Ai Editorial: Paying via click, tap or touch is fine, but what about chargebacks?

First Published on 6th June, 2017

Ai Editorial: Completing a transaction via wearable devices or relying on biometric authentication for shopping is exciting. But airlines need to dig deeper to assess potential issues, writes Ai’s Ritesh Gupta

 

New technology, emerging ways to transact, biometric data for authentication…all of this is exciting indeed.

Say you are the airport, your wearable device guides you to your gate, a transaction can be done via an app or a platform featuring chatbots, in a way you are about to embrace 100% self-service passenger journey. This simplifies travel, a traveller is in more control than ever.

But it isn’t a straightforward process for airlines, as new technology or even payment methods need to be incorporated into their existing infrastructure.

Here is what airlines need to consider to avoid potential issues related to poor customer experience and chargebacks:

One mistake and a chargeback is a possibility: The adoption of wearable devices or the use of biometric technology like fingerprint scanning and facial recognition can’t be ignored. Speed and convenience are definitely major plus points. These develpoments have already showed signs of becoming a norm. Companies like Mastercard are counting on biometrics like fingerprints or facial recognition to verify a cardholder’s identity, simplifying online shopping. The digital check identifies users using unique individual characteristics, like fingerprint or face. Of course, when there is no need to remember a password, the chances of a conversion go up as there is speeding up of the digital checkout experience. According to Juniper Research, the number of OEM-Pay contactless users, including Apple Pay, Samsung Pay, and Android Pay, will exceed 100 million for the first time during the first six months of this year, before crossing 150 million by the end of 2017.

 

So keeping pace with such developments is a must for any travel e-commerce brand. But it shouldn’t be forgotten that the chargeback process is old-fashioned. It is vital to assess how to keep pace with disruption in payments. If there is claim for a chargeback and airlines attempt to dispute the same, then what will issuers accept as convincing proof needs to be ascertained.

According to Monica Eaton-Cardone, co-founder and COO of Chargebacks911, and the CIO of its parent company, Global Risk Technologies, referring to wearable payments, networks will not have considered the different types of data that will be associated with these technologies and, therefore, will not recognize valuable information as valid forms of evidence.

In a way, card network regulations are stuck in the past, and haven’t made any significant progress.

“It will be years until the data associated with these wearable devices will be recognized by the card networks, leaving merchants liable for billions in losses from undisputable, illegitimate chargebacks,” Monica mentioned. Even in case of biometrics, she underlines that it can be identified that a cardholder “almost definitely authorized a transaction, but if the card network won’t accept biometric data as proof, that information is of no use. She points out that biometric approval is part of a coherent antifraud plan, not a answer on its own.

Even Visa last year acknowledged that one of the challenges for biometrics is scenarios in which it is the only form of authentication.

“Biometrics could result in a false positive or false negative because, unlike a PIN which is entered either correctly or incorrectly, biometrics are not a binary measurement but are based on the probability of a match. Biometrics work best when linked to other factors, such as the device, geolocation technologies or with an additional authentication method,” stated Visa.

Monica is certain that in the absence of a flexible infrastructure that can facilitate options such as wearable payments, the problem of chargebacks will only swell.

Also, payments via chatbots (say on Facebook Messenger) can be integrated in a simple way. Brands need to make the most of such interactions, considering the popularity of messaging apps.

But the team at Chargebacks911 also cautions against poor execution of chatbots, in case they aren’t proficiently managed then there can be user frustration and more chargebacks.

Being aware of new avenues for fraud: A major hurdle with emerging technologies lies in evaluating how they will be implemented and what the response will be.

Visa does recommend that new forms of authentication must reach a balance between speed and security.

Specialists recommend that making judicial use of “friction” during the booking flow or checkout isn’t a bad option.

So friction can result in careful consideration of the booking process. In case a shopper doesn’t take that fraction of second to be in control of the situation, it can result in a buy they weren’t completely sure of or they may even complete a transaction without thinking through it properly.  

Do remember that unauthorized transactions by family members are one of the primary causes of chargebacks.

As for being realistic with 3DS 2.0, Chargebacks911cautions that this new development is an effective tool for targeting criminal fraud, but it has little impact on friendly fraud, which is ultimately responsible for most chargebacks.

Being prepared

Airlines, as merchants, can't do away with the need to go for multiple layers of technology such as tokenization, biometrics etc. to protect each and every transaction.

Yes, as much as digital payments strategy is going to revolve around choice, there is also a need to ensure the same meets not only a shopper’s preferences, but also ends up meeting issuer and merchant’s needs, too.

 

Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year (29 – 31 August, 2017).

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: 3 ways airlines can sharpen their crusade against loyalty fraud

First Published on 18th May, 2017

Ai Editorial: Awareness among loyalty program members, avoiding data breach and fraudulent loyalty transactions, and being a part of a strong merchant community can bring down the risk of loyalty fraud, writes Ai’s Ritesh Gupta

 

Airlines need to assiduously take initiatives on several fronts in order to safeguard their loyalty programs. The threat of loyalty fraud can’t be ignored as a fraudulent activity via use of miles would denote a write-off on the balance sheet. This eventually affects margins. So airlines must assess their defence against loyalty fraud. 

It is time airlines comprehend how loyalty fraud can involve customers, employees, travel agents, partners, and what can result in data breaches, malware etc. and accordingly train relevant teams and find ways to forge reliability and security across the organization. A recent research by Ai revealed that 72% of airline loyalty programs have an issue with fraud. Additionally, 30% of airline programs reported the problem was growing rapidly year-on-year. However, surprisingly, 10% of airline loyalty programs didn’t know if they had a fraud problem or didn't know that it was possible for loyalty fraud to occur.

