.
I didn't make any decision for him or anything, just discussed the issues with
him).

Typically the questions I get are from people who aren't really sure about the
right question to even ask, typically in marketing or corporate strategy, and
typically mid level (not new hires but not the VPs or senior directors
either). They always have a particular question they want answered but don't
even know enough to phrase it properly ("we're looking into strategic
direction for our next level offering and our teams are recommending either
writing it in C++ or using the blockchain" -- not an actual question!)

This actually makes sense. If they understood a bit about their domain they
would already have contacts, hopefully ones they trusted, to help them decide.
The kinds of people who pay (well, get their company to pay) to "speak to an
expert" are not idiots, merely domain-ignorant and smart enough to know so. So
what I end up giving is a kind of off-the-cuff interactive survey white paper
to someone who hopes I don't know who they actually are (well, where they
work).

~~~
lifeisstillgood
This might be tangential but how do they find you and perhaps more
importantly (given they are smart but domain ignorant) how do they trust you?

~~~
gumby
It’s not tangential at all: they don’t hire me, they contract with a company
that has relationships with a ton of “experts” and that company makes the
connection, handles billing etc. They also have expert witnesses (often the
same folks) etc. I have no idea how those guys find me. Word of mouth I
presume.

~~~
tlear
I am really curious about the company that you work through. Place I contract
with right now really could use some of that expert advice (not software
engineering issue).

------
kazinator
Online reward programs are a "bonanza", "gold mine" for criminals, where they
can have a "field day", "orgy", "spree", ... consisting of "binging" on
personal information. Let's keep "honeypot" what it has come to be, though, in
connection with computer security.

https://en.wikipedia.org/wiki/Honeypot_(computing)

A honeypot is a decoy used to attract malicious activity, keeping it from
legitimate targets, and accurately identifying it.

Honeypots are deliberately promoted in such a way that legitimate users will
not find them, but criminals will end up harvesting their addresses. For
instance a honeypot e-mail address wouldn't be offered to legitimate users as
a contact, but only buried in some content where only a spammer will harvest
it. When the criminal uses the decoy identifier, their connection attempts are
subject to time-wasting pauses (the honeypot is "sticky"!), and their IP
address is put into a blacklist at the same time, so then they have a hard time
accessing non-decoy resources.
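The mechanism described in the comment above (a decoy identifier nobody legitimate is given, a "sticky" delay that grows for whoever touches it, and a blocklist entry for the source), as an added example that is not part of the thread. The decoy identifiers, IP addresses and log lines are constructed for the example; the log format and the `HoneypotMonitor` class are assumptions, not any real product's interface.

```python
"""
Minimal honeypot-hit processor (added example, not from the thread).
Scans constructed log lines for attempts to use a decoy identifier, records
each offending source IP in a blocklist, and computes a growing "sticky"
tarpit delay for that source's later attempts.
"""
import re
from collections import defaultdict

# Decoy identifiers that are never handed to legitimate users (constructed).
DECOY_IDENTIFIERS = {"trap-7f3a@example.invalid", "/cgi-bin/decoy-login"}

# Assumed log line shape: "<timestamp> <ip> <action> <target>" (constructed).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<action>\w+) (?P<target>\S+)$"
)


class HoneypotMonitor:
    def __init__(self, decoys, base_delay=2.0, max_delay=60.0):
        self.decoys = set(decoys)
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.hits = defaultdict(int)   # ip -> number of decoy hits seen
        self.blocklist = set()         # ips that touched any decoy

    def process_line(self, line):
        """Return the source IP if the line hits a decoy, else None."""
        m = LOG_RE.match(line.strip())
        if not m:
            return None  # malformed line: ignore rather than crash
        ip, target = m.group("ip"), m.group("target")
        if target in self.decoys:
            self.hits[ip] += 1
            self.blocklist.add(ip)
            return ip
        return None

    def delay_for(self, ip):
        """Tarpit delay in seconds: doubles with each decoy hit, capped."""
        n = self.hits.get(ip, 0)
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def is_blocked(self, ip):
        return ip in self.blocklist


# Constructed sample log: two sources touch decoys, one is a legitimate user.
SAMPLE_LOG = """\
2019-05-11T10:00:01Z 203.0.113.7 MAIL trap-7f3a@example.invalid
2019-05-11T10:00:02Z 198.51.100.4 GET /account/rewards
2019-05-11T10:00:05Z 203.0.113.7 MAIL trap-7f3a@example.invalid
2019-05-11T10:00:09Z 192.0.2.33 GET /cgi-bin/decoy-login
2019-05-11T10:00:10Z 198.51.100.4 GET /account/rewards
"""


def analyze(log_text, decoys=DECOY_IDENTIFIERS):
    """Run every line through a fresh monitor and return it for inspection."""
    mon = HoneypotMonitor(decoys)
    for line in log_text.splitlines():
        mon.process_line(line)
    return mon


if __name__ == "__main__":
    mon = analyze(SAMPLE_LOG)
    for ip in sorted(mon.blocklist):
        print(f"{ip}: {mon.hits[ip]} decoy hits, next delay {mon.delay_for(ip)}s")
```

Because the decoy is never offered to legitimate users, a single hit is enough evidence to block; the growing delay is what makes the trap "sticky" for automated harvesters without affecting traffic to real resources.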

~~~
rsstack
"Honey pot" as a metaphor existed long before this. Just because in your
life's context the security-related is more dominant doesn't mean the dozen
other uses of "honey pot" need to be let go of.

What you're suggesting isn't "let's keep...", since at no point in time it
exclusively meant that one thing.

~~~
austincheney
I really get tired of non-security people entering a security discussion to
redefine known security terms to fit some irrelevant personal emotional
familiarity. Worse is when you point that out suddenly people are somehow
greatly offended.

~~~
sammorrowdrums
The way the term is used is correct in the article. Security people use it based
on the common definition, it's just in security it is assumed that it is with
the intent of trapping the person going for the honey.

I agree that domain specific terminology, general language and another
domain's language is confusing.

I'm sure a developer at a toy company and management could get confused by a
conversation about models.

Doesn't mean either of them are right. Language is frequently ambiguous and we
avoid it internally in our domains where possible.

------
lifeisstillgood
I guess this is a silly question but a company that holds my US Dollars in an
electronic account is called a Bank.

A company that holds my stocks and shares (which easily convert into US
dollars) in an account is called a Broker or a Bank.

So why is a company that holds my loyalty points (which also convert to US
dollars) not also called a Bank (and regulated as such)?

~~~
gamblor956
Because most loyalty points don't convert to US dollars...

They have a USD/EU value _equivalent_ because they need to for legal reasons
but most companies will not honor requests to convert your points to dollars,
and the fine print in their loyalty program T&C has language to that effect.
They will only let you convert those points into their own goods or services.

(Credit card loyalty points are different, but they're also subject to
regulation.)

------
dqybh
Hmmm, from the title I thought this was going to be about how people exploited
the weaknesses of these reward programmes to get more stuff for free.

