Empirical Analysis of Security Threats and Issues in Loyalty cards of Saudi market

preprint OA: closed
Full text JSON View at publisher
Full text 99,909 characters · extracted from preprint-html · click to expand
Empirical Analysis of Security Threats and Issues in Loyalty cards of Saudi market | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Article Empirical Analysis of Security Threats and Issues in Loyalty cards of Saudi market Suliman A. Alsuhibany, Waleed Albattah This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-6841317/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract A loyalty program (LP) is a common marketing strategy business owners use to increase profit and improve marketing experiences. In particular, services for point exchange or redemption are now offered globally because of businesses' efforts to build consumer loyalty and increase business profitability. Since both customers and attackers are drawn to these services, identifying their security threats can enhance the prevention of attacks as loyalty cards are easy to produce, and customers use them frequently with less attention, unfortunately. Therefore, this study analyzes the security and privacy vulnerabilities of using such a method on both sides: customers and merchants. That is, the study empirically investigates several real local loyalty programs. The results revealed some critical threats and vulnerabilities in the current loyalty programs. To overcome these threats and help business owners to improve their practices, a set of appropriate practical recommendations are proposed. Business and commerce/Information systems and information technology Social science/Finance Social science/Science technology and society loyalty security analysis attacks cost usability Figures Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 Figure 7 Figure 8 Figure 9 Figure 10 Figure 11 1 Introduction With the rapid technological advances in commerce, loyalty cards have increased. That is, stores offer different types of loyalty and smart cards used for collecting points, performing electronic purchases, or having special rates and discounts. The process of providing such cards just takes only a few seconds. Because of such benefits provided to the customers, people use them regularly. However, such cards still lack enough security, making them vulnerable to different illegal behaviors such as altering points balance or even modifying money balance. A Loyalty Program (LP) is a marketing technique created to motivate customers to keep using the products or services of a company that participates in the program [ 1 ]. Most commercial activities are covered by these programs, each with features and incentive structures. These include banking, entertainment, hospitality, retail, and travel. Due to a highly competitive market and a wide range of services available to customers, the market approach has changed from product-centric to customer-centric; as a result, marketing strategies must prioritize expanding a sustainable business and raising customer satisfaction [ 2 ]. To participate in an LP, a customer must first open an account with the operator of the program, who then issues a loyalty card, also known as a rewards card, points card, advantage card, or club card. This card can be made of plastic or paper, which looks like a credit card, and belongs to the customer. Although some are chip cards or proximity cards, cards may feature a barcode, magnetic stripe, or both to make scanning them easier. However, some recent cards are based on touch technology (i.e., contactless smart cards). This study focuses on magnetic stripe-based cards as they are the most common ones. Customers often receive a discount on their current purchase or points allocation and rewards to apply toward future purchases when they present their cards. Most businesses find it extremely difficult to keep current consumers for an extended time due to increased competition and the availability of a wide range of superior service and product providers [ 2 – 6 ]. For this, the goal of an LP is to maintain a long-term relationship with consumers to boost profitability [ 7 – 10 ][ 33 ]. Both small and large organizations utilize LPs to predict future improvement initiatives. The LP emphasizes services and goods that are easily customizable and can be efficiently tailored to customers' requirements and desires [ 11 – 13 ]. However, looking at LPs from a security perspective is worthwhile. That is, commercial organizations collect customers' data to increase their market share and increase their profitability. Some information is so important to collect, such as names and addresses, but other information, like customer behavior, is another side customers might not like to be collected. Another issue is that the loyalty cards' information might not be secured enough, making them vulnerable to illegal alterations. This study focuses on investigating the security level of loyalty cards. It presents some experiments on different loyalty cards from the local Saudi market to understand to what extent such cards are secured. In particular, this investigation mainly focuses on the aspects of copying cards and modifying their data. Unfortunately, the results showed that the security-level needs some improvements, as changing the information on such cards was possible. For this, some appropriate practical recommendations are proposed. The research paper is organized as follows. Section 2 presents a literature review, followed by the method and materials used in Section 3 . Section 4 introduces the results and discussions about the study. Section 5 highlights some crucial recommendations to improve the security level in loyalty programs. Section 6 concludes the paper. 2 Background This section discusses the literature review, three pillars tradeoff and contributions. 2.1 Literature Review The American Marketing Association [ 14 ] defined LPs as "continuity incentive programs a retailer offers to reward customers and encourage repeat business." To promote customer satisfaction, LPs aims to reward customers who make repeated purchases from the same business [ 15 ]. Commercial organizations have conceptualized the design of LPs utilizing several characteristics, including tired, discounts, pragmatic, and experiential LPs [ 16 – 18 ]. Customers want value for their money; therefore, getting the greatest price possible is a disadvantage. In addition, the value of customer recognition is referred to as a smooth advantage [ 19 ]. Moreover, marketing professionals employ LPs as a crucial customer relationship management (CRM) tool to find, reward, and keep profitable customers. The development of LPs began in the 20th century with the emergence of the industry among airlines and stores. Since the beginning of LPs, the concept that rewards devoted customers has not changed [ 20 ]. LPs are a multi-billion-dollar industry, and the digital revolution accelerates their development [ 21 ]. The number of LP memberships in the United States grew by 15% between 2015 and 2017, reaching approximately 4 billion dollars [ 22 ]. Nastasoiu and Vandenbosch [ 23 ] explored how to create effective customer LPs that benefit participants and are difficult for competitors to copy. Their attention was divided between three critical areas of improvement: personalization, incentive categories, and extra services. By personalizing offers, businesses can take advantage of the information they already have about their customers and create deals that are interesting and relevant to them. Alshurideh et al. [ 24 ] studied the most common LP flaws from theoretical and practical standpoints. The study examines several planning issues with LPs and some execution-related issues, such as the need for clear objectives, the design of LPs, budgeting, and experienced staff participation. Recent technologies have increased the opportunities for LP management and its improvements. However, such advances also have challenges (e.g., security, privacy, data integrity, etc.). Even though LPs have been investigated in different business aspects, little interest has been devoted to their security aspects. Jenjarrussakul and Matsuura [ 25 ] investigated the Japanese loyalty programs by focusing on their liquidity, security efforts, and security level. They concluded that if proper security standards are met, security incidents decrease. Similarly, the implications of LP-point liquidity on the costs associated with security breaches are examined using an empirical analysis based on Japanese data. Shinoda and Matsuura [ 26 ] reviewed the empirical models in which the variables chosen—damage, investment, vulnerability, and threat—are motivated by the Gordon-Loeb formulation of security investment. Considering other LP security incidents, they re-examined the liquidity concept. They investigated hypotheses using newly defined proxies relating to the threat and other refined proxies to draw additional implications that assist LP operators in managing partnerships. Purohit and Thakar [ 27 ] created a conceptual model that encourages a more comprehensive and overall perspective on the function of information and communication technology (ICT) in managing LPs. Using relevant LP effectiveness literature, it is possible to see how some of the most recent technologies might be used in the LP lifecycle. Then, using this paradigm as a platform, various relevant issues deserving of more study are found and presented. Business experts and consumer associations have criticized LPs for the loss of privacy of consumers. Blanco-Justicia and Domingo-Ferrer [ 28 ] introduced a protocol for privacy-preserving LPs that enables consumers to remain anonymous and gives them control over how much of their profile they expose to the vendor while also allowing the companies to profit from loyalty. The protocol ensures consumers' and their purchases' anonymity while still allowing for negotiated consumer profiling. It is based on partially blind signatures and generalization techniques. According to a survey and social media analysis [ 29 ], more than half of consumers acknowledged that they had dropped at least one LP. Given the information, it can also be highlighted that most LPs have previously been shown to be underutilized and useless. Therefore, studying the weakness and drawbacks of such programs from the security and privacy perspectives can fill the gap and provide a valuable addition to the field of LP management. The current study considers such programs a win-win relationship between retailers and customers. Thus, the study contributes to the area by highlighting the security and privacy issues that retailers must be aware of to keep such programs successful and meaningful for customers and retailers. 