In one of Ai’s conferences, it was highlighted that airlines can be attacked from unexpected quarters.

For instance, the case of “registered users fraud”. It was highlighted that it is a common scenario that a registered user is considered to be a “loyal” or “positive” user.  But it is time revisits such notion. Why? As one of the speakers stated, “Because a registered user after an account takeover and without identifying it, could be the most dangerous account in an airline’s user base. The fraudster could use this account to steal any personal details and book via methods with lower friction and probably less fraud analysis. How many of you checking your registered users?”

 

There are 3 areas where airlines can focus on to combat loyalty fraud:

1.     Creating awareness among loyalty progam members: Members need to know how to protect their loyalty accounts. This is even more critical today as the loyalty earning and burning lifecycle has opened new avenues for fraud. Of utmost importance is the realization that loyalty programs are being hacked and what can be done to avoid this? Do members of a frequent flyer program treat their respective loyalty accounts as credit card information? This type of fraud is similar to card-not-present fraud. An account can hacked by capitalizing on weak passwords, stealing of identity etc. So it must be highlighted that if fraudsters gains access to an account, they can seize points/ miles and rob loyal members by availing redemption options (other threat is data breach). As Michael Smith, Managing Partner, Airline Information and Co-Founder, (Loyalty Fraud Prevention Association (LFPA) says passengers (or customers at large) should be wary about which Wi-Fi they are connecting to, and also as FFP members they must be cautious about sharing name and account number. “With those two bits of information, fraudsters just need to guess your password and they are in to your account,” he says. Smith asserts that a flyer shouldn’t share or post the picture of a boarding pass, as it features vital information.

Managing passwords isn’t an easy thing to do considering so many accounts all of us manage. But having one simple password for all log-ins can probably result in worst nightmare – more than one account getting hacked. When the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.   

So airlines need to inform about passengers about seemingly simple mistakes that can unknowingly create havoc with FFP accounts.

2.     Taking internal measures to avoid data breach and fraudulent loyalty transactions: As an industry, airlines have made rapid progress in dealing with card-not-present transactions. There is no reason why the same can’t be replicated for loyalty fraud, as pointers are quite similar. Airlines have to sharpen their real-time decision making, customize as per their current risk engine and workflow. Lot of organizations are adding multiple layers (of course, not at the expense of shopping experience), for instance, how intelligence behind the email addresses of customers can yield better results? Accertify, in a blog post, underlined that email address is being “highly under-utilized” by many companies as a vital tool in an overall risk assessment strategy. Referring to limitations of a device ID or a phone number in case of global companies, Accertify highlighted that every time email is used it leaves a trail of sorts, and this is strong enough to evaluate to the level of risk associated with a transaction. As a specialist, Emailage points out that email addresses have the same convention globally: user-name, “@” sign and domain. This makes the email address a perfect data point for robust risk assessment.  The way that fraudsters use email addresses fall into patterns that are identifiable based on velocity and structure.  

In addition to data from 3rd party sources, the fraud specialists within an airline must be supported to speed up the pace and precision of fraud detection – reduction in manual reviews, how to screen for loyalty fraud, access to real-time custom reports etc. Overall, organizations must gear up for login behavior, account changes and evaluation of purchase behavior. CyberSource recommends tracking of user account creation and login behavior, as well as screening for fraud at purchase and redemption of points.

3.     Being a part of a strong merchant community: Airlines, as seen in the case of payments fraud, have been a part of a strong merchant community to jointly wage a battle against fraudsters. New organizations and tools are coming up. The Loyalty Fraud Prevention Association, set up last year, is focused on using the experience gained in fighting credit card fraud to deal with loyalty fraud. Also, Perseuss, as merchant community’s answer to the problem of fraud, has developed Theseuss. This new platform gathers loyalty fraud intelligence, and features an active and collaborative community of loyalty fraud experts using the system. Theseuss would enable the exchange of fraud intelligence and evidence to allow the identification of loyalty fraud patterns. One of the highlights is the use of machine learning algorithms to discover potential fraudulent loyalty transactions.

Follow Ai on Twitter: @Ai_Connects_Us

 

 

 

 

 

 

 

Press Release: What has Facebook got to do with loyalty fraud?

                                                                                                              PRESS RELEASE
Glasgow, 11th May 2017

Your credit card or loyalty account was compromised, Facebook might be the reason, says newly formed Loyalty Fraud Prevention Association.

Compromised credit card accounts, and now more than ever compromised loyalty program accounts, are an ever-growing problem for consumers. Fraudsters hack, breach or otherwise steal accounts and then often sell them online. This may be done in plain site via Facebook. The Loyalty Fraud Prevention Association (LFPA) calls on Facebook to police this issue to protect consumers. This problem, among others related to loyalty fraud, will be discussed at the LFPA Conference in Atlanta on May 24th and 25th.

Peter Maeder, Secretary of the Loyalty Fraud Prevention Association says: 

“Any quick search for pages in Facebook for stolen credit cards will yield many pages and users selling stolen account data. These fraudsters are now finding loyalty program accounts to be an easier target. Our members, which include some of the largest travel companies in the world, have reported this issue to Facebook, but have had little or no success removing the pages.” 

The result is that loyalty programs and their members are becoming the victims of fraud costing tens of millions of Dollars annually. To address the growing phenomenon, the Loyalty Fraud Prevention Association (LFPA) will be gathering executives from loyalty programs from throughout North America and the world in Atlanta on May 24th and 25th of May, 2017. In addition to acting as an industry to stop Facebook and other Social Media sites from spurring fraud, issues to be discussed in this conference will include: Employee-driven loyalty frauds; Bot attacks on loyalty programs; Stopping fraud on the Dark Web; and the latest IT-solutions that combat loyalty fraud.

More information about the conference can be found at www.LoyaltyFraudAssociation.org

About the Loyalty Fraud Prevention Association (LFPA)
The Loyalty Fraud Prevention Association was founded in 2016. Its mission is to support the loyalty industry in its fight to reduce and eliminate fraud. Members consist of airlines, hotels, IT providers, financial services companies and others who operate loyalty programs from around the world.

For more information, visit www.LoyaltyFraudAssociation.org or find us on Linkedin.

LFPA / Press
Christopher Staab
Co-Founder, Loyalty Fraud Prevention Association
This email address is being protected from spambots. You need JavaScript enabled to view it.
+1 305 542 9901

 

Ai Editorial: Stepping up authorization for digital transactions via 3D Secure 2.0

First Published on 8th May, 2017

Ai Editorial: 3D Secure 2.0 is a data-driven initiative that supports digital payments and features expanded capabilities in terms of security and user experience, writes Ai’s Ritesh Gupta

 

The experience of searching for a flight and trip essentials can be a laborious one. In an era when travel e-commerce brands are jostling for winning “micro-moments”, losing out a conversion owing to an additional authentication layer at the time of checkout isn’t good news.

We all dread those few extra seconds, or the need for entering a password (which aren’t easy to remember) for a transaction to pass through.   

Even for airlines, as merchants, it isn’t easy to verify the authenticity of transaction as one can pay via a browser, mobile app, or connected device. So being in control of the purchase experience as well as controlling the chargeback level or fraud is always a tricky situation for airlines. 

Of course, 3D Secure has been around for a while, but airlines can’t go ahead with a binary view to such payer authentication; implement it across all transactions or don’t implement it at all. Travel e-commerce brands have been diligently looking at ways to choose the authenticate type and avoid unnecessary checkout issues, and getting better with “liability shift”.

3D Secure 2.0

3D Secure sets up an authentication data link between online merchants, payment networks and financial institutions to assess and share more intelligence about transactions. It has been widely acknowledged that the specification 1.0 was set up for PCs, and there wasn’t enough to deal with friction in the customer experience. A major issue with the traditional approach of 3D Secure today is transactions via mobile. 

Among the latest developments, 3D Secure 2.0 is being termed as a potential boost for digital commerce with quick, secure authentication, propelled by robust fraud-related intelligence. It strengthens the quality of real-time predictive risk scoring for both merchants and issuers. The new specification that would support app-based authentication and there would be integration with digital wallets, too.

Early adoption of the new specification is scheduled to begin in the second half of this year.

The two versions will run in parallel at this juncture. So support for both the versions would be critical as adoption rates of the updated specification among card issuers and merchants will vary.

For their part, EMVCo, a company which is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, introduced specifications for 2.0 in the last quarter of last year.

The industry is gearing up for 3D Secure 2.0. Merchants and issuers are already working on their implementations.

For their part, Visa has stated that in order to ensure issuers and merchants “have time to test, pilot, refine and fully roll out solutions, current Visa rules for merchant-attempted 3-D Secure transactions will extend to 3-D Secure 2.0 beginning April 2019”.  

 

 

Objectives

There are several areas, encompassing the shopping experience, mobile transactions, support for digital payments, cutting down false positives etc. that are being addressed with this new specification.

This new messaging protocol elevates the buying experience by facilitating intelligent risk-oriented decisioning that would result in frictionless authentication. Also, it lists use of numerous choices for step-up authentication, including one-time passcodes as well as biometrics.

The 3D Secure 2.0 is a data-driven initiative, and it means that passing data earlier offers merchants the ability to decide whether to authenticate a transaction or not. There would be a streamlined authentication, based on data elements shared through the protocol. The requirement of having to authenticate via static passwords would be done away with. The data available includes transaction related information as well as details about the device being used for the transaction. In fact, the 2.0 protocol will make extensive use of device data. This update also comes with the possibility to use token-based and biometric authentication, instead of passwords. So in the future a 3D Secure authentication will take place entirely in-app, with the touch of a finger.

There is a need to ensure a simple integration for additional data fields. The update paves way for a real-time, safe, information-sharing pipeline that merchants can pass on transaction attributes that the issuer can avail to validate users more precisely without asking for a static password or cutting down the pace of shopping experience. By supporting additional data during transactions, risk-based decisions will be possible on whether to authenticate or not.

As we highlighted in one of our recent articles, rigidity due to pre-constructed rules can now be combated with data sharing and data intelligence. And the release of 3D Secure 2.0 specifications, too, needs to be followed for the same. One way to ensure the decline rate is relatively lower could be via availability of quality data. Giving issuers a chance to interject themselves into the checkout can improve upon the risk assessment. So what was being done sporadically can be done in a widespread manner i. e. enabling issuers to amend their authorization risk settings and tie the authorization to the authentication. Enriched data flow with stakeholders with a better ability to approve “good” transactions.

The need to come up with 3D Secure 2.0 also grew owing to the prominence of non-browser-based, card-not-present payments used in-app, mobile and digital wallets. So as for mobile-related focus, one of the objectives of the new specification is to make the message interface and authentication flows amenable to mobile platforms.

As highlighted by Adyen, customer pain points are expected to be sorted out. For instance, the authentication will take place within a website’s environment, removing the need for a redirect. Also, importantly, it will feature SDKs that make it possible to set up authorization flows in-app, greatly enhancing the mobile experience.

Specialists have already underlined the significance of an analytics-driven approach to risk-based authentication, and issuers need to gear up for the highest granularity of control over the risk decision featuring advanced analytical methods.

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Chargebacks a cost of doing business, not an apt assessment

First published on 7th April, 2017

Ai Editorial: A meticulous approach needs to be attempted to target every source of chargeback. The role of data along with human expertise needs to be optimized, writes Ai’s Ritesh Gupta

 

Fraud threats are constantly changing and expanding. As fraud detection technology evolves, criminals alter their tactics—what worked for them in the past might not work today.

When it comes to fraud and chargeback management, agility is one potent weapon.

Be it for counting on new technology or human expertise or ensuring earning potential isn’t being curbed, airlines, like any merchant, need to be spot on with their moves.  

The consolidated figure for airline chargebacks is estimated to be $1.5 billion on annual basis. The financial consequences include dealing with fraudulent orders, expenditure incurred on fighting fraud and turning down valid orders. What’s typically the chargeback rate for an airline or a travel e-commerce entity that processes millions of card-not-present transactions on annual basis? Is it 0.8%, how can it be brought down to 0.7%? What’s the timeline and how can it improve the financial situation? This way travel e-commerce organizations not only keep the rate in control, but they are also striving to improve with pragmatic goals.

Here we assess some of the initiatives that can help in prevention of chargebacks.

Addressing the real issues: Airlines need to rely on technology, machine learning, and human forensics, or the blend of all to ensure one knows the real source of each chargeback. Otherwise one can never get to the core of the problem. The reason being a customized action, as part of a robust prevention strategy, is required to combat each chargeback source. Otherwise airlines won’t be able to target the right problem at an opportune time.

In this context, getting into details related to criminal fraud (how to cut down on unauthorized transactions that get processed?), friendly fraud (difficult to detect at time of purchase and issuers usually accept a customer’s assertion) and merchant error (it could be that even up to 40% of chargebacks could be cause by the merchant’s own mistakes, oversights, or shortcomings) is must. Also, airlines can’t only consider basic tools. At the same time, one can’t also feature every offering available for managing risk exposure. For instance, any merchant who uses Address Verification Service along with card security codes or 3D Secure is technically using multiple solutions to prevent fraud. Other options include card security codes, geo-location, device authentication, proxy piercing, biometrics etc. So airlines need to work out a meticulously constructed fraud mitigation plan.

 

 

Experts recommend that a move such as enforcing blacklists (featuring fraudsters) post an attack (rather than preventing the unauthorized transactions) isn’t an ideal move. Rather look at non-technical and API integration options, and act “faster”. Look out for the real source of each chargeback. Sort out areas like uncertain merchant error.

Coming to grips with the problem in time: The industry today is improving the acceptance rate with an integrated system for pre-authorization fraud scoring/ screening and post-authorization chargeback mitigation/ fraud recovery.

The travel industry is also relying on the efficacy of a machine learning engine that evaluates fraudulent users in real-time. Data is analyzed instantly, linking seemingly unconnected signs left behind by fraudsters. Other than detecting fraud, data is also playing its part in ensuring “genuine” orders do not get declined owing to any uncertainty around the transaction.

Alerts have emerged as a viable, faster alternative to the chargeback process. It is about how to do away with the need for a chargeback. And the key here is to stop processing of a chargeback in time.  As shared by ethoca during one of our conferences, upon notification from issuers, the company transmits an alert to the merchant. For their part, airlines can refund the passenger to avoid chargeback. Alert outcome is passed on to the issuer. Result: merchant and issuer liable losses recovered by card issuer on first contact. What this also means is companies can be in better control of things to come, preventing instances of fraud in the future. And companies can also use link analysis to eradicate related fraudulent orders.

Making the most of human expertise: Artificial intelligence or AI can extract anomalies and identify patterns from real-time data but human intelligence is still needed. According to Kount, it’s not just quality of data, its accuracy or the number of datasets that only matters, but human capabilities, too, are needed to communicate, strategize, and guide machines to the optimum business result.

Working in unison: There are multiple stakeholders at risk when it comes to chargebacks. 

Fraudulently filed chargebacks affect each stakeholder in the payment chain.

·          For merchants, a multi-layered approach is best. Today’s solution must be agile and diverse, coupling an evolving defence with effective representment strategies. 

·          Acquiring banks can help reduce the effects of fraud by establishing internal blacklists and developing chargeback triggers for advanced alert notifications.

·          Processors who undergo the most stringent underwriting procedures to maximize their KYC (Know Your Customer) compliance will ultimately reap the benefits through helping to ensure their merchants are following best practice methods that work alongside operational efforts to prevent friendly fraud.

·          For issuers, additional due diligence is key.  Despite the temptation to rapidly resolve a cardholder dispute, additional effort will pay off in the long run for those who consciously work to prevent bad habits from forming in the first place.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: New weapons for combating false positives – are airlines ready?

First Published on 29th March, 2017

Ai Editorial: False positives have never been easy to identify. But with machine learning, 3D Secure 2.0 and data intelligence, airlines can be in better control of the situation, writes Ai’s Ritesh Gupta    

 

The denial of a digital service that is routine or legitimate is annoying.

For instance, as a credit card user, if I intend to access my statement on  bank’s website, and if even after filling of details and password (which most users tend to detest), the access to the same is denied then it disappoint us in a big way. Similar is the experience of a genuine digital transaction that either gets denied or takes longer than expected duration to finish due to seemingly stringent security measures.  

Airlines need to invest in apt user experience strategy and an integral part of the same is to work out right acceptance gap for payments so that revenue generation doesn’t get impacted in a negative away. Conversion rate in commerce isn’t just about getting traffic to digital platforms, but what also matters is not turning away authorized orders and how companies deal with false positives.

Also, from a business perspective, any travel company can’t afford to have a poor profile i. e. being bracketed as a high-risk merchant. Any business with low transaction volumes needs to be wary, as even a single chargeback will be termed as a significant development to the issuing bank than it would for an airline with relatively higher transaction volumes.

So airlines need to be vigilant of the new developments, and make incisive moves to deal with this problem.

·          Finding ways to distinguish real buyers from fraudsters: It is time digital enterprises evaluate the limitation of automated responses from rule-based filters. KPIs for authentication for CNP transactions include historic chargeback data, card acceptance rates, cart abandonment, issuer declines, merchant reversal declines, interchange cost etc. But areas like how online anti-fraud technology impacts false positives need to be assessed. Airlines can dig deeper into the efficacy of rules-based authentication, seeking control over their transactions, and also sort out the manual review problem as human analysis can’t be done away with.

Today negative attributes are being assessed in a dynamic manner and this is where machine learning can contribute when it comes to dealing with constantly evolving patterns. At the end of the day, the list of potential offenders can’t be too restrictive, and at the same time, airlines can be lenient with fraud prevention as well. Machine learning can cut down on unauthorized transactions while also reducing the risk of denying a genuine payment. Key here is the fact that the model keeps training through regular feedback. How? With information about traffic (based on behavioral, identity, and network patterns), and more of the same being garnered, more precise predictions can be. This results into fewer false positives. Also, this analysis can also pave way for customized checkout experience with lesser number of fields or even the fastest possible processing for authentic travellers.

·          Counting on data intelligence: Rigidity due to pre-constructed rules can now be combated with data sharing and data intelligence. And the release of 3D Secure 2.0 specifications, too, needs to be followed for the same. One way to ensure the decline rate is relatively lower could be via availability of quality data. Giving issuers a chance to interject themselves into the checkout can improve upon the risk assessment. So what was being done sporadically can be done in a widespread manner i. e. enabling issuers to amend their authorization risk settings and tie the authorization to the authentication.

Enriched data flow provides stakeholders with a better ability to approve “good” transactions.

As indicated by CardinalCommerce, in the past, merchants and issuers relied on “relatively simple data points in making authentication decisions”. But by relying on emerging sources of data and data intelligence, there is a chance to cut down on fraud and false positives. Legitimacy can be verified via purchase history, device and behavioral information, relevant social media details etc. So airlines better lookout for extra authentication data elements that are available at the time of the transaction so that both the merchant and the issuer can make a more informed and precise decision as whether or not to complete or deny a card-not-present transaction.

(Related article: How Amtrak worked out 99.85% acceptance rate, significantly better than the airline industry 96.3% acceptance rate).

·          Impact of 3D Secure 2.0:  The new specification when officially launched is being tipped to contribute in a big way. 3D Secure 2.0, with plans for early adoption in mid-2017, supports new transaction attributes, and this is expected to curb the level of false positives.  

The objective of new specifications is to aid verification on the basis of data elements pooled through the protocol with focus on a frictionless shopping experience for card users. Also to make the message interface and authentication flows agreeable to mobile platforms.

3-D Secure 2.0 will enable increased use of risk-based and dynamic authentication.

The risk-oriented outcome will be shaped up by uniform and extended set of data elements.

Owing to risk-based authentication method, issuers relying on static or partial passwords have to mull the improbability that consumers will memorize or easily use their passwords if these are only used for 3D Secure and are occasionally called for.

So be prepared for abandonment and failure rate. Accordingly issuers need to find ways for authentication.  

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Protecting a passenger’s identity in a connected world

First Published on 24th March, 2017

Ai Editorial: Operationalizing digital identity assessments is one initiative that every e-commerce enterprise needs to manage diligently, writes Ai’s Ritesh Gupta

 

Airlines, like any merchant, need to safeguard their users’ personal details saved. Imagine a situation where flyers open a personal account on an airline’s digital platform to access speedy bookings and swift flight check-ins, and at some point such data gets stolen, forces breakage in access to digital services and even results in negative publicity. This is indeed going to be a dreadful situation.

E-commerce entities require data to serve personalised offerings, but if they become a victim of a data breach then even a project like digital transformation receives a major setback. No airline can fathom breach of loyalty miles, and hacker selling account credentials to redeem the miles for tickets!

While e-commerce entities like Ryanair are looking at account personalization in a big way, this also means fraudsters can count on user identities to access personal and payment details. The reason being: use a trusted credit card saved in a valid customer account.

There is no scope for traditional ways of securing accounts or fraud prevention, for instance, savvy digital entities, focused on enrolling customer details in new ways to personalise their offerings, now consider static information being stored as a potential threat to being breached. The level of security or layers needs to be evaluated as fraudsters can hijack legitimate login sessions. Do seek a tighter measure against malware or social engineering attacks.

