Ai Editorial: Protecting a passenger’s identity in a connected world

First Published on 24th March, 2017

Ai Editorial: Operationalizing digital identity assessments is one initiative that every e-commerce enterprise needs to manage diligently, writes Ai’s Ritesh Gupta

 

Airlines, like any merchant, need to safeguard their users’ personal details saved. Imagine a situation where flyers open a personal account on an airline’s digital platform to access speedy bookings and swift flight check-ins, and at some point such data gets stolen, forces breakage in access to digital services and even results in negative publicity. This is indeed going to be a dreadful situation.

E-commerce entities require data to serve personalised offerings, but if they become a victim of a data breach then even a project like digital transformation receives a major setback. No airline can fathom breach of loyalty miles, and hacker selling account credentials to redeem the miles for tickets!

While e-commerce entities like Ryanair are looking at account personalization in a big way, this also means fraudsters can count on user identities to access personal and payment details. The reason being: use a trusted credit card saved in a valid customer account.

There is no scope for traditional ways of securing accounts or fraud prevention, for instance, savvy digital entities, focused on enrolling customer details in new ways to personalise their offerings, now consider static information being stored as a potential threat to being breached. The level of security or layers needs to be evaluated as fraudsters can hijack legitimate login sessions. Do seek a tighter measure against malware or social engineering attacks.

In fact, the threat of being breached can have detrimental impact on a bunch of airlines at one go. How? Experts don’t rule out multiple airlines systems being breached at the same time: when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.

Bigger threat with “connected” world

Today’s intricately connected world means airlines have to work on their IT infrastructure, data management, digital interfaces etc. to ensure there is consistency in interactions. But this digital first approach also calls for stringent protection.

For instance, the Internet of Things (IoT) assumes that information and data will flow seamlessly and securely from one device or one party to another, where it can be accessed and used immediately. If the IoT keeps tracks of the items you intend to purchase, it can automatically tally the payment and process the payment as soon as it connects to the nearest payment terminal or app and verifies the customer's information and data. But wouldn’t this call for a stronger protection?

Fraudsters can work out near perfect identities from the digital detritus that digital entities and consumers are providing.  As ThreatMetrix aptly states: “It is identity, not passwords or payment details, that is the cybercrime currency of 2017: near perfect, yet terrifying, simulacrums of you and I that can be used to open new accounts, hack into existing ones, and monetize fraud attacks.”

According to ThreatMetrix’s Q4 Cybercrime Report, few of the alarming trends that need to be watched out for include:

·      New account originations continue to be the riskiest transactions with nearly 1 in 10 rejected.

·      Considering a spate of data breaches,  organizations can’t rely on static data elements. Dynamic information featuring a user’s digital identity will be critical in distinguishing “good customers from bad”. 

·      Fresh assaults will target collection of more details to strengthen stolen identities, rather than immediate monetization.

Attack from several quarters

Airlines need to consider the fact that one doesn’t distinguish between identities penetrated from behind a network/ firewall or via an account compromise. It is a big blow, one that, propelled by convincing identities as formulated by fraudsters, can fuel large-scale attacks. 

Organized crime

This stolen data is traded by organized and networked crime networks via certain websites, apparently made accessible via specialized encryption software and browser protocols that conceal the location of cybercriminals who are part of such sites.

Recently, a cybercriminal was reportedly sentenced to 50 months in prison for identity theft. This fraudster was caught selling personal data of victims on a cybercrime platform, AlphaBay.

Definition of being safe

When we talk of digital first for a seamless, personalised experience, the safety of identity or account data to needs to be prioritized as well.  Also, considering the lightening speed with which consumers expect every digital interaction to shape up,  airlines need to validate customer identities without any friction.

Bot detection, ID verification, device check, cookie erasing etc. are coming into use.

Specialists assert that it is critical to evaluate every digital identity, one shaped up by dynamic, shared intelligence unearthed from a variety of sources rather a specific organization a user transacts with. Time one looks at blending static identity data with dynamic, real-time intelligence from current and historical transactions. In order to gain better results and minimize friction, specialists are counting on behavioral biometrics , analytics and a predictive model based on past behavior and transaction data to authenticate transactions. The plan is to relate user and device interactions in the present session to past user and device interactions, and look at the gamut of attributes associated with the user, device and connection.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

Follow Ai on Twitter: @Ai_Connects_Us

  

Ai Editorial: Assessing exploitation of connected devices for DDoS attacks

First Published on 15th March, 2017

Ai Editorial: DDoS or distributed denial of service are damaging for all e-commerce entities, and IoT-based botnets are only adding to the threat of disruption to services, writes Ai’s Ritesh Gupta

 

Businesses need to gear up for the era of Internet of Things (IoT), make the most of tokenization offering for contextual commerce, realign the flow of work across the business to service customers better…pressure is immense on organizations, including airlines, to evolve and embrace digital disruption.

But an inherent weakness in a technology or devices can result in a cyber assault, and airlines need to be wary of the same.  

A prime example is IoT continuously being exploited and used in cyber criminal activity. It is important to assess how to counter concerns such as IoT fuelling future DDoS (distributed denial of service - a host of compromised systems launch an assault on one target, thereby triggering denial of service for users of the targeted system) attacks.

This point is being raised as the number of attacks, the severity of such strikes and even the revelation of vulnerabilities can throttle a move towards change. This is not to discourage what an airline needs to do to embrace digital transformation, but rather prepare for any move in a meticulous manner.

Be it for online banking, retail or travel, e-commerce as a sector has to counter such malicious moves.

Relatively easier to hack now

At a time when passengers expect a real-time answer or action on their feedback, what airlines need to be wary of is a break in any of the touchpoints and tighten their security.

The more devices an airline connects to the Internet, the more exposed this carrier would be to potential attacks.

It is being highlighted that the technical proficiency needed to perform cyber attacks is on the decline. Malware and services such as DDoS are easily acquired on the dark web. Other than DDoS, ransomware on connected watches, fitness trackers and TVs is expected to pose another challenge.

In their recently released report, National Cyber Security Centre (NCSC), the national technical authority for cyber security in the UK, stated that the degree of cyber threat varies from technical skills being “bought” to persistent threats involving custom-built malware designed to compromise specific targets.

Being digital first also means tighter security

If we talk of mobile-first engagement, attacks such as the one reportedly featuring Tesco Bank in the UK (it was reported that either Tesco’s internal systems or their mobile application were breached) put a question mark over the security of mobile apps. There are steps that airlines definitely need to focus on – additional layer of security in the form of biometric recognition or facial recognition, end-to-end encryption, working on mobile app security testing as part of the software development lifecycle etc. As for mobile-related threats, specialists point out organizations need to be wary of elevated permissions to install further malware such as keyloggers which could be used to steal login credentials, SMishing often proving to be more effective than traditional PC phishing campaigns etc.

But even as mobile malware is growing (surely can’t be ignored), it is the IoT that is proving to be a bigger concern. It has expanded the risk to all customer devices becoming compromised or attacked. Poor security practices in connected devices is coming to the fore. With feeble security, IoT devices