2.2 Three Pillars Tradeoff Designing systems that are both usable and secure creates essential issues when it comes to balancing security and usability appropriately. It can be challenging to strike the correct balance between these two quality features. Under the topic of this paper, security is an essential factor in a system's quality. Also, usability is yet another vital factor for using the system. A common misunderstanding is that security is only a design issue isolated from usability. Both factors are related, and a tradeoff between them must be achieved. Different standards have different definitions of usability [ 34 ], [ 35 ], and [ 36 ]. The emphasis on various sets of usability elements, such as effectiveness, efficiency, learnability, or user satisfaction, varies across the board in these standards. As a result, a complete definition of usability should incorporate usability traits linked to both processes and products, such as effectiveness, efficiency, satisfaction, security, and learnability [ 37 ]. Another essential factor that we believe is also related to these two is the cost. The cost is a third factor in the tradeoff triangle that must be considered during the system development journey. In other words, all three factors are so related that putting all the focus on one will affect the others. Thus, all the three factors must be monitored to satisfy the system’s quality by balancing and keeping an eye on them. For example, focusing only on security and usability might create a costly system, which is not welcomed. Also, keeping an eye on security and costs only might lead to a weak usable system. To sum up, all three factors need to be considered by developers during the system development. Otherwise, we might face a low-quality system in one or more areas. Figure 1 presents the three factors in a graphical presentation to emphasize the role that balancing them is crucial and not a choice. In this paper, we found some issues regarding these factors. The architectural design of all the studied loyalty systems suffers from security issues in favor of usability and costs. As discussed in the following sections, the studied loyalty programs' usability and costs were practical. However, the security was way below the proper level. The following sections will discuss this issue in more detail. 2.2 Contributions Despite the positive economic impact of loyalty programs on organizations' profitability, the literature lacks research efforts in investigating the security aspects of such programs. Few studies have explored the security threats that such programs might face, yet more to dig into. This study aims to investigate the common tool of loyalty programs in Saudi Arabia, which are based on magnetic cards. It is believed that the current study has focused on the security issues of such cards by presenting the potential threats and their possible solutions. We believe that treating these issues seriously will increase the security of loyalty systems and protect their information. To the best of our knowledge, the literature lacks such study either in the context of Saudi Arabia or somewhere else. 3 Method and materials The study aims at investigating the real threat of loyalty cards. Thus, real loyalty cards from local stores were examined, and a real dataset was collected. The following sections present more details about the experiments' procedure and tools. This section describes the magnetic card, magnetic stripe, card reader, dataset, and experiment. 3.1 Magnetic Card Different loyalty cards were examined. Typically, these cards are magnetic stripe cards where their stored data are encoded by altering the magnetism of the particles on an iron-based magnetic strip. This card type is widely used in different facilities, such as transportation tickets, identification cards, and credit cards [ 29 ]. Magnetic stripes commonly found on the back of the card and can be read by dragging them across a read head carry digitally encoded data that can be read by pushing them across a read head. The magnetic stripe's characteristics, coding mechanism, and magnetic track placements are specified in ISO standard 7811 [ 32 ]. Figure 2 shows the location of the track on the card as well as the standard size properties [ 30 ]. 3.2 Magnetic Stripe in the Card The magnetic stripe can have up to three tracks and more than 1000 bits [ 29 ]. The standard version is shown in Fig. 3 [ 31 ]. Each track is dedicated to storing certain information specified by the standard. The account number and the account holder's name are reserved in Track 1, which has 79 alphanumeric characters. Track 2 has 40 numeric characters and records account information such as the account number and expiration date. Track 3 can store additional information but is mainly used in financial transactions, whereas Tracks 1 and 2 are frequently only used [ 31 ]. A magnetic stripe is made up of three horizontally stacked tracks. Each track runs the entire length of the credit card. On the other hand, the data on each track is unique and can contain a wide range of information. It may include the credit card account number, cardholder's name, card verification code, service code, and expiration date. Only the first two tracks on the magnetic stripe usually carry credit card information in the case of credit cards. The third track is rarely used, but when it is, it contains information like the currency code or country code. The magnetic stripe reader reads the data, which detects changes in the magnetic field induced by flux reversals on the badge's magnetic stripe. 3.3Card reader To analyze the selected cards, we used a card reader that shows the card's data. In particular, we utilized the Misiri V4.01 reader as one of the commercial readers available off-the-shelf. Figure 4 shows the used card reader, while its software interface is shown in Fig. 5 . 3.4 Dataset As mentioned previously, the magnetic stripe can have up to three tracks and more than 1000 bits; thus, once the reader shows the card's data, each track's data will be considered. Figures 6 – 8 show the standard of each track according to [ 31 ]. Accordingly, data in each track is collected. Four loyalty cards are selected: C1, C2, C3, and C4 from different sectors of Saudi market, as shown in Table 1 . It is worth noting that the cards are given symbolic names to preserve the stores' privacy. Table 1 Dataset No Card Sector 1 C1 Entertainment 2 C2 Home Appliances 3 C3 Clothes retailer 4 C4 Food retailer 3.5 Experiments To test the hypothesis that loyalty cards have such security threats, we conducted an experiment in which selected loyalty cards were tested. The hypothesis under test is: H 0 – Loyalty cards of Saudi stores are secured enough, and they do not need security features to improve their robustness against possible attacks In this experiment, rejecting the null hypothesis indicates that there is a security threat in the loyalty cards under investigation. It is worth to point out that the selected cards are only samples, as our experiment can be generalized to other loyalty cards. 3.5.1 Experiment Setup The system explained in Section 3.3 is utilized to analyze the selected cards and collect data. We used the Microsoft Surface Pro 7 devise to show the read data and store the results. The four selected loyalty cards are models of loyalty cards in general. Adding more cards may generalize the results of the study. 3.5.2 Experiment Procedure The experiment procedure has two phases: recognizing and modifying the card data. First, the reader reads the card data stored in different tracks and analyzes them. In the second phase, we modify the card's data by manipulating each track's data. This includes copying a card to another blank card, random change in the card's tracks, and replacing a card with another card. Figure 9 shows an example of replacing C1 card data with C2 card data. 4 Results and Discussion The results indicate that all selected cards are vulnerable to potential illegal threats. These vulnerabilities can be illegally exploited. For example, the balance on the card can be modified. Such a threat can lead to the failure of the loyalty program and decrease its profitability. Therefore, this result invalidates the hypothesis H 0 that Loyalty cards of Saudi stores are secured enough, and they do not need security features to improve their robustness against possible attacks . In the following, recognition and modification results are discussed. 4.1 Recognition results All selected cards were read successfully, and their data was retrieved and recognized. Table 2 presents an example of data from the C1 card. All cards have three tracks. However, not all tracks have data. For instance, in the C1 card, track 3 has no data. However, we could still access other tracks and modify the data. Table 2 Derived results of each card's data from the recognition process Card Track Recognized data C1 Track 1 %6009 = 3214971717999532768? Track 2 ;6009 = 0000000009006453? Track 3 No Data 4.2 Modification Results Blank cards were prepared, and data were copied from the selected cards to the blank cards. The copying process has been done successfully for all cards. Interestingly, after copying, the new card works properly. For example, Table 3 presents the results of simulating the C1 card's data. Table 3 Derived results of each card's data from the modification process Card Track Old card track data New card track data Results C1 Track 1 %6009 = 3214971717999532768? %6009 = 3214971717999532768? Working without issue Track 2 ;6009 = 0000000009006453? ;6009 = 0000000009006453? Track 3 No Data No Data Moreover, one of the modifications is making a random change in the card's tracks to test the possibility of manipulating the card's data. Interestingly, changing a specific part in Track 1 randomly is possible, and the card is still working. For example, Fig. 10 shows changing Track 1, which is shown in Table 2 (i.e., changing the digits 27 at the end by 90). Also, a change can be applied to Track 2, but this will lead to showing that the card belongs to another person. Figure 11 shows an example of changing Track 2, which is shown in Table 2 (i.e., changing the digit 4 by 5. Furthermore, one of the modifications is replacing a card with another to see to what extent data might be protected. Surprisingly, it can be possible to replace a used card's data with another one, and the card is working correctly. For example, moving data from the C2 card to the C1 card results in having C2 working properly on the C1 system but not on the C2 system. It would be essential to note that some cards have only one track with data, while others are empty. For example, the C3 card has only track 1 that has data, as shown in Table 4 . Once we analyzed this card, we found that the data refers to the owner's information and the points balance. Table 4 The C3 card's tracks information Track Data Track 1 %1700000229211391? Track 2 No Data Track 3 No Data As an attempt to modify track1's data randomly, surprisingly, we found that the modification possibly belonged to someone already registered. However, if the change is for an expected new customer, the system will indicate this card has not been registered yet. Furthermore, the C4 card also has one track with data, track 2, shown in Table 5 . As an attempt to modify track1's data randomly, surprisingly, we found it possible if the modification belonged to someone already registered. However, if the change is for an expected new customer, the system will indicate this card has not been registered yet. Table 5 The C4 card's tracks information Track Data Track 1 No Data Track 2 ;93201797? Track 3 No Data Returning to the null hypothesis introduced in section 3.4 , the result of the examined null hypothesis is rejection since Loyalty cards of Saudi stores were not secured enough, and they do need security features to improve their robustness against possible attacks. 