In fact, the threat of being breached can have detrimental impact on a bunch of airlines at one go. How? Experts don’t rule out multiple airlines systems being breached at the same time: when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.

Bigger threat with “connected” world

Today’s intricately connected world means airlines have to work on their IT infrastructure, data management, digital interfaces etc. to ensure there is consistency in interactions. But this digital first approach also calls for stringent protection.

For instance, the Internet of Things (IoT) assumes that information and data will flow seamlessly and securely from one device or one party to another, where it can be accessed and used immediately. If the IoT keeps tracks of the items you intend to purchase, it can automatically tally the payment and process the payment as soon as it connects to the nearest payment terminal or app and verifies the customer's information and data. But wouldn’t this call for a stronger protection?

Fraudsters can work out near perfect identities from the digital detritus that digital entities and consumers are providing.  As ThreatMetrix aptly states: “It is identity, not passwords or payment details, that is the cybercrime currency of 2017: near perfect, yet terrifying, simulacrums of you and I that can be used to open new accounts, hack into existing ones, and monetize fraud attacks.”

According to ThreatMetrix’s Q4 Cybercrime Report, few of the alarming trends that need to be watched out for include:

·      New account originations continue to be the riskiest transactions with nearly 1 in 10 rejected.

·      Considering a spate of data breaches,  organizations can’t rely on static data elements. Dynamic information featuring a user’s digital identity will be critical in distinguishing “good customers from bad”. 

·      Fresh assaults will target collection of more details to strengthen stolen identities, rather than immediate monetization.

Attack from several quarters

Airlines need to consider the fact that one doesn’t distinguish between identities penetrated from behind a network/ firewall or via an account compromise. It is a big blow, one that, propelled by convincing identities as formulated by fraudsters, can fuel large-scale attacks. 

Organized crime

This stolen data is traded by organized and networked crime networks via certain websites, apparently made accessible via specialized encryption software and browser protocols that conceal the location of cybercriminals who are part of such sites.

Recently, a cybercriminal was reportedly sentenced to 50 months in prison for identity theft. This fraudster was caught selling personal data of victims on a cybercrime platform, AlphaBay.

Definition of being safe

When we talk of digital first for a seamless, personalised experience, the safety of identity or account data to needs to be prioritized as well.  Also, considering the lightening speed with which consumers expect every digital interaction to shape up,  airlines need to validate customer identities without any friction.

Bot detection, ID verification, device check, cookie erasing etc. are coming into use.

Specialists assert that it is critical to evaluate every digital identity, one shaped up by dynamic, shared intelligence unearthed from a variety of sources rather a specific organization a user transacts with. Time one looks at blending static identity data with dynamic, real-time intelligence from current and historical transactions. In order to gain better results and minimize friction, specialists are counting on behavioral biometrics , analytics and a predictive model based on past behavior and transaction data to authenticate transactions. The plan is to relate user and device interactions in the present session to past user and device interactions, and look at the gamut of attributes associated with the user, device and connection.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

Follow Ai on Twitter: @Ai_Connects_Us

  

Ai Editorial: Assessing exploitation of connected devices for DDoS attacks

First Published on 15th March, 2017

Ai Editorial: DDoS or distributed denial of service are damaging for all e-commerce entities, and IoT-based botnets are only adding to the threat of disruption to services, writes Ai’s Ritesh Gupta

 

Businesses need to gear up for the era of Internet of Things (IoT), make the most of tokenization offering for contextual commerce, realign the flow of work across the business to service customers better…pressure is immense on organizations, including airlines, to evolve and embrace digital disruption.

But an inherent weakness in a technology or devices can result in a cyber assault, and airlines need to be wary of the same.  

A prime example is IoT continuously being exploited and used in cyber criminal activity. It is important to assess how to counter concerns such as IoT fuelling future DDoS (distributed denial of service - a host of compromised systems launch an assault on one target, thereby triggering denial of service for users of the targeted system) attacks.

This point is being raised as the number of attacks, the severity of such strikes and even the revelation of vulnerabilities can throttle a move towards change. This is not to discourage what an airline needs to do to embrace digital transformation, but rather prepare for any move in a meticulous manner.

Be it for online banking, retail or travel, e-commerce as a sector has to counter such malicious moves.

Relatively easier to hack now

At a time when passengers expect a real-time answer or action on their feedback, what airlines need to be wary of is a break in any of the touchpoints and tighten their security.

The more devices an airline connects to the Internet, the more exposed this carrier would be to potential attacks.

It is being highlighted that the technical proficiency needed to perform cyber attacks is on the decline. Malware and services such as DDoS are easily acquired on the dark web. Other than DDoS, ransomware on connected watches, fitness trackers and TVs is expected to pose another challenge.

In their recently released report, National Cyber Security Centre (NCSC), the national technical authority for cyber security in the UK, stated that the degree of cyber threat varies from technical skills being “bought” to persistent threats involving custom-built malware designed to compromise specific targets.

Being digital first also means tighter security

If we talk of mobile-first engagement, attacks such as the one reportedly featuring Tesco Bank in the UK (it was reported that either Tesco’s internal systems or their mobile application were breached) put a question mark over the security of mobile apps. There are steps that airlines definitely need to focus on – additional layer of security in the form of biometric recognition or facial recognition, end-to-end encryption, working on mobile app security testing as part of the software development lifecycle etc. As for mobile-related threats, specialists point out organizations need to be wary of elevated permissions to install further malware such as keyloggers which could be used to steal login credentials, SMishing often proving to be more effective than traditional PC phishing campaigns etc.

