Centralized rewards/loyalty program databases pose security risks

The primary security concern with loyalty and rewards programs built on centralized systems is that the operator holds custody of a single database containing critical customer data: personally identifiable information, financial details and loyalty point balances. The consumer does not actually possess their points; they hold an IOU from the operator, who ultimately controls the balance on their behalf.

Furthermore, the only thing a member has to present to prove entitlement to their own points is a username and password. If a threat actor obtains those credentials, whether by breaching the operator's system directly or by taking over the member's email account and triggering a password reset, they can transfer or redeem the points at will.

This is why blockchain technology will be critical to strengthening security in the loyalty and rewards space. In a blockchain-based system, members do not log in to a system run by the operator, as they must with legacy programs. The operator only needs each member's public blockchain address, to which it deposits points as they are earned. The member accesses that account directly and holds sole custody of the private key; proving entitlement to the points means signing with that key, so there is no password for the operator to store and no reset flow for an attacker to hijack.

And should a member inadvertently give someone access to their private key, only that one account is affected, rather than every member in the program, as happens when a centralized credential database is breached. The flip side of sole custody is that no operator can reset a lost or stolen key, so protecting it is the member's responsibility.
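The key-based entitlement described above, as an added example that is not part of the original article and not any particular program's code: a toy Go ledger, constructed for this page, in which the operator credits points to an address that is an ed25519 public key, and a member spends only by signing a redemption with the matching private key. The Ledger, Member and Redemption names, the hex-encoded address format and the nonce-based replay check are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Address is the hex-encoded ed25519 public key of a member. The operator only
// ever learns this value; the matching private key never leaves the member.
type Address string

// Redemption is the message a member signs to spend points. The nonce must
// strictly increase per address so a captured redemption cannot be replayed.
type Redemption struct {
	From   Address
	Amount uint64
	Nonce  uint64
}

// encode returns the canonical bytes that are signed and verified.
func (r Redemption) encode() []byte {
	buf := make([]byte, len(r.From)+16)
	copy(buf, string(r.From))
	binary.BigEndian.PutUint64(buf[len(r.From):], r.Amount)
	binary.BigEndian.PutUint64(buf[len(r.From)+8:], r.Nonce)
	return buf
}

// Ledger is the operator's point store keyed by address. It holds no passwords
// and no private keys, so a dump of it gives an attacker nothing to spend with.
type Ledger struct {
	balances  map[Address]uint64
	lastNonce map[Address]uint64
}

func NewLedger() *Ledger {
	return &Ledger{balances: map[Address]uint64{}, lastNonce: map[Address]uint64{}}
}

// Credit is the operator's only privileged action: deposit earned points.
func (l *Ledger) Credit(a Address, amount uint64) { l.balances[a] += amount }

// Balance reports the points currently held at an address.
func (l *Ledger) Balance(a Address) uint64 { return l.balances[a] }

// Redeem spends points only if the request carries a valid signature from the
// private key behind the address: entitlement is proved by the key, not by a
// username and password stored in the operator's database.
func (l *Ledger) Redeem(r Redemption, sig []byte) error {
	pub, err := hex.DecodeString(string(r.From))
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed address")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), r.encode(), sig) {
		return errors.New("bad signature: requester does not hold the key")
	}
	if r.Nonce <= l.lastNonce[r.From] {
		return errors.New("replayed redemption: nonce not fresh")
	}
	if l.balances[r.From] < r.Amount {
		return errors.New("insufficient points")
	}
	l.balances[r.From] -= r.Amount
	l.lastNonce[r.From] = r.Nonce
	return nil
}

// Member is the client side: the keypair is generated and kept by the user.
type Member struct {
	Addr Address
	priv ed25519.PrivateKey
}

// NewMember generates a fresh keypair (in practice this lives in a wallet).
func NewMember() Member {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness; nothing sensible to do in a demo
	}
	return Member{Addr: Address(hex.EncodeToString(pub)), priv: priv}
}

// Sign authorises a redemption with the member's private key.
func (m Member) Sign(r Redemption) []byte { return ed25519.Sign(m.priv, r.encode()) }

func main() {
	ledger := NewLedger()
	alice, bob := NewMember(), NewMember()
	ledger.Credit(alice.Addr, 500)
	ledger.Credit(bob.Addr, 300)
	r := Redemption{From: alice.Addr, Amount: 200, Nonce: 1}
	fmt.Println("alice redeems with her key:", ledger.Redeem(r, alice.Sign(r)))
	forged := Redemption{From: alice.Addr, Amount: 100, Nonce: 2}
	fmt.Println("bob signs for alice's address:", ledger.Redeem(forged, bob.Sign(forged)))
	fmt.Println("replay of alice's first redemption:", ledger.Redeem(r, alice.Sign(r)))
	fmt.Println("balances:", ledger.Balance(alice.Addr), ledger.Balance(bob.Addr))
}
```

Run it with `go run`. Two things the code makes visible that the prose only asserts: a breach of the operator's store yields addresses and balances but no secret that can spend them, and an attacker who does obtain Alice's private key can sign only for Alice's address, so the blast radius is one account rather than the whole member base.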

Lastly, a blockchain is a distributed ledger secured by cryptography: every record is hashed together with the record before it, and many independent nodes hold copies of the full history. Hacking one node and changing its historical records does not alter the data held by the rest of the network; the tampered copy no longer matches the others, so the network abandons it. A centralized database offers no such protection: if it is breached and the breach is not immediately identified, the altered records simply become the system's version of the truth, and it continues to operate on them as if nothing had happened.
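To make the tamper-evidence argument concrete, here is an added example, constructed for this page and not code from the article or from any blockchain project: a hash-chained ledger in Go replicated across three nodes. Verify catches a record edited in place on one node; a more careful attacker who rewrites that node's copy and recomputes every later hash passes the local check, which is exactly why the network also compares tip hashes across nodes and abandons the divergent copy. The Entry and Chain types, the majority-vote Reconcile function standing in for a real consensus protocol, and the three-node scenario are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Entry is one append-only record; PrevHash chains it to the record before it.
type Entry struct {
	Account  string
	Delta    int64 // points credited (+) or redeemed (-)
	PrevHash string
	Hash     string
}

// hashEntry binds every field, including the link to the predecessor.
func hashEntry(e Entry) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s", e.Account, e.Delta, e.PrevHash))))
}

// Chain is one node's copy of the ledger.
type Chain []Entry

// Append adds a record whose hash depends on every record before it.
func (c Chain) Append(account string, delta int64) Chain {
	e := Entry{Account: account, Delta: delta, PrevHash: c.Tip()}
	e.Hash = hashEntry(e)
	return append(c, e)
}

// Clone returns an independent copy, as a peer holds after syncing.
func (c Chain) Clone() Chain { return append(Chain(nil), c...) }

// Tip is the latest hash; nodes with the same tip hold the same history.
func (c Chain) Tip() string {
	if len(c) == 0 {
		return ""
	}
	return c[len(c)-1].Hash
}

// Balance replays the history to derive an account's points.
func (c Chain) Balance(account string) int64 {
	var total int64
	for _, e := range c {
		if e.Account == account {
			total += e.Delta
		}
	}
	return total
}

// Verify returns the index of the first record whose hash or link no longer
// matches, or -1 if this copy is internally consistent.
func (c Chain) Verify() int {
	for i, e := range c {
		if e.PrevHash != c[:i].Tip() || e.Hash != hashEntry(e) {
			return i
		}
	}
	return -1
}

// Rewrite is a careful attacker's edit on one node: change a historical record
// and recompute every later hash so the copy passes Verify on its own.
func (c Chain) Rewrite(index int, newDelta int64) Chain {
	t := c.Clone()
	t[index].Delta = newDelta
	for i := index; i < len(t); i++ {
		t[i].PrevHash = t[:i].Tip()
		t[i].Hash = hashEntry(t[i])
	}
	return t
}

// Reconcile stands in for consensus: the history held by the most nodes wins,
// and a node whose tip disagrees abandons its own copy for that one.
func Reconcile(nodes []Chain) Chain {
	votes := map[string]int{}
	for _, n := range nodes {
		votes[n.Tip()]++
	}
	best := nodes[0]
	for _, n := range nodes[1:] {
		if votes[n.Tip()] > votes[best.Tip()] {
			best = n
		}
	}
	return best.Clone()
}

func main() {
	var ledger Chain
	ledger = ledger.Append("alice", 500).Append("alice", -200).Append("bob", 300)
	nodes := []Chain{ledger.Clone(), ledger.Clone(), ledger.Clone()}
	nodes[0][1].Delta = 200 // sloppy edit on node 0: its hashes no longer match
	fmt.Println("sloppy edit detected at record:", nodes[0].Verify())
	nodes[0] = ledger.Rewrite(1, 200) // careful rewrite: consistent on its own...
	agreed := Reconcile(nodes)        // ...but the network keeps the majority history
	fmt.Println("alice per tampered node:", nodes[0].Balance("alice"), "per network:", agreed.Balance("alice"))
}
```

The lesson worth keeping from this: the hash chain alone only protects a single copy against clumsy edits. What makes the history durable is that every other node holds the same tip hash, so a rewritten copy is outvoted and discarded; a centralized table has neither the chain nor the peers, and an edited balance is just the new balance.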