5 Security Recommendations Legitimate loyalty program owners need to be aware of the vulnerabilities in their systems and take precautions to strengthen them. The practices listed below can help you avoid such vulnerabilities. Based on the above discussion, we found that the data on magnetic stripe cards are not protected. The study shows that the data were vulnerable to illegal modification with a simple card reader. Therefore, it is highly recommended to protect such cards with passwords where data can only be modified by a specific loyalty system using a password. Additionally, the study found that cloning the cards was possible in most situations since all the required data for cloning were available on the original card. Therefore, a summary of the found vulnerabilities and the suggested solutions are presented in Table 6 . We believe that applying these recommendations can improve the security level of these cards as well as extend their resistance to such attacks. Table 6 Security recommendations Card Modification Threats Recommended Solution C1 Copy it to the C2 card and copy it to the blank card, random change on tracks 1 and 2. - When copied to multiple cards, the copied cards were working in C1 Land (Modification). - When we changed Track 2, the card still worked, but the ID had changed and belonged to someone else (Fabrication). One of the most effective solutions is to link the loyalty program with the smart video surveillance system. Awareness and training of employees well about what is allowed and not allowed and how to detect fraud and deal with it because they are the first line of defense for loyalty programs. Urging customers to monitor their accounts periodically and verify their balances. Monitor loyalty program accounts to detect any suspicious activity. To prevent the copied card from using it as a real card, use a one-time password (OTP) code by connecting the personal profile with a mobile number. C2 Write a C1 card on it. Became working as a C1, we lost C2's points (Interruption). C3 Copy it to a blank card and change it randomly on Track1. A change in Track1 made the card invalid in the Home Center rewards system (Modification). C4 Copy its data to a registered card - Moving points 6 Conclusion This study has drawn researchers’ attention to the possible threats and issues of the current loyalty programs in the Saudi market. This issue might be available in markets of other countries as well. The experiment results have revealed some illegal practices that might affect the objectives of such programs, making them useless or harmful in some cases in terms of business financial considerations. For study purposes, only four loyalty programs from the local market of Saudi Arabia were investigated. Unfortunately, all the studied programs were vulnerable to illegal practices. However, the results can be generalized by exploring other loyalty methods and approaches. It can be concluded that such loyalty programs must be improved in terms of security perspective, and business owners must pay more attention to threats that might affect their businesses sooner or later. We hope that the results and recommendations help make such a sector more secure. Declarations Acknowledgement: Removed for anonymization purposes in accordance with journal policy. Funding Statement: The author(s) received no specific funding for this study. Author Contributions: study conception and design: S. A.; data collection: S. A.; analysis and interpretation of results: S. A. and W. A.; draft manuscript preparation: S. A. and W. A. All authors reviewed the results and approved the final version of the manuscript. Availability of Data and Materials: The data that support the findings of this study are available from the corresponding author upon reasonable request. Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study. Competing interests: The authors declare no competing interests. Ethical approval: This study did not involve any research with human participants conducted by the authors. Informed consent: This article does not contain any studies with human participants performed by any of the authors. References Sharp, Byron; Sharp, Anne (1997),"Loyalty programs and their impact on repeat-purchase loyalty pattern", International Journal of Research in Marketing, 14 (5): 473–486, doi:10.1016/S0167-8116(97)00022-0 Fook, Andy Chin Woon; Dastane, Omkar (June 2021)."Effectiveness of Loyalty Programs in Customer Retention: A Multiple Mediation Analysis". Jindal Journal of Business Research. 10 (1): 7–32. doi:10.1177/22786821211000182 Agarwal, R., Mehrotra, A., & Misra, D. (2022). Customer happiness as a function of perceived loyalty program benefits-A quantile regression approach. Journal of Retailing and Consumer Services, 64, 102770. Feliz, S., & Maggi, C. (2019). What is the impact of increased business competition? International Monetary Fund. Fritsch, M., & Changoluisa, J. (2017). New business formation and the productivity of manufacturing incumbents: Effects and mechanisms. Journal of Business Venturing, 32(3), 237–259. Winer, R. S. (2001). A framework for customer relationship management. California Management Review, 43(4), 89–105. Ali, S., & Ali, M. (2018). Impact of consumer relationship management on consumer satisfaction, loyalty programs and customer retention in banking sector of Pakistan. Oman Chapter of Arabian Journal of Business and Management Review, 34(6112), 1–13. Kamau, L. W. (2017). Effect of loyalty programs on customer retention: A case of Nakumatt Supermarkets Kenya [Doctoral dissertation]. United States International University Africa. Khalil, S. M., Ullah, O. B. A. I. D., & Khalil, D. S. H. (2018). The effect of customer loyalty programs on customer retention in Pakistan. Journal of Business and Tourism, 4(2), 237–251. Rahimi, R. (2007). Feasibility study of application and implementation of customer relationship management (CRM) in hotel industry: Case of Ham game Arya Group Hotels [Master thesis]. Lulea University of Technology. Karakostas, B., Kardaras, D., & Papathanassiou, E. (2005). The state of CRM adoption by the financial services in the UK: An empirical investigation. Information & Management, 42(6), 853–863. Kim, J. (2019). The impact of different price promotions on customer retention. Journal of Retailing and Consumer Services, 46, 95–102. Koo, B., Yu, J., & Han, H. (2020). The role of loyalty programs in boosting hotel guest loyalty: Impact of switching barriers. International Journal of Hospitality Management, 84, 102328. American Marketing Association. (2016). Dictionary. https://www.ama.org Yi, Y., & Jeon, H. (2003). Effects of loyalty programs on value perception, program loyalty, and brand loyalty. Journal of the Academy of Marketing Science, 31(3), 229–240. Dorotic, M., Bijmolt, T. H., & Verhoef, P. C. (2012). Loyalty programmes: Current knowledge and research directions. International Journal of Management Reviews, 14(3), 217–237. Fullerton, G., (2003). When does commitment lead to loyalty? Journal of Service Research, 5(4), 333–344. Mimouni-Chaabane, A., & Volle, P. (2010). Perceived benefits of loyalty programs: Scale development and implications for relational strategies. Journal of Business Research, 63, 32. Nunes, J. C., & Drèze, X. (2006). Your loyalty program is betraying you. Harvard Business Review, 84(4), 124. Chen, Y., Mandler, T., & Meyer-Waarden, L. (2021). Three decades of research on loyalty programs: A literature review and future research agenda. Journal of Business Research, 124, 179-197. Jones, B. (2016). New revenue recognition rules: How will they affect loyalty programs? PWC. Retrieved from https://www.pwc.com/us/en/insurance/publications/assets/pwc-loyalty-programs-revrec.pdf. Fruend, M. (2017). The 2017 COLLOQUY loyalty census – An in-depth analysis of where loyalty is now... and where it'ss headed. COLLOQUY. Retrieved from https://colloquy.com/resources/pdf/reports/COLLOQUY_2017_Loyalty census.Pdf. Nastasoiu, A., & Vandenbosch, M. (2019). Competing with loyalty: How to design successful customer loyalty reward programs. Business Horizons, 62(2), 207-214. Alshurideh, M., Gasaymeh, A., Ahmed, G., Alzoubi, H., & Kurd, B. (2020). Loyalty program effectiveness: Theoretical reviews and practical proofs. Uncertain Supply Chain Management, 8(3), 599-612. Jenjarrussakul, B., & Matsuura, K. (2014, June). Analysis of Japanese loyalty programs considering liquidity, security efforts, and actual security levels. In The 13th Workshop on the Economics of Information Security. Shinoda, S., & Matsuura, K. (2016). Empirical investigation of threats to loyalty programs by using models inspired by the Gordon-Loeb formulation of security investment. Journal of Information Security, 7(2), 29-48. Purohit, A., & Thakar, U. (2019). Role of information and communication technology in improving loyalty program effectiveness: a comprehensive approach and future research agenda. Information Technology & Tourism, 21(2), 259-280. Blanco-Justicia, A., & Domingo-Ferrer, J. (2014). Privacy-preserving loyalty programs. In Data privacy management, autonomous spontaneous security, and security assurance (pp. 133-146). Springer, Cham. Barton, S., & Cecily Raiborn, P. H. D. (2019). Customer loyalty program fraud. Strategic Finance, 101(6), 32-39. Rankl, Wolfgang, and Wolfgang Effing. Smart card handbook. John Wiley & Sons, 2004 Morgan, D. Security of Loyalty Cards Used in Estonia. Diss. MSc thesis, Tallinn University of Technology, 2017 Q-Card, "ISO Magnetic Stripe Card Standards" Q-Card, 06 May 2015. [Online]. Available: https://www.q-card.com/about-us/iso-magnetic-stripe-card- standards/page.aspx?id=1457. [Accessed 18 April 2025] Chang, H. H., & Chen, S. W. (2009). Consumer perception of interface quality, security, and loyalty in electronic commerce. Information & management, 46(7), 411-417. International Organization for Standardization (1998) ISO 9241-11: "Ergonomic requirements for office work with visual display terminals (VDTs - Part 11: Guidance on Usability". International Organization for Standardization: ISO/IEC 9126-1:2001 Edition 1; Software product Evaluation – Quality Characteristics and Guidelines for the User, Geneva (2001). Institute of Electrical and Electronics Engineers (IEEE): 1061-1998 IEEE Standard for a Software Quality Metrics Methodology (1998). Braz, C., Seffah, A., & M’Raihi, D. (2007, September). Designing a tradeoff between usability and security: a metrics based-model. In IFIP Conference on human-computer interaction (pp. 114-126). Springer, Berlin, Heidelberg. Additional Declarations No competing interests reported. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-6841317","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Article","associatedPublications":[],"authors":[{"id":494897995,"identity":"a8d28e21-804a-4cc6-b2df-479cda5d54c3","order_by":0,"name":"Suliman A. Alsuhibany","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA90lEQVRIiWNgGAWjYFAC5gYGxgaJBCCL8QFY4ABBLYxwLcwGpGhhAGlhkyBKi3z7webPvDss8vhn95hVvG1jkOO7kcD84QceLQZnEtukec9IFEvcOWN2c24bg7HkjQQ2yR58WhgS25h52yQSG27kmN3mbWNI3ADUwsCDz2H9D4EOA2qZD9RSDNRSD9TC/PEPPs/cSGyQBmnZANQCtI4hweBGAoM0PlsMbjxsk5zbJlFseCOtWHLOOQnDmWcetknL4HVY8uEPb9vq8uRuJG/88KbMRp7vePLhj2/wOQwBOAyAvgZFDTCaiATsD/AG1CgYBaNgFIxcAAAxClGkX+upnAAAAABJRU5ErkJggg==","orcid":"","institution":"Qassim University","correspondingAuthor":true,"prefix":"","firstName":"Suliman","middleName":"A.","lastName":"Alsuhibany","suffix":""},{"id":494897996,"identity":"12ec5fa0-72dc-4581-a1a9-8be81f74d478","order_by":1,"name":"Waleed Albattah","email":"","orcid":"","institution":"Qassim University","correspondingAuthor":false,"prefix":"","firstName":"Waleed","middleName":"","lastName":"Albattah","suffix":""}],"badges":[],"createdAt":"2025-06-07 07:38:22","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-6841317/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-6841317/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":88345563,"identity":"5c7de909-bb34-4b65-aeed-a166dd366525","added_by":"auto","created_at":"2025-08-05 13:35:07","extension":"jpg","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":17881,"visible":true,"origin":"","legend":"\u003cp\u003eThree pillars: security, cost, and usability\u003c/p\u003e","description":"","filename":"1.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/388e3f8e5649615643b068bd.jpg"},{"id":88345564,"identity":"ae289299-2a7a-48b5-aa9b-772254ba0f28","added_by":"auto","created_at":"2025-08-05 13:35:07","extension":"jpg","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":50960,"visible":true,"origin":"","legend":"\u003cp\u003eLocation of the magnetic stripe on the Magnetic-Stripe Card\u003c/p\u003e","description":"","filename":"2.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/f4be989e940b20e92272d7e4.jpg"},{"id":88346747,"identity":"c38b38cb-7b2e-4eed-95dd-c9e9ffc0225c","added_by":"auto","created_at":"2025-08-05 13:43:07","extension":"jpg","order_by":3,"title":"Figure 3","display":"","copyAsset":false,"role":"figure","size":65772,"visible":true,"origin":"","legend":"\u003cp\u003eMagnetic-stripe cards Standards\u003c/p\u003e","description":"","filename":"3.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/5e4f53668a7bc310bf530976.jpg"},{"id":88346874,"identity":"791a1f35-b9c9-4dd7-8d3a-adf1221a7a3b","added_by":"auto","created_at":"2025-08-05 13:51:07","extension":"jpg","order_by":4,"title":"Figure 4","display":"","copyAsset":false,"role":"figure","size":35394,"visible":true,"origin":"","legend":"\u003cp\u003eThe used magnetic card reader\u003c/p\u003e","description":"","filename":"4.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/1d68ffa398f7ee61a986d003.jpg"},{"id":88346875,"identity":"39f650bc-3b82-4449-885a-9aabd260d0c9","added_by":"auto","created_at":"2025-08-05 13:51:07","extension":"jpg","order_by":5,"title":"Figure 5","display":"","copyAsset":false,"role":"figure","size":78997,"visible":true,"origin":"","legend":"\u003cp\u003eThe reader's software interface\u003c/p\u003e","description":"","filename":"5.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/5b13ab67afef02cf55d48449.jpg"},{"id":88345574,"identity":"a8efd3c3-58ae-4178-bd2b-5d932ce7b5c9","added_by":"auto","created_at":"2025-08-05 13:35:07","extension":"jpg","order_by":6,"title":"Figure 6","display":"","copyAsset":false,"role":"figure","size":59837,"visible":true,"origin":"","legend":"\u003cp\u003eTrack 1 Standards\u003c/p\u003e","description":"","filename":"6.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/b062043711dc473bd6c94081.jpg"},{"id":88346750,"identity":"19bdf338-4dd0-49ce-ad5d-acb41278ddf5","added_by":"auto","created_at":"2025-08-05 13:43:07","extension":"jpg","order_by":7,"title":"Figure 7","display":"","copyAsset":false,"role":"figure","size":59472,"visible":true,"origin":"","legend":"\u003cp\u003eTrack 2 Standards\u003c/p\u003e","description":"","filename":"7.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/93b8358615c64d81ecdc2ad7.jpg"},{"id":88345572,"identity":"fdde462d-14b7-45a1-b0f4-26f654c0f418","added_by":"auto","created_at":"2025-08-05 13:35:07","extension":"jpg","order_by":8,"title":"Figure 8","display":"","copyAsset":false,"role":"figure","size":65039,"visible":true,"origin":"","legend":"\u003cp\u003eTrack 3 Standards\u003c/p\u003e","description":"","filename":"8.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/87a7d12dc7faa18143a3dce6.jpg"},{"id":88345592,"identity":"d4bf1534-1922-476b-a42c-22f1e6e67012","added_by":"auto","created_at":"2025-08-05 13:35:07","extension":"jpg","order_by":9,"title":"Figure 9","display":"","copyAsset":false,"role":"figure","size":138984,"visible":true,"origin":"","legend":"\u003cp\u003eSample of card data alteration\u003c/p\u003e","description":"","filename":"9.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/a0f1dfb68574a15eec26c299.jpg"},{"id":88346876,"identity":"41a96c23-a982-4ab2-ade2-b7aa64d97771","added_by":"auto","created_at":"2025-08-05 13:51:07","extension":"jpg","order_by":10,"title":"Figure 10","display":"","copyAsset":false,"role":"figure","size":79659,"visible":true,"origin":"","legend":"\u003cp\u003eChanging Track 1 that is shown in Table 2\u003c/p\u003e","description":"","filename":"10.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/a4445f1c1026b6df1084e664.jpg"},{"id":88345582,"identity":"ad4fdb74-91e5-4e9a-bf91-ae6ffac2e064","added_by":"auto","created_at":"2025-08-05 13:35:07","extension":"jpg","order_by":11,"title":"Figure 11","display":"","copyAsset":false,"role":"figure","size":80367,"visible":true,"origin":"","legend":"\u003cp\u003eChanging Track 2 that is shown in Table 2\u003c/p\u003e","description":"","filename":"11.jpg","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/56294f9668233881e6cc323b.jpg"},{"id":99793234,"identity":"87415cf9-152c-4ac2-8d8e-85c00ff4585c","added_by":"auto","created_at":"2026-01-08 13:31:13","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":1417379,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-6841317/v1/de7c74c4-11cd-470d-af7f-8f949e0dafb9.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Empirical Analysis of Security Threats and Issues in Loyalty cards of Saudi market","fulltext":[{"header":"1 Introduction","content":"\u003cp\u003eWith the rapid technological advances in commerce, loyalty cards have increased. That is, stores offer different types of loyalty and smart cards used for collecting points, performing electronic purchases, or having special rates and discounts. The process of providing such cards just takes only a few seconds. Because of such benefits provided to the customers, people use them regularly. However, such cards still lack enough security, making them vulnerable to different illegal behaviors such as altering points balance or even modifying money balance.\u003c/p\u003e\u003cp\u003eA Loyalty Program (LP) is a marketing technique created to motivate customers to keep using the products or services of a company that participates in the program [\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e]. Most commercial activities are covered by these programs, each with features and incentive structures. These include banking, entertainment, hospitality, retail, and travel. Due to a highly competitive market and a wide range of services available to customers, the market approach has changed from product-centric to customer-centric; as a result, marketing strategies must prioritize expanding a sustainable business and raising customer satisfaction [\u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2\u003c/span\u003e].\u003c/p\u003e\u003cp\u003eTo participate in an LP, a customer must first open an account with the operator of the program, who then issues a loyalty card, also known as a rewards card, points card, advantage card, or club card. This card can be made of plastic or paper, which looks like a credit card, and belongs to the customer. Although some are chip cards or proximity cards, cards may feature a barcode, magnetic stripe, or both to make scanning them easier. However, some recent cards are based on touch technology (i.e., contactless smart cards). This study focuses on magnetic stripe-based cards as they are the most common ones. Customers often receive a discount on their current purchase or points allocation and rewards to apply toward future purchases when they present their cards.\u003c/p\u003e\u003cp\u003eMost businesses find it extremely difficult to keep current consumers for an extended time due to increased competition and the availability of a wide range of superior service and product providers [\u003cspan additionalcitationids=\"CR3 CR4 CR5\" citationid=\"CR2\" class=\"CitationRef\"\u003e2\u003c/span\u003e\u0026ndash;\u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e6\u003c/span\u003e]. For this, the goal of an LP is to maintain a long-term relationship with consumers to boost profitability [\u003cspan additionalcitationids=\"CR8 CR9\" citationid=\"CR7\" class=\"CitationRef\"\u003e7\u003c/span\u003e\u0026ndash;\u003cspan citationid=\"CR10\" class=\"CitationRef\"\u003e10\u003c/span\u003e][\u003cspan citationid=\"CR33\" class=\"CitationRef\"\u003e33\u003c/span\u003e]. Both small and large organizations utilize LPs to predict future improvement initiatives. The LP emphasizes services and goods that are easily customizable and can be efficiently tailored to customers' requirements and desires [\u003cspan additionalcitationids=\"CR12\" citationid=\"CR11\" class=\"CitationRef\"\u003e11\u003c/span\u003e\u0026ndash;\u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e13\u003c/span\u003e].\u003c/p\u003e\u003cp\u003eHowever, looking at LPs from a security perspective is worthwhile. That is, commercial organizations collect customers' data to increase their market share and increase their profitability. Some information is so important to collect, such as names and addresses, but other information, like customer behavior, is another side customers might not like to be collected. Another issue is that the loyalty cards' information might not be secured enough, making them vulnerable to illegal alterations.\u003c/p\u003e\u003cp\u003eThis study focuses on investigating the security level of loyalty cards. It presents some experiments on different loyalty cards from the local Saudi market to understand to what extent such cards are secured. In particular, this investigation mainly focuses on the aspects of copying cards and modifying their data. Unfortunately, the results showed that the security-level needs some improvements, as changing the information on such cards was possible. For this, some appropriate practical recommendations are proposed.