First published on 25th August, 2016
Ai Editorial: Airlines are counting on machine learning to make decisions designed to optimize sales while keeping fraud and chargeback rates under control, writes Ai’s Ritesh Gupta
How efficiently machine learning is coming to grips with blocking fraudulent transactions automatically? And how does it work?
As I initiate my conversation with Justin Lie, who has built CashShield, a SaaS based self-learning fraud prevention solution for ecommerce, from scratch, I am eager to know how the industry is trying to combat fraudsters.
The first remark is sharp enough to grab attention. “In recent years, online fraud syndicates are increasingly using machines to mask their online transactions as genuine, and they are well ahead in the technology that they are using as compared to what the travel industry is currently deploying. Therefore, it is imperative for companies in the travel sector to move towards using big data and machine learning to deal with fraud more effectively.”
As this tactic has been around for a while, where do cracks emerge then?
Singapore-based Lie, Group CEO, Founder, CashShield, says when we talk of machine learning, it is important to differentiate between the different types of machine learning deployed. Many fraud solutions in the market now tout their use of machine learning, but they are usually only using one form of machine learning – predictive analytics – which allows the solution to predict future fraud based on historical data.
Not just predictive analytics
So this method of fraud prevention is good, but problems arise when completely new transactions with no historical data are submitted into the system, and there is no way for the machine to predict whether or not the transaction is genuine or fraudulent.
“For instance, when a fraudster uses a new program to carry out a fraud attack, there would be no records of the new program, making it difficult for the machine to detect the suspicious behaviour until the fraudulent transactions were accepted and later recorded in the system as fraudulent,” explains Lie.
He says to increase the effectiveness of the fraud system, another form of machine learning must be used as well – pattern recognition.
“With pattern recognition, even without any prior historical data, the machine is able to detect patterns across different transactions and diagnose if the transaction exhibited bot behaviour or human behaviour,” Lie asserts. Using big data, the system collects information from the merchant’s website, such as the user’s web movement behaviour, social media accounts, likes or comments on the website, e-newsletter subscription or alternative payment methods. Combined with pattern recognition, the system draws patterns (for both positive and negative behaviour) to map the DNA profile of the user, and determine if other incoming transactions exhibit the same (fraudulent) behaviour or not. The large quantity of information collected from big data makes it difficult for fraudsters to cover all of their tracks, therefore increasing the effectiveness of preventing fraud.
We also dwelled on what different types of machine learning are there for an apt blend of chargeback protection and fraud prevention.
Lie explained: pattern recognition, deep learning and stochastic optimization are also necessary for combining millions of test results to be crunched for an optimized yes or no decision in real time. “Predictive analytics falls under the branches of supervised learning in machine learning, and is important to predict if a fraudster will use the same attack again in the future. However, other forms of machine learning – unsupervised learning – are also important, especially when new attacks with no previous data happen. Unsupervised machine learning is able to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour, and is effective in identifying genuine customers as much as identifying fraudsters,” he said.
He further explained: Statistical modelling provides test results, while probability modelling assigns weighting. When we apply this to fraud screening, using probability modelling only gives you a risk score based on the information collected about the transaction. The merchant still has to rely on a team of manual reviewers to look at the risk score and decide whether or not to accept the transaction. The problem here is that fraud officers are often risk averse and their main KPI is to bring the fraud rate as close to zero as possible, which results in many borderline genuine transactions rejected. Consequently, sales suffer tremendously since many genuine customers are turned away. Therefore, it is more useful and effective to rely on an algorithm – what we call an optimized fraud risk management algorithm – to make decisions designed to optimize sales as much as possible while keeping fraud and chargeback rates under control.
Optimized fraud risk algorithm
As for how such algorithm functions, Lie referred to two examples:
· The first example: It is not uncommon for a sibling to use another sibling’s online shopping website account to accumulate more loyalty points easily or for the former to use the latter’s accrued loyalty points for discounts. The problem occurs when the former sibling ends up signing in from a different IP address, uses a different device (different device fingerprint) and pays with a different payment account. Immediately, this will be flagged as suspicious behaviour, as it seems like a fraudster is hacking into the user’s account. However, through identity mapping, powered by machine learning, with the algorithm, the machine is able to use data to identify positive behaviour, rather than focus on all the negative behaviour only to pull this genuine customer away from the pool of flagged transactions.
· The second example: Small signs may be used to point out signs of fraudulent activity, even if they seem insignificant. Perhaps we have a user who, every time he makes a transaction, will be conscious to unselect the field to subscribe to the merchant’s newsletter. However, a fraudster that has hacked into his account has programmed his attack to select the field to subscribe to the merchant’s newsletter. With small signs like this, the machine is able to see how this fraudulent transaction does not match the user’s purchasing pattern of behaviour, and is therefore able to reject this transaction as fraudulent rather than genuine.
Follow us on Twitter: @Ai_Connects_Us
Justin's profile: LinkedIn
First published on 17th August, 2016
Ai Editorial: Given the growth in card-not-present transaction volume, airlines need to be proactive to understand what triggers friendly fraud and how to deal with it, writes Ritesh Gupta from Kuala Lumpur
Airlines are constantly looking at ways to minimize the impact of chargebacks and one of the topics keenly discussed during the 5th ATPS Asia Pacific was “friendly fraud”.
Unlike fraud initiated by a criminal, friendly fraud is the case where a “cardholder” claims fraud for a transaction they were involved in. This type of fraud is hard to deal with as the legitimate cardholder uses the card with all of the correct information, and then disputes the same. What works against airlines and merchants is the fact that chargeback dispute procedure doesn’t support them, as banks and credit card organizations tends to seek only a small amount of proof from customers to corroborate a dispute claim.
Speaking here in Kuala Lumpur, Brett Small, Regional Director, APAC – Ethoca, mentioned that friendly fraud refers to “fraud that is committed when an individual had knowledge of and/or was complicit with and/or somehow benefited from the transaction on their own account, although the individual reported the transaction as unauthorized”.
Talking of airlines, Small said in case of airlines, friendly fraud is generally the result of buyer’s remorse, additional charges or fees, disagreement with refund rules, and a transaction that is completed by another party. He also explained the spectrum of behavior – varying from a benign one that generally involves a household/ family member (so may be a traveller is on the check-out page on a device, and someone inadvertently clicks to complete the transaction. So the cardholder was unaware of purchase made by a household member. Or as Small said it could be a simple case of just not recognizing the purchase – descriptor issue, statement is confusing, etc.) to the cardholder deliberately abusing the system with the intent to commit fraud.
Issues for merchants
Friendly fraud is difficult to distinguish from genuine fraud and even harder to prove for merchants:
· Difficult to detect at time of purchase.
· Issuers usually accept a customer’s assertion.
· The chargeback process does not adequately address friendly fraud.
· There is no way of collaborating with issuers.
· High impact to customers and risk of social media damage.
· Time consuming and labour intensive.
Why issuers struggle?
Explaining how issuers comprehend friendly fraud and the way it can be dealt, Small highlighted that friendly fraud is difficult to distinguish from genuine fraud.
· Issuers cannot see what is purchased.
· It may involve a dispute with a merchant that issuers are unaware of.
· Issuers are under pressure internally and from regulators to believe and refund customers.
· Issuers have thousands and sometimes hundreds of thousands of disputes per month.
· Issuers ask customers questions to try and validate disputes and also look for repeat disputers. But, cardholders have learnt how to “use” the system.
Issues being raised, but long way to go
Friendly fraud has raised the overall chargeback level, making acquirers more watchful about accepting risk liability. The industry has been looking at this issue, for instance, Visa last year chose to accept airline-supplied flight manifests as a remedy for fraud payment card chargebacks (when the passenger name matches the cardholder name). As explained by Monica Eaton-Cardone, COO, Chargebacks911, in one of her recent blog posts, initiatives taken such as one taken by Visa are being taken to help fraud-burdened merchants, but still it isn’t a definitive solution. She asserts that savvy consumers continue to exploit loopholes and merchants still report significant losses. She recommends that fraud filters need to work better. Also, merchants need to be sharp enough to understand the buying behavior, and consumers need to understand that their actions have consequences, and that getting involved in friendly fraud is going to have detrimental impact eventually.
More specifically, airlines need to look into booking history and any other internal and external data sources to verify travel. Evaluating customers’ chargeback history can be useful, too.
“There is a need to leverage merchant historical data - card number + device/ IP address for previous orders. Also, make household profiles and link all their devices. On another note, one may call the cardholder when it makes sense. This is based upon transaction amount, customer relationship, evidence etc,” said Small. “Airlines can look at implementing simple, clear refund policies. But, don’t be too easy as the new trend is refund abuse,” cautioned Small.
Other areas that can help:
· Chargeback representments (if evidence exists.)
· Using modified merchant descriptors.
· Making change and refund policies clear in the booking flow and post booking communications.
As it turns out, completely doing away with chargeback fraud isn’t a possibility, though curtailing the risk of such kind of credit card fraud is possible. Airlines have to count on ways to avert the danger of becoming a victim of friendly fraud. Merchant-issuer collaboration is essential and can play a big role in dealing with such malicious behavior.
Follow Ai on Twitter - @Ai_Connects_Us
First Published on August 16, 2016
Ai Editorial: Airlines need to dig deeper, be it for taking advantage of the liability shift rule for full 3D Secure optimization or being savvy with fraud detection on their platforms, writes Ai’s Ritesh Gupta
How is the travel industry dealing with the issue of transactions wrongly declined due to suspected fraud?
It is a serious issue as an indifferent customer experience can result in customers cutting down on their card usage or even abandoning it altogether. Yes, merchants are more liable for card-not- present (CNP) transactions today but they also need to be wary of the repercussions of a purchase decline that isn’t a fraudulent one.
Of course, the first major impact is the value of the order. Now all the money spent on getting a customer close to completing a transaction is also wasted. So be it for a print ad or remarketing campaign, the cost of acquisition is negatively affected. Then one should also consider the probable lifetime value that is lost when a genuine traveller’s order is erroneously declined.
Working in tandem
In this context, all stakeholders need to work on apt card authorisation strategies.
So when we talk of stakeholders working in tandem, there is a need to constrict your acceptance gap. It is pointed out that there tends to be a gap in acceptance as banks today are more wary of remote/ card not present transactions. Plus, there have been data violations/ incidents of fraud and also merchants have the tendency to deny transactions from particular geographical areas. So by cutting down on this gap, one can benefit by authenticating those transactions, which have a higher likelihood of being authorized.
Making the most of what we have
So if we talk of what can be done, there is a need to make the most of what is available.
For instance, a travel company I spoke to referred to 3D Secure, and how this offering is different from other payment fraud prevention solutions.
3D Secure’s code is rooted in the authorization message from beginning to end when we consider settlement. This spans multiple parties and servers. One can reap benefits by focusing on troubleshooting and monitoring of the service, and linking various 3rd parties involved. The data elements obtained from the authentication are shared with the issuer. The same enables issuers to amend their authorization risk settings and tie the authorization to the authentication.
Issuers who have deployed a risk based authentication mechanism will contest or assess transactions that seem doubtful. This way they can flush out fraudsters and cut down on false-positive declines. So before authorization they can spot danger. Based on the risk level they are then able to challenge the consumer with knowledge based questions or one-time pin numbers sent via SMS.
Here it needs to be mentioned that as per the real experience of those of who have benefited from 3D Secure, it is being indicated that the end to end interoperability of 3D Secure eradicates the speculation once associated with CNP commerce.
As we learnt from Amtrak, the key to full 3D Secure optimization and effectiveness is to take advantage of the liability shift rule and to front load 3D Secure into your risk model. The company was able to lean on this new found component of the 3D Secure protocols to not only cut fraud but also increase sales. “Issuers have lower decline rates because they have better data across the lifecycle of the card. By giving the issuer the ability to silently interject themselves into the checkout make a risk determinant will allow you to expand your risk systems beyond your walls,” shared a source.
As for being realistic, one needs to ensure that the right tools are in place, too. You can't just go to market with a vanilla 3D Secure MPI provider and expect it to work.
Being savvy with algorithms
The fraud problem is boosting the false positive issue. Merchants, acquirers and issuers decline far more good transactions than bad.
“No industry is affected more by false-positives than the travel industry,” highlighted one executive.
Its true indeed as high ticket items along with the high potential for fraud results in the highest false-positives averages online. So every travel company needs to identify how to implement static rules, ones related to behavior of a user, and also device fingerprinting.
Multi-factor authentication is also being counted upon to bring down false positives. For instance, this way one can step up approvals for new account openings, as they say, across thin-file leads with limited credit histories. Some of the options include commonly used one-time passwords (logging on to a network or service using a unique password which can only be used once or 1-time passcode based on the token’s secret to ensure authentication); certificate-based authentication (blends a public and private encryption key unique to each device; context-based authentication (optimizes a layered approach to access security by assessing user login attributes and matching them against pre-defined security policies).
Talking of Chip and PIN versions of EMV cards, one needs to be careful as it has both positive and negative sides to it. Airlines need to build trust and strengthen security. Today there are ID checking services available that use online and social media identity data, ID documents and facial biometric checks to prove that a person is who they say they are.
Lastly, whatever move is made it needs to be checked minutely. For instance, it is being stressed that one shouldn’t use biometrics in client-server architectures (not suitable for use as a factor in two-factor authentication). This is because credentials are sent over the wire (both LAN/WAN and the Internet). Since such authentication can’t be taken off, it needs to be assessed in which situations it can be potentially compromised.
Follow Ai on Twitter - @Ai_Connects_Us
First Published on 11th August, 2016
Ai Editorial: Wearable adds more touchpoints to every passenger journey, but is anything new, exciting happening? The long-term utility beyond health and notifications isn’t clear, writes Ai’s Ritesh Gupta
Where is wearable technology headed?
It’s a broad question, but there is a reason behind not jumping on to the utility for the travel sector.
The way today’s gadgets are shaping up, we expect them to deliver on multiple counts. So when I use my smartphone and smartwatch (say, paired together the way Apple products are), I expect to press lesser number of tabs (for instance, every time there is an interview scheduled in my email I expect my phone would send me a reminder without me pressing on a calendar tab), send useful notifications (say I have booked a room via an OTA app. On the day of the check-in, when I reach the vicinity of the hotel, I should be guided by my smartphone to reach the hotel) etc. So I am expecting a lot more all the time.
Frankly speaking, the lure of using a smartwatch hasn’t increased and it has failed to go beyond simple notifications. There is buzz that speech recognition and text-to-speech is set to improve, but it remains to be seen what is going to happen next. At this stage, simple experiences like third party apps not working on smartwatches seem to be an issue. When usage of apps doesn’t work it is quite frustrating.
“Smartwatches have limited capability to “keep going” while not connected to their host smartphones. However, we’re now well into “second generation” of wearable systems. The latest versions of Android Wear and upcoming version of Apple Watch now feature more “standalone” functionality. The Pebble has had this over 3 years, however,” says Ireland-based Kevin O’Shaughnessy, founder of Indigo.gt, a search and reservation platform for airport-to-city transfers. “The killer app for the watch so far has been notifications and simple “one-button” actions. These prove quite popular with long-time users. On day-of-travel this can take the stress out of the journey for many frequent flyers. Watch technology also features payments, but only in limited markets. The tap-to-pay, whether by card or devices, makes everyday travel simpler.”
He further added, “We’re now at a watershed moment with the “Wait spinner” on Apple Watch, for example. If Apple doesn’t take urgent measures to make the device more responsive, whether with better software or a new generation of watch, I worry about the long-term utility beyond health and notifications.”
I am not too savvy, but after reading about the role of a smartwatch, it is clear that data is being tracked with the current generation of wearables.
In its list of 10 compelling wearable device experiences over the next two years, Gartner mentioned biometric authentication, mobile health monitoring, virtual personal assistants, smart coaching, virtual and augmented reality, accurate motion recognition etc. The study also added that there is “genuine scope for wearables to create intelligent personalized experiences that really add value”. Overall, in comparison, the travel sector has to catch up. Yes, experts do pick developments such as the Starwood application for Apple Watch (unlocking room door in the hotel by the simple tap of a button) as a positive experience. One can also access stay details, including check-in, checkout and confirmation number, or points. Still it wouldn’t be wrong to say that the travel sector is lagging behind the likes of retail, healthcare and gaming when it comes to the “wearable future”.
“We have yet to see the travel industry tap into the “contextual purchase”,” says O’Shaughnessy.
He says the entire mobile ecosystem has the potential to eliminate the “point of sale” entirely, leaving staff to focus on customer service in retail, for example. “When it comes to notifications and proximity technology, mobile has the potential to reduce the hustle commonly seen at departure gates. With wearable, this can make the experience even more streamlined, and communication more personalised. On a personal note, I’ve yet to board a European flight smoothly with Passbook on my watch,” shared O’Shaughnessy.
What should airlines expect in the future?
I spoke to O’Shaughnessy about specific areas.
Data, analytics and personalisation: Wearable adds more touch-points to every passenger journey. “Airlines that thrive in this space will also thrive in mobile and next-generation web tools. The critical factors are payment technology, and moving toward account or virtual-account based relationships. The connection with loyalty programmes is open too,” shared O’Shaughnessy. Wearables can bank on being more connected to the user’s physical body than any smartphone or mobile device. Let’s see what the travel industry can bring. May be a chatbot via wearables – say that can guide me to a change in terminal at the airport with clear instructions without looking at the screens or booking a table at a particular restaurant with clear instructions about how far the restaurant is from my gate. Just random thoughts about one aspect of our journey.
Risk of data breach: Can my Apple Watch be hacked? There already have been concerns over personal health data being leaked. O’Shaughnessy says so far, this is a marginal risk. As devices become more capable, this may change.
Payments: Behind the scenes, the payment industry is changing entirely; when more banks in more markets adopt tokenization, we’ll see the applications first on mobile, second on wearable. Think about smoother, simpler payments, said O’Shaughnessy. There have been developments where companies like the Swiss watchmaker Swatch are gearing up to let consumers take their watch close to contactless terminals enabled for NFC (near field communication) technology, and avail contactless payment service.
Ancillaries: With more opportunities to sell, more opportunities to capture ancillary revenue opens. This will be powered by inventory but also analytics. Some examples:
· Book your taxi on arrival
· In-flight beverage/catering sales
· Sale of security fast-track passes
· Re-accommodation and flight status updates as a premium service
The IoT (or Internet of Things) future shaped by wearables: Wearables is one aspect of the Mobile or IoT space. As one of the first consumer IoT segments, this will push technology towards “longer battery life” and “better processing power” in order to make products more competitive over time.
Kevin O’Shaughnessy is scheduled to speak at the upcoming 5th Airline & Travel Payments Summit Asia-Pacific. It is scheduled to take place next week (17-18 Aug) in Kuala Lumpur.
Follow Ai on Twitter: @Ai_Connects_Us
Event’s Twitter hashtag:
First published on 3rd August, 2016
When we talk of loyalty fraud, balancing security, revenue optimization and above all no comprise in delivering a desired customer experience is a must, writes Ai’s Ritesh Gupta
Airlines dread the thought of ending up being a victim of loyalty fraud. Be it for costs associated, poor customer experience or reputation taking a beating, any fraudulent activity can prove to be a strenuous act to cope up with.
Loyalty program fraud largely tends to revolve around purchase of points or miles via fraudulent or stolen credit cards, and taking over of loyalty accounts by a cheat/ imposter, who generally redeems the points or miles. Considering the fact that airlines present more earning and redemption options today, mainly via partnerships and rewards ecosystems, this also means that the overall loyalty earning and burning lifecycle has paved way for new means of fraud. As we gear up for Loyalty Fraud Prevention Discussion Group APAC (a complimentary meeting to stop the threat of loyalty fraud), scheduled to take place in Kuala Lumpur (22 August, 2016), we thought of highlighting some of the ways one can mitigate and protect respective programs against this illegitimate exercise.
· Monitor activity: Airlines need to assess the possibility of fraud at the point of transaction, including the purchase or redemption of points or miles. Also, as CyberSource recommends, carriers need to shield accounts in their loyalty programs. One needs to identify fraud at account creation and login, and monitor accounts for suspicious activity. It is recommend that one should assess monitor device information throughout the customer lifecycle, from the account opening to account login and transactional activity.
· Keeping data/ information secure: Customers hate identify theft, so keeping such data secure is a must. Of course, if airlines fail when it comes to custodial responsibility to secure customer information, the trust factor takes a beating. According to a global study (in December 2015) by a digital security specialist Gemalto, around 64% of people surveyed worldwide are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen.
· Stringent verification: There is a need to go beyond conventional passwords and PIN based approach. As highlighted by Visa, biometrics offer “the only way to link” a person’s physical identity to his or her digital identity. Biometric authentication features fingerprints, facial recognition to authenticate one’s identity. This is something that cannot be replicated with ease.
· Being savvy with data: Connexions Loyalty asserts that it’s imperative to link data sets with identities, i. e customer loyalty data with customer transactional data, social and digital behavior, demographics etc.
· CX shouldn’t be jeopardized: Any measure taken to prevent fraud shouldn’t jeopardize the customer experience. Stronger collaboration is required, with fraud prevention, IT and marketing interacting regularly to ensure a loyal customer is offered a superlative experience.
· Create awareness: I generally don’t even access my loyalty account till it’s time to redeem an award. Does this give a fraudster a window to act? Airlines need to inform their loyalty program members to be more vigilant, share information about breaches and the significance of setting new password from time to time.
Overall, airlines need to look at a meticulous fraud initiative that is fit for particular needs, featuring real-time monitoring method, including analytics, scoring, device data, product based rules, behavioural monitoring, and geographic analysis.
Its time airlines make the most of machine-learning and rules-based systems to combat this malice. Taking a look at the bigger picture, online fraud is a massive issuer. According to an initiative taken by the Europol in June, an international law enforcement operation targeting airline fraudsters resulted in the detention and investigation of 140 individuals found in possession of tickets bought using stolen or fake credit card details. Those arrested during the operation “were also found to be involved in other forms of crimes, including human trafficking, drug trafficking, cybercrime and terrorism”. Talking of rewards fraud detection and prevention, it definitely calls for a long-term plan. Balancing security, revenue optimization and above all no comprise in delivering a desired customer experience is a must.
Ai is scheduled to conduct the Loyalty Fraud Prevention Discussion Group APAC, a complimentary meeting to stop the threat of loyalty fraud, in Kuala Lumpur (22 August, 2016).
Follow Ai on Twitter: @Ai_Connects_Us
Event’s Twitter hashtag: