Ai Editorial: Chargebacks a cost of doing business, not an apt assessment

First published on 7th April, 2017

Ai Editorial: A meticulous approach needs to be attempted to target every source of chargeback. The role of data along with human expertise needs to be optimized, writes Ai’s Ritesh Gupta

 

Fraud threats are constantly changing and expanding. As fraud detection technology evolves, criminals alter their tactics—what worked for them in the past might not work today.

When it comes to fraud and chargeback management, agility is one potent weapon.

Be it for counting on new technology or human expertise or ensuring earning potential isn’t being curbed, airlines, like any merchant, need to be spot on with their moves.  

The consolidated figure for airline chargebacks is estimated to be $1.5 billion on annual basis. The financial consequences include dealing with fraudulent orders, expenditure incurred on fighting fraud and turning down valid orders. What’s typically the chargeback rate for an airline or a travel e-commerce entity that processes millions of card-not-present transactions on annual basis? Is it 0.8%, how can it be brought down to 0.7%? What’s the timeline and how can it improve the financial situation? This way travel e-commerce organizations not only keep the rate in control, but they are also striving to improve with pragmatic goals.

Here we assess some of the initiatives that can help in prevention of chargebacks.

Addressing the real issues: Airlines need to rely on technology, machine learning, and human forensics, or the blend of all to ensure one knows the real source of each chargeback. Otherwise one can never get to the core of the problem. The reason being a customized action, as part of a robust prevention strategy, is required to combat each chargeback source. Otherwise airlines won’t be able to target the right problem at an opportune time.

In this context, getting into details related to criminal fraud (how to cut down on unauthorized transactions that get processed?), friendly fraud (difficult to detect at time of purchase and issuers usually accept a customer’s assertion) and merchant error (it could be that even up to 40% of chargebacks could be cause by the merchant’s own mistakes, oversights, or shortcomings) is must. Also, airlines can’t only consider basic tools. At the same time, one can’t also feature every offering available for managing risk exposure. For instance, any merchant who uses Address Verification Service along with card security codes or 3D Secure is technically using multiple solutions to prevent fraud. Other options include card security codes, geo-location, device authentication, proxy piercing, biometrics etc. So airlines need to work out a meticulously constructed fraud mitigation plan.

 

 

Experts recommend that a move such as enforcing blacklists (featuring fraudsters) post an attack (rather than preventing the unauthorized transactions) isn’t an ideal move. Rather look at non-technical and API integration options, and act “faster”. Look out for the real source of each chargeback. Sort out areas like uncertain merchant error.

Coming to grips with the problem in time: The industry today is improving the acceptance rate with an integrated system for pre-authorization fraud scoring/ screening and post-authorization chargeback mitigation/ fraud recovery.

The travel industry is also relying on the efficacy of a machine learning engine that evaluates fraudulent users in real-time. Data is analyzed instantly, linking seemingly unconnected signs left behind by fraudsters. Other than detecting fraud, data is also playing its part in ensuring “genuine” orders do not get declined owing to any uncertainty around the transaction.

Alerts have emerged as a viable, faster alternative to the chargeback process. It is about how to do away with the need for a chargeback. And the key here is to stop processing of a chargeback in time.  As shared by ethoca during one of our conferences, upon notification from issuers, the company transmits an alert to the merchant. For their part, airlines can refund the passenger to avoid chargeback. Alert outcome is passed on to the issuer. Result: merchant and issuer liable losses recovered by card issuer on first contact. What this also means is companies can be in better control of things to come, preventing instances of fraud in the future. And companies can also use link analysis to eradicate related fraudulent orders.

Making the most of human expertise: Artificial intelligence or AI can extract anomalies and identify patterns from real-time data but human intelligence is still needed. According to Kount, it’s not just quality of data, its accuracy or the number of datasets that only matters, but human capabilities, too, are needed to communicate, strategize, and guide machines to the optimum business result.

Working in unison: There are multiple stakeholders at risk when it comes to chargebacks. 

Fraudulently filed chargebacks affect each stakeholder in the payment chain.

·          For merchants, a multi-layered approach is best. Today’s solution must be agile and diverse, coupling an evolving defence with effective representment strategies. 

·          Acquiring banks can help reduce the effects of fraud by establishing internal blacklists and developing chargeback triggers for advanced alert notifications.

·          Processors who undergo the most stringent underwriting procedures to maximize their KYC (Know Your Customer) compliance will ultimately reap the benefits through helping to ensure their merchants are following best practice methods that work alongside operational efforts to prevent friendly fraud.

·          For issuers, additional due diligence is key.  Despite the temptation to rapidly resolve a cardholder dispute, additional effort will pay off in the long run for those who consciously work to prevent bad habits from forming in the first place.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: New weapons for combating false positives – are airlines ready?

First Published on 29th March, 2017

Ai Editorial: False positives have never been easy to identify. But with machine learning, 3D Secure 2.0 and data intelligence, airlines can be in better control of the situation, writes Ai’s Ritesh Gupta    

 

The denial of a digital service that is routine or legitimate is annoying.

For instance, as a credit card user, if I intend to access my statement on  bank’s website, and if even after filling of details and password (which most users tend to detest), the access to the same is denied then it disappoint us in a big way. Similar is the experience of a genuine digital transaction that either gets denied or takes longer than expected duration to finish due to seemingly stringent security measures.  

Airlines need to invest in apt user experience strategy and an integral part of the same is to work out right acceptance gap for payments so that revenue generation doesn’t get impacted in a negative away. Conversion rate in commerce isn’t just about getting traffic to digital platforms, but what also matters is not turning away authorized orders and how companies deal with false positives.

