First Published on 17th November, 2017
Ai Editorial: Airlines continue to struggle to avert the danger of friendly fraud. There are new developments, ones related to machine learning and biometric authorization, but are they robust enough to protect merchants? probes Ai’s Ritesh Gupta
Criminal fraud, friendly fraud and merchant error are all major sources of chargebacks. The utility of data and technology in combating various forms of fraud is coming to the fore.
As for friendly fraud, it remains probably the biggest challenge and quite often the significance of an effective fraud mitigation strategy is underlined.
Friendly fraud refers to “fraud that is committed when an individual had knowledge of and/or was complicit with and/or somehow benefited from the transaction on their own account, although the individual reported the transaction as unauthorized”.
This type of fraud is a major issue for merchants as it can be tough to detect at the time of purchase, the chargeback process does not adequately address friendly fraud, and also it is time consuming to fight against the same.
Functioning of the industry
“The predicament (pertaining to friendly fraud) is getting worse,” says a senior executive.
The executive pointed out that the available data is limited. Merchants definitely suffer from industry-wide lack of transparency. Their stance is feeble as there are plenty of factors outside merchants’ control that influence their reluctance to make a more substantial effort. “There is hardly enough information available pertaining to chargebacks and friendly fraud. This means there isn’t a strong foundation to bank on, to comprehend the situation. It’s challenging to amass authentic information on the matter without substantial contribution from banks, card networks, and merchants,” added the executive.
As highlighted by Chargebacks911 in one of the interviews with us, until there is a reason code labelled ‘friendly fraud,’ merchants will forever be engaged in a guessing game—is this claim legitimate or friendly fraud? This uncertainty is what drives merchants’ inaction.
It is also pointed out that issuing banks and card networks decline to divulge critical data or specific numbers on chargebacks, such as dispute win rates. They typically don’t keep the kind of comprehensive records on the subject that would enable a broader view of the matter. Merchants need to blend professional assistance with chargeback management technology specifically designed to identify the true source of the transaction dispute.
One can question policies and regulations set forth for the entire industry. Issuers usually accept a customer’s assertion, and there is hardly any scope in terms of collaborating with issuers. It is clear that ecommerce wouldn’t prevail if card networks and issuers hadn’t taken initiatives to step up the buyer confidence when it comes to payment card use and liability. By abating cardholder’s fears about potential losses tied to fraud, networks and issuers have enabled entities to experience optimum profitability via card-not-present transactions. However, by advertising zero liability, issuers have inadvertently incentivized friendly fraud.
Airlines tend to be at the receiving end. For example, a cardholder buys airline tickets but intends to change the itinerary at a later stage. This could be due to any reason. Since the traveller doesn’t qualify for a full refund from the airline, the same passenger files a friendly fraud chargeback and claims that the purchase wasn’t authorized, when in fact it was. So how can airlines cope with such cases? In terms of sophistication, fraud prevention specialists are finding ways to evaluate the behavior of consumers and are relying on machine learning to do so.
For instance, Nethone, a data science company, highlights that by identifying distinctive behavioural characteristics of each user, one can craft their digital profile and compare it with the behavioural profiles of previously identified fraudsters. The company, in one of its recent blog posts, stressed that it is viable to detect behaviour indicating that someone other than the rightful account owner is logged in, before the transaction is completed. This way merchants can secure transactions by activating a conditional authentication layer. The analysis can cover the customer’s past purchase log, taking into account the frequency of shopping, the average order value, whether there were any previous chargeback requests, and so on. Device fingerprinting can also be taken into account, to check whether a given device has previously featured in a fraudulent transaction. Importantly, Nethone also added that any level of additional authentication or “friction” should be added only where it’s essential and the probability of fraud is high.
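The signals named above (shopping frequency, average order value, earlier chargeback requests, device fingerprint history) can be combined into a decision on when to add friction. The following is an added example, not Nethone's model or code from the article: it uses hand-picked weights as a stand-in for a trained model, and the weights, threshold, field names, device list and sample records are all constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed assumptions: a real deployment would learn these from labelled
# disputes instead of hard-coding them.
WEIGHTS = {
    "order_value_outlier": 0.25,
    "purchase_burst": 0.15,
    "prior_chargebacks": 0.25,
    "unfamiliar_device": 0.15,
    "device_seen_in_fraud": 0.60,  # enough on its own to trigger step-up
}
STEP_UP_THRESHOLD = 0.60
FRAUD_DEVICES = {"dev-bad-01"}  # fingerprints tied to earlier fraud (constructed)


@dataclass
class History:
    amounts: list                 # past order values for this customer
    gaps_days: list               # days between consecutive past orders
    chargebacks: int = 0          # chargeback requests filed previously
    known_devices: set = field(default_factory=set)


@dataclass
class Order:
    amount: float
    device_id: str
    days_since_prev_order: float


def order_value_outlier(amount, past):
    """0..1: how far above the customer's usual order value (1.0 at 3 sigma)."""
    if len(past) < 2:
        return 0.5  # too little history to judge: stay neutral
    mu, sigma = mean(past), pstdev(past)
    if sigma == 0:
        return 1.0 if amount > mu else 0.0
    return max(0.0, min(1.0, (amount - mu) / (3 * sigma)))


def purchase_burst(gap_days, past_gaps):
    """0..1: how much sooner than usual this order follows the previous one."""
    if not past_gaps:
        return 0.5
    usual = mean(past_gaps)
    if usual <= 0:
        return 0.0
    return max(0.0, min(1.0, (usual - gap_days) / usual))


def score(order, hist):
    """Return (risk score in 0..1, names of the signals that fired)."""
    signals = {
        "order_value_outlier": order_value_outlier(order.amount, hist.amounts),
        "purchase_burst": purchase_burst(order.days_since_prev_order, hist.gaps_days),
        "prior_chargebacks": min(hist.chargebacks, 2) / 2,
        "unfamiliar_device": 0.0 if order.device_id in hist.known_devices else 1.0,
        "device_seen_in_fraud": 1.0 if order.device_id in FRAUD_DEVICES else 0.0,
    }
    total = min(1.0, sum(WEIGHTS[name] * value for name, value in signals.items()))
    reasons = [name for name, value in signals.items() if value >= 0.5]
    return total, reasons


def decide(order, hist):
    """Add authentication friction only when the score crosses the threshold."""
    total, reasons = score(order, hist)
    action = "step_up" if total >= STEP_UP_THRESHOLD else "frictionless"
    return action, round(total, 3), reasons


# Constructed sample customers and orders.
REGULAR = History([200, 220, 180, 210], [30, 28, 35], 0, {"dev-a"})
DISPUTER = History([100, 120, 110], [20, 25], 2, {"dev-x"})
ONE_DISPUTE = History([100, 120, 110], [20, 25], 1, {"dev-x"})

if __name__ == "__main__":
    cases = [
        ("usual purchase", Order(205, "dev-a", 31), REGULAR),
        ("flagged device", Order(1500, "dev-bad-01", 2), REGULAR),
        ("repeat disputer", Order(900, "dev-new", 22), DISPUTER),
        ("one old dispute", Order(115, "dev-x", 23), ONE_DISPUTE),
    ]
    for label, order, hist in cases:
        print(label, decide(order, hist))
```

The returned list of fired signals is worth storing with the order: it documents why a transaction was challenged or passed, which is the kind of record a merchant needs when a dispute arrives later.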
The industry is also counting on biometric technology and additional layers of security and authentication.
From a friendly fraud perspective, biometric authorization can be used as proof that a customer did validate a transaction.
But this kind of authorization isn’t a complete solution on its own.
Yes, questioning a chargeback hinges on the merchant’s capacity to establish that the cardholder validated the transaction and that the merchant was in compliance with all applicable regulations. Biometrics can end up being a constructive part of the evidence for merchants; the fact that biometrics are intrinsically tough to deceive is sound proof that a cardholder did, in fact, validate a transaction. But, as explained by Chargebacks911, the issue is that policies and standards laid down by the card networks do not keep up with the fast development of consumer authentication technologies. Biometrics can show that a cardholder almost definitely authorized a transaction, but if the card network won’t accept biometric data as evidence, that knowledge is useless.
“In many ways, card network regulations are stuck in the past, unable to adapt to the rapidly-changing realities of ecommerce and the payments industry,” points out Chargebacks911’s COO, Monica Eaton-Cardone.
It is pointed out that card networks need to make biometric authorization a cornerstone of the dispute process.
Also, the stance of various stakeholders toward friendly fraud definitely needs to evolve, as much as new technologies can help.
Follow Ai on Twitter - @Ai_Connects_Us
First Published on 3rd November, 2017
Ai Editorial: Specialists point out that if a merchant isn’t able to accept payments via WeChat Pay and Alipay, then the acquirer needs to be questioned and asked to explain any barriers and how to fix the issue, writes Ai’s Ritesh Gupta
Is accepting payments via Alipay or WeChat Pay a smooth process?
Irrespective of the answer, it is imperative for any travel e-commerce player focused on Chinese travellers to come to grips with payment processing as far as Alipay or WeChat Pay are concerned. The adoption of e-wallets/ mobile wallets in China is being driven by the ubiquity of indigenous Internet giants – Alibaba (Operated by Ant Financial Services Group, Alipay currently has over 520 million active users) and Tencent (combined monthly active users of Weixin and WeChat app is already over 965 million). Merchants across the globe are looking at in-app web-based payment, QR Code payment, in-app payment and payment at a particular location, say onboard aircraft or at the airport.
Is it really tough or just a wrong notion?
“Payment is quite wide and diverse (in the Asia Pacific region). And China is indeed a unique market in the whole of Asia. It’s almost that you can think of China as one area, and can segregate it from the rest,” Trevor Spinks, Head of Sales and Distribution, Scoot-Tigerair mentioned during one of our conferences in Singapore.
“Scoot flies to 18 destinations in China, and that’s a significant part of our network. We will be offering WeChat as a payment option soon. The complexity for WeChat pay is huge. It doesn’t use normal software language. WeChat Pay have their own language. So one needs to work with WeChat or 3rd party experts,” says Spinks. It is important as a massive chunk of population uses WeChat. “So it is about using what they use every day to fly Scoot. But, yes, China has very specific requirements, and different rules and regulations.”
Referring to a diverse region such as the Asia Pacific, Spinks mentioned that in terms of how an airline manages and works around a variety of options to pay in this region, consider an airline which flies to 10 countries and each country has 5 forms of payments. “And if all forms of payments are different from all the other markets, then there would be 50 forms of payments. You do need payment providers and acquirers. We work with a global specialist. They are already working with a number of payment distribution capabilities in several countries, and when airlines reach a certain point, they can work with one specialist and this allows an airline to straightaway tick, say 30 out of 50 payment methods, at one go. At times, there is a need to work directly with 3rd party suppliers. WeChat is a great example. We might have to work directly with WeChat to work it out for us. So it is a very diverse and hard area to manage. There is a need for a dedicated person within the airline to look after this. Also, you need expertise within each of the market to understand, whether say is 7-Eleven convenience store a viable option or is the popularity decreasing and in two years time no one would be interested in paying via this option. So then no point in investing in that payment method,” explained Spinks.
As a specialist in this arena, Chargebacks911’s COO, Monica Eaton-Cardone, says Alipay and WeChat have authorized partners. These entities specialise in managing cross border payments and, depending on your geographic location, there are several options to provide partnership.
“Alipay works with a variety of financial institutions including MasterCard and Visa. Outside of China, WeChat will only accept credit cards to link to the account. As an e-commerce entity if you already have the functionality to deal with cross border payments through other payment rails then you have the knowledge and experience to deal with WeChat and Alipay,” she said. “E-commerce companies already have numerous rails to accept payments. Accepting payments via WeChat and Alipay would not be any more challenging than your existing network of payment channels. If you deal with PayPal you can deal with Alipay and WeChat Pay. If payment isn’t accepted then your acquirer needs to be questioned, ensure they explain any barriers and how to fix the issue. Both Alipay and WeChat are a form of e-wallet which are funded via a variety of payment options including international payment/ credit cards as well as Chinese domestic bank cards/ accounts.”
Issue of fraud
Spinks mentioned that fraud becomes a bigger problem the bigger the airline becomes.
“So when we were small, we weren’t worried about fraud, we had relatively bigger issues (to sort). But now we have around 40 aircraft, and flying to 18 different countries, fraud can be a big “number” annually. So a partner such as Adyen or Worldpay can also help with fraud solutions. But what you need here and what generally falls under the finance department, you need people who would be measuring and tracking fraud. So if one country had a fraud value of 1% and the norm is 3%, then it’s fine. And another one had a value of 10%, so there are significant issues in that country and you have got to measure it. And the onus also lies on the 3rd party partner to sort it out. And of course, fraudsters also find new ways of cracking the system, so it is always a cat and mouse game,” he said.
Referring specifically to Alipay and WeChat Pay, Eaton-Cardone said as with any platform the prospect of fraud is real.
She said fraudsters target new payment channels or newly implemented processes as they are easier to exploit and find weaknesses until you plug the holes.
“However with effective fraud monitoring this can be managed. Review of transactions and fraudulent behaviors using reporting tools, analytics of customer spending, how transactions were initiated, time of day which device was used, analysis of chargebacks will all help mitigate fraud issues. If monitoring is done at every available stage you will manage fraud issues. This is where we come in as we can help provide these skills and products to help,” she said.
Eaton-Cardone also mentioned that if there is an effective fraud monitoring process in place, then the ecosystem, say Alipay or any other, wouldn’t matter as one can apply this to wherever the payments are being generated. “When reviewing mobile transactions check your order data: What was the device used? Was a mobile phone number provided? Is there a GPS location? Does the GPS location differ from the shipping/billing address? Don't rely on IP geolocation. Review the time of usage, tablets tend to be used more in the evening and with higher spends. Know your customer, review their typical spending pattern. Do they have a history of denying transactions?”
Developments related to chatbots continue to intrigue. Not too long ago the utility of chatbots was being questioned, including their ability to understand tone, language and intent, and the value they can offer. Today certain travel companies, including established airlines, are gearing up to accept payments within the conversational/ messaging interface, and hence calling them transactional chatbots. So are AI chatbots finally living up to their intelligent branding?
The situation needs to be assessed from the perspective of who is the real user of such offering? It is already being pointed out that the mobile-first lifestyle or the tendency to interact with a connection via a messaging platform, especially in the case of a “Millennial”, is one major driving force.
So be it for a conversational travel insurance chatbot or a flight search chatbot, the use of artificial intelligence to interact with travellers in a conversation style is on the rise. And expectedly, “seamless” payment option via chatbots is emerging as a possibility. As Kaivalya Paluskar, Solutions Consultant, APAC, Ingenico ePayments mentioned, the users largely have been redirected to a new page till date, but now this is evolving gradually.
What it means is – the user would never be sent to a website to finish the transaction.
The team at Ingenico has worked on what it describes as an “in-built” solution, where the user “doesn’t go out of the chatbot to make the payment”, said Paluskar. “We can facilitate this for different platforms, including Facebook or any open API platform,” he said.
According to specialists, there could be an instance where a microsite opens when a user attempts to make the payment for the first time, but that would be just a one-time occurrence. Subsequently, the user would remain within the chatbot interface for completing transactions.
Airlines are relying on partners to step up their capabilities in natural language processing and, accordingly, to step up the user experience.
First Published on 4th September, 2017
Engaging people from China on Tencent’s WeChat or Alibaba demands an unwavering effort in order to make the most of these unique ecosystems. Foreign travel brands need to be proactive, rather than being reactive, since consumers in China pursue “hot” trends and the likes of Tencent, Baidu and Alibaba are quite progressive in terms of introducing new initiatives or features.
“Alibaba and Tencent are almost coming across as “two different types of Internets”. (The challenge) is that these ecosystems don’t talk to each other,” says Matthew Brennan, co-founder, China Channel. So what this means for e-commerce players or the advertisers is that they are sort of locked in a data ecosystem, which is not transferable. So this becomes a case of a “walled garden” – you can’t get data out of an ecosystem.
There is no dearth of peculiar developments in case of WeChat, for instance, a fashion blogger selling 100 limited edition MINI Coopers, worth $42000 on WeChat in 5 minutes or the release of new style QR codes for Mini Programs. Even as questions are being raised how the usage of the WeChat app can be scaled up from the current level of 963 million users (at the end of Q2), there is no denying that WeChat remains a popular destination for shoppers in China.
WeChat Key Opinion Leaders or KOLs, WeChat search, Mini Programs, WeChat Pay, Official Accounts…if you are well-versed with Tencent’s WeChat, then you would definitely know these are some of the features of how a brand can get associated with this ecosystem.
“WeChat is neither just social media, nor just WhatsApp nor just payments either. Rather think of it as an operating system, akin to Android or iOS,” says Brennan.
By Ritesh Gupta
First Published on 30th August 2017
Ai Editorial: Paying for ancillary products at the airport or limited payment options for in-flight shopping haven’t been as streamlined as some of the other options. Ai’s Ritesh Gupta learns how Amadeus is sorting these issues out.
Security and convenience are two key aspects of completing a transaction that make a traveller comfortable and assured about paying an entity.
But this has been one big hurdle for airlines as far as payments within the airport environment are concerned. Despite airlines selling more services at the airport, until now there has been no way to pay that is optimal for both the traveller and the airline. For instance, it is common for travellers to hand over their payment card to the check-in agent to use an infrastructure that’s shared by many airlines. The safety of such transactions can be questioned.
In this context, the roll-out of Amadeus Airport Pay, starting with the Lufthansa Group a couple of months ago, is set to help carriers to take secure payments at check-in desks. It is a combined software-hardware solution which is wireless, making it completely independent of the common use check-in infrastructure found at the airport.
“Amadeus Airport Pay is the first wireless solution in the industry, which accepts EMV chip card or EMV compliant smart wallet payments and can be used by multiple airlines and ground handlers, and multiple banks, in any airport across the world,” says Dan Greaves, Senior Manager, Marketing, Payments, Amadeus IT Group.
According to Amadeus, it is also the only EMV solution that can be integrated with the Departure Control System, booking and ticketing flow, meaning payments are faster, more accurate and automatically accounted for. Pocket-sized and wireless, the solution has brought real mobility to airport payments and helped to improve the passenger experience.
Countering the problem
The Chip and Pin cards are far more secure, and installing a Chip and Pin terminal which only needs to talk to one bank is a straightforward process. The problem in the airport environment has been that check-in agents may represent one airline for 3 hours during the morning then a completely different airline a few hours later. So they need to process transactions, which will be directed to many different banks.
“The problem is compounded by the fact that the providers of the shared infrastructure at airports are – understandably – reluctant to integrate third-party hardware. Until now there hasn’t been a Chip and Pin solution which is compatible with the number of different merchants and banks found in the airport environment,” said Greaves.
“That means that either check-in staff have to send customers to a different desk at the other end of the terminal to pay for ancillary services such as excess baggage, which is clearly not a great customer experience, or payments are processed by swiping the magnetic strip on the back of the card. This is the same technology as was used in the old cassette tapes and just as easy to copy so security is clearly an issue.”
As Amadeus explained, there were three basic challenges to enabling travellers to pay for additional services at the check-in desk:
· Security – While most of the world has migrated to EMV Chip and Pin payments in face-to-face environments, there are still many airport payments where the card data is entered via either magnetic swipe or, worse, manual entry.
· Multi-bank / multi acquiring – check-in desks are shared between airlines so a payment system must be able to identify which payment is for which airline and process the payment accordingly with the relevant airline’s bank.
· Mobile – “It was not in our original solution. When first conceiving a solution we imagined it would be connected directly to the check-in desk. It was Lufthansa Group who suggested we “cut the cable!” to make a wireless solution. This makes the solution completely independent from the airport technology provider, making deployment much quicker, and enables airlines to take payment anywhere in the airport, not just at the check-in desk,” explained Greaves.
Amadeus’s payment platform, which provides the capability to process payments from different airlines each with different banks, has combined with Ingenico’s mobile payment gateway which gives access to a range of wireless EMV payment terminals.
Role of Ingenico
As for working with Ingenico, how did Amadeus go about the wireless gateway and meeting the contactless mandates from card schemes? According to Amadeus, as Lufthansa Group requested a wireless solution and at the same time Visa’s mandate requires contactless capabilities, the team had to find a partner to help achieve both these objectives. There was a need to set up the right architecture, which would ensure compatibility with these mandates, as well as provide future-proofing against as yet unseen developments.
“We achieved this by ensuring that the architecture was not dependent on the payment terminal itself; new, updated terminals can be swapped in as required,” shared Greaves.
The arena of on-board retail, especially with the rollout of on-board Wi-Fi, has opened interesting opportunities for both travellers and airlines.
“Definitely, on-board Wi-Fi opens up the opportunity to process onboard payments in a much more flexible way, much the same as payments are processed on airline websites today. This has the potential to reduce fraud, increase the number of inflight payment options and reduce the overall cost of payment for on-board transactions,” said Greaves.
In the aircraft, travellers typically have the option to pay by cash or by card. But when a transaction takes place mid-flight it is often an offline process, which means that the payment is only processed after landing. This can leave airlines vulnerable to fraud.
A lot of airlines are also limited in the number of payment methods they can accept for inflight sales – in the vast majority of cases, inflight payments are limited to cash and cards.
“But with the growth of new forms of payment there is growing demand for customers to be able to pay using payment methods such as Alipay, PayPal and others.
The growing availability of inflight Wi-Fi is solving some of these issues for airlines and travellers and opening up the possibility to manage inflight payments in the same way as payments are currently managed on an airline’s website,” mentioned Greaves.
Point-of-sale based malware has proven to be an area of concern in the retail industry. It has resulted in the most credit card-related breaches.
Acknowledging the same, Greaves mentioned that this is a critical point and one of the main drivers for developing the solution in the first place. “The credit card data is encrypted by the payment device itself and is not stored there. With this point-to-point encryption we assure that the credit card data cannot be compromised. In addition, Ingenico put – as part of their general terminal products – measures in place that prevent the Chip and Pin terminals from being manipulated. Amadeus Airport Pay uses EMV technology that has a high layer of security thanks to their embedded microchip, which authenticates the card and allows cardholders to be authenticated via PIN. This makes them a lot harder to counterfeit than magnetic stripe cards, which contain static information in the magnetic strip and is overall an older, less secure technology, which is more susceptible to fraud. The payment card details are encrypted by the payment terminal and are not stored on the terminal; the credit card data does not pass through the airport workstation either, reducing the risk of data being compromised.”
First Published on 26th August, 2017
Ai Editorial: Be it for cash for transactions or an ecosystem like WeChat or use of credit/ debit cards, payment in Asia remains wide and diverse. How are airlines gearing up for the same, explores Ai’s Ritesh Gupta
Any airline operating in the Asia Pacific region needs to diligently prepare for accepting payments. Working on such initiatives features many aspects that go beyond finalizing payment methods, and these include setting up processes and controls (currency management, currency hedging, fraud prevention, and reconciliation and reporting), and compliance (PCI DSS, sensitive data protection, costs and reliability).
For instance, there are many markets such as cash-driven countries like Philippines where credit card acceptance simply cannot be compared with Singapore or Australia. And then China can be completely different, considering the popularity of payment options such as Alipay and WeChat Pay.
“Payment is quite wide and diverse (in the Asia Pacific region). Go back by five years there were only few forms of payment -cash, credit card, debit card…and that’s changed significantly over the last couple of years. Even if you consider just one country, say Singapore, where Scoot is based, it is a credit card, debit card-led market. And if one considers Philippines, more than 85% is via cash. For an international airline, with operations across Asia, one size doesn’t fit all,” says Trevor Spinks, Head of Sales and Distribution, Scoot-Tigerair.
Relying on local agents/ staff
So how can an airline gear up for Australia, a market which is credit card, debit card-led, versus the Philippines, which is going to be different with cash being the preferred payment option?
“There is a need to remain close to your international markets. Do we have the correct strategy for payments in these countries? There are some countries where you need to cater to cash, there are some countries where an airline would need to take payment via 7-Eleven convenience stores. We have recently witnessed (the emergence of) Apple Pay, Samsung Pay coming in to the market, and expect Google Pay to be available soon. So each market has a lot of different payment methods,” explained Spinks.
“So relying only on credit cards and debit cards as a method of payment as an international carrier is wrong. There is a need to work on a payment strategy for each country you are in. The best way to approach the same is seek feedback from GSAs (general sales agents) or country managers. They are ones who know their respective markets inside out and share popular payment methods and trends. So one can prioritize and be ready to accept payment via methods that are relevant, and can be fulfilled by airline websites or call centres.”
China is a unique market in the whole of Asia.
It’s almost that you can think of China as one area, and can segregate it from the rest. Facebook and Google aren’t really relevant or functional in China, and as Spinks says, payment methods are even more distinctive in this market.
“Scoot flies to 18 destinations in China, and that’s a significant part of our network. We will be offering WeChat as a payment option soon. The complexity for WeChat pay is huge. It doesn’t use normal software language. WeChat Pay have their own language. So one needs to work with WeChat or 3rd party experts,” says Spinks. It is important as a massive chunk of population uses WeChat. “So it is about using what they use every day to fly Scoot. But, yes, China has very specific requirements, and different rules and regulations.”
He further explained: “So in terms of how you manage and work around this diverse payments world in this region, consider an airline which flies to 10 countries and each country has 5 forms of payments. And if all forms of payments are different from all the other markets, then there would be 50 forms of payments. You do need payment providers and acquirers. We work with Worldpay. They already work with a number of payment distribution capabilities in several countries, and when airlines reach a certain point, they can work with one specialist and this allows an airline to straightaway tick, say 30 out of 50 payment methods, at one go. At times, there is a need to work directly with 3rd party suppliers. WeChat is a great example. We might have to work directly with WeChat to work it out for us. So it is a very diverse and hard area to manage. There is a need for a dedicated person within the airline to look after this. Also, you need expertise within each of the market to understand, whether say is 7-Eleven convenience store a viable option or is the popularity decreasing and in two years time no one would be interested in paying via this option. So then no point in investing in that payment method.”
As for consumers, airlines need to study how smartphones are shaping their payment choices, how age and gender play a role in payments, and where travel as a shopping category fits in.
As new payment types become culturally ingrained, users start to count on them for higher value transactions such as travel.
Other factors that need to be considered are:
· Know the local requirements, such as whether airlines are required to partner with a local entity in order to start connecting with local consumers. What sort of benefits does a local payment gateway offer, other than meeting legal requirements? Can one partner facilitate different methods - convenience store (tend to be semi-digital payments - a consumer takes a code or a QR Code associated with a booking and pays), online banking etc.?
· What are the complexities of integrating with a particular alternative payment method? Is extra cross-channel payment interface design and development required if airline goes directly with local payment platform?
· Unlike credit card, each of the payment options in Asia has its uniqueness, e.g. transaction limit, availability of refund, no pre-authorization, chargeback rights. What is needed to design and implement necessary payment interfaces and processing flows?
· What is needed to consolidate payment transactions, especially for easier reconciliation and reporting of sales and settlements across payment options?
· Implement necessary payment controls according to the difference of processing by payment types (e.g. refund, void, capture).
· Implement fraud monitoring and prevention across payment options. “Fraud becomes a bigger problem, bigger the airline becomes. So when we were small, we weren’t worried about fraud, we had relatively bigger issues (to sort). But now we have around 40 aircraft, and flying to 18 different countries, fraud can be a big “number” annually. So a partner such as Adyen or Worldpay can also help with fraud solutions. But what you need here and what generally falls under the finance department, you need people who would be measuring and tracking fraud. So if one country had a fraud value of 1% and the norm is 3%, then it’s fine. And another one had a value of 10%, so there are significant issues in that country and you have got to measure it. And the onus also lies on the 3rd party partner to sort it out. And of course, fraudsters also find new ways of cracking the system, so it is always a cat and mouse game,” concluded Spinks.
First Published on 29th August, 2017
Ai Editorial: Managing revenue and fraud shouldn’t be about adding friction to transactions. One needs to set right expectations from initiatives such as Dynamic 3DS and biometric authentication, writes Ai’s Ritesh Gupta
Airlines, just like any other e-commerce business, need to cater to a variety of payment methods, currencies and devices.
As much as consumers experiment and embrace new forms of payment options, each new technological development introduces new avenues for fraud, meaning detection and prevention efforts need to be just as agile.
Airlines can’t afford to slip on one main count. Many fraud prevention methods introduce dilemmas between maximising revenue and minimising fraud – e.g. with more rules and the implementation of 2FA or multifactor authentication, fraud rates can be lowered, yet more genuine customers will be blocked; on the other hand, with fewer rules and lax authentication to maximize revenue, merchants will be more vulnerable to fraud attacks.
Avoid more friction for users
This dilemma only exists because airlines and travel companies are still relying on introducing more and more friction for users as a means of preventing fraud, says Justin Lie, CEO, CashShield. Citing an example, he says the new introduction of Dynamic 3DS promises greater conversions and less users blocked (on a case-by-case basis), but it still remains a rule-based system with restrictions that block users and introduce friction during payment.
The new version of 3-D Secure is being considered for supporting app-based purchases on mobile devices, and paving way for sharp risk-based decisioning for frictionless authentication. Other aspects include multiple authentication options, including passcode and biometrics, and integrating seamlessly into the checkout process. Even as this tool can play a part in combating illegal transactions and criminal fraud moves, airlines need to consider potential hurdles as well. As Lie points out, the problem with Dynamic 3DS is that it is controlled by card issuers and is therefore still working with the same set of data as before. “They are unable to tap on the merchants’ data for more information on fraud and are not as smart and flexible as they tout themselves to be. Therefore, merchants cannot expect Dynamic 3DS to be a be all and end all solution to solving fraud woes,” he says.
Merchants should still develop their own fraud tools that are able to tap on their own sources of data for greater efficiency and more accurate detection of fraud.
As we highlighted in one of our recent articles, rather than hard rules, airlines should direct fraud prevention efforts towards behavioural analysis, which is compatible with all the various payment methods, currencies and devices. A further step in sustaining or even improving conversion rates for airlines can be to develop a decisioning algorithm with the mandate of maximising revenue at an optimal level of fraud risk. This will make the airline’s fraud prevention methods truly agile at maximising revenue while minimising fraud. Specialists point out that rules-based systems are in general reactive and probabilistic solutions, which is why they are unable to prevent fraud before it happens. Probabilistic frameworks only seek to train the system on historical data, and do not possess the expertise to move beyond probability scoring for fully automated decisions, thus crippling the system on manual reviews. Because of the need for manual reviews, rules-based systems also start to show cracks at high volumes, and reduce the company’s ability to scale on demand.
Being susceptible to unknown fraud attacks
Among other developments, the industry has also been focusing on Dynamic Authentication. It uses multifactor authentication, machine learning, fraud intelligence and advanced device recognition technology.
“While the intentions of Dynamic Authentication to stop fraud in its tracks may be applauded, it also introduces new problems for users and cannot be seen as the be all and end all. Multifactor authentication and dynamic passwords disrupt the user’s experience severely and are forms of unnecessary friction that will be especially felt by the older generations,” says Lie. He says at the same time, Dynamic Authentication’s use of machine learning technology is still heavily reliant on, and trained with, historical data, using old (and dated) fraud patterns to predict future fraud. This means that even with Dynamic Authentication, travel companies can still be susceptible to unknown cyber fraud attacks.
“Dynamic Authentication is very counterproductive, considering the added friction placed on users. On average, only 70% of dynamic passwords delivered are used, while merchants see a 40% reduction in purchase conversion rates after introducing Dynamic Authentication. Cart abandonment rates also grow significantly, but merchants do not track these dropout rates. Merchants must understand that even if fraud losses are mitigated, their business potential and opportunity costs have been restricted, since many genuine users are turned away constantly,” explained Lie.
As for biometrics, this technology can turn out to be an important proof in indicating that a shopper did authorize a transaction. At the same time, as Monica Eaton-Cardone, COO, Co-Founder of Chargebacks911 points out, this would be futile if the card network won’t consider biometric data as verification. In one of her blog posts, she mentioned that the industry “must revisit their policies before biometrics can be a truly effective method of fighting fraud and recovering revenue”.
“Card networks need to make biometric authorization a cornerstone of the dispute process,” asserted Eaton-Cardone.
So it is imperative for airlines and all other travel e-commerce players to study in detail the utility of emerging tools and technologies: what their role is going to be in managing criminal fraud, friendly fraud, chargebacks etc., and at the same time how they impact the customer experience at the time of making a transaction.
First Published on 18th August, 2017
Ai Editorial: Airlines need to be realistic about the flaws and limitations of the rules-based systems - mainly on their hindrances to scalability and restrictions to instant delivery, writes Ai’s Ritesh Gupta
The shortcomings of the traditional rules-based approach for fraud prevention continue to get highlighted. At a time when the efficacy of fraudsters and hackers in cracking areas of vulnerability is on the rise, it is imperative for merchants to improvise and sharpen rules on the fly.
Before discussing problems associated with the traditional rule-based fraud method, it needs to be underlined that there are more refined ways of ensuring a genuine travel shopper’s experience doesn’t get hampered. Overall, it is a must for merchants to identify user behaviour much more accurately, which is useful not only in turning away fraudulent transactions, but also in identifying positive behaviour (genuine customers, especially big ticket spenders) to allow them to pass through. In addition, taking away rules, buying restrictions, 2FA or other difficult verification procedures improves the shopping experience for users, therefore lowering cart abandonment rates.
Merchants can’t be risk averse
The problem with deploying hard rules and relying on manual reviews is the fact that this method tends to work around evaluating the typical fields.
So how does a fraudster manage to break the rule and find a way out? How do they manipulate and defeat the system?
For instance, a system has been set up so that it doesn’t allow more than 4 transactions in 60 minutes. In this case, fraudsters have figured out the stipulated rules, one of them being a duration-based rule. They then craft their program so that it engages with the system without tripping that rule.
There are certain rules systems that initially seem easy to comprehend, indicating which orders will be accepted, rejected, and reviewed. These are enough to detect simple, non-changing, known patterns. But as the need arises to add more rules, probably hundreds of them, to be clear about what is genuine and what could possibly be fraudulent, even an astute executive may find it arduous to sort out the overlap among an increasing number of rules while also taking time out for manual reviews. Once more time needs to be spent on curating and arranging rules, checking how each rule is faring, which permutations and combinations are not working, what the impact on the average order value is, what threshold has been set and so on, the job becomes tedious. Even if a point system is followed for rules, it can still be a gruelling task.
In one of their blog posts, Accertify asserted that all channels and products aren’t alike when it comes to fraud risk. Citing an example, the team stated: Rules may include IP address velocity but an IP address from a provider of telecommunications services like Verizon isn’t as user-specific when compared with Comcast. So if there is a doubt for one IP address, then velocity could be adjusted, but maybe not for mobile. So there is a need to apply rules specifically for certain channels and product lines while countering threats.
Rules that are based on a single channel behavior don’t pave the way for a complete picture of the shopper’s activity across multiple channels.
Find a way to ensure that erroneous and feebly coded rules don’t end up stepping up manual review queues.
In this context, the efficacy of machine learning offerings is coming to the fore, when compared with rules-based systems. Predictive analytics is a part of supervised learning in machine learning, and plays a part in predicting whether a cyber-criminal or a fraudster will repeat their act again in the future. At the same time, other types of machine learning – unsupervised learning – also have a role to play.
So what needs to be done?
Even in the case of machine learning, it is vital to distinguish between the various kinds of techniques deployed. Rather than just focusing on predictive analytics, there is a need to bank on pattern recognition, deep learning and stochastic optimization. Why? Because by focusing only on predictive analytics, there could be a gap for the fraudster to capitalize upon. What if a new threat surfaces with no previous data? Unsupervised machine learning is able to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour, and is effective in identifying genuine customers as much as identifying fraudsters.
To increase the effectiveness of the fraud system, another form of machine learning must be used as well – pattern recognition.
If an entity is heavily following rules-based methodology, then the main KPI would be to cut down the fraud rate as close to zero as possible. At the same time, many borderline genuine transactions would fail to pass through.
Rather, the focus needs to be on relying on an algorithm to make decisions that optimize sales as much as possible while keeping fraud and chargeback rates under control.
Go beyond rule-based prevention
Rules cannot keep pace with the degree of data and variety of always-evolving fraud that exists as of today. Do count on algorithm-oriented modelling. Assess how to make the most of business rules based on input from fraud specialists and machine learning classifiers, and bank on risk scores in real time to identify high-risk transactions. How to track users across identities, devices, IPs and locations? Is there a mechanism to combat proxy detection?
Also, as we highlighted in our recent articles, airlines are being recommended to focus on industry data and unique merchant data to combat fraud.
Rather than hard rules, airlines should direct fraud prevention efforts towards behavioural analysis, which is compatible with all the various payment methods, currencies and devices. And a further step in sustaining or even improving conversion rates for airlines can be to develop a decisioning algorithm with the mandate of maximising revenue at an optimal level of fraud risk. This will make the airline’s fraud prevention methods truly agile at maximising revenue while minimising fraud.
How is machine learning helping in combating fraud? Hear from industry experts at Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August).
First Published on 15th August, 2017
Airlines need to make the most of industry data and unique merchant data to combat fraud. It’s time the data strategy they deploy became diverse and tailored, writes Ai’s Ritesh Gupta
Travel e-commerce players, including airlines, are trying to cut down on the margin of error in case of accepting or declining a transaction. So as they review an order they decide appropriately on what action to take.
In this context, the role of data that can help in combating fraud is coming to the fore. Data is being relied upon for answering key questions, for instance, why genuine customers are being blocked. Or how historical data can be used to improve the accuracy of any prevention strategy? How is transactional data being capitalized upon via one system and analysis model? How merchants are gearing up for automated, scalable fraud prevention?
Another area is how airline-specific data, be it for the activity on their respective websites or other digital assets or transactional data from direct and indirect channels, can result in better fraud prevention.
Collecting data from airlines
As for the sort of data that can be collected, it boils down to two types - industry data and unique merchant data, according to Justin Lie, who has built CashShield, a SaaS based self-learning fraud prevention solution for ecommerce.
Lie further explained:
· Industry data includes information on coordinated fraud attacks, which may be shared across different airlines as all airlines are equally vulnerable to coordinated hackers.
· Unique merchant data would vary from airline to airline, based on the individual information each airline collects or is able to provide.
When it comes to collecting more data, unique merchant data from Airline A may not be useful for information on the fraud risks Airline B would be exposed to.
“For unique merchant data, we will guide airlines to look for useful custom fields that can increase the accuracy of fraud detection. Also, we will allow airlines to data dump whatever data that may be collected, as more relevant data points can strengthen our real-time pattern recognition technology. Industry data on existing or current fraud attacks can also be useful information to share from airline to airline, but both types of data should be collected for analysis of anomaly detection,” shared Lie.
Airline-specific plan of action
As Lie pointed out in one of our previous interactions, a majority of fraud offerings have been worked out for mass markets, where most carriers are mainly required to garner data based on a template that evaluates only a restricted number of fields. He added that this isn’t enough. It also restricts an airline’s ability to craft an optimal data strategy and reporting for their performance/ return on investment. Unfortunately, not much useful data is returned to the merchant by default. Rather, airlines need to go for better control of their data, including data related to a transaction.
“As each airline’s ecommerce website is unique, the data strategy deployed must be diverse and tailored,” asserts Lie. “It is vital to work with airlines and help them make use of all the data that is there on their respective websites.”
Lie says airlines can tap on smarter solutions that can customise unlimited data collection to maximize their fraud prevention, automation and false positive reduction capabilities.
“For instance, passive biometrics data including mouse cursor movements, keystrokes, words per minute or activity data including wishlists, purchase history or even seemingly insignificant data points like whether or not the user has chosen to subscribe to the newsletter can all be relevant information collected and used.
With the data collected, airlines can churn the data through various permutations and combinations to identify potential fraud patterns that may be left behind by fraudsters, who have made micro-changes between transactions in one coordinated fraud attack to trick the system. Using real time pattern recognition, even micro-changes can be proactively identified and tagged to the same fraud pattern group,” explained Lie.
“We should not be overly concerned about how each data point may contribute to the fraud analysis on its own, or with collecting as much data as possible, but rather on how the data collected may be used in a relevant manner. After the point of data collection, airlines have to amplify and triangulate the data, analysing the data through multiple permutations and combinations so as to better understand the fraud patterns left behind by fraudsters in their attempt to brute force the system.”
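The contrast between a hard velocity rule (such as no more than 4 transactions in 60 minutes on one field) and grouping transactions that differ only by micro-changes, as an added example that is not CashShield's or any vendor's code. The field names, the constructed sample transactions and the linking method (union-find over shared device, email and IP values) are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2017, 8, 15, 9, 0)


def tx(tx_id, minutes, card, device, email, ip):
    """Build one constructed transaction record (hypothetical field names)."""
    return {"id": tx_id, "ts": T0 + timedelta(minutes=minutes),
            "card": card, "device": device, "email": email, "ip": ip}


# Constructed sample data, not real traffic.
TRANSACTIONS = [
    # Paced sequence: a new card every time, one other attribute changed per step.
    tx("t1", 0, "card-A", "dev-1", "a@example.test", "198.51.100.7"),
    tx("t2", 20, "card-B", "dev-1", "b@example.test", "198.51.100.7"),
    tx("t3", 45, "card-C", "dev-2", "b@example.test", "198.51.100.9"),
    tx("t4", 70, "card-D", "dev-2", "c@example.test", "203.0.113.4"),
    tx("t5", 95, "card-E", "dev-3", "c@example.test", "203.0.113.4"),
    # Unrelated single purchase.
    tx("u1", 50, "card-U", "dev-7", "u@example.test", "192.0.2.10"),
    # Burst on one card: the case a duration-based rule is built for.
    tx("b1", 100, "card-Z", "dev-9", "z@example.test", "192.0.2.50"),
    tx("b2", 102, "card-Z", "dev-9", "z@example.test", "192.0.2.50"),
    tx("b3", 104, "card-Z", "dev-9", "z@example.test", "192.0.2.50"),
    tx("b4", 106, "card-Z", "dev-9", "z@example.test", "192.0.2.50"),
    tx("b5", 108, "card-Z", "dev-9", "z@example.test", "192.0.2.50"),
]


def velocity_flags(transactions, key, limit=4, window=timedelta(minutes=60)):
    """Hard rule: flag a transaction when more than `limit` share `key` in `window`."""
    recent = defaultdict(list)
    flagged = []
    for t in sorted(transactions, key=lambda t: t["ts"]):
        seen = recent[t[key]]
        # Drop timestamps that have aged out of the sliding window.
        seen[:] = [ts for ts in seen if t["ts"] - ts < window]
        seen.append(t["ts"])
        if len(seen) > limit:
            flagged.append(t["id"])
    return flagged


def linked_groups(transactions, fields=("device", "email", "ip"), min_size=3):
    """Group transactions that share any value in `fields`, directly or via a chain."""
    parent = {t["id"]: t["id"] for t in transactions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}
    for t in transactions:
        for field in fields:
            value_key = (field, t[field])
            if value_key in first_seen:
                parent[find(t["id"])] = find(first_seen[value_key])
            else:
                first_seen[value_key] = t["id"]

    groups = defaultdict(list)
    for t in transactions:
        groups[find(t["id"])].append(t["id"])
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)


if __name__ == "__main__":
    # The card-keyed rule only sees the burst; the paced sequence stays below it.
    print("velocity rule on card:", velocity_flags(TRANSACTIONS, "card"))
    # Linking on shared attributes puts t1..t5 in one group for review or scoring.
    print("linked groups:", linked_groups(TRANSACTIONS))
    # A shared IP is a weak link on carrier networks, so it can be left out.
    print("without ip:", linked_groups(TRANSACTIONS, fields=("device", "email")))
```

A linked group is a signal to score or review, not proof of fraud: families and corporate travel desks also share devices and addresses.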
Counting on data for new types of fraud
It is imperative for airlines to sharpen their fraud prevention strategy, as it is not just about credit card or payment-related fraud anymore. So rather than only securing payments, there is also a need to protect accounts and monitor loyalty miles claims.
So how should an airline go about allocating resources for overall fraud management? Where do airlines tend to fall short?
Travel e-commerce entities need to apply big data and real time machine learning not only on securing payments, but also for securing accounts and monitoring loyalty miles claims.
“Using the same real-time machine learning techniques and behavioural analysis, the core fraud screening technology used for securing payments can be applied to securing accounts and monitoring loyalty miles claims as well. Similarly, data about the user can be collected from the airline’s website, including his/ her behaviour on the website or what he/ she does on the website,” mentioned Lie. “With an effective automated fraud management solution that eliminates the need for manual reviews and thus the need for heavy human labour, airlines can in fact save much more resources on fraud management.”
Lie said considering that airlines have a very low profit margin per transaction made, each fraud loss impacts the airlines significantly. Yet most airlines continue to rely on human labour, which contributes to overall costs to the business on top of fraud losses from ineffective fraud solutions. Airlines should seek to automate their fraud screening processes for greater efficiency as well as to concentrate their focus on other parts of the business. Adopting risk-averse tactics (such as keeping fraud to an absolute minimum) also eats away at an airline’s revenue. Instead, airlines must adopt an optimal risk management approach to its e-commerce strategy to fully maximise its revenue potential.
Data definitely has a role to play, and while data is important, what is more important is the quality and relevance of the data.
Relevant data is necessary to improve fraud prevention, as well as to improve the machine. For instance, if the machine is regularly receiving non-relevant data, the resultant output will be non-relevant decisions.
In addition, the way the data is processed must also be relevant when making probabilities of fraud risk. Also, instead of implementing a fraud prevention strategy that requires long gaps in training machines with data sets, travel companies should shift towards real time machine learning (or real time automated) fraud systems to get ahead of the fraudsters.
First Published on 10th August, 2017
Ai Editorial: Cyber-attacks resulting from hacking of public Wi-Fi connections aren’t new. But travel e-commerce companies need to be sharper than ever, writes Ai’s Ritesh Gupta
Connecting to free Wi-Fi is one move that the majority of us can’t do without. As much as the urge to stay connected is understandable, this can also play havoc with our sensitive data. Hackers can steal our credit card numbers, login credentials pertaining to a loyalty program or any other account, etc. So as much as travel e-commerce companies try to combat every possible loophole that puts travellers’ key details at risk, this threat continues to trouble all the stakeholders.
The significance of safeguarding a Wi-Fi network was highlighted recently by the WannaCry ransomware cyberattack.
In this context, airlines and other travel companies need to be more vigilant than ever. For instance, an unsafe Wi-Fi connection used by the airline staff can pave way for illegal access to internal networks for cyber criminals. Also, companies can’t ignore the threat of drive-by ransomware downloads and phishing attacks. It also needs to be understood that just because a connection requires a password to log in, it doesn’t mean a user’s online activities are encrypted.
Attacks on public Wi-Fi
There are basically two kinds of public Wi-Fi networks: secured and unsecured. With the latter, users can connect without any type of security feature like a password or login.
In May this year, Norton by Symantec surveyed over 15000 mobile device users who had connected to Wi-Fi. The findings were as follows:
· 60 percent feel their personal information is safe when using public Wi-Fi, yet 53 percent can’t tell the difference between a secure or unsecure public Wi-Fi network.
· 75 percent of consumers don’t use a Virtual Private Network (VPN) to secure their Wi-Fi connections, even though it’s one of the best ways to protect your information.
· 87 percent of consumers have potentially put their information at risk while using public Wi-Fi
Organizations need to be ready to combat vicious “man-in-the-middle” strikes. These are carried out by cybercriminals or hackers using a rogue hotspot.
For such a malicious move, a fraudster or a hacker gains access to an unsecured or weakly secured Wi-Fi router. Such connections are usually found in public areas with free Wi-Fi hotspots. Once the weak link, say poor configuration or a weak password, has been cracked, the hacker deploys their kit in between the user’s computer and the websites the user visits. Cyber criminals are also finding methods to infuse malware into computers, which then settles into the browser without the user being aware of it. After this, the data being exchanged between the victim and the specific targeted website is recorded and coded into the malware. Yes, many companies use secure websites (HTTPS, or Hypertext Transfer Protocol Secure) to provide online security. But once an affected user gets connected, HTTPS encryption on web pages can be evaded in some cases, and the website could be displayed in plain text HTTP including all input form text boxes for passwords, credit cards, etc.
Offering a secure Wi-Fi
In case an airline or hotel is offering public Wi-Fi connectivity, some of the points to consider are:
· How to keep Wi-Fi networks safe and control the content that can be accessed? It is a must to look into areas related to Wi-Fi content filtering and security.
· How to be in control of Wi-Fi content in multiple locations?
· What are the potential risks that are associated with unsecured Wi-Fi hotspots?
· How can the liability be minimized via cyber insurance?
· Should free Wi-Fi systems be hosted on a stand-alone network? One that is not connected to systems that maintain sensitive data.
· Are guests/ passengers going to be protected from malware and ransomware infections? There needs to be a provision to counter phishing websites.
Travel e-commerce companies have been relying on Internet Protocol (IP) intelligence to cut down on fraud. Such information is about the location of the user/ device initiating the contact and the reputation/ risk score of the IP address. This includes details related to suspicious Internet locations such as public Wi-Fi hotspots.
Creating awareness among travellers
Airlines need to ensure their loyalty program members’ respective accounts are safe from hackers especially when they are on public Wi-Fi.
As highlighted by Points, a loyalty e-commerce and technology specialist, travellers need to add a mobile hotspot to their mobile data plan. This way they can set up a private Internet connection on the go. In order to encrypt any data users send or receive over a public Wi-Fi network, they can use a Virtual Private Network (VPN) from a trusted vendor. VPNs provide a “secure tunnel” that encrypts data being sent and received between your device and the Internet. Use them for your privacy.
Other recommendations include:
· Try verifying the authenticity of the Wi-Fi network before using it. Never connect to a network identified as computer-to-computer. And if you are using one, then don’t access sensitive personal data or important accounts on unsecured public networks. Even secured networks can be risky.
· Users need to protect their passwords. Whether banking or email passwords, those are very valuable to cyber criminals. Don’t update your passwords on a public Wi-Fi.
· Ensure your device is not set up to automatically connect to an unknown Wi-Fi network. If yes, this means users can seamlessly connect from one hotspot to the next. Switch them off when in unfamiliar locations. Keep a vigil on your Bluetooth connectivity, too.
· Refrain from doing transactions over an unsecured Wi-Fi network. Also, turn off file sharing while using Wi-Fi.
· Only browse websites that start with HTTPS and avoid websites that start with HTTP while on public Wi-Fi.
· Install a reliable security solution.