Ai Editorial: How safe are ecosystems such as Amazon and Alibaba from the threat of ATO?

First Published on 21st June, 2018

Ai Editorial: What makes account takeover an even bigger threat for organizations is that an increasing number of enterprises are building online ecosystems, as well as branching into different services beyond their initial product offering, writes Ai’s Ritesh Gupta

 

The recent media reports of Amazon accounts being hacked are a disturbing development. Considering how many consumers rely on these ecosystems, and the extent to which they do so, the threat of fraud and its implications for the various stakeholders involved need to be assessed.

Plenty is at stake, since a single platform can be used to access multiple services.

Consider an ecosystem such as Tencent’s WeChat: over the years the Chinese company has gone well beyond its primary services of messaging and social networking. Mobile wallet, bill pay, P2P transfers, merchant services, ticketing, insurance, wealth management and mutual fund management are among the services WeChat is associated with. Similarly, the likes of Amazon and Alibaba are proving to be a lucrative option for fraudsters, as a single account sold on the black market can give them access to a treasure trove of data, including multiple stored payment methods, bank account information, usernames and passwords. In fact, as highlighted by Sift Science, in May this year an Amazon customer found an email statement listing purchases she hadn’t made, totalling $1,640. As it turned out, a fraudster had gained access to her account without her permission, and Amazon ultimately bore the loss from this account takeover (ATO) attempt, on top of an unpleasant experience for the customer and a blow to its reputation.

What makes account takeover an even bigger threat for organizations is that an increasing number of enterprises are building online ecosystems, as well as branching into different services beyond their initial product offering. A case in point is the growth in mobile payment systems, which fraudsters can easily exploit by adding stolen credit cards or making unauthorized transfers of credits from compromised accounts. With growing connectivity of data, fraudsters can have unparalleled access to multiple services with just one account. A case to examine is Amazon, where a single account may be used to access multiple services including Amazon Prime, Alexa, cloud storage, music streaming and more. Plus, the company is already expanding and introducing different services. For example, Amazon uses Amazon Pay as a virtual wallet within the app.

“With a growing connectivity of data in a world of frictionless payments, Amazon is at risk of various fraud scenarios such as having unauthorized transfers of Amazon Pay credits from compromised accounts,” says Justin Lie, CashShield’s CEO. “Once a single account is compromised, it would be difficult to have damage control on all possible endpoints that could benefit the fraudster. For instance, the fraudster could have access to the card-on-file to make purchases, or have access to the user’s information, or worse, in the case of IoT (e.g. Alexa), spy on the users in their homes.”

Dealing with vulnerability 

Fraudsters no longer only make unauthorized payments with stolen credit cards; they also carry out promo abuse by creating multiple accounts, make unauthorized transfers of funds, and make unauthorized top-ups of credits.

One way to safeguard such accounts is two-step verification, requiring users to enter a security code whenever they access an account from a new device. Currently, fraud protection for accounts is still far behind, especially compared to the systems designed to secure payments. Most enterprises rely on static verification measures such as two-factor authentication (2FA) and multi-factor authentication (MFA), but these are easily bypassed by fraudsters (e.g. via SIM hacks or SIM swaps) and create unnecessary friction for users. More must be done to ensure user accounts are secure from fraud. Many merchants struggle to strike a balance between improving security and maximizing user experience, which is difficult if their only known option is to either deploy 2FA/MFA or not. Rather than a blanket rule that forces every user to log in with 2FA, real-time surveillance can assess logins in the background, so that only logins with borderline risk are required to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that account security is not taken for granted.

Lie recommends an end-to-end approach that covers it all: monitoring transactions across multiple channels and devices in real time, at every stage of the process. From front-end filters detecting fraudulent logins to machine automation preventing fraudulent purchases and the chargebacks that follow illegitimate account takeovers, these ecosystems must consider deploying sophisticated end-to-end solutions that cover their bases.

It is time that ecosystems and even other companies make rapid progress since account takeover is indeed occurring more frequently - according to the 2018 Javelin Strategy & Research Report, account takeovers tripled in 2017, which resulted in $5.1 billion in associated losses.

When data breaches occur, consumers have no control. Yet when it comes to account takeovers, customers are told to play an active role in prevention by being vigilant and using complex passwords, even though a data breach would leak all passwords, no matter how complex they are. Lie says it is up to the merchant to adopt stricter security protocols for storing and encrypting data, to minimize the damage in case of a breach. Considering that it is impossible to build the perfect defense, merchants could also aim to mitigate the damage by ensuring that stolen data cannot be used. One way to achieve this is to deploy real-time active surveillance on every login to filter out potential threats and prevent attackers from gaining unauthorized access to accounts.

 

Hear from airlines and other industry executives about ATO at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).

For more click here

Follow Ai on Twitter: @Ai_Connects_Us

 

Ai Editorial: Time for airlines to leverage both supervised and unsupervised ML for curbing fraud

First Published on 14th June, 2018

Ai Editorial: Deploying a multi-disciplinary approach combining different technologies - both supervised and unsupervised machine learning (ML) -  would better equip merchants to deal with fraud management, writes Ai's Ritesh Gupta

 

The travel industry needs to dig deeper to understand the efficacy of machine learning and its role in curbing payment fraud as well as the rising issue of account takeovers.

Machine learning often encompasses different types, and simply using one type (predictive analytics) is insufficient.

Supervised machine learning is considered a reactive approach to treating fraud. It has contributed to combating fraud to a certain extent, automating some processes and garnering more data to evaluate, but the industry has to capitalize on real-time machine learning as well.

Without real-time learning, supervised machine learning is unable to forecast and offset unfamiliar fraud attacks, since it is dependent only on the data on previous fraud attacks. Also, these systems can only generate probability scores for each transaction, therefore still involving manual reviews.

Many fraud solutions on the market are built with machine learning, but they are built with only one machine learning model (e.g. Random Forest) and the belief that relying on one model will be sufficient in allowing them to detect and prevent coordinated fraud attacks, says Justin Lie, CashShield’s CEO.

"Most travel e-commerce merchants still rely on this single disciplinary approach, requiring historical data to make correlations detect anomalies. However, as fraudsters become increasingly sophisticated, using machine learning for their attacks, they can get ahead by flooding systems with so much fake data that they pass through undetected," cautioned Lie.

Lie added, "As such, deploying a multi-disciplinary approach combining different technologies - both supervised and unsupervised machine learning -  would better equip merchants to deal with fraud management. Unsupervised machine learning can be used to learn on the fly and identify fraudulent patterns even without having been trained with historical data, i.e. able to identify unknown fraud attacks. Thereafter, predictive analytics may still be used to run the probabilities of fraud, giving a risk score."

Unsupervised machine learning is able to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour, and is effective in identifying genuine customers as much as identifying fraudsters. Specialists recommend that pattern recognition, deep learning and stochastic optimization are also necessary for an optimized yes or no decision in real-time.

Making it work

Lie explained how the combination of unsupervised machine learning and supervised machine learning can work best in curbing fraud. He mentioned:

  • Supervised machine learning relies on historical data to predict and prevent further possibilities of fraud based on past fraud. The data set is labelled based on previous observations of fraud, with each record described as either fraudulent or genuine. This data set gives a historical representation of fraud, and transactions can then be judged fraudulent or not based on these labels. If a fraudster uses a known attack, fraudulent patterns can be identified and stopped before the fraud happens.
  • As for unsupervised machine learning, the data is unlabelled and the machine looks out for transactions which deviate from the norm. These transactions are classified into clusters, patterns across them are tracked, and it is then determined whether they are indicative of fraud. This new data is then labelled as either fraudulent or genuine. By learning on the fly, unsupervised machine learning is able to detect new forms of fraud and does not rely on historical examples. By analyzing millions of patterns in real time, it is able to self-learn and recognize new attack techniques, stopping fraud before it happens.
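The two bullets describe known-pattern matching and learning on the fly as complementary. The following added example (my own code, not CashShield's or the article's) shows that loop in miniature: a Gaussian naive Bayes model trained on a constructed labelled history, a running z-score novelty detector over unlabelled live traffic, and the analyst's label on a flagged transaction fed back so the supervised model catches the pattern next time. The feature names, thresholds and every transaction are assumptions made for the demo.

```python
import math
from collections import defaultdict

# Feature order per transaction: amount, hour of day, orders from this device
# in the last hour (velocity). All transactions below are constructed.
FEATURES = ("amount", "hour", "velocity")


class GaussianNB:
    """Supervised: per-label feature means/variances learned from labelled history."""

    def __init__(self, var_floor=1.0):
        self.var_floor = var_floor  # keeps a constant feature from dominating
        self.stats, self.prior = {}, {}

    def fit(self, rows, labels):
        by_label = defaultdict(list)
        for x, y in zip(rows, labels):
            by_label[y].append(x)
        for y, xs in by_label.items():
            self.prior[y] = len(xs) / len(rows)
            self.stats[y] = []
            for j in range(len(FEATURES)):
                col = [x[j] for x in xs]
                mean = sum(col) / len(col)
                var = sum((v - mean) ** 2 for v in col) / len(col)
                self.stats[y].append((mean, max(var, self.var_floor)))

    def p_fraud(self, x):
        logp = {}
        for y, st in self.stats.items():
            lp = math.log(self.prior[y])
            for v, (mean, var) in zip(x, st):
                lp += -0.5 * math.log(2 * math.pi * var) - (v - mean) ** 2 / (2 * var)
            logp[y] = lp
        m = max(logp.values())  # log-sum-exp for numerical safety
        return math.exp(logp["fraud"] - m) / sum(math.exp(v - m) for v in logp.values())


class ZScoreNovelty:
    """Unsupervised: running mean/sd per feature over accepted live traffic;
    a transaction is novel when any feature is more than k sd from that norm."""

    def __init__(self, k=3.0, sd_floor=0.5):
        self.k, self.sd_floor = k, sd_floor
        self.n, self.mean, self.m2 = 0, [0.0] * len(FEATURES), [0.0] * len(FEATURES)

    def novelty(self, x):
        if self.n < 2:
            return 0.0
        zs = []
        for j, v in enumerate(x):
            sd = max(math.sqrt(self.m2[j] / (self.n - 1)), self.sd_floor)
            zs.append(abs(v - self.mean[j]) / sd)
        return max(zs)

    def update(self, x):  # Welford's online mean/variance
        self.n += 1
        for j, v in enumerate(x):
            d = v - self.mean[j]
            self.mean[j] += d / self.n
            self.m2[j] += d * (v - self.mean[j])


class HybridScorer:
    """Known fraud is declined by the supervised model; unseen deviations go to
    review, and the analyst's label is fed back into the training set."""

    def __init__(self, history, labels):
        self.history, self.labels = list(history), list(labels)
        self.nb = GaussianNB()
        self.nb.fit(self.history, self.labels)
        self.novel = ZScoreNovelty()

    def assess(self, x):
        p, nov = self.nb.p_fraud(x), self.novel.novelty(x)
        if p >= 0.5:
            verdict = "decline"
        elif nov >= self.novel.k:
            verdict = "review"
        else:
            verdict = "accept"
            self.novel.update(x)  # only accepted traffic defines "normal"
        return verdict, p, nov

    def label(self, x, y):
        self.history.append(x)
        self.labels.append(y)
        self.nb.fit(self.history, self.labels)


def run_demo():
    genuine = [(45, 10, 1), (80, 14, 1), (120, 19, 1), (60, 12, 1), (95, 16, 1), (70, 11, 1)]
    fraud = [(650, 2, 1), (800, 3, 1), (720, 1, 1), (900, 4, 1)]  # large night-time buys
    scorer = HybridScorer(genuine + fraud, ["genuine"] * 6 + ["fraud"] * 4)
    verdicts = []
    for x in [(55, 9, 1), (110, 13, 1), (75, 18, 1), (90, 15, 1), (65, 20, 1)]:
        verdicts.append(scorer.assess(x)[0])         # ordinary traffic: accept
    verdicts.append(scorer.assess((780, 3, 1))[0])   # known pattern: decline
    novel = (60, 12, 40)  # small daytime orders, but 40 per hour from one device
    verdicts.append(scorer.assess(novel)[0])         # unseen pattern: review
    scorer.label(novel, "fraud")                     # analyst feedback
    verdicts.append(scorer.assess((58, 13, 38))[0])  # same pattern now declined
    return verdicts
```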

Blend of big data and machine learning

The combination of big data and machine learning allows more effective fraud prevention. Big data is first used to gather details about the user’s behaviour on the website (e.g. the movement of the mouse), which is then combined with machine learning. Pattern recognition is used to match this user's behaviour against either authentic or fraudulent behaviour. Alongside this, predictive analytics comes into play to record positive/negative behaviour and apply it to future transactions for probable signs of fraud. Finally, an optimized fraud risk algorithm is relied upon to decide whether or not to accept a transaction based on the calculated risk, so as to best optimize sales while controlling fraud and chargeback rates.

"Big data allows for more data collected - but relevant data is more important than collecting more data. Collecting data from the merchant’s website and behavioral data beyond payment data will be useful for analysis on the user’s behavior - whether good or bad," mentioned Lie.

A transaction may be sliced into multiple data points, where it may then be combined with real-time machine learning to match patterns through the permutations and combinations of the data points, as well as to identify when fraudsters make micro-changes between transactions (such as changing the device from iOS to Android between transactions to seem like the transactions come from a different source). As it turns out, most systems are still relying on a single disciplinary approach, and a multi-disciplinary approach that combines big data, predictive analytics and real-time machine learning would be more effective in detecting coordinated fraud attacks, recommended Lie.

Act and take charge

Travel merchants need to defend themselves adequately by using machine learning, and at the same time there needs to be reliance on rules and the human component (intervention and feedback) as well.

Merchants should learn to discern and understand the different types of machine learning, and be sure to know whether the fraud solution uses only predictive analytics or covers more bases with more than one kind of machine learning. Machine learning technologies are not yet commonly deployed to secure accounts, even though machine learning, and especially real-time machine learning, can be applied to account protection.

Lie concluded with a word of caution for merchants: many merchants are still reliant on manual reviews, which means that even if they improved their machine learning algorithms and systems, they would still be held back by the end process of manual reviews and human error.

 


 

Ai Editorial: How to stop fraud rings from using stolen or synthetic identities?

First Published on 29th May, 2018

Ai Editorial: The issue of identity theft or payments fraud isn’t new. But the functioning of fraud rings, in which fraudsters band together in organized groups, continues to get sophisticated, writes Ai’s Ritesh Gupta.  

 

Merchants are used to enticing online shoppers on their digital platforms, letting them select their preferred product via filters, visualize their shopping cart and eventually wrap it up via a frictionless check-out process. Now imagine the merchant being an illegitimate seller of stolen credit card details and offering the same shopping experience on the dark web! Fraud rings and the way they operate are streamlining the sale of credit card details and other associated information for $10 or so. Specialists point out that a sense of security is the worst possible thing that the likes of airlines and other travel merchants can hang on to.

Continuous and a bigger threat

The team at Riskified highlights two pertinent points related to fraud rings. First, at the end of the day no entity is safe from the assault of fraud rings. Second, these groups “tend to strike big, and have access to technology and resources that are unavailable to solo or less professional fraudsters”. From automated bot attacks to organized account takeovers, fraudsters are working out new ways to dupe, and at a rapid pace.

As one of the routes chosen to dupe genuine customers, these fraud rings find a way to verify fraudulent transactions by contacting the phone/mobile service provider to swap a victim’s phone number onto a new SIM card the scammers own. Criminal cases have shown that fraudsters have spotted a major vulnerability in the way banks use their customers’ mobiles to identify them. (A couple of days ago one such case emerged in the U.K., where a victim had his £17,000 mortgage deposit cleared out of his bank account after fraudsters managed to move his number onto a new SIM.) Such incidents indicate that fraud rings have access to detailed information about victims, whether via data breaches or from the dark web, where they obtain batches of credit card numbers complete with CVV, expiration date etc. So the stakeholders involved need to adopt a stringent authentication mechanism. As for how fraud specialists like Riskified are helping retail companies, they observed that such transactions featured first-time customers and were initiated using a particular phone carrier and a relatively small and uncommon ISP, and that there is a way to turn down all resulting fraud attempts without impacting authentic orders.

Synthetic identity fraud

Another alarming trend as far as fraud rings are concerned is synthetic identity fraud. This type of fraud does not involve taking over existing identities; it emerged as financial institutions improved how they prevent and detect traditional identity fraud, which pushed fraudsters towards synthetic identities. It is initiated by using a blend of fake information, such as a fictitious name, along with real data, to set up fraudulent accounts. For instance, the Social Security numbers (in the U.S.) targeted most are ones that are infrequently used or belong to people less likely to use their credit actively. Scammers set up fake identities using potentially valid Social Security numbers with mismatched personally identifiable information (PII). So there could be a real address and the Social Security number may seem authentic, but the combination of number, name and date of birth does not match any one person.

A major problem is the fact that it often is not identified as fraud and the crime can go undetected for an indefinite period. Criminals and other fraudsters rely in large part on the credit reporting system to create and use these synthetic identities.

The account can remain active, and fraudsters may capitalize on credit line increases and enhanced credit standing. Finally they max out the credit line and vanish without a trace. For those who are or could be impacted, synthetic identity fraud isn’t easy to identify and prevent. According to a report released last year by the United States Government Accountability Office, banks can lose an estimated $50-$250 million in a year from synthetic identity fraud-related unpaid debt. The report also highlighted that fraudsters exploit credit bureau procedures to improve their credit history by getting legitimate credit users to act as accomplices and add synthetic identities as “authorized users” on accounts in good standing. Over a period that can span months or years, identity thieves may make small charges and clear them, too. This way they build up a decent credit score and gain higher credit limits. In the end, they typically charge the maximum amount on the credit cards for transactions such as airline tickets; this stage is known as the “burst out”.

The industry is on the lookout for astute detection tools to detect and prevent this type of fraud. Advanced data analytics and biometrics are being recommended as solutions.

Key takeaways to curb the activity of fraud rings:

·          Focus on how devices and accounts are connected in order to competently unearth the activity of fraud rings. Device behavior analytics covers transactions from TOR, high-risk locations, IPs and ISPs, geo-location, IP address and time zone mismatches, etc.

·          Investigate anything that seems unusual or suspicious.

·          Explore how collaboration such as a cross-industry approach or contributing in fraud intelligence can help law enforcement identify, investigate and prosecute fraud.

·          How can unsupervised machine learning play its part in ascertaining correlations and linkages to find fraud rings? How can the combination of unsupervised and supervised machine learning help? How are specialists evaluating unconventional data points, integrating different data streams (structured, unstructured, real-time etc.) and relying on machine learning models to curb the threat of fraud rings?

·          Feed analytical signals about unusual conduct and normal trends as features into the technical fraud detection process.
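To make the first takeaway (how devices and accounts are connected) and the earlier point about fraudsters switching devices between transactions concrete, here is an added example that is not Riskified's or the article's code: it links accounts through shared device IDs, card hashes and IP addresses with a union-find structure and reports connected groups above a size threshold. The attribute names, the constructed orders and the threshold are assumptions.

```python
from collections import defaultdict

LINK_KEYS = ("device_id", "card_hash", "ip")  # attributes that tie accounts together


class DisjointSet:
    """Union-find over account ids."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts(orders, min_ring_size=3):
    """Accounts are linked when they share any LINK_KEYS value. Returns
    [(sorted member tuple, sorted 'key=value' links), ...] for every connected
    group of at least min_ring_size accounts."""
    ds = DisjointSet()
    users_of = defaultdict(set)  # (key, value) -> accounts that used it
    for o in orders:
        ds.find(o["account"])
        for k in LINK_KEYS:
            users_of[(k, o[k])].add(o["account"])
    for accounts in users_of.values():
        first = next(iter(accounts))
        for a in accounts:
            ds.union(first, a)
    groups = defaultdict(set)
    for a in ds.parent:
        groups[ds.find(a)].add(a)
    rings = []
    for members in groups.values():
        if len(members) >= min_ring_size:
            links = sorted(f"{k}={v}" for (k, v), accts in users_of.items()
                           if len(accts & members) > 1)
            rings.append((tuple(sorted(members)), links))
    return sorted(rings)


def find_rings():
    """Constructed orders: four accounts chained through one card, one IP and
    one device (the device changes between orders, as the article describes),
    two unrelated shoppers, and a household pair that only shares an IP and
    therefore stays below the size threshold."""
    orders = [
        {"account": "acct1", "device_id": "dev-X", "card_hash": "card-A", "ip": "ip-1"},
        {"account": "acct2", "device_id": "dev-Y", "card_hash": "card-A", "ip": "ip-1"},
        {"account": "acct3", "device_id": "dev-Z", "card_hash": "card-B", "ip": "ip-1"},
        {"account": "acct4", "device_id": "dev-Z", "card_hash": "card-C", "ip": "ip-2"},
        {"account": "acct5", "device_id": "dev-P", "card_hash": "card-D", "ip": "ip-5"},
        {"account": "acct6", "device_id": "dev-Q", "card_hash": "card-E", "ip": "ip-6"},
        {"account": "acct7", "device_id": "dev-R", "card_hash": "card-F", "ip": "ip-3"},
        {"account": "acct8", "device_id": "dev-S", "card_hash": "card-G", "ip": "ip-3"},
    ]
    return link_accounts(orders)
```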

 


 

 

Ai Editorial: Why consumers are proving to be the weakest link in ATOs?

First Published on 4th May, 2018

Ai Editorial: The level of awareness about hacking and data breaches has gone up, but a feeble approach towards password management is paving the way for hackers to steal confidential information, writes Ai’s Ritesh Gupta

 

Coming to grips with the issue of account takeover (ATO) isn’t a straightforward task, and a major reason for this is poor password hygiene.

Consumers are proving to be the weakest link in the fight against ATO fraud. According to the findings of a recent analysis by password management specialist LogMeIn’s LastPass, nothing much has changed over the last two years when it comes to creating and handling passwords. This matters because stolen passwords put all account-based online services under threat.

The level of awareness about hacking and data breaches has gone up, but a feeble approach towards password management is paving the way for hackers to steal confidential information. In its Psychology of Passwords research, LogMeIn refers to the following traits of individuals, representative of society at large, and explains why people fall short of taking action:

The issue of same passwords: The majority of the 2,000 respondents have between one and 20 online accounts for work and personal use. When it comes to password creation, nearly half indicate there is no difference between the passwords created for these accounts. This habit is dangerous, and it helps hackers do their job. Let’s say a customer has an account with both Starbucks and Lufthansa. If there is a data breach at Starbucks, Lufthansa hasn’t faced any attack and is safe from that perspective; but if the user happens to use the same login credentials for both companies, then the credentials are exposed to illegitimate use elsewhere. The fear of forgetfulness is the major reason for using the same password for multiple accounts. Despite being aware of the security risks of weak passwords or even breaches, people tend to avoid taking action. They stick to the same passwords and don’t change them often. Even millennials, a group supposedly well-versed in technology, mostly reuse passwords for fear of forgetting, and commonly use a variation of one or two passwords they can remember.

On the positive side, according to the same study, more users are opting for more secure password storage and automated password resets to overcome the anxiety of failing to recall.

 

Onus on merchants 

The scale and sophistication of breaches are increasing, and this is resulting in more ATOs. These takeovers are increasingly performed at scale by bots, as well as manually. Hackers use scripts that try different combinations of stolen usernames and probable passwords across numerous websites and apps until they find a way in. Travel e-commerce companies suffer from chargebacks, loyalty fraud, resources spent on resolving issues, etc. Companies like Google highlight that enterprising hijackers are persistently looking for, and are able to gain access to, a plethora of platforms’ usernames and passwords on black markets.

Specialists such as Sift Science recommend that airlines and other travel companies be proactive, especially considering that “everyone’s credentials have already been compromised”. The company recommends the following measures:

Ø  Schedule regular evaluation of models and rules to ensure they are updated once bad signals are uncovered.

Ø  Keep informing and educating customers about the significance of passwords. There might not be anything new in these instructions, but reiterating the importance of strong passwords can help: for instance, constructing unique passwords that include a mix of upper- and lowercase letters, numbers and special characters, and directing users not to reuse the same passwords. The password database needs to be secure, too.

Ø  Create awareness about the root cause of ATOs: Fraudsters get access to stolen credentials from a number of sources. These include:

·          From data breaches, sold on the dark web

·          Phishing with fake websites

·          Malware, trojans, spyware

·          Social engineering

·          Hijacking a mobile device

Ø  Stringent verification: Keep a vigil on aspects like IP, cookie, device ID, session history, event velocity and key-logging. If there is a sign-in from a device a user hasn’t used before or from a location that isn’t associated with the account, companies need to seek additional information before allowing access. Verification is a blocking event: once sent, the respective activity (login or another) cannot proceed until the verification is successfully completed. Dynamic challenges apply two-factor authentication to all doubtful logins, while allaying the danger of account lockout.

Ø  Looking beyond passwords: Airlines need to look for more protections beyond just passwords. The claim to own an account needs to be handled carefully. Machine learning comes in to understand user behavior. Advances in computing and big data power, as well as the growing prominence of API-based machine learning solutions, mean that machine learning is emerging as a scalable method to grow without increasing risk. It identifies patterns in data that humans don’t spot, so it can result in fewer false positives and false negatives.
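The risk-based approach from the first article (assess logins in the background and step up to 2FA only for borderline risk) and the signals listed under “Stringent verification” above can be combined into a simple login gate. The following is an added illustration, not Sift Science's or CashShield's code; the signal weights, thresholds, the five-minute velocity window and the constructed login events are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AccountProfile:
    """What the account has been seen with before (constructed for the demo)."""
    known_devices: frozenset
    known_countries: frozenset


@dataclass
class LoginEvent:
    user: str
    device_id: str
    ip: str
    country: str
    ts: int  # unix seconds


class LoginRiskGate:
    """Scores a login from device ID, location and event velocity and returns
    allow (no friction), step_up (ask for 2FA) or block."""
    NEW_DEVICE = 40
    NEW_COUNTRY = 40
    IP_SPRAY = 60      # one IP cycling through many accounts in a short window
    STEP_UP_AT = 40    # an unfamiliar device or location alone triggers 2FA
    BLOCK_AT = 100

    def __init__(self, window_s=300, spray_accounts=5):
        self.window_s = window_s
        self.spray_accounts = spray_accounts
        self._ip_hist = defaultdict(deque)  # ip -> deque of (ts, user)

    def _accounts_seen_from(self, ip, ts):
        hist = self._ip_hist[ip]
        while hist and ts - hist[0][0] > self.window_s:
            hist.popleft()  # drop events outside the sliding window
        return len({u for _, u in hist})

    def score(self, ev, profile):
        score, reasons = 0, []
        if ev.device_id not in profile.known_devices:
            score += self.NEW_DEVICE
            reasons.append("new_device")
        if ev.country not in profile.known_countries:
            score += self.NEW_COUNTRY
            reasons.append("new_country")
        if self._accounts_seen_from(ev.ip, ev.ts) >= self.spray_accounts:
            score += self.IP_SPRAY
            reasons.append("many_accounts_from_ip")
        return score, reasons

    def decide(self, ev, profile):
        score, reasons = self.score(ev, profile)
        self._ip_hist[ev.ip].append((ev.ts, ev.user))  # record after scoring
        if score >= self.BLOCK_AT:
            verdict = "block"
        elif score >= self.STEP_UP_AT:
            verdict = "step_up"
        else:
            verdict = "allow"
        return verdict, score, reasons


def run_demo():
    gate = LoginRiskGate()
    alice = AccountProfile(frozenset({"dev-A1"}), frozenset({"DE"}))
    verdicts = []
    # Alice on her usual laptop from Germany: no friction at all.
    verdicts.append(gate.decide(LoginEvent("alice", "dev-A1", "203.0.113.7", "DE", 1000), alice)[0])
    # Alice on a new phone, still in Germany: borderline, so ask for 2FA.
    verdicts.append(gate.decide(LoginEvent("alice", "dev-A2", "203.0.113.7", "DE", 1060), alice)[0])
    # One IP trying six different accounts with fresh device IDs within seconds:
    # each attempt is stepped up, and once five accounts have been seen the
    # velocity signal pushes the next one over the block threshold.
    for i in range(6):
        victim = AccountProfile(frozenset({f"dev-{i}"}), frozenset({"DE"}))
        ev = LoginEvent(f"user{i}", f"bot-{i}", "198.51.100.9", "BR", 2000 + i)
        verdicts.append(gate.decide(ev, victim)[0])
    return verdicts
```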

 

For Ai’s 2018 Events, check - www.aieventdates.com


 

 

Ai Editorial: Why having a core data asset isn’t enough?

First Published on 6th April, 2018

Ai Editorial: In the wake of recent concerns related to data privacy, and ongoing cases pertaining to a breach, leak or attack on personal data, it is imperative for travel companies to take stringent action, writes Ai’s Ritesh Gupta

 

The significance of a company-owned core data asset can’t be overstated, but this also places an additional onus on travel companies to look at critical areas, be it the privacy of customers, data privacy laws, or the action that needs to be taken in case of a breach, leak or attack on personal data.

This will be a key topic of discussion at the upcoming 12th edition of Ai’s Ancillary Merchandising Conference, slated to be held next week in Edinburgh, Scotland. Considering recent incidents such as the fiasco featuring Facebook and Cambridge Analytica, and the General Data Protection Regulation (GDPR), for which the compliance deadline is May 25th, 2018, travel companies have to ensure they abide by data protection rules across Europe and other parts of the world.

Getting the basics right

Here are some of the areas that need to be taken care of:

Responsibility towards travellers: Travel companies need to provide consumers with control over how their data is used. It is time travel companies find ways to request, receive and capture customer consent to the use of their personal data.

In fact, under the GDPR, the legal basis must be a “freely given, specific, informed and unambiguous consent by clear affirmative action”, together with a right to withdraw consent, which must be brought to the individual’s attention. GDPR requires explicit and informed consent from EU residents for collecting and using their personal data.

In the case of a customer data platform, as we highlighted in one of our recent articles, travel companies need to be aware of registered consent when accessing customer data (data coming from any touchpoint and system, and any related computation or processing, must be handled in line with that consent, assessing how the data is being used, what data is being used and for how long it can be used), address data audits in a speedy, exhaustive manner (for example, who has been accessing data), and ensure consent is respected across all touchpoints (including integration with consent registration databases). The core data asset, say a customer data platform, needs to collect, manage and store personal data responsibly. This is where the upcoming regulation, GDPR, comes in.

(Hear from experts about GDPR at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year (9-11 April, 2018). For more info, click here)

Understanding the responsibility as an enterprise: Other than consent, organizations need to assess several other areas. Here too, GDPR is an apt benchmark for assessing preparedness.

  • What is the definition of personal data?
  • Who is liable? For instance, GDPR extends liability to all organizations that touch personal data.
  • Understand the checklist for data controllers and data processors. For instance, as explained in the GDPR, controllers have to adhere to compliance measures covering how data is collected, how it is used, how long it is retained, and making sure consumers have the right to access the data held about them. As for data processors, controllers must bind them to certain contractual commitments to ensure that data is processed safely and legally.
  • Processing must be paused if an objection is raised by an individual.
  • What if an organization is probed/summoned/asked to perform a data audit for a specific customer?
  • How can a customer data platform help in making the most of the available data while complying with both the contractual and technical challenges posed by GDPR?

 

Other recent articles on GDPR:

Ai Editorial: As trust around “personal data” wanes, hopes hinge on a stringent regulation

Ai Editorial: How is your GDPR transformation process coming along?

Ai Editorial: As trust around “personal data” wanes, hopes hinge on a stringent regulation

First Published on 21st March, 2018

The uproar about the reported “data breach”, featuring Facebook and Cambridge Analytica, a political data analytics entity, has raised concerns around the handling of “personal data”, writes Ai’s Ritesh Gupta  

 

Trust in the way personal data is managed has taken a beating over the past few days, following reports about how data on Facebook users was used to target political ads, mainly to aid then-U.S. presidential contender Donald Trump in forecasting and tilting voters’ choices at the ballot box. According to a report by Reuters, Scott Vernick, a partner and expert in privacy and data security at the Philadelphia law firm Fox Rothschild, said that Facebook “lost control of the data and wasn’t adequately monitoring what third-parties were doing”. Facebook stated that people knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked. Even though Facebook has defended its position, the impact of the General Data Protection Regulation (GDPR) on organizations of Facebook’s stature, and on the way personal data is collected and managed, is coming to the fore. This regulation places greater emphasis on consumer consent and transparency in the collection and use of personal data.

As we highlighted in one of our recent articles, travel e-commerce companies have been assessing their existing level of data protection compliance, as GDPR comes into force on 25th May this year.

Data being illegally acquired and used

The impact of this regulation would be extensive, as it applies not just to entities based in Europe, but to any organization that holds or processes personal data of individuals residing within the European Union (EU).

The fact that the ICO (Information Commissioner’s Office), the UK’s independent body set up to uphold information rights, is looking at investigating the use of personal data for political campaigns (with reference to the acquisition and use of Facebook data by Strategic Communication Laboratories, University of Cambridge psychology professor Dr. Aleksandr Kogan and Cambridge Analytica) shows that organizations need to ensure they don’t get embroiled in any controversy over data being illegally acquired and used. Elizabeth Denham, Information Commissioner, stated that it is important that the “public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy”.

Considering that businesses have to stay watchful for possible criminal and civil enforcement actions arising from any irregularity, it is better to gear up for a regulation like GDPR in earnest. So it would be better to study the budgetary, IT, personnel, governance and communications implications of GDPR at this juncture. This would mean businesses not only defend themselves against any potential fine or penalty, but also ensure that the trust of their customers doesn’t get broken.

Time to embrace accountability

There is a checklist for data controllers and data processors.   

Certain companies are going to process personal information as both a controller and a processor. So in such cases it is recommended that they complete the required assessments, both for a controller as well as a processor.

According to the ICO, organizations should get into the details of the new regulation and how it would potentially affect their business model, and plan accordingly.

Some of the areas that travel e-commerce companies can dwell on are:

  • Senior management needs to be aware that the law is changing to the GDPR; preparing diligently could also help them be accountable in other regions, too.

  • Be in control of what personal data the organization holds, where it came from, and, if it is going to be disclosed to other parties or partners, who they are.

  • Clarify and account for the basis for processing the data, and the period for which it is going to be retained.

  • Be aware of an individual’s rights. According to the ICO, under the GDPR, rights for individuals include the right to be informed, the right of access, the right to rectification, the right to restrict processing, etc.

  • Be ready to effectively detect, report and investigate a personal data breach.

Before organizations commit any error, knowingly or unknowingly, it would be better to dig deeper into the way personal data is being collected, its source, its processing etc., to ensure they are in control of the situation. And a regulation such as GDPR could well prove to be a new benchmark in areas such as training employees about the new regulations and their impact on data handling and breach notification. GDPR has come at a stage when there is a lack of trust among customers (concerns about privacy and a lack of trust in brands being among the most prominent). It is also expected to raise awareness among customers about data collection and eventually encourage them to trust brands.

Hear from experts about GDPR at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year (9-11 April, 2018).

For more info, click here

                        

For Ai’s 2018 Events, check - www.aieventdates.com

Follow Ai on Twitter: @Ai_Connects_Us

 

 

Ai Editorial: Is machine learning showing e-commerce the “money”?

First Published on 13th March, 2018

Ai Editorial: Be it for having a bigger say in the inspiration phase or coming up with relevant recommendations on a mobile device in real-time or improving the conversion rate, machine learning is playing a bigger role than ever, writes Ai’s Ritesh Gupta

 

Airlines are finding ways to have a bigger say in the booking funnel, and one critical way to do so is machine learning, a technology in which computers identify patterns in data.

What this essentially means is that airlines are taking a comprehensive look at all user activity on their digital assets and then acting on the resulting data to eradicate hurdles in the shopping journey. For instance, how to single out a real shopper who is about to complete a transaction from a fraudster who is trying to trick the system? Another area is how to come up with a recommendation about a trip that in all probability would garner the attention of the traveller and get them close to completing a booking on airline.com. So from the early part of the booking funnel to the closing stages of a transaction, machine learning is playing its part more deeply than ever.

Here we look at a couple of areas that can result in better control over the passenger experience:

Inspiration phase: It is being highlighted that inspiration leads to conversion. As LikeWhere states, airlines facilitating travellers in the inspiration and planning phase will be best positioned at the booking phase. So rather than offering loads of content, build on a layer of intelligence and display destination images, videos etc. as per the trip motive, lifestyle preferences etc.

Of course, for this airlines need to focus on first-party data. Carriers, too, realize that they can capitalize on the richness and size of data sets quite unique to their own organization. The ideal situation would be to generate enough data within your own user ecosystem to truly understand where and why people are planning to travel. “Once you have user-specific data, you can understand the purchase journey and also what to recommend. Once you work on a profile of a user, you can understand travel habits and accordingly recommend something relevant, contextual,” points out Gillian Morris, CEO, Hitlist. When it comes to recommending, a way to build affiliation is by focusing on personalizing destination discovery. Here machine learning contributes by letting airlines match locations with the lifestyle preferences of their customers. The key here is to deliver a nuanced recommendation, to “humanise” the available data. As for what to recommend or what to consider before offering something to the traveller, Morris says, “People aren’t going to a destination, they’re going on a trip. In addition to destination and price, equally important are timing (say weekend vs. weekdays) and social context (family, individual, colleagues etc.).”

If airlines don’t act fast (on their own or by integrating their interface with a machine learning specialist), then they are bound to lose. Why? Because Google, Facebook etc. are in an advantageous position, just like Alibaba and Tencent in China. And then online travel groups like Ctrip.com are getting more sophisticated with every passing day. For instance, the team at Trip.com, the Palo Alto, California-based company acquired by Ctrip late last year, is counting on its predictive artificial intelligence (AI) to understand various traits of a traveller: personality, interests, style and budget. So what attracted Ctrip to Trip.com? Travis Katz, Trip.com’s co-founder and CEO, referred to the predictive AI technology behind its travel recommendations, based around a set of contextual signals, and an engaged community, which has contributed content that complements the core technology.

(Read how JetBlue is capitalizing on artificial intelligence for trip planning, via a partnership with Utrip, a destination discovery and planning platform that helps in crafting a personalized, hour-by-hour vacation itinerary, and a lot more.)

Monetization: Companies like LikeWhere assert that by engaging right from the inspiration phase, airlines can go for a fruitful association in the form of monetizing clicks. “Once we establish certain parameters with a customer we use machine learning to add value, through informing more contextual recommendations. Our product (recommendation engine) enables airlines to begin their customer lifecycle earlier in the inspiration phase which positions them for the booking/ancillaries – that’s where the monetization is,” says Matt Walker, Chief Storyteller at LikeWhere.

By preparing to serve content in earnest, airlines can also build a deeper association that goes beyond air and air ancillaries. For instance, if an airline knows a traveller is in the middle of a trip (better still if the passenger booked the flight itinerary with them), then it can use the contextual signals provided by a mobile device to come up with recommendations. So, for example, at 8AM the app knows you are most likely looking for breakfast or coffee and can show you things nearby, whereas at 9PM it understands you are either looking to go out or planning your next adventure, and adapts the content accordingly. Similarly, if it’s raining where you are, the app understands this and recommends things to do indoors. These are all signals that are taken into account, and the ideas are offered in real time.

Improving the conversion rate and managing fraud: If airlines adopt a risk-averse approach to managing card-not-present fraud, then sales can suffer tremendously. The limitations of traditional rule-based fraud offerings and the reliance on manual reviews are coming to the fore. With machine learning, the system knows when to skip rules because positive behaviour has been detected. Moving towards machine learning allows airlines to remove the unnecessary rules that would otherwise have blocked genuine customers. The combination of big data and machine learning allows more effective fraud prevention.

With data, including sets garnered from airlines, specialists focus on signals that aren’t just related to transactions, but also to buying patterns, post-booking behaviour etc. Specialists churn the data through various permutations and combinations to identify potential fraud patterns left behind by fraudsters who have made micro-changes between transactions in one coordinated fraud attack to trick the system. Using real-time pattern recognition, even micro-changes can be proactively identified and tagged to the same fraud pattern group. The data that Sift Science leverages includes attributes associated with the identity of a user, behavioural data (browsing patterns, keyboard preferences etc.), location data, device and network data, transactional data, decisions (business actions taken), third-party data (geo data, currency rates, social data etc.), plus custom data that is specific to a particular merchant. So the purpose of maximizing legitimate transactions as well as avoiding fraudulent transactions is being served by machine learning.

 


 

Ai Editorial: How is your GDPR transformation process coming along?

Ai Editorial: General Data Protection Regulation or GDPR compliance is a complex journey. It demands enterprise-wide introspection, be it for keeping a tab on the use of personal data or breach prevention or training of employees, writes Ai’s Ritesh Gupta

 

Travel e-commerce companies have been assessing their existing level of data protection compliance, as GDPR comes into force on 25th May this year. The impact of this regulation would be extensive, as it applies not just to entities based in Europe, but to any organization that holds or processes personal data of individuals residing within the European Union (EU).

What makes meeting compliance challenging is the fact that there is no silver bullet and no shortcut to becoming GDPR compliant. For instance, security experts can help in ensuring that unprotected PII data is identified, whereas marketing technology specialists would check how personal data is being used and how to put registered consent in place when accessing customer data.

The travel industry will be impacted due to the large volume of personal and sensitive data it processes about travellers.

The regulation, which places greater emphasis on consumer consent and transparency in the collection and use of personal data, impacts those entities engaged in administering or managing personal data within the EU or the European Economic Area (EEA). There are more aspects to the impact of GDPR on travel organizations, including offering services to citizens in this area, scrutinizing the conduct or behaviour of people as part of a data strategy, etc. Going deeper, organizations within Europe that are associated with or avail themselves of the services of third-party companies based outside the EU/EEA have to ensure their partners and vendors comply with GDPR when acting on behalf of these businesses. To summarize, this regulation impacts data controllers (which collect data) and data processors (which process data on behalf of a data controller). In November last year, the law specialist firm Axiom indicated that global companies had millions of contracts between controllers and processors that needed to be identified and remediated by May 2018, at a cost of more than $1.06 billion.

One way to evaluate the significance of the European Union’s GDPR is the consequence of an organization’s failure to meet the requisite compliance. It can result in bad PR plus a hefty penalty, too, which can reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher. But more importantly, in terms of being data-centric and connecting the dots along a traveller’s entire journey, it offers an even bigger opportunity. Here are a few aspects that are being discussed as of today:

  • Impact on the ownership of data: Before delving into how the GDPR impacts companies focused on data, the definition of personal data needs to be understood. It isn’t only about conventional personally identifiable information, say a name or an email id. Rather, it also covers identifiers that may, when combined with other data, identify an individual. Of course, airlines are getting used to this definition of personal data. Businesses have been keen on counting on any signal or identifier that helps them to stitch together a profile and know the preferences and behaviour of their customers. So this new ruling will definitely have an impact on how travel companies collect, manage, and store personal data. Considering that we are in the era of a single view of passengers and travellers, one in which airlines are looking at what’s happening across a user’s every search, what they browse, their booking and their journey, airlines need to re-examine the way they manage data, and plan for new processes and technologies enabling the consumer’s right to “own” their data. GDPR is not only about winning the trust of customers; it is also having an impact on enterprise-wide functioning. In fact, GDPR is fuelling the drive towards digital transformation, and towards competing better with data-rich ecosystems or companies such as Alibaba, Google and Facebook.
  • Winning over the trust of customers: GDPR has come at a stage when there is a lack of trust among customers (concerns about privacy and a lack of trust in brands being among the most prominent). Plus, companies are also pursuing personalization in a big way. But for this to work, data is of paramount importance, and consumers won’t share data with companies they don’t trust. GDPR will raise awareness among customers about data collection and eventually encourage them to trust brands. Expect competition from companies that mishandle or misuse data to go down. Also, rather than considering security and customer experience separately, this development paves the way for a more holistic view of the customer experience.

Readiness

GDPR compliance is a complex journey. A couple of areas that demand attention include keeping a close tab on the use of personal data and breach prevention.

  • Personal data: According to NGDATA (which conducted a webinar this week, titled “Maximize the value of customer data within the boundaries of GDPR”), there is a need to be aware of registered consent when accessing customer data (so for data coming from any touchpoint and system, the related computation or processing is to be done in line with consent; assess how the data is being used, what data is being used and for how long that data can be used), to address data audits in a speedy, exhaustive manner (say, who has been accessing data) and to ensure there is consent across all touchpoints (including integration with consent registration databases).
  • Breach prevention: It becomes extremely important for airlines to come to grips with their technical and organizational security measures, and appraise their respective cyber insurance policies to ensure they sufficiently cover the costs of a data breach. It is also being highlighted that the regulation requires data controllers to inform their national regulator of a data breach within 72 hours of discovering it, “if the breach is likely to result in a risk to the rights and freedoms of individuals.” As highlighted by Foregenix, the potential fines suggest that “any form of negligence or poor governance where data breaches are concerned is likely to prove extremely costly. And that's without factoring in the cost of legal representation to defend your position”.
  • Being responsible: It is vital to train and educate employees about the new regulations and impacts on data handling and breach notification, and every individual has a responsibility to ensure their role doesn’t contribute to the leakage of PII. According to Foregenix, being aware of what data a business requires, how it is used and how it flows around the organization will be essential for achieving and maintaining compliance with GDPR. Also, security awareness training modules including one for GDPR can help in preparing the whole team.

 


 

Ai Editorial: Blacklists and fraud prevention - not an ideal match for sure

First Published on 27th February, 2018

Ai Editorial: Blacklists rarely work because hackers will never use the same credit card information twice, while whitelists are inaccurate since whitelisted customers can be compromised anytime, writes Ai’s Ritesh Gupta

 

The introduction of new fraud prevention methods is keenly followed in the travel e-commerce sector. Cutting down on vulnerability, be it to data breaches, friendly fraud or card-not-present (CNP) fraud, is high on the agenda of travel merchants.

On the flip side, if the fraud prevention strategy ends up being too defensive, then the predicament of blocking genuine customers surfaces. One area that needs attention is the usage of blacklists.

The rejection of legitimate travel shoppers is indeed a big issue, especially considering the fragmented nature of shopping in this category, which, for a typical holidaymaker, tends to culminate only after heavy research spanning multiple sessions. And from the customer experience or conversion perspective, if such a rejection takes place on airline.com, then it means losing the shopper after battling for them with OTAs, meta-search engines etc.!

A case in point: a Singapore-based traveller, who is a tennis enthusiast, intends to visit San Francisco. He has finalized his trip and is keen on shopping for tennis-related goods. He decides to get them delivered to the hotel in San Francisco where he has chosen to stay. Why? Because he would save on shipping-related expenditure by choosing this option. So what might have been a crucial to-do item on a holidaymaker’s much-awaited trip simply gets ruined by an inefficient fraud detection system. Specialists point out that such authentic buyers can suffer and their orders do get declined, as certain shipping addresses can pose glitches for fraud review systems. As it turns out, a number of seemingly dissimilar orders all being shipped to a particular address can be flagged as an aberration. And if one bad or illegitimate order is shipped to one such property, then this address might end up being marked on a blacklist.

Dealing with the issue of blacklists

Spotting suspicious shoppers and keeping them at bay by evaluating all the transaction details and adding them to a blacklist isn’t a new practice. This is generally done in cases where a merchant has had to face a chargeback; to block such shoppers again, they are blacklisted and prevented from placing another order in the future.

But such initiatives, where businesses are even automating blacklists, i.e. defining rules to automatically block suspicious attempts, need to be looked at critically. It could mean declining a genuine transaction from an email or IP address that had previously been put on the blacklist. In such a scenario, filters check a transaction’s legitimacy by scrutinizing and inspecting a traveller’s IP address, location or area, credit card number, email id etc. So how is this method failing? If one email id is barred, there is no guarantee that a fraudster can’t find a way around it, because a fraudster can amend it to a permutation that isn’t identifiable. For example, in the case of Hotmail, users can add a period anywhere in the email address. The average blacklist isn’t able to spot that [the three example addresses are not preserved on this page] are all the same email address. It is quite common to create a similar-looking email address and circumvent the controls enforced by a system.
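To show the normalization step a defender would put in front of such a list, here is an added example (not code from the article or from any vendor it quotes): it canonicalizes addresses before matching, so inserted dots, case changes and “+tag” suffixes collide with the originally blocked address instead of slipping past an exact-string check. The provider domain example-mail.test, its dot- and tag-insensitivity, and the sample blacklist are constructed assumptions, not a description of any real provider.

```python
"""Canonicalize e-mail addresses before matching them against a blacklist.

Added example, not code from the article or from any vendor it quotes.
Assumptions (constructed for illustration):
  * DOT_INSENSITIVE_DOMAINS lists providers that ignore dots in the local
    part, the behaviour the article describes; the hypothetical domain
    "example-mail.test" stands in for such a provider.
  * PLUS_TAG_DOMAINS lists providers that ignore a "+tag" suffix.
  * SAMPLE_BLACKLIST and SAMPLE_ATTEMPTS are constructed sample data.
"""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

DOT_INSENSITIVE_DOMAINS = {"example-mail.test"}   # hypothetical provider
PLUS_TAG_DOMAINS = {"example-mail.test"}          # hypothetical provider

# Minimal shape check: one "@", no whitespace. Not a full RFC 5322 parser.
_EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def canonical_email(address: str) -> Optional[str]:
    """Return a normalized form so that trivial permutations collide.

    Steps: trim and lower-case the whole address (treating the local part
    as case-insensitive is a normalization choice, not an RFC guarantee);
    strip a "+tag" for providers that ignore it; drop dots in the local
    part for providers that ignore them. Returns None for strings that
    are not even shaped like an address.
    """
    m = _EMAIL_RE.match(address.strip().lower())
    if not m:
        return None
    local, domain = m.group(1), m.group(2)
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


class EmailBlacklist:
    """Blacklist that stores canonical forms, so a permutation of a
    previously blocked address is still recognised."""

    def __init__(self, addresses: Iterable[str] = ()) -> None:
        self._blocked: Set[str] = set()
        for a in addresses:
            self.add(a)

    def add(self, address: str) -> None:
        key = canonical_email(address)
        if key is not None:
            self._blocked.add(key)

    def is_blocked(self, address: str) -> bool:
        key = canonical_email(address)
        return key is not None and key in self._blocked


def naive_match(blacklist: Set[str], address: str) -> bool:
    """The exact-string check the article criticises: any added dot,
    tag or case change slips past it."""
    return address in blacklist


# Constructed sample: the address behind one charged-back order.
SAMPLE_BLACKLIST = ["fraudster@example-mail.test"]
SAMPLE_ATTEMPTS = [
    "fraudster@example-mail.test",        # identical: both checks catch it
    "fraud.ster@example-mail.test",       # dot inserted: naive check misses
    "FRAUDSTER@example-mail.test",        # case changed: naive check misses
    "fraudster+promo@example-mail.test",  # plus-tag: naive check misses
    "fraudster@other-provider.test",      # different domain: genuinely different
]


def compare(attempts: Iterable[str] = SAMPLE_ATTEMPTS) -> Dict[str, Tuple[bool, bool]]:
    """Return {address: (naive_hit, canonical_hit)} for each attempt."""
    naive = set(SAMPLE_BLACKLIST)
    smart = EmailBlacklist(SAMPLE_BLACKLIST)
    return {a: (naive_match(naive, a), smart.is_blocked(a)) for a in attempts}


if __name__ == "__main__":
    for addr, (n, c) in compare().items():
        print(f"{addr:38} naive={str(n):5} canonical={c}")
```

Note that the last sample address, on a different domain, stays unblocked under both checks: canonicalization only collapses permutations a provider actually treats as equivalent, which keeps the false-decline risk the article warns about from growing.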

 

As the team at Riskified points out, blacklists can be useful in certain cases, for instance stopping spam email. But when it comes to CNP fraud, it isn’t spam. The team asserts that an airline or any travel merchant using blacklists needs to probe and assess its overall false decline rate, the frequency with which it analyzes and updates its blacklists, and to what extent its top-line revenue is being impacted.

Counting on real-time machine learning

Blacklists rarely work because hackers will never use the same credit card information twice, while whitelists (whitelisted customers skip the review process and are instantly approved, which often results in high chargeback rates) are inaccurate since whitelisted customers can be compromised at any time. Whitelists can be an oversimplified solution to improving fraud review accuracy. Also, historical data (the category blacklists fall into) loses relevance very quickly in the face of unknown cyber threats, since it is difficult for the machine to predict new fraud attacks without any prior information. According to CashShield, real-time machine learning can help against blanket blacklists and whitelists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transaction to identify fraud patterns.

The team at Riskified underlines that a healthier way to combat fraud is to proactively spot fraudulent patterns using dynamic tagging and linking, and focus on sophisticated fraud detection models.

It is time travel merchants stopped relying on steps that are, in general, reactive and probabilistic. Rather, there is a need to cut down the probability of holding up transactions via manual review or, worse, blocking them entirely. So rather than blacklisting, merchants can capitalize on intelligence, say the unique data points that an email address provides: name matching, IP address etc. In fact, email ids are among the essential details garnered for almost every transaction.

 


Ai Editorial: 4 fraud-related issues that travel merchants need to handle diligently

First Published on 20th February, 2018

Ai Editorial: Loyalty fraud and account takeover, friendly fraud, inferior user experience and avoiding a risk-averse fraud strategy are areas that continue to garner maximum attention, writes Ai’s Ritesh Gupta

 

Ai’s Travel Fraud Prevention Symposium, being held in London today, underlined the threats that travel merchants need to deal with.

We re-visit some of the issues that the industry is struggling with as of today:

  1. Threat of loyalty fraud looms large with data breaches and stolen credentials: Airlines need to prepare diligently for the threat of account takeover (ATO), especially considering their business falls in the “high ticket value, low margin” category. Why is ATO proving lucrative for fraudsters at this juncture? There are multiple reasons. First, this type of fraud can be more valuable than credit card fraud. Second, organizations don’t have stringent measures in place to fight ATO; as the team at Sift Science points out, the time available to exploit the information before detection is typically longer. Third, this type of cheating isn’t easy to detect: since the account already exists and belongs to a genuine customer, the fraud is relatively tougher to spot and the fraudster has more time to operate before being caught.

ATO in the loyalty space (featuring airlines, hotels etc.) is coming under scrutiny owing to data breaches. Password stealing tactics pose a risk to all account-based online services.

Fraudsters get access to stolen credentials from a number of sources:

  • From data breaches, sold on the dark web
  • Phishing with fake websites
  • Malware, trojans, spyware
  • Social engineering
  • Hijacking a mobile device

Airlines need to look for more protections beyond just passwords. A claim to own an account needs to be handled carefully, and machine learning comes in to understand user behaviour. Even when credentials have been stolen, it is imperative for organizations to bolster the authentication process; this way the risk of loyalty fraud can be minimized. So it comes down to authentication, and one of the tools is machine learning.

  2. Friendly fraud – a battle that still isn’t easy for airlines to cope with: Friendly fraud remains probably the biggest challenge, and quite often the significance of an effective fraud mitigation strategy is underlined. Friendly fraud refers to “fraud that is committed when an individual had knowledge of and/or was complicit with and/or somehow benefited from the transaction on their own account, although the individual reported the transaction as unauthorized”. This type of fraud is a major issue for merchants, as it can be tough to detect at the time of purchase, the chargeback process does not adequately address friendly fraud, and it is time-consuming to fight.

“The predicament (pertaining to friendly fraud) is getting worse,” says a senior executive.

The executive pointed out that the available data is limited. Merchants definitely suffer from industry-wide lack of transparency. Their stance is feeble as there are plenty of factors outside merchants’ control that influence their reluctance to make a more substantial effort. “There is hardly enough information available pertaining to chargebacks and friendly fraud. This means there isn’t a strong foundation to bank on, to comprehend the situation. It’s challenging to amass authentic information on the matter without substantial contribution from banks, card networks, and merchants,” added the executive.

  3. Managing transactions and fraud with new tools…be realistic with expectations: Managing revenue and fraud shouldn’t be about adding friction to transactions. One needs to set the right expectations for initiatives such as Dynamic 3DS and biometric authentication. Many fraud prevention methods introduce dilemmas between maximising revenue and minimising fraud – e.g. with more rules, or the implementation of 2FA or multifactor authentication, fraud rates can be lowered, yet more genuine customers will be blocked; on the other hand, with fewer rules and lax authentication to maximize revenue, merchants will be more vulnerable to fraud attacks. Merchants should still develop their own fraud tools that are able to tap their own sources of data for greater efficiency and more accurate detection of fraud. It is imperative for airlines and all other travel e-commerce players to study in detail the utility of emerging tools and technologies: what their role is going to be in managing criminal fraud, friendly fraud, chargebacks etc., and, at the same time, how they impact the customer experience at the time of making a transaction.
  4. Trapped in a risk-averse fraud strategy? Stop focusing only on a rules-based approach!: The shortcomings of the traditional rules-based approach to fraud prevention continue to be highlighted. At a time when the efficacy of fraudsters and hackers in cracking areas of vulnerability is on the rise, it is imperative for merchants to improvise and sharpen rules on the fly. If an entity heavily follows a rules-based methodology, then the main KPI would be to cut the fraud rate as close to zero as possible. At the same time, many borderline genuine transactions would fail to pass through. Rather, the focus needs to be on relying on an algorithm to make decisions that optimize sales as much as possible while keeping fraud and chargeback rates under control.