\u003c/p\u003e\u003cp\u003eThe research paper is organized as follows. Section \u003cspan refid=\"Sec1\" class=\"InternalRef\"\u003e2\u003c/span\u003e presents a literature review, followed by the method and materials used in Section \u003cspan refid=\"Sec5\" class=\"InternalRef\"\u003e3\u003c/span\u003e. Section \u003cspan refid=\"Sec13\" class=\"InternalRef\"\u003e4\u003c/span\u003e introduces the results and discussions about the study. Section \u003cspan refid=\"Sec16\" class=\"InternalRef\"\u003e5\u003c/span\u003e highlights some crucial recommendations to improve the security level in loyalty programs. Section \u003cspan refid=\"Sec17\" class=\"InternalRef\"\u003e6\u003c/span\u003e concludes the paper.\u003c/p\u003e"},{"header":"2 Background","content":"\u003cp\u003eThis section discusses the literature review, three pillars tradeoff and contributions.\u003c/p\u003e\u003cdiv id=\"Sec2\" class=\"Section2\"\u003e\u003ch2\u003e2.1 Literature Review\u003c/h2\u003e\u003cp\u003eThe American Marketing Association [\u003cspan citationid=\"CR14\" class=\"CitationRef\"\u003e14\u003c/span\u003e] defined LPs as \"continuity incentive programs a retailer offers to reward customers and encourage repeat business.\" To promote customer satisfaction, LPs aims to reward customers who make repeated purchases from the same business [\u003cspan citationid=\"CR15\" class=\"CitationRef\"\u003e15\u003c/span\u003e]. Commercial organizations have conceptualized the design of LPs utilizing several characteristics, including tired, discounts, pragmatic, and experiential LPs [\u003cspan additionalcitationids=\"CR17\" citationid=\"CR16\" class=\"CitationRef\"\u003e16\u003c/span\u003e\u0026ndash;\u003cspan citationid=\"CR18\" class=\"CitationRef\"\u003e18\u003c/span\u003e]. Customers want value for their money; therefore, getting the greatest price possible is a disadvantage. In addition, the value of customer recognition is referred to as a smooth advantage [\u003cspan citationid=\"CR19\" class=\"CitationRef\"\u003e19\u003c/span\u003e].\u003c/p\u003e\u003cp\u003eMoreover, marketing professionals employ LPs as a crucial customer relationship management (CRM) tool to find, reward, and keep profitable customers. The development of LPs began in the 20th century with the emergence of the industry among airlines and stores. Since the beginning of LPs, the concept that rewards devoted customers has not changed [\u003cspan citationid=\"CR20\" class=\"CitationRef\"\u003e20\u003c/span\u003e]. LPs are a multi-billion-dollar industry, and the digital revolution accelerates their development [\u003cspan citationid=\"CR21\" class=\"CitationRef\"\u003e21\u003c/span\u003e]. The number of LP memberships in the United States grew by 15% between 2015 and 2017, reaching approximately 4\u0026nbsp;billion dollars [\u003cspan citationid=\"CR22\" class=\"CitationRef\"\u003e22\u003c/span\u003e].\u003c/p\u003e\u003cp\u003eNastasoiu and Vandenbosch [\u003cspan citationid=\"CR23\" class=\"CitationRef\"\u003e23\u003c/span\u003e] explored how to create effective customer LPs that benefit participants and are difficult for competitors to copy. Their attention was divided between three critical areas of improvement: personalization, incentive categories, and extra services. By personalizing offers, businesses can take advantage of the information they already have about their customers and create deals that are interesting and relevant to them. Alshurideh et al. [\u003cspan citationid=\"CR24\" class=\"CitationRef\"\u003e24\u003c/span\u003e] studied the most common LP flaws from theoretical and practical standpoints. The study examines several planning issues with LPs and some execution-related issues, such as the need for clear objectives, the design of LPs, budgeting, and experienced staff participation.\u003c/p\u003e\u003cp\u003eRecent technologies have increased the opportunities for LP management and its improvements. However, such advances also have challenges (e.g., security, privacy, data integrity, etc.). Even though LPs have been investigated in different business aspects, little interest has been devoted to their security aspects.\u003c/p\u003e\u003cp\u003eJenjarrussakul and Matsuura [\u003cspan citationid=\"CR25\" class=\"CitationRef\"\u003e25\u003c/span\u003e] investigated the Japanese loyalty programs by focusing on their liquidity, security efforts, and security level. They concluded that if proper security standards are met, security incidents decrease. Similarly, the implications of LP-point liquidity on the costs associated with security breaches are examined using an empirical analysis based on Japanese data. Shinoda and Matsuura [\u003cspan citationid=\"CR26\" class=\"CitationRef\"\u003e26\u003c/span\u003e] reviewed the empirical models in which the variables chosen\u0026mdash;damage, investment, vulnerability, and threat\u0026mdash;are motivated by the Gordon-Loeb formulation of security investment. Considering other LP security incidents, they re-examined the liquidity concept. They investigated hypotheses using newly defined proxies relating to the threat and other refined proxies to draw additional implications that assist LP operators in managing partnerships.\u003c/p\u003e\u003cp\u003ePurohit and Thakar [\u003cspan citationid=\"CR27\" class=\"CitationRef\"\u003e27\u003c/span\u003e] created a conceptual model that encourages a more comprehensive and overall perspective on the function of \u003cem\u003einformation and communication technology\u003c/em\u003e (ICT) in managing LPs. Using relevant LP effectiveness literature, it is possible to see how some of the most recent technologies might be used in the LP lifecycle. Then, using this paradigm as a platform, various relevant issues deserving of more study are found and presented. Business experts and consumer associations have criticized LPs for the loss of privacy of consumers. Blanco-Justicia and Domingo-Ferrer [\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e28\u003c/span\u003e] introduced a protocol for privacy-preserving LPs that enables consumers to remain anonymous and gives them control over how much of their profile they expose to the vendor while also allowing the companies to profit from loyalty. The protocol ensures consumers' and their purchases' anonymity while still allowing for negotiated consumer profiling. It is based on partially blind signatures and generalization techniques.\u003c/p\u003e\u003cp\u003eAccording to a survey and social media analysis [\u003cspan citationid=\"CR29\" class=\"CitationRef\"\u003e29\u003c/span\u003e], more than half of consumers acknowledged that they had dropped at least one LP. Given the information, it can also be highlighted that most LPs have previously been shown to be underutilized and useless.\u003c/p\u003e\u003cp\u003eTherefore, studying the weakness and drawbacks of such programs from the security and privacy perspectives can fill the gap and provide a valuable addition to the field of LP management. The current study considers such programs a win-win relationship between retailers and customers. Thus, the study contributes to the area by highlighting the security and privacy issues that retailers must be aware of to keep such programs successful and meaningful for customers and retailers.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec3\" class=\"Section2\"\u003e\u003ch2\u003e2.2 Three Pillars Tradeoff\u003c/h2\u003e\u003cp\u003eDesigning systems that are both usable and secure creates essential issues when it comes to balancing security and usability appropriately. It can be challenging to strike the correct balance between these two quality features. Under the topic of this paper, security is an essential factor in a system's quality. Also, usability is yet another vital factor for using the system. A common misunderstanding is that security is only a design issue isolated from usability. Both factors are related, and a tradeoff between them must be achieved. Different standards have different definitions of usability [\u003cspan citationid=\"CR34\" class=\"CitationRef\"\u003e34\u003c/span\u003e], [\u003cspan citationid=\"CR35\" class=\"CitationRef\"\u003e35\u003c/span\u003e], and [\u003cspan citationid=\"CR36\" class=\"CitationRef\"\u003e36\u003c/span\u003e]. The emphasis on various sets of usability elements, such as effectiveness, efficiency, learnability, or user satisfaction, varies across the board in these standards. As a result, a complete definition of usability should incorporate usability traits linked to both processes and products, such as effectiveness, efficiency, satisfaction, security, and learnability [\u003cspan citationid=\"CR37\" class=\"CitationRef\"\u003e37\u003c/span\u003e].\u003c/p\u003e\u003cp\u003eAnother essential factor that we believe is also related to these two is the cost. The cost is a third factor in the tradeoff triangle that must be considered during the system development journey. In other words, all three factors are so related that putting all the focus on one will affect the others. Thus, all the three factors must be monitored to satisfy the system\u0026rsquo;s quality by balancing and keeping an eye on them. For example, focusing only on security and usability might create a costly system, which is not welcomed. Also, keeping an eye on security and costs only might lead to a weak usable system.\u003c/p\u003e\u003cp\u003eTo sum up, all three factors need to be considered by developers during the system development. Otherwise, we might face a low-quality system in one or more areas. Figure\u0026nbsp;\u003cspan refid=\"Fig1\" class=\"InternalRef\"\u003e1\u003c/span\u003e presents the three factors in a graphical presentation to emphasize the role that balancing them is crucial and not a choice.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eIn this paper, we found some issues regarding these factors. The architectural design of all the studied loyalty systems suffers from security issues in favor of usability and costs. As discussed in the following sections, the studied loyalty programs' usability and costs were practical. However, the security was way below the proper level. The following sections will discuss this issue in more detail.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec4\" class=\"Section2\"\u003e\u003ch2\u003e2.2 Contributions\u003c/h2\u003e\u003cp\u003eDespite the positive economic impact of loyalty programs on organizations' profitability, the literature lacks research efforts in investigating the security aspects of such programs. Few studies have explored the security threats that such programs might face, yet more to dig into. This study aims to investigate the common tool of loyalty programs in Saudi Arabia, which are based on magnetic cards. It is believed that the current study has focused on the security issues of such cards by presenting the potential threats and their possible solutions. We believe that treating these issues seriously will increase the security of loyalty systems and protect their information. To the best of our knowledge, the literature lacks such study either in the context of Saudi Arabia or somewhere else.