
You can get paid for 'buying' items you’ve already returned.

April 16, 2026

Original Paper

Refunded but Rewarded: The Double Dip Attack on Cashback Reward Engines

SSRN · 6576014

The Takeaway

Most people assume credit card companies have foolproof systems to take back reward points when you return a purchase. However, researchers found a 'double dip' flaw where timing gaps between the refund and the reward 'clawback' allow users to extract value deterministically. It’s a systemic security hole in how digital wallets and banks talk to each other that effectively lets people print money. For the financial industry, it reveals that their most popular consumer features—cashback and rewards—are being treated as marketing perks rather than secure transactions. This leaves them wide open to simple exploits that most people didn't even realize were possible.
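A reconciliation check for the refund-to-clawback gap described above, as an added example (not code from the paper or from any issuer). The event kinds, field layout, finding names and account names are assumptions, and the sample ledger is constructed.

```python
from collections import defaultdict

# Constructed sample ledger: (time, account, kind, txn_id, points).
# Event kinds and field layout are assumptions made for this example.
EVENTS = [
    (1, "acct-A", "accrue",   "t1", 500),
    (2, "acct-A", "refund",   "t1", 0),
    (3, "acct-A", "redeem",   None, 500),  # spent before the clawback runs
    (9, "acct-A", "clawback", "t1", 0),    # nothing left to recover
    (1, "acct-B", "accrue",   "t2", 300),
    (4, "acct-B", "refund",   "t2", 0),
    (5, "acct-B", "clawback", "t2", 300),  # recovered in full
    (2, "acct-C", "accrue",   "t3", 200),
    (3, "acct-C", "refund",   "t3", 0),    # clawback never arrives
]

def audit(events):
    """Return (account, finding, points) for rewards exposed by refunds."""
    balance = defaultdict(int)
    accrued = {}                  # txn_id -> points granted
    pending = defaultdict(dict)   # account -> {txn_id: points awaiting clawback}
    findings = []
    for _, acct, kind, txn, pts in sorted(events, key=lambda e: e[0]):
        if kind == "accrue":
            accrued[txn] = pts
            balance[acct] += pts
        elif kind == "refund":
            pending[acct][txn] = accrued.get(txn, 0)
        elif kind == "redeem":
            balance[acct] -= pts
            at_risk = sum(pending[acct].values())
            if at_risk > balance[acct]:
                # Redemption consumed points owed back for a refunded purchase.
                findings.append((acct, "redeemed_in_gap", at_risk - max(balance[acct], 0)))
        elif kind == "clawback":
            owed = pending[acct].pop(txn, 0)
            balance[acct] -= pts
            if owed > pts:
                findings.append((acct, "clawback_shortfall", owed - pts))
    for acct, txns in pending.items():
        for owed in txns.values():
            if owed > 0:
                findings.append((acct, "no_clawback", owed))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```

A preventive control built on the same bookkeeping would withhold the `at_risk` points from the redeemable balance until the clawback posts.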

From the abstract

Cashback and loyalty reward programs now serve as central instruments in the competitive landscape of cards, digital wallets, and payment platforms. Despite their financial significance, the business logic governing these programs is seldom treated as a security critical surface. In this paper, we study a class of reward abuse attacks that arise from flaws in how reward systems accrue, redeem, and adjust incentives when underlying transactions are reversed through refunds. Using controlled, smal