But even as mobile malware is growing (surely can’t be ignored), it is the IoT that is proving to be a bigger concern. It has expanded the risk to all customer devices becoming compromised or attacked. Poor security practices in connected devices is coming to the fore. With feeble security, IoT devices are resulting in DDoS attacks. Not surprisingly, the list of vulnerable areas now features attacks on building blocks on which the Internet runs.  

For instance, the looming threat from the Mirai botnet. This botnet is being monetized today by cyber criminals for a large DDoS. It scan IP addresses across the internet looking for insecure devices. As per the information available, Mirai, a malware infecting vulnerable, connected devices, scans for 68 user name and password mishmash when attempting to infect and control a connected device.

The emergence of botnets means cyber attacks are only getting sophisticated. If we talk of “threat actors”,  there is this trend of learning from, hiring and working with one another. Akamai recently highlighted that the largest DDoS attack in their network came from Spike, a malware that has been around for over 24 months. This points to the fact that botnet operators take the emergence of Mirai botnet as a challenge, and try to compete and prove more hazardous with their next attack!  

What to consider?

Protecting the disparate components of the IoT ecosystem is vital.

Such devices need to be protected considering that they are operating in a digital environment. Equally important is the security of data transfer featuring the IoT devices and the platform. Data and privacy breaches continue to be on the rise. Also, a secure API platform is must.

Specialists also have been clarifying some of the misconceptions. According to Imperva, a data and application security specialist, even high bandwidth won’t shield a site from concentrated packets-per-second (PPS) and application layer attacks (no amount of bandwidth can guarantee 100 percent uptime), and there in no point in relying on a pre-existing appliance to block an incoming DDoS assault.

E-commerce entities, be it for airlines or online travel agencies, need to look beyond common vulnerabilities such as SQL injections or Local File Inclusions. So be it for working out scalable threat prevention security for any cloud - public, private and hybrid or trained staff or to working out right security architecture as well as documenting all networks with known traffic flows and shielding all disparate components of the IoT ecosystem, a detailed preparation is needed to protect the digital assets.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Contextual commerce – are airlines ready for it?

First Published on 9th March, 2017

Ai Editorial: One click payment for an airline ticket from the interface you prefer the most – say Facebook Messenger app, WeChat, WhatsApp etc. ? This is the sort of commerce infrastructure airlines need to prepare for, writes Ai’s Ritesh Gupta

 

What can lead to a conversion based on even one signal that a digital consumer today gives to go for a product or service? These signals aren’t mere search keywords or clicks on a website/ app. It’s about the interplay of context, location, interface as well as the device being used and payment facilitation.    

For instance, a group of friends are interacting via Facebook messenger app, they decide on meeting at a particular venue location (exact location is shared via a link/ map), and all of them avail an on-demand service without leaving the chat or the interface. No app was downloaded. Similarly, a passenger starts the shopping journey with interaction with a chatbot or initiates a search for a flight via a digital assistant, moving on to a meta-search environment and eventually completing a transaction without leaving the conversation. 

This is just a glimpse of how commerce is evolving.

What stands out is what’s working in the “background” to seamlessly process payments.

All of this is crucial for travel brands to assess, as one can’t ignore the prowess of ecosystems such as Facebook, Google, Apple, Alibaba etc. or the popularity of social and messaging apps.

Dealing with friction

The significance of letting a travel shopper wrap up a transaction without the friction of leaving a site or an app can’t be ignored.

Airlines need to make the most of tokenization offering that works in the “background” to ensure they are part of contextual experiences - search, social interactions etc. – and end up aiding a potential traveller to shop with them. Intermediaries like meta-search engines have been relying on APIs to ensure bookings are done within their environment, irrespective of the airline’s payment processor. APIs are playing a vital role in countering the intricacies of moving payment data between different stakeholders involved in the shopping journey, could be for retailing or travel-related buy. The end result here is the seamless movement towards buying an air ticket or an ancillary with an optimized checkout flow.

Travel may not be a frequent buy, but still a major plus is speedy checkout experience that customers expect as they don’t need to re-fill or share information again and again.

Skyscanner is reaping benefits related to better conversion rate. The team has been working on their direct booking offering that allows airlines to offer a fully localized booking experience, letting users to research, select and instantly book itineraries within their environment without having to re-direct to supplier sites. As for airlines, they process the requests and retain all of the passenger’s details.

 

Securely moving payment data

It is also imperative to assess the security of such initiatives. How secure is an RFID band that functions as both a ticket and a wallet? How Facebook is equipped to safely part with its own stored payment data with an entity like Uber and yet ends up ensuring Facebook Messenger users sustain control over their information? Specialists like PayPal have progressed swiftly, stating that sharing of customer, payment, and other data is done securely with PCI Level 1 compliant parties while keeping an entity vault protected, and also equally secure is sharing of data within their network of merchants.

But airlines still need to be wary of couple of issues.

Rather than rushing and joining the bandwagon, do look at risk mitigation.

As a specialist in this arena, Chargebacks911 explains that if the industry does not take basic safety measures before going for new technologies, then such initiatives can be more of a liability than a benefit.

For instance, referring to wearable payments, the team points out that it may turn out to be more secure when compared with standard payment options. “Wearable payments make use of the same kind of tokenization technology as other payment methods, like digital wallets and EMV chip cards, which may prove to function just as well on wearable devices,” says Chargebacks911’s COO, Monica Eaton-Cardone. She says one needs to be wary of family fraud and friendly fraud. In a recent blog post, she raised a pertinent point, “What will issuers accept as compelling evidence when merchants attempt to dispute chargebacks? The chargeback process is archaic—it can’t keep up with all the developing technologies. Networks will not have considered the different types of data that will be associated with these technologies and, therefore, will not recognize valuable information as valid forms of evidence. It will be years until the data associated with these wearable devices will be recognized by the card networks, leaving merchants liable for billions in losses from undisputable, illegitimate chargebacks.” She added that as of now, merchants already lose as much as $40 billion each year due to chargebacks.

So emerging technologies can augment the customer experience with seamless transactions, but areas like security and privacy, and chargebacks can also hamper the same.

 

Gain an insight into intriguing issues at Ai’s 11th Airline & Travel Payments Summit (ATPS) this year.

Date: 3 May - 5 May 2017   

Location: Berlin, Germany

For more info, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Managing account takeover fraud – a must in era of personalisation

First published on 24th February, 2017

Ai Editorial: Airlines need to move fast to be ahead of the curve and protect themselves against account takeovers, writes Ai’s Ritesh Gupta

 

The benchmark for completing a digital transaction – the moment when you are about to pay - is one click or swipe.   

Of course, in order to deliver one-click checkout experience, travel e-commerce players have to garner personal information, store chosen payment method and keep it secure. This transaction-related information is a vital component of overall account personalisation that businesses are keenly looking at today.

But what needs to be noted is that account takeover is the latest fraud tactic that is troubling merchants, and airlines, too, can be victims as merchants.

Account takeover fraud happens when a fraudster/ hacker misuses a user’s personal details saved with a merchant in order to take control of an existing account. Fraudsters bank on stolen credentials and phishing schemes to hack into or take over legitimate user accounts. They are capable of gaining access to accounts via malware, SQL injection attacks, spyware etc. And this can surely have a detrimental impact on trust and loyalty among valued customers.

Being wary of fraud as account personalisation picks up

As we highlighted in one of our recent articles, account personalisation is on the rise. One area where progress is being made is speedy bookings and swift flight check-ins on airline-owned platforms. Ryanair took an exemplary initiative last year, one related to account personalisation. This way the carrier chose to enable passengers to share their travel preferences by setting up a personal profile, and saving passport details etc. The users can also store their payment information.

So if on one had such initiatives are bound to make trip planning, booking and even servicing simpler, more efficient, then on the other  one needs to be wary of the situation where such data related to a user’s account gets stolen. 

Data breaches are dreadful, and this trend can also end up in a massive threat for airlines.

It is becoming common for cyber criminals to hack data, and then reuse the list of email addresses and passwords they have obtained on multiple sites. So here is what would happen - when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.

Similarly, a hacker can take over a user account, and if it has loyalty miles, sell the user account credentials on the black market to fraudsters to redeem the miles for tickets.

Identifying suspicious behavior

Account takeover security comes into action from an early stage – keeping a vigil on new account creation and the way these accounts tend to be used. This helps in assessment of risk with certain level of accuracy. In term of prohibiting fraud from happening, a fraudulent activity say a transaction is stopped before it takes place. Here a flexible rules engine highlights a dubious activity based on users’ behaviour and device attributes. As CyberSource states – an organization can then choose to accept, reject, or challenge the users to authenticate themselves – before the event can occur. One can also spot valuable returning customers.

A user’s device and Internet connection information can prove handy in managing such fraud. The device-based customer authentication can add a layer of defence against account takeover. This is important when assessing whether the real account owner is accessing the account or not. A way to do it is via evaluating a cookie associated with the stored payment method. If the same is missing when the payment method is used, then this person can be asked to re-fill the card number or provide verification code. So if a fraudster is trying to skip recognition by masking their IP address or spoofing geolocation, one can verify the real IP address and compare that to the stated IP to detect risky activity.

Recently, when I forgot my Apple ID password, I was asked to share the ID, filled in a code twice, and then could retrieve password via registered email or by filling out answers to questions registered earlier. And eventually guided about how to work out a strong password. But is it enough for account protection? The best answer is to make sure there is enough human expertise within an organization. And do keep an eye on any new stringent way of security. Behavioral analysis is one area that is becoming increasingly sophisticated. Swipes, taps, cursor movements etc. are being analyzed for navigation flow, time spent etc. to understand the behavior. It is also being suggested that behavioral biometrics, which spots patterns in human activities, needs to be looked upon for continuous authentication, and looked beyond the two-factor authentication (2FA) method. So as airlines analyse more and more data (for example, device authentication, device ID, device fingerprinting etc.), fraudsters will struggle to fully to pass off as genuine. These new measures are must as hackers/ fraudsters are working on machines for getting around these security measures.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Editorials

  • Ai Editorial: How is Sabre placed today with “rapid of evolution” of IT offerings? +

    First Published on 21st August, 2017 Ai Editorial: “Any competition is good. We are the leaders, we are the innovators, we continue to invest significantly to maintain and expand our Read More
  • Ai Editorial: Trapped in risk-averse fraud strategy? Stop focusing only on rules-based approach! +

    First Published on 18th August, 2017 Ai Editorial: Airlines need to be realistic about the flaws and limitations of the rules-based systems - mainly on their hindrances to scalability and restrictions Read More
  • Ai Editorial: Knowing a passenger inside out – the journey has just started +

    First Published on 16th August, 2017 Ai Editorial: It is the dream of every marketer to have a rich set of customer data that is consistently available at every touchpoint. Read More
  • 1
  • 2
  • 3
  • 4
  • 5