\u003c/p\u003e\u003c/div\u003e"},{"header":"3 Method and materials","content":"\u003cp\u003eThe study aims at investigating the real threat of loyalty cards. Thus, real loyalty cards from local stores were examined, and a real dataset was collected. The following sections present more details about the experiments' procedure and tools.\u003c/p\u003e\u003cp\u003eThis section describes the magnetic card, magnetic stripe, card reader, dataset, and experiment.\u003c/p\u003e\u003cdiv id=\"Sec6\" class=\"Section2\"\u003e\u003ch2\u003e3.1 Magnetic Card\u003c/h2\u003e\u003cp\u003eDifferent loyalty cards were examined. Typically, these cards are magnetic stripe cards where their stored data are encoded by altering the magnetism of the particles on an iron-based magnetic strip. This card type is widely used in different facilities, such as transportation tickets, identification cards, and credit cards [\u003cspan citationid=\"CR29\" class=\"CitationRef\"\u003e29\u003c/span\u003e]. Magnetic stripes commonly found on the back of the card and can be read by dragging them across a read head carry digitally encoded data that can be read by pushing them across a read head. The magnetic stripe's characteristics, coding mechanism, and magnetic track placements are specified in ISO standard 7811 [\u003cspan citationid=\"CR32\" class=\"CitationRef\"\u003e32\u003c/span\u003e]. Figure\u0026nbsp;\u003cspan refid=\"Fig2\" class=\"InternalRef\"\u003e2\u003c/span\u003e shows the location of the track on the card as well as the standard size properties [\u003cspan citationid=\"CR30\" class=\"CitationRef\"\u003e30\u003c/span\u003e].\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec7\" class=\"Section2\"\u003e\u003ch2\u003e3.2 Magnetic Stripe in the Card\u003c/h2\u003e\u003cp\u003eThe magnetic stripe can have up to three tracks and more than 1000 bits [\u003cspan citationid=\"CR29\" class=\"CitationRef\"\u003e29\u003c/span\u003e]. The standard version is shown in Fig.\u0026nbsp;\u003cspan refid=\"Fig3\" class=\"InternalRef\"\u003e3\u003c/span\u003e [\u003cspan citationid=\"CR31\" class=\"CitationRef\"\u003e31\u003c/span\u003e]. Each track is dedicated to storing certain information specified by the standard. The account number and the account holder's name are reserved in Track 1, which has 79 alphanumeric characters. Track 2 has 40 numeric characters and records account information such as the account number and expiration date. Track 3 can store additional information but is mainly used in financial transactions, whereas Tracks 1 and 2 are frequently only used [\u003cspan citationid=\"CR31\" class=\"CitationRef\"\u003e31\u003c/span\u003e].\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eA magnetic stripe is made up of three horizontally stacked tracks. Each track runs the entire length of the credit card. On the other hand, the data on each track is unique and can contain a wide range of information. It may include the credit card account number, cardholder's name, card verification code, service code, and expiration date. Only the first two tracks on the magnetic stripe usually carry credit card information in the case of credit cards. The third track is rarely used, but when it is, it contains information like the currency code or country code. The magnetic stripe reader reads the data, which detects changes in the magnetic field induced by flux reversals on the badge's magnetic stripe.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec8\" class=\"Section2\"\u003e\u003ch2\u003e3.3Card reader\u003c/h2\u003e\u003cp\u003eTo analyze the selected cards, we used a card reader that shows the card's data. In particular, we utilized the Misiri V4.01 reader as one of the commercial readers available off-the-shelf. Figure\u0026nbsp;\u003cspan refid=\"Fig4\" class=\"InternalRef\"\u003e4\u003c/span\u003e shows the used card reader, while its software interface is shown in Fig.\u0026nbsp;\u003cspan refid=\"Fig5\" class=\"InternalRef\"\u003e5\u003c/span\u003e.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec9\" class=\"Section2\"\u003e\u003ch2\u003e3.4 Dataset\u003c/h2\u003e\u003cp\u003eAs mentioned previously, the magnetic stripe can have up to three tracks and more than 1000 bits; thus, once the reader shows the card's data, each track's data will be considered. Figures\u0026nbsp;\u003cspan refid=\"Fig6\" class=\"InternalRef\"\u003e6\u003c/span\u003e\u0026ndash;\u003cspan refid=\"Fig8\" class=\"InternalRef\"\u003e8\u003c/span\u003e show the standard of each track according to [\u003cspan citationid=\"CR31\" class=\"CitationRef\"\u003e31\u003c/span\u003e].\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAccordingly, data in each track is collected. Four loyalty cards are selected: C1, C2, C3, and C4 from different sectors of Saudi market, as shown in Table\u0026nbsp;\u003cspan refid=\"Tab1\" class=\"InternalRef\"\u003e1\u003c/span\u003e. It is worth noting that the cards are given symbolic names to preserve the stores' privacy.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab1\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 1\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eDataset\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"3\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCard\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eSector\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eEntertainment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eHome Appliances\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e3\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC3\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eClothes retailer\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e4\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC4\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eFood retailer\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec10\" class=\"Section2\"\u003e\u003ch2\u003e3.5 Experiments\u003c/h2\u003e\u003cp\u003eTo test the hypothesis that loyalty cards have such security threats, we conducted an experiment in which selected loyalty cards were tested. The hypothesis under test is:\u003c/p\u003e\u003cp\u003eH\u003csub\u003e0\u003c/sub\u003e \u0026ndash; \u003cem\u003eLoyalty cards of Saudi stores are secured enough, and they do not need security features to improve their robustness against possible attacks\u003c/em\u003e\u003c/p\u003e\u003cp\u003eIn this experiment, rejecting the null hypothesis indicates that there is a security threat in the loyalty cards under investigation.\u003c/p\u003e\u003cp\u003eIt is worth to point out that the selected cards are only samples, as our experiment can be generalized to other loyalty cards.\u003c/p\u003e\u003cdiv id=\"Sec11\" class=\"Section3\"\u003e\u003ch2\u003e3.5.1 Experiment Setup\u003c/h2\u003e\u003cp\u003eThe system explained in Section \u003cspan refid=\"Sec8\" class=\"InternalRef\"\u003e3.3\u003c/span\u003e is utilized to analyze the selected cards and collect data. We used the \u003cem\u003eMicrosoft Surface Pro 7\u003c/em\u003e devise to show the read data and store the results. The four selected loyalty cards are models of loyalty cards in general. Adding more cards may generalize the results of the study.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec12\" class=\"Section3\"\u003e\u003ch2\u003e3.5.2 Experiment Procedure\u003c/h2\u003e\u003cp\u003eThe experiment procedure has two phases: recognizing and modifying the card data. First, the reader reads the card data stored in different tracks and analyzes them. In the second phase, we modify the card's data by manipulating each track's data. This includes copying a card to another blank card, random change in the card's tracks, and replacing a card with another card. Figure\u0026nbsp;9 shows an example of replacing C1 card data with C2 card data.\u003c/p\u003e"},{"header":"4 Results and Discussion","content":"\u003cp\u003eThe results indicate that all selected cards are vulnerable to potential illegal threats. These vulnerabilities can be illegally exploited. For example, the balance on the card can be modified. Such a threat can lead to the failure of the loyalty program and decrease its profitability. Therefore, this result invalidates the hypothesis H\u003csub\u003e0\u003c/sub\u003e that \u003cem\u003eLoyalty cards of Saudi stores are secured enough, and they do not need security features to improve their robustness against possible attacks\u003c/em\u003e. In the following, recognition and modification results are discussed.\u003c/p\u003e\u003cdiv id=\"Sec14\" class=\"Section2\"\u003e\u003ch2\u003e4.1 Recognition results\u003c/h2\u003e\u003cp\u003eAll selected cards were read successfully, and their data was retrieved and recognized. Table\u0026nbsp;\u003cspan refid=\"Tab2\" class=\"InternalRef\"\u003e2\u003c/span\u003e presents an example of data from the C1 card. All cards have three tracks. However, not all tracks have data. For instance, in the C1 card, track 3 has no data. However, we could still access other tracks and modify the data.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab2\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 2\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eDerived results of each card's data from the recognition process\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"3\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCard\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTrack\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eRecognized data\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\" morerows=\"2\" rowspan=\"3\"\u003e\u003cp\u003eC1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTrack 1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e%6009\u0026thinsp;=\u0026thinsp;3214971717999532768?\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTrack 2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e;6009\u0026thinsp;=\u0026thinsp;0000000009006453?\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTrack 3\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eNo Data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec15\" class=\"Section2\"\u003e\u003ch2\u003e4.2 Modification Results\u003c/h2\u003e\u003cp\u003eBlank cards were prepared, and data were copied from the selected cards to the blank cards. The copying process has been done successfully for all cards. Interestingly, after copying, the new card works properly. For example, Table\u0026nbsp;\u003cspan refid=\"Tab3\" class=\"InternalRef\"\u003e3\u003c/span\u003e presents the results of simulating the C1 card's data.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab3\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 3\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eDerived results of each card's data from the modification process\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"5\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCard\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTrack\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eOld card track data\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eNew card track data\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003eResults\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\" morerows=\"2\" rowspan=\"3\"\u003e\u003cp\u003eC1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTrack 1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e%6009\u0026thinsp;=\u0026thinsp;3214971717999532768?\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e%6009\u0026thinsp;=\u0026thinsp;3214971717999532768?\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\" morerows=\"2\" rowspan=\"3\"\u003e\u003cp\u003eWorking without issue\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTrack 2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e;6009\u0026thinsp;=\u0026thinsp;0000000009006453?\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e;6009\u0026thinsp;=\u0026thinsp;0000000009006453?\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTrack 3\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eNo Data\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eNo Data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eMoreover, one of the modifications is making a random change in the card's tracks to test the possibility of manipulating the card's data. Interestingly, changing a specific part in Track 1 randomly is possible, and the card is still working. For example, Fig.\u0026nbsp;\u003cspan refid=\"Fig9\" class=\"InternalRef\"\u003e10\u003c/span\u003e shows changing Track 1, which is shown in Table\u0026nbsp;\u003cspan refid=\"Tab2\" class=\"InternalRef\"\u003e2\u003c/span\u003e (i.e., changing the digits 27 at the end by 90).\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAlso, a change can be applied to Track 2, but this will lead to showing that the card belongs to another person. Figure\u0026nbsp;\u003cspan refid=\"Fig10\" class=\"InternalRef\"\u003e11\u003c/span\u003e shows an example of changing Track 2, which is shown in Table\u0026nbsp;\u003cspan refid=\"Tab2\" class=\"InternalRef\"\u003e2\u003c/span\u003e (i.e., changing the digit 4 by 5.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eFurthermore, one of the modifications is replacing a card with another to see to what extent data might be protected. Surprisingly, it can be possible to replace a used card's data with another one, and the card is working correctly. For example, moving data from the C2 card to the C1 card results in having C2 working properly on the C1 system but not on the C2 system.\u003c/p\u003e\u003cp\u003eIt would be essential to note that some cards have only one track with data, while others are empty. For example, the C3 card has only track 1 that has data, as shown in Table\u0026nbsp;\u003cspan refid=\"Tab4\" class=\"InternalRef\"\u003e4\u003c/span\u003e. Once we analyzed this card, we found that the data refers to the owner's information and the points balance.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab4\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 4\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eThe C3 card's tracks information\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"2\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrack\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eData\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrack 1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e%1700000229211391?\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrack 2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eNo Data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrack 3\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eNo Data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eAs an attempt to modify track1's data randomly, surprisingly, we found that the modification possibly belonged to someone already registered. However, if the change is for an expected new customer, the system will indicate this card has not been registered yet.\u003c/p\u003e\u003cp\u003eFurthermore, the C4 card also has one track with data, track 2, shown in Table\u0026nbsp;\u003cspan refid=\"Tab5\" class=\"InternalRef\"\u003e5\u003c/span\u003e. As an attempt to modify track1's data randomly, surprisingly, we found it possible if the modification belonged to someone already registered. However, if the change is for an expected new customer, the system will indicate this card has not been registered yet.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab5\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 5\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eThe C4 card's tracks information\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"2\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrack\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eData\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrack 1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eNo Data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrack 2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e;93201797?\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrack 3\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eNo Data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eReturning to the null hypothesis introduced in section \u003cspan refid=\"Sec9\" class=\"InternalRef\"\u003e3.4\u003c/span\u003e, the result of the examined null hypothesis is rejection since Loyalty cards of Saudi stores were not secured enough, and they do need security features to improve their robustness against possible attacks.\u003c/p\u003e\u003c/div\u003e"},{"header":"5 Security Recommendations","content":"\u003cp\u003eLegitimate loyalty program owners need to be aware of the vulnerabilities in their systems and take precautions to strengthen them. The practices listed below can help you avoid such vulnerabilities. Based on the above discussion, we found that the data on magnetic stripe cards are not protected. The study shows that the data were vulnerable to illegal modification with a simple card reader. Therefore, it is highly recommended to protect such cards with passwords where data can only be modified by a specific loyalty system using a password.\u003c/p\u003e\u003cp\u003eAdditionally, the study found that cloning the cards was possible in most situations since all the required data for cloning were available on the original card. Therefore, a summary of the found vulnerabilities and the suggested solutions are presented in Table\u0026nbsp;\u003cspan refid=\"Tab6\" class=\"InternalRef\"\u003e6\u003c/span\u003e.\u003c/p\u003e\u003cp\u003eWe believe that applying these recommendations can improve the security level of these cards as well as extend their resistance to such attacks.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab6\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 6\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eSecurity recommendations\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"4\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCard\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eModification\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eThreats\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eRecommended Solution\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eC1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCopy it to the C2 card and copy it to the blank card, random change on tracks 1 and 2.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e- When copied to multiple cards, the copied cards were working in C1 Land (Modification).\u003c/p\u003e\u003cp\u003e- When we changed Track 2, the card still worked, but the ID had changed and belonged to someone else (Fabrication).\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\" morerows=\"3\" rowspan=\"4\"\u003e\u003cp\u003eOne of the most effective solutions is to link the loyalty program with the smart video surveillance system.\u003c/p\u003e\u003cp\u003eAwareness and training of employees well about what is allowed and not allowed and how to detect fraud and deal with it because they are the first line of defense for loyalty programs.\u003c/p\u003e\u003cp\u003eUrging customers to monitor their accounts periodically and verify their balances.\u003c/p\u003e\u003cp\u003eMonitor loyalty program accounts to detect any suspicious activity.\u003c/p\u003e\u003cp\u003eTo prevent the copied card from using it as a real card, use a one-time password (OTP) code by connecting the personal profile with a mobile number.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eC2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eWrite a C1 card on it.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eBecame working as a C1, we lost C2's points (Interruption).\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eC3\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCopy it to a blank card and change it randomly on Track1.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eA change in Track1 made the card invalid in the Home Center rewards system (Modification).\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eC4\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCopy its data to a registered card\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e- Moving points\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e"},{"header":"6 Conclusion","content":"\u003cp\u003eThis study has drawn researchers\u0026rsquo; attention to the possible threats and issues of the current loyalty programs in the Saudi market. This issue might be available in markets of other countries as well. The experiment results have revealed some illegal practices that might affect the objectives of such programs, making them useless or harmful in some cases in terms of business financial considerations. For study purposes, only four loyalty programs from the local market of Saudi Arabia were investigated. Unfortunately, all the studied programs were vulnerable to illegal practices. However, the results can be generalized by exploring other loyalty methods and approaches. It can be concluded that such loyalty programs must be improved in terms of security perspective, and business owners must pay more attention to threats that might affect their businesses sooner or later. We hope that the results and recommendations help make such a sector more secure.\u003c/p\u003e"},{"header":"Declarations","content":"\u003cp\u003e\u003cstrong\u003eAcknowledgement:\u003c/strong\u003e Removed for anonymization purposes in accordance with journal policy.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eFunding Statement:\u0026nbsp;\u003c/strong\u003eThe author(s) received no specific funding for this study.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAuthor Contributions:\u0026nbsp;\u003c/strong\u003estudy conception and design: S. A.; data collection: S. A.; analysis and interpretation of results: S. A. and\u0026nbsp;W. A.; draft manuscript preparation: S. A. and W. A. All authors reviewed the results and approved the final version of the manuscript.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAvailability of Data and Materials:\u0026nbsp;\u003c/strong\u003eThe data that support the findings of this study are available from the corresponding author upon reasonable request.