Also, from a business perspective, any travel company can’t afford to have a poor profile i. e. being bracketed as a high-risk merchant. Any business with low transaction volumes needs to be wary, as even a single chargeback will be termed as a significant development to the issuing bank than it would for an airline with relatively higher transaction volumes.

So airlines need to be vigilant of the new developments, and make incisive moves to deal with this problem.

·          Finding ways to distinguish real buyers from fraudsters: It is time digital enterprises evaluate the limitation of automated responses from rule-based filters. KPIs for authentication for CNP transactions include historic chargeback data, card acceptance rates, cart abandonment, issuer declines, merchant reversal declines, interchange cost etc. But areas like how online anti-fraud technology impacts false positives need to be assessed. Airlines can dig deeper into the efficacy of rules-based authentication, seeking control over their transactions, and also sort out the manual review problem as human analysis can’t be done away with.

Today negative attributes are being assessed in a dynamic manner and this is where machine learning can contribute when it comes to dealing with constantly evolving patterns. At the end of the day, the list of potential offenders can’t be too restrictive, and at the same time, airlines can be lenient with fraud prevention as well. Machine learning can cut down on unauthorized transactions while also reducing the risk of denying a genuine payment. Key here is the fact that the model keeps training through regular feedback. How? With information about traffic (based on behavioral, identity, and network patterns), and more of the same being garnered, more precise predictions can be. This results into fewer false positives. Also, this analysis can also pave way for customized checkout experience with lesser number of fields or even the fastest possible processing for authentic travellers.

·          Counting on data intelligence: Rigidity due to pre-constructed rules can now be combated with data sharing and data intelligence. And the release of 3D Secure 2.0 specifications, too, needs to be followed for the same. One way to ensure the decline rate is relatively lower could be via availability of quality data. Giving issuers a chance to interject themselves into the checkout can improve upon the risk assessment. So what was being done sporadically can be done in a widespread manner i. e. enabling issuers to amend their authorization risk settings and tie the authorization to the authentication.

Enriched data flow provides stakeholders with a better ability to approve “good” transactions.

As indicated by CardinalCommerce, in the past, merchants and issuers relied on “relatively simple data points in making authentication decisions”. But by relying on emerging sources of data and data intelligence, there is a chance to cut down on fraud and false positives. Legitimacy can be verified via purchase history, device and behavioral information, relevant social media details etc. So airlines better lookout for extra authentication data elements that are available at the time of the transaction so that both the merchant and the issuer can make a more informed and precise decision as whether or not to complete or deny a card-not-present transaction.

(Related article: How Amtrak worked out 99.85% acceptance rate, significantly better than the airline industry 96.3% acceptance rate).

·          Impact of 3D Secure 2.0:  The new specification when officially launched is being tipped to contribute in a big way. 3D Secure 2.0, with plans for early adoption in mid-2017, supports new transaction attributes, and this is expected to curb the level of false positives.  

The objective of new specifications is to aid verification on the basis of data elements pooled through the protocol with focus on a frictionless shopping experience for card users. Also to make the message interface and authentication flows agreeable to mobile platforms.

3-D Secure 2.0 will enable increased use of risk-based and dynamic authentication.

The risk-oriented outcome will be shaped up by uniform and extended set of data elements.

Owing to risk-based authentication method, issuers relying on static or partial passwords have to mull the improbability that consumers will memorize or easily use their passwords if these are only used for 3D Secure and are occasionally called for.

So be prepared for abandonment and failure rate. Accordingly issuers need to find ways for authentication.  

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Protecting a passenger’s identity in a connected world

First Published on 24th March, 2017

Ai Editorial: Operationalizing digital identity assessments is one initiative that every e-commerce enterprise needs to manage diligently, writes Ai’s Ritesh Gupta

 

Airlines, like any merchant, need to safeguard their users’ personal details saved. Imagine a situation where flyers open a personal account on an airline’s digital platform to access speedy bookings and swift flight check-ins, and at some point such data gets stolen, forces breakage in access to digital services and even results in negative publicity. This is indeed going to be a dreadful situation.

E-commerce entities require data to serve personalised offerings, but if they become a victim of a data breach then even a project like digital transformation receives a major setback. No airline can fathom breach of loyalty miles, and hacker selling account credentials to redeem the miles for tickets!

While e-commerce entities like Ryanair are looking at account personalization in a big way, this also means fraudsters can count on user identities to access personal and payment details. The reason being: use a trusted credit card saved in a valid customer account.

There is no scope for traditional ways of securing accounts or fraud prevention, for instance, savvy digital entities, focused on enrolling customer details in new ways to personalise their offerings, now consider static information being stored as a potential threat to being breached. The level of security or layers needs to be evaluated as fraudsters can hijack legitimate login sessions. Do seek a tighter measure against malware or social engineering attacks.

In fact, the threat of being breached can have detrimental impact on a bunch of airlines at one go. How? Experts don’t rule out multiple airlines systems being breached at the same time: when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.

Bigger threat with “connected” world

Today’s intricately connected world means airlines have to work on their IT infrastructure, data management, digital interfaces etc. to ensure there is consistency in interactions. But this digital first approach also calls for stringent protection.

For instance, the Internet of Things (IoT) assumes that information and data will flow seamlessly and securely from one device or one party to another, where it can be accessed and used immediately. If the IoT keeps tracks of the items you intend to purchase, it can automatically tally the payment and process the payment as soon as it connects to the nearest payment terminal or app and verifies the customer's information and data. But wouldn’t this call for a stronger protection?

