Cybercriminals may exploit Web coupons

With a growing amount of data on discount coupons, attackers may run scams to obtain personal data rather than hack user PCs, Sophos expert warns.
Written by Vivian Yeo, Contributor

Shoppers need to be judicious about Web-based discount coupons as such schemes may be exploited by cybercriminals, a security expert has warned.

The danger lies in the form of a new breed of Web coupons, which have the ability to contain a substantial amount of customer information within their barcodes, The New York Times (NYT) reported last month. Such coupons, printed from the Internet or downloaded to mobile phones for use at stores, could let coupon providers know not only personal details but information that includes search keywords used to derive the offer or the time the redemption was made.

Already, there is no lack of examples where people have fallen prey to "too-good-to-be-true" offers. One case in point was an iPad scam which promised users they could sign up as iPad testers and keep the device for free thereafter. The scammers were, in fact, harvesting mobile numbers for subscription to a premium-rate cellphone service.

Paul Ducklin, Sophos' head of technology for the Asia-Pacific region, told ZDNet Asia in a phone interview that rather than attempt to hack into user computers, cybercriminals may opt to run a coupon scam to benefit from the poor online or privacy habits of consumers.

"One obvious concern about Web-based 'coupons' is that the coupon issuer may have a bit more leverage to exert against your personal data. For example, they may offer a bit more discount if you authorize them to access your Facebook data, or if they can mine your Twitter followers and so forth. [This] may encourage you to take bigger privacy risks than is possible with the more traditional loyalty cards," he said.

The issuer in any coupon program--whether traditional or Web-based--is "effectively buying something off" the customer, Ducklin pointed out. This can include contact numbers, address or permission to send promotional offers via e-mail or SMS (short message service). In return, the issuer sells a benefit such as a discount to the consumer.

According to Ducklin, Web coupon operators may not necessarily embed huge amounts of information on the coupon itself. However, some coupons could contain customer data immediately accessible to the retailer.

"This ought to be declared in the privacy policy of the coupon operator," he said.

In any case, the solution to avoiding such scams is, in reality, very simple, said Ducklin. "If you don't like the sound of the privacy policy, if it isn't clear or you can't find it, why not simply forgo the discount?"

Users, he advised, ought to read the fine print first and find out by searching online how other people have fared when taking up those offers. The general rule of thumb is "if in doubt, leave it out", he added.

Most of the time, customers can achieve the same discount by just showing up at the store and haggling face-to-face, Ducklin noted.