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eConflicts of Interest:\u0026nbsp;\u003c/strong\u003eThe authors declare that they have no conflicts of interest to report regarding the present study.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCompeting interests:\u003c/strong\u003e The authors declare no competing interests.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eEthical approval:\u003c/strong\u003e This study did not involve any research with human participants conducted by the authors.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eInformed consent:\u003c/strong\u003e This article does not contain any studies with human participants performed by any of the authors.\u003c/p\u003e"},{"header":"References","content":"\u003col\u003e\n\u003cli\u003eSharp, Byron; Sharp, Anne (1997),\u0026quot;Loyalty programs and their impact on repeat-purchase loyalty pattern\u0026quot;, International Journal of Research in Marketing, 14 (5): 473\u0026ndash;486, doi:10.1016/S0167-8116(97)00022-0\u003c/li\u003e\n\u003cli\u003eFook, Andy Chin Woon; Dastane, Omkar (June 2021).\u0026quot;Effectiveness of Loyalty Programs in Customer Retention: A Multiple Mediation Analysis\u0026quot;. Jindal Journal of Business Research. 10 (1): 7\u0026ndash;32. doi:10.1177/22786821211000182\u003c/li\u003e\n\u003cli\u003eAgarwal, R., Mehrotra, A., \u0026amp; Misra, D. (2022). Customer happiness as a function of perceived loyalty program benefits-A quantile regression approach. Journal of Retailing and Consumer Services, 64, 102770.\u003c/li\u003e\n\u003cli\u003eFeliz, S., \u0026amp; Maggi, C. (2019). What is the impact of increased business competition? International Monetary Fund.\u003c/li\u003e\n\u003cli\u003eFritsch, M., \u0026amp; Changoluisa, J. (2017). New business formation and the productivity of manufacturing incumbents: Effects and mechanisms. Journal of Business Venturing, 32(3), 237\u0026ndash;259.\u003c/li\u003e\n\u003cli\u003eWiner, R. S. (2001). A framework for customer relationship management. California Management Review, 43(4), 89\u0026ndash;105.\u003c/li\u003e\n\u003cli\u003eAli, S., \u0026amp; Ali, M. (2018). Impact of consumer relationship management on consumer satisfaction, loyalty programs and customer retention in banking sector of Pakistan. Oman Chapter of Arabian Journal of Business and Management Review, 34(6112), 1\u0026ndash;13.\u003c/li\u003e\n\u003cli\u003eKamau, L. W. (2017). Effect of loyalty programs on customer retention: A case of Nakumatt Supermarkets Kenya [Doctoral dissertation]. United States International University Africa.\u003c/li\u003e\n\u003cli\u003eKhalil, S. M., Ullah, O. B. A. I. D., \u0026amp; Khalil, D. S. H. (2018). The effect of customer loyalty programs on customer retention in Pakistan. Journal of Business and Tourism, 4(2), 237\u0026ndash;251.\u003c/li\u003e\n\u003cli\u003eRahimi, R. (2007). Feasibility study of application and implementation of customer relationship management (CRM) in hotel industry: Case of Ham game Arya Group Hotels [Master thesis]. Lulea University of Technology.\u003c/li\u003e\n\u003cli\u003eKarakostas, B., Kardaras, D., \u0026amp; Papathanassiou, E. (2005). The state of CRM adoption by the financial services in the UK: An empirical investigation. Information \u0026amp; Management, 42(6), 853\u0026ndash;863.\u003c/li\u003e\n\u003cli\u003eKim, J. (2019). The impact of different price promotions on customer retention. Journal of Retailing and Consumer Services, 46, 95\u0026ndash;102.\u003c/li\u003e\n\u003cli\u003eKoo, B., Yu, J., \u0026amp; Han, H. (2020). The role of loyalty programs in boosting hotel guest loyalty: Impact of switching barriers. International Journal of Hospitality Management, 84, 102328.\u003c/li\u003e\n\u003cli\u003eAmerican Marketing Association. (2016). Dictionary. https://www.ama.org\u003c/li\u003e\n\u003cli\u003eYi, Y., \u0026amp; Jeon, H. (2003). Effects of loyalty programs on value perception, program loyalty, and brand loyalty. Journal of the Academy of Marketing Science, 31(3), 229\u0026ndash;240.\u003c/li\u003e\n\u003cli\u003eDorotic, M., Bijmolt, T. H., \u0026amp; Verhoef, P. C. (2012). Loyalty programmes: Current knowledge and research directions. International Journal of Management Reviews, 14(3), 217\u0026ndash;237.\u003c/li\u003e\n\u003cli\u003eFullerton, G., (2003). When does commitment lead to loyalty? Journal of Service Research, 5(4), 333\u0026ndash;344.\u003c/li\u003e\n\u003cli\u003eMimouni-Chaabane, A., \u0026amp; Volle, P. (2010). Perceived benefits of loyalty programs: Scale development and implications for relational strategies. Journal of Business Research, 63, 32.\u003c/li\u003e\n\u003cli\u003eNunes, J. C., \u0026amp; Dr\u0026egrave;ze, X. (2006). Your loyalty program is betraying you. Harvard Business Review, 84(4), 124.\u003c/li\u003e\n\u003cli\u003eChen, Y., Mandler, T., \u0026amp; Meyer-Waarden, L. (2021). Three decades of research on loyalty programs: A literature review and future research agenda. Journal of Business Research, 124, 179-197.\u003c/li\u003e\n\u003cli\u003eJones, B. (2016). New revenue recognition rules: How will they affect loyalty programs? PWC. Retrieved from https://www.pwc.com/us/en/insurance/publications/assets/pwc-loyalty-programs-revrec.pdf.\u003c/li\u003e\n\u003cli\u003eFruend, M. (2017). The 2017 COLLOQUY loyalty census \u0026ndash; An in-depth analysis of where loyalty is now... and where it\u0026apos;ss headed. COLLOQUY. Retrieved from https://colloquy.com/resources/pdf/reports/COLLOQUY_2017_Loyalty census.Pdf. \u003c/li\u003e\n\u003cli\u003eNastasoiu, A., \u0026amp; Vandenbosch, M. (2019). Competing with loyalty: How to design successful customer loyalty reward programs. Business Horizons, 62(2), 207-214.\u003c/li\u003e\n\u003cli\u003eAlshurideh, M., Gasaymeh, A., Ahmed, G., Alzoubi, H., \u0026amp; Kurd, B. (2020). Loyalty program effectiveness: Theoretical reviews and practical proofs. Uncertain Supply Chain Management, 8(3), 599-612.\u003c/li\u003e\n\u003cli\u003eJenjarrussakul, B., \u0026amp; Matsuura, K. (2014, June). Analysis of Japanese loyalty programs considering liquidity, security efforts, and actual security levels. In The 13th Workshop on the Economics of Information Security.\u003c/li\u003e\n\u003cli\u003eShinoda, S., \u0026amp; Matsuura, K. (2016). Empirical investigation of threats to loyalty programs by using models inspired by the Gordon-Loeb formulation of security investment. Journal of Information Security, 7(2), 29-48.\u003c/li\u003e\n\u003cli\u003ePurohit, A., \u0026amp; Thakar, U. (2019). Role of information and communication technology in improving loyalty program effectiveness: a comprehensive approach and future research agenda. Information Technology \u0026amp; Tourism, 21(2), 259-280.\u003c/li\u003e\n\u003cli\u003eBlanco-Justicia, A., \u0026amp; Domingo-Ferrer, J. (2014). Privacy-preserving loyalty programs. In Data privacy management, autonomous spontaneous security, and security assurance (pp. 133-146). Springer, Cham.\u003c/li\u003e\n\u003cli\u003eBarton, S., \u0026amp; Cecily Raiborn, P. H. D. (2019). Customer loyalty program fraud. Strategic Finance, 101(6), 32-39.\u003c/li\u003e\n\u003cli\u003eRankl, Wolfgang, and Wolfgang Effing. Smart card handbook. John Wiley \u0026amp; Sons, 2004\u003c/li\u003e\n\u003cli\u003eMorgan, D. Security of Loyalty Cards Used in Estonia. Diss. MSc thesis, Tallinn University of Technology, 2017\u003c/li\u003e\n\u003cli\u003eQ-Card, \u0026quot;ISO Magnetic Stripe Card Standards\u0026quot; Q-Card, 06 May 2015. [Online]. Available: https://www.q-card.com/about-us/iso-magnetic-stripe-card- standards/page.aspx?id=1457. [Accessed 18 April 2025]\u003c/li\u003e\n\u003cli\u003eChang, H. H., \u0026amp; Chen, S. W. (2009). Consumer perception of interface quality, security, and loyalty in electronic commerce. Information \u0026amp; management, 46(7), 411-417.\u003c/li\u003e\n\u003cli\u003eInternational Organization for Standardization (1998) ISO 9241-11: \u0026quot;Ergonomic\u003c/li\u003e\n\u003cli\u003erequirements for office work with visual display terminals (VDTs - Part 11: Guidance on Usability\u0026quot;. International Organization for Standardization: ISO/IEC 9126-1:2001 Edition 1; Software product Evaluation \u0026ndash; Quality Characteristics and Guidelines for the User, Geneva (2001).\u003c/li\u003e\n\u003cli\u003eInstitute of Electrical and Electronics Engineers (IEEE): 1061-1998 IEEE Standard for a Software Quality Metrics Methodology (1998).\u003c/li\u003e\n\u003cli\u003eBraz, C., Seffah, A., \u0026amp; M\u0026rsquo;Raihi, D. (2007, September). Designing a tradeoff between usability and security: a metrics based-model. In IFIP Conference on human-computer interaction (pp. 114-126). Springer, Berlin, Heidelberg.\u003c/li\u003e\n\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"loyalty, security, analysis, attacks, cost, usability","lastPublishedDoi":"10.21203/rs.3.rs-6841317/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-6841317/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eA loyalty program (LP) is a common marketing strategy business owners use to increase profit and improve marketing experiences. In particular, services for point exchange or redemption are now offered globally because of businesses' efforts to build consumer loyalty and increase business profitability. Since both customers and attackers are drawn to these services, identifying their security threats can enhance the prevention of attacks as loyalty cards are easy to produce, and customers use them frequently with less attention, unfortunately. Therefore, this study analyzes the security and privacy vulnerabilities of using such a method on both sides: customers and merchants. That is, the study empirically investigates several real local loyalty programs. The results revealed some critical threats and vulnerabilities in the current loyalty programs. To overcome these threats and help business owners to improve their practices, a set of appropriate practical recommendations are proposed.\u003c/p\u003e","manuscriptTitle":"Empirical Analysis of Security Threats and Issues in Loyalty cards of Saudi market","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-08-05 13:35:02","doi":"10.21203/rs.3.rs-6841317/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"d2bf8669-c519-4c0e-b14c-b5b793a187c6","owner":[],"postedDate":"August 5th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[{"id":52557810,"name":"Business and commerce/Information systems and information technology"},{"id":52557811,"name":"Social science/Finance"},{"id":52557812,"name":"Social science/Science technology and society"}],"tags":[],"updatedAt":"2026-01-06T11:24:40+00:00","versionOfRecord":[],"versionCreatedAt":"2025-08-05 13:35:02","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-6841317","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-6841317","identity":"rs-6841317","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2025) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00