Fraudsters can work out near perfect identities from the digital detritus that digital entities and consumers are providing.  As ThreatMetrix aptly states: “It is identity, not passwords or payment details, that is the cybercrime currency of 2017: near perfect, yet terrifying, simulacrums of you and I that can be used to open new accounts, hack into existing ones, and monetize fraud attacks.”

According to ThreatMetrix’s Q4 Cybercrime Report, few of the alarming trends that need to be watched out for include:

·      New account originations continue to be the riskiest transactions with nearly 1 in 10 rejected.

·      Considering a spate of data breaches,  organizations can’t rely on static data elements. Dynamic information featuring a user’s digital identity will be critical in distinguishing “good customers from bad”. 

·      Fresh assaults will target collection of more details to strengthen stolen identities, rather than immediate monetization.

Attack from several quarters

Airlines need to consider the fact that one doesn’t distinguish between identities penetrated from behind a network/ firewall or via an account compromise. It is a big blow, one that, propelled by convincing identities as formulated by fraudsters, can fuel large-scale attacks. 

Organized crime

This stolen data is traded by organized and networked crime networks via certain websites, apparently made accessible via specialized encryption software and browser protocols that conceal the location of cybercriminals who are part of such sites.

Recently, a cybercriminal was reportedly sentenced to 50 months in prison for identity theft. This fraudster was caught selling personal data of victims on a cybercrime platform, AlphaBay.

Definition of being safe

When we talk of digital first for a seamless, personalised experience, the safety of identity or account data to needs to be prioritized as well.  Also, considering the lightening speed with which consumers expect every digital interaction to shape up,  airlines need to validate customer identities without any friction.

Bot detection, ID verification, device check, cookie erasing etc. are coming into use.

Specialists assert that it is critical to evaluate every digital identity, one shaped up by dynamic, shared intelligence unearthed from a variety of sources rather a specific organization a user transacts with. Time one looks at blending static identity data with dynamic, real-time intelligence from current and historical transactions. In order to gain better results and minimize friction, specialists are counting on behavioral biometrics , analytics and a predictive model based on past behavior and transaction data to authenticate transactions. The plan is to relate user and device interactions in the present session to past user and device interactions, and look at the gamut of attributes associated with the user, device and connection.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

Follow Ai on Twitter: @Ai_Connects_Us

  

Ai Editorial: Assessing exploitation of connected devices for DDoS attacks

First Published on 15th March, 2017

Ai Editorial: DDoS or distributed denial of service are damaging for all e-commerce entities, and IoT-based botnets are only adding to the threat of disruption to services, writes Ai’s Ritesh Gupta

 

Businesses need to gear up for the era of Internet of Things (IoT), make the most of tokenization offering for contextual commerce, realign the flow of work across the business to service customers better…pressure is immense on organizations, including airlines, to evolve and embrace digital disruption.

But an inherent weakness in a technology or devices can result in a cyber assault, and airlines need to be wary of the same.  

A prime example is IoT continuously being exploited and used in cyber criminal activity. It is important to assess how to counter concerns such as IoT fuelling future DDoS (distributed denial of service - a host of compromised systems launch an assault on one target, thereby triggering denial of service for users of the targeted system) attacks.

This point is being raised as the number of attacks, the severity of such strikes and even the revelation of vulnerabilities can throttle a move towards change. This is not to discourage what an airline needs to do to embrace digital transformation, but rather prepare for any move in a meticulous manner.

Be it for online banking, retail or travel, e-commerce as a sector has to counter such malicious moves.

Relatively easier to hack now

At a time when passengers expect a real-time answer or action on their feedback, what airlines need to be wary of a break in any of the touchpoints and tighten their security.

The more devices an airline connects to the Internet, the more exposed this carrier would be to potential attacks.

It is being highlighted that the technical proficiency needed to perform cyber attacks is on the decline. Malware and services such as DDoS are easily acquired on the dark web. Other than DDoS, ransomware on connected watches, fitness trackers and TVs is expected to pose another challenge.

In their recently released report, National Cyber Security Centre (NCSC), the national technical authority for cyber security in the UK, stated that the degree of cyber threat varies from technical skills being “bought” to persistent threats involving custom-built malware designed to compromise specific targets.

Being digital first also means tighter security

If we talk of mobile-first engagement, attacks such as the one reportedly featuring Tesco Bank in the UK (it was reported that either Tesco’s internal systems or their mobile application were breached) put a question mark over the security of mobile apps. There are steps that airlines definitely need to focus on – additional layer of security in the form of biometric recognition or facial recognition, end-to-end encryption, working on mobile app security testing as part of the software development lifecycle etc. As for mobile-related threats, specialists point out organizations need to be wary of elevated permissions to install further malware such as keyloggers which could be used to steal login credentials, SMishing often proving to be more effective than traditional PC phishing campaigns etc.

But even as mobile malware is growing (surely can’t be ignored), it is the IoT that is proving to be a bigger concern. It has expanded the risk to all customer devices becoming compromised or attacked. Poor security practices in connected devices is coming to the fore. With feeble security, IoT devices are resulting in DDoS attacks. Not surprisingly, the list of vulnerable areas now features attacks on building blocks on which the Internet runs.  

For instance, the looming threat from the Mirai botnet. This botnet is being monetized today by cyber criminals for a large DDoS. It scan IP addresses across the internet looking for insecure devices. As per the information available, Mirai, a malware infecting vulnerable, connected devices, scans for 68 user name and password mishmash when attempting to infect and control a connected device.

The emergence of botnets means cyber attacks are only getting sophisticated. If we talk of “threat actors”,  there is this trend of learning from, hiring and working with one another. Akamai recently highlighted that the largest DDoS attack in their network came from Spike, a malware that has been around for over 24 months. This points to the fact that botnet operators take the emergence of Mirai botnet as a challenge, and try to compete and prove more hazardous with their next attack!  

What to consider?

Protecting the disparate components of the IoT ecosystem is vital.

Such devices need to be protected considering that they are operating in a digital environment. Equally important is the security of data transfer featuring the IoT devices and the platform. Data and privacy breaches continue to be on the rise. Also, a secure API platform is must.

Specialists also have been clarifying some of the misconceptions. According to Imperva, a data and application security specialist, even high bandwidth won’t shield a site from concentrated packets-per-second (PPS) and application layer attacks (no amount of bandwidth can guarantee 100 percent uptime), and there in no point in relying on a pre-existing appliance to block an incoming DDoS assault.

E-commerce entities, be it for airlines or online travel agencies, need to look beyond common vulnerabilities such as SQL injections or Local File Inclusions. So be it for working out scalable threat prevention security for any cloud - public, private and hybrid or trained staff or to working out right security architecture as well as documenting all networks with known traffic flows and shielding all disparate components of the IoT ecosystem, a detailed preparation is needed to protect the digital assets.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Contextual commerce – are airlines ready for it?

First Published on 9th March, 2017

Ai Editorial: One click payment for an airline ticket from the interface you prefer the most – say Facebook Messenger app, WeChat, WhatsApp etc. ? This is the sort of commerce infrastructure airlines need to prepare for, writes Ai’s Ritesh Gupta

 

What can lead to a conversion based on even one signal that a digital consumer today gives to go for a product or service? These signals aren’t mere search keywords or clicks on a website/ app. It’s about the interplay of context, location, interface as well as the device being used and payment facilitation.    

For instance, a group of friends are interacting via Facebook messenger app, they decide on meeting at a particular venue location (exact location is shared via a link/ map), and all of them avail an on-demand service without leaving the chat or the interface. No app was downloaded. Similarly, a passenger starts the shopping journey with interaction with a chatbot or initiates a search for a flight via a digital assistant, moving on to a meta-search environment and eventually completing a transaction without leaving the conversation. 

This is just a glimpse of how commerce is evolving.

What stands out is what’s working in the “background” to seamlessly process payments.

All of this is crucial for travel brands to assess, as one can’t ignore the prowess of ecosystems such as Facebook, Google, Apple, Alibaba etc. or the popularity of social and messaging apps.

Dealing with friction

The significance of letting a travel shopper wrap up a transaction without the friction of leaving a site or an app can’t be ignored.

Airlines need to make the most of tokenization offering that works in the “background” to ensure they are part of contextual experiences - search, social interactions etc. – and end up aiding a potential traveller to shop with them. Intermediaries like meta-search engines have been relying on APIs to ensure bookings are done within their environment, irrespective of the airline’s payment processor. APIs are playing a vital role in countering the intricacies of moving payment data between different stakeholders involved in the shopping journey, could be for retailing or travel-related buy. The end result here is the seamless movement towards buying an air ticket or an ancillary with an optimized checkout flow.

Travel may not be a frequent buy, but still a major plus is speedy checkout experience that customers expect as they don’t need to re-fill or share information again and again.

Skyscanner is reaping benefits related to better conversion rate. The team has been working on their direct booking offering that allows airlines to offer a fully localized booking experience, letting users to research, select and instantly book itineraries within their environment without having to re-direct to supplier sites. As for airlines, they process the requests and retain all of the passenger’s details.

 

Securely moving payment data

It is also imperative to assess the security of such initiatives. How secure is an RFID band that functions as both a ticket and a wallet? How Facebook is equipped to safely part with its own stored payment data with an entity like Uber and yet ends up ensuring Facebook Messenger users sustain control over their information? Specialists like PayPal have progressed swiftly, stating that sharing of customer, payment, and other data is done securely with PCI Level 1 compliant parties while keeping an entity vault protected, and also equally secure is sharing of data within their network of merchants.

But airlines still need to be wary of couple of issues.

Rather than rushing and joining the bandwagon, do look at risk mitigation.

As a specialist in this arena, Chargebacks911 explains that if the industry does not take basic safety measures before going for new technologies, then such initiatives can be more of a liability than a benefit.

For instance, referring to wearable payments, the team points out that it may turn out to be more secure when compared with standard payment options. “Wearable payments make use of the same kind of tokenization technology as other payment methods, like digital wallets and EMV chip cards, which may prove to function just as well on wearable devices,” says Chargebacks911’s COO, Monica Eaton-Cardone. She says one needs to be wary of family fraud and friendly fraud. In a recent blog post, she raised a pertinent point, “What will issuers accept as compelling evidence when merchants attempt to dispute chargebacks? The chargeback process is archaic—it can’t keep up with all the developing technologies. Networks will not have considered the different types of data that will be associated with these technologies and, therefore, will not recognize valuable information as valid forms of evidence. It will be years until the data associated with these wearable devices will be recognized by the card networks, leaving merchants liable for billions in losses from undisputable, illegitimate chargebacks.” She added that as of now, merchants already lose as much as $40 billion each year due to chargebacks.

So emerging technologies can augment the customer experience with seamless transactions, but areas like security and privacy, and chargebacks can also hamper the same.

 

Gain an insight into intriguing issues at Ai’s 11th Airline & Travel Payments Summit (ATPS) this year.

Date: 3 May - 5 May 2017   

Location: Berlin, Germany

For more info, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Managing account takeover fraud – a must in era of personalisation

First published on 24th February, 2017

Ai Editorial: Airlines need to move fast to be ahead of the curve and protect themselves against account takeovers, writes Ai’s Ritesh Gupta

 

The benchmark for completing a digital transaction – the moment when you are about to pay - is one click or swipe.   

Of course, in order to deliver one-click checkout experience, travel e-commerce players have to garner personal information, store chosen payment method and keep it secure. This transaction-related information is a vital component of overall account personalisation that businesses are keenly looking at today.

But what needs to be noted is that account takeover is the latest fraud tactic that is troubling merchants, and airlines, too, can be victims as merchants.

Account takeover fraud happens when a fraudster/ hacker misuses a user’s personal details saved with a merchant in order to take control of an existing account. Fraudsters bank on stolen credentials and phishing schemes to hack into or take over legitimate user accounts. They are capable of gaining access to accounts via malware, SQL injection attacks, spyware etc. And this can surely have a detrimental impact on trust and loyalty among valued customers.

Being wary of fraud as account personalisation picks up

As we highlighted in one of our recent articles, account personalisation is on the rise. One area where progress is being made is speedy bookings and swift flight check-ins on airline-owned platforms. Ryanair took an exemplary initiative last year, one related to account personalisation. This way the carrier chose to enable passengers to share their travel preferences by setting up a personal profile, and saving passport details etc. The users can also store their payment information.

So if on one had such initiatives are bound to make trip planning, booking and even servicing simpler, more efficient, then on the other  one needs to be wary of the situation where such data related to a user’s account gets stolen. 

Data breaches are dreadful, and this trend can also end up in a massive threat for airlines.

It is becoming common for cyber criminals to hack data, and then reuse the list of email addresses and passwords they have obtained on multiple sites. So here is what would happen - when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.

Similarly, a hacker can take over a user account, and if it has loyalty miles, sell the user account credentials on the black market to fraudsters to redeem the miles for tickets.

Identifying suspicious behavior

Account takeover security comes into action from an early stage – keeping a vigil on new account creation and the way these accounts tend to be used. This helps in assessment of risk with certain level of accuracy. In term of prohibiting fraud from happening, a fraudulent activity say a transaction is stopped before it takes place. Here a flexible rules engine highlights a dubious activity based on users’ behaviour and device attributes. As CyberSource states – an organization can then choose to accept, reject, or challenge the users to authenticate themselves – before the event can occur. One can also spot valuable returning customers.

A user’s device and Internet connection information can prove handy in managing such fraud. The device-based customer authentication can add a layer of defence against account takeover. This is important when assessing whether the real account owner is accessing the account or not. A way to do it is via evaluating a cookie associated with the stored payment method. If the same is missing when the payment method is used, then this person can be asked to re-fill the card number or provide verification code. So if a fraudster is trying to skip recognition by masking their IP address or spoofing geolocation, one can verify the real IP address and compare that to the stated IP to detect risky activity.

Recently, when I forgot my Apple ID password, I was asked to share the ID, filled in a code twice, and then could retrieve password via registered email or by filling out answers to questions registered earlier. And eventually guided about how to work out a strong password. But is it enough for account protection? The best answer is to make sure there is enough human expertise within an organization. And do keep an eye on any new stringent way of security. Behavioral analysis is one area that is becoming increasingly sophisticated. Swipes, taps, cursor movements etc. are being analyzed for navigation flow, time spent etc. to understand the behavior. It is also being suggested that behavioral biometrics, which spots patterns in human activities, needs to be looked upon for continuous authentication, and looked beyond the two-factor authentication (2FA) method. So as airlines analyse more and more data (for example, device authentication, device ID, device fingerprinting etc.), fraudsters will struggle to fully to pass off as genuine. These new measures are must as hackers/ fraudsters are working on machines for getting around these security measures.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

How to share industry fraud data on a trusted private cloud platform

Travel companies have survived a massive threat to their existence by learning to share sensitive data on a private cloud platform, writes our guest columnist JJ Kramer, Chairman of Perseuss Steering Group

A decade ago, airlines operated in the usual silos of secrecy. The competitor was always the enemy. The competitor was trying to eat the other airline's lunch. But gradually they realised they had a common enemy who was trying - and frequently succeeding - to eat everyone's lunch.

The fraudster

International fraud gangs, stealing and abusing credit card data, were repeatedly ripping off one airline after another. Profitability was plunging and the situation was getting worse. The need to share information about fraudsters, legally, became apparent to all operators.

Now in 2017, travel companies are in a much better place. They have identified that there are four key steps which industries must take to fight fraud. Curiously, they all involve trust.

1. Build trust in your peers

The fightback started with pairs of airlines sporadically meeting to swap experiences and known fraudster information. Personal relationships formed and the trust between them became the bedrock of further progress. 

Among those pioneers was JJ Kramer, Chairman of Perseuss Steering Group. According to him, fraud thrives in an atmosphere of fear and mistrust. People have to start the fight against fraud by building a new atmosphere of cooperation and confidence in each other. Essential to building that trust was people meeting in person, not online. Face-to-face meetings were vital.

2. Build trust in your platform

But things soon begin to grow and it was obvious that the use of technology was also necessary. Who could be trusted to build the infrastructure? Who would govern it?

The airlines eventually selected an independent IT company with known competence to build the platform. The platform had high levels of security and the user community was 'members only'.

Airline fraud analysts were able to submit data about known fraudsters and check suspect data against the database. Fraud was being identified and reduced.

 

 

3. Build trust in your data

The airlines can now tackle the small, but important matter of the data. Who owned it? Who controlled it? Was shared data owned by everyone, once it was pooled? Chairman of Perseuss Steering Group stated that it was commonly agreed that fraud data is owned by the company who submitted it and it can be deleted by them at any moment. This decision increased the community's trust in the platform because they knew they controlled it, not the other way round.

4. Choose leaders you know and trust

As the user community grew to over 100 companies and welcomed in non-airline businesses (like online travel agencies, railway and retail companies), the management team adapted itself. A Steering Group was formed. People chose representatives they had met in person, regardless of the size of the company they worked in. Personal contact was, again, an important aspect that was taken into account. As Chairman of Perseuss Steering Group mentioned, the Steering Group channels and prioritizes the development process and that is the proof that the users are in charge, not anybody else.

About Jan-Jaap Kramer

JJ has been involved in the battle against airline card fraud for over 15 years. In his previous role as Manager Cashier Department/Credit Cards for Dutch airline Martinair (a subsidiary of KLM Royal Dutch Airlines) from 1999 to 2011 he was responsible for the security of the company's ecommerce and call centre passenger bookings. In 2011 he established his own consultancy company to help business and industry fight fraud. Soon after that he was elected chairman of Perseuss, the travel industry’s anti-fraud organization.

About Perseuss

Perseuss is the global travel industry’s own solution to the battle against fraud. It was founded in 2008 by a small group of airlines and soon became an industry standard for data-sharing. Today, the community has participants from around the globe including airlines, travel agents, railway, and retail companies. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.

 

Ai Editorial: Finding the right blend of data and machine learning for combating fraud

First Published on 13th February, 2017

Ai Editorial: The quality of data as well as making the most of different types of machine learning are vital for fraud prevention, writes Ai’s Ritesh Gupta

 

Fraud prevention isn’t just about one algorithm being used or acting only on historical data. One can fall woefully short with an ill-conceived approach. Airlines need to check valuable pointers – are chargeback rates under control? Even if the fraud system is indicating very low fraud rate, is it still resulting in high abandonment and rejection rates of the users?

Airlines are acknowledging the limitations of traditional rule-based fraud solutions, one of them being overly focused on bringing down the fraud rate as close to zero as possible. This tends to be a risk-averse approach, and one needs to negate rules when positive behaviour is detected. So how can big data and machine learning contribute?

Here we assess some of the critical aspects related with data strategy and machine learning that can contribute in fraud prevention:

·          Only predictive analytics isn’t enough: Predicting future fraud based on historical data isn’t enough. For instance, when transactions with no historical data are submitted into the system, the possibility of missing out on suspicious behavior is there.  

Unsupervised machine learning manages to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour.

With pattern recognition, even without any prior historical data, the machine is able to discover patterns across various transactions and establish if the transaction showed bot behaviour or human behaviour. Information collected from big data is vital here. It is initially used to garner information about the user’s behaviour on the website and these details are blended with machine learning, which uses pattern recognition to chart the pattern of this user’s behaviour to match it either with positive (genuine) or negative (fraudulent) behaviour, as well as predictive analytics that records the positive/ negative behaviour and uses that on future transactions for potential signs of fraud. Also, behavioral analysis is one area that is becoming increasingly sophisticated. Swipes, taps, cursor movements etc. are being analyzed for navigation flow, time spent etc. to understand the behavior. Specialists are tracking mouse movements and clicks in context and meaning while becoming increasingly more accurate over time.  

·          Relevant data: While data is important, what is more important is the quality and relevance of the data. Big data is receiving greater popularity and used more widely than ever, but it is not about how big the data is. Relevant data is necessary to improve fraud prevention, as well as to improve the machine. For instance, if the machine is regularly receiving non-relevant data, the resultant output will be non-relevant decisions.

In addition, the way the data is processed must also be relevant when making probabilities of fraud risk.  Algorithms are designed with biases. If the fraud system’s algorithm is centred towards eliminating fraud entirely, the decisions will compile results of a very low fraud rate, but also high abandonment and rejection rates of the users. Instead, if the fraud system is focused on maximising revenue per risk of fraud, it is possible that a slight allowance of letting the fraud rates up by 0.1% could increase acceptance rates by 10%.

·          Keeping pace with technological developments: Airlines, just like any other e-commerce business, need to cater to a variety of payment methods, currencies and devices. Each new technological development introduces new venues for this fraud, meaning detection and prevention efforts need to be just as agile.  Expect more creative modes of fraud to appear. So there is a need to shift to active surveillance by deploying big data user and entity analytics to understand the user behaviour behind each transaction. Considering that most fraud attacks come as a coordinated attempt from a single script, automated to maximize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payments become popular and mainstream, active surveillance will be more relevant (rather than static defence) and effective in dealing with fraudsters.

·          Airline-centric approach: As we highlighted in one of our recent articles, the e-commerce set up of airlines is distinctive, and it would be highly desirable to have a tailored data strategy.

For instance, how to capitalize on custom data fields be it for flight details, loyalty miles claims (to detect abnormalities) etc.

With more and more data analysed, it is harder for hackers to hide their tracks fully to pass off as genuine.

·          Assess liability shift: Airlines must expect better results at this juncture, considering that machine learning has evolved. For instance, improving fraud management doesn’t only mean lowering fraud rates, but it also about ensuring that the system does not hinder revenue growth. So better technology (big data, machine learning) is important, but how these systems are designed, and the KPI it keeps to is more important.

If we talk of liability shift, specialists point out that with pattern recognition, deep learning and stochastic optimization – seek an optimized yes or no decision in real time.

Based on calculated risks, the system passes the optimized number of transactions while ensuring that chargeback rates are still under control. As a result, borderline genuine transactions can be passed and unnecessary rules and bans are lifted, improving sales greatly. The efficacy of these “calculated risks” need to be scrutinized by airlines. It is being asserted that switch from predictive models of machine learning towards real-time machine learning is few years away.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Miles, account takeover, credit card…threat of fraud gets severe

First published on 13th January, 2016

Ai Editorial: Account takeovers and frequent loyalty program miles fraud in addition to credit card fraud are now demanding stringent measures for fraud prevention, writes Ai’s Ritesh Gupta

 

Every piece of customer data and information is under scrutiny. One can put a price tag on stolen account info – Uber, Facebook etc. and air miles. Today fraud prevention isn’t just about credit cards.

According to Sift Science, account info can yield more money “on the dark web than simple credit card details”. The team indicates that the threat of account takeovers (ATO) needs to be negated.

In fact, findings from the soon-to-be-published Sift Science 2017 Fraud-Fighting Trends report reveal that 48% of respondents observed a rise in ATO last year.

Travel e-commerce – an attractive proposition

Travel e-commerce is a common vulnerable target for cybercriminals as most of their offerings are large ticket purchases. Other than digital goods, this similar mode of thought or reason for hacking can also be found when we look at luxury good providers (also big ticket purchases), or for products that have a high resale value in the black market. Also, since travel e-commerce entities offer digital goods, it requires instant approval delivery to satisfy customers, yet would also open the gates to more fraud. Furthermore, the volatility of the item prices (which changes every minute based on consumer demand) means that merchants cannot afford to deploy manual reviews. Most OTA players simply accept suspicious transactions, absorbing the chargeback losses, instead of declining transactions and risk tarnishing their brand and losing out to the heavy competition.

Too much information up for grabs

Before we delve deep into what threat today looks like, if one were to assess the vulnerability level of travel booking systems, then where do they today and has anything changed?

“Not much hacking is required, as there’s less vulnerability here!” This recent remark from experts, Karsten Nohl and Nemanja Nikodijevic, aptly sums the brittle nature of “global distribution systems” operated by the travel industry today. 

According to details shared at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany in late December (video available here), the industry suffers owing to brittle authentication and web services. The authenticator printed on boarding passes and luggage tags is up for grabs rather easily. “Any person able to find or take a photo of the pass or tag can access the traveller’s information – including e-mail address and phone number – through the GDS’s or airline’s website,  stated Security Research Labs. The company goes on to add: “…many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers’ last names, their bookings codes can be found over the Internet with little effort.” And, too, many people can access information when a booking is generated. For instance, staff the agency, travel providers, GDS involved in any part of the PNR etc. Fraudsters can travel for free, create havoc with one’s frequent flyer account, use payment info etc. Security Research Labs suggests there is a need for “brute-force protection in the form of Captchas and retry limits per IP address” to start off, and bookings need to be protected with appropriate authentication, at the very least with a changeable password.

The point here is how much is being given away to a fraudster.

New areas of concern

There are two relatively new areas of concerns for travel e-commerce entities, according to Justin Lie, Group CEO, CashShield:

·          Account takeovers; for example, when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.

·          Frequent loyalty program miles fraud; similarly, a hacker can take over a user account, and if it has loyalty miles, sell the user account credentials on the black market to fraudsters to redeem the miles for tickets.

“As such, it is advisable for travel e-commerce entities to apply big data and real time machine learning not only on securing payments, but also for securing accounts and monitoring loyalty miles claims,” said Lie.

Tackling issues

Lie says companies should take control of their payment data, which should not be restricted by default. This data can be combined with big data (such as those data fields collected on their websites), so that they can derive a strong data strategy not only for fraud prevention, but also to get a better understanding of the user profiles that surf their website.

Also, fraud is becoming increasingly complicated and sophisticated very rapidly.

“This is especially so as credit card companies push for the adoption of the EMV chip, making it more difficult for card present fraud, thus forcing fraudsters to go online. Instead of implementing a fraud prevention strategy that requires long gaps in training machines with data sets, travel companies should shift towards real time machine learning (or real time automated) fraud systems to get ahead of the fraudsters,” said Lie.

Companies should also move fast to be ahead of the curve and protect themselves against account takeovers and loyalty fraud as well. 80% of all cyber attacks have a financial motive, and it is expected that more fraud syndicates will shift to online fraud, since it is so lucrative.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Shielding card-not-present transactions with customized KPIs

First Published on 2nd January, 2017

Ai Editorial: Airlines need to create their own fraud mitigation strategy, set up customized KPIs in conjunction with detailed data analysis to protect themselves, writes Ai’s Ritesh Gupta

 

Are merchants, acquirers, issuers etc. equipped with necessary arsenal to combat card fraud? Is the card-not-present environment still susceptible to fraud?

As a specialist in this arena, Chargebacks911’s COO, Monica Eaton-Cardone says payment card fraud will always be an issue—it will never be completely mitigated. “Wherever there is a chance for profitability, there will be criminal activity. And, each new technological development introduces a new avenue for fraud, meaning detection and prevention efforts need to be just as agile,” she says. Despite all this, she believes current security situation is the best we’ve seen it since the inception of payment cards. “Our society in general is well aware of the threat and is eager to address it. We aren’t denying the danger—which I think is an important step. The real challenge is to ensure attention to security spans all channels and all sales methods. Unfortunately, to date, security efforts have been inconsistently applied. EMV technology effectively mitigates card-present risks. Biometrics make mobile wallets virtually fraud-proof. But very little effort has been made to protect the card-not-present environment.”   

Improving upon traditional way of securing payments

Just a month back, a research by the Newcastle University in the U. K., indicated that working out the card number, expiry date and security code of any Visa credit or debit card “can take as little as six seconds”.  

For their part, Visa stated that this study didn’t consider other layers of security such as its Verified by Visa system.

Michael Roche, Vice President, Consumer Authentication, CardinalCommerce mentioned that Visa does have mechanisms that track frequency of payments across Card-Present (CP) and Card-not-Present (CNP) orders. “Unfortunately it’s limited by the information within the ISO8583 authorization spec. What Visa is doing though is exposing a whole host of risk and authentication capabilities. You can get to all of these through Visa Checkout right now. In the future you should be able to get direct access. (Checkout Visa Developer). Visa also supplements all their network data through the 3DS protocol. The 3DS protocol provides visibility into all the important info that the ISO8583 spec does not. CVV2 and AVS are antiquated solutions and once you deploy 3DS you’re reliability on them will be reduced. I do agree that these checks are past their prime,” said Roche. He added, “If you have a Rules Based Authentication (RUBA) 3DS solution and you are transacting with a Risk Based Authentication (RIBA) issuer you only need to rely on that RIBA issuers authentication response and it’s yes or no. Doesn’t get any better than that online.”

It’s every ecommerce player for themselves

Monica says it is not advisable for merchants to rely exclusively on card schemes for a safe and secure payment processing environment. “Just like everyone else in the industry, the card networks were initially caught off guard with the explosion of ecommerce growth and were ill-equipped to handle emerging threats,” she says. “Unfortunately, right now, it’s every ecommerce player for themselves. Retailers, airlines, OTAs, PSPs, banks—everyone needs to critique their own individual risk exposure and create a customized mitigation plan. Fortunately, there is an abundance of effective products and services available to choose from that will help ensure success.” In doing so, it is important to consider a few necessities. First, individual tools or solutions need to be incorporated into a comprehensive strategy and evaluated against a profitable level of risk exposure. Second, risk mitigation needs to be dynamic—what worked yesterday might not work tomorrow.   

Hackers are getting better

In the advent of greater tech advances, hackers themselves are also relying on machines to write algorithms to hack systems and crack codes, and they are getting better and quicker at it, Justin Lie, Group CEO, CashShield, a SaaS based self-learning fraud prevention solution for ecommerce, says. Other than capitalizing on vulnerabilities of a credit card or a debit card, hackers are also creating fake accounts on e-commerce sites to run hacks on the stolen credit cards. Therefore, much greater effort is needed to strengthen the current infrastructure, and it will have to be a combined effort between card schemes, PSPs and merchants to prevent cybercriminals from getting away too easily. Currently, there is a lack of information and transparency between merchants, PSPs and card schemes, while merchants receive almost no protection against fraud losses, since they have to bear the cost whenever unauthorized chargebacks are filed. “This broken line of communication should be fixed, while each stakeholder must understand the fragility of payment card security and where they stand in the ecosystem, or it would be difficult for the situation to improve. In the meantime, merchants themselves should also invest in identity management in authenticating fraudulent accounts (or hacked accounts) to protect themselves,” says Lie.

What to fix?

Monica admits that merchants definitely suffer from the industry-wide lack of transparency. “But I’d actually argue everyone involved in card-not-present transactions experiences consequences. I’ve been saying this for years: a lack of consistently applied standards and compliance with those standards is increasing costs and causing needless revenue loss. This is the problem we need to fix.”

Airlines and OTAs absolutely need to create their own fraud mitigation strategy.

Fortunately, the travel industry has a distinct advantage over many other industries, says Monica. “There is an abundance of personal information available for data analysis. Everything from frequent flyer accounts and past itineraries to in-flight purchases and travel companions can make fraud detection much more successful. Establishing and monitoring customized KPIs in conjunction with detailed data analysis can produce significant results.”

 

Ai is set to conduct the 11th Airline & Travel Payments Summit (ATPS) this year.

Date: 3 May - 5 May 2017; Location: Berlin, Germany

For more info, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Editorials

  • Ai Editorial: “Where is Palma de Mallorca?” the airline doesn’t know, Google knows it! +

    First Published on 25th April, 2017 By Ritesh Gupta, in Palma de Mallorca   The tag of “laggards”  isn’t a nice one, but airlines aren’t willing to move on. Whatever Read More
  • Executive Interview: JR Technologies’ Ryan Harris on what is impeding “transformation” +

    First Published on 24th April, 2017 Airlines need to look at several areas, including the organizational impact, IT, issues associated with access to data and their innate nature to detest Read More
  • Ai Editorial: Cart abandonment email is evolving, are you? +

    First published on 20th April, 2017 Ai Editorial: Automation, personalisation and data-driven marketing in addition to certain basics such as content and timing are lending a new dimension to the Read More
  • 1
  • 2
  • 3
  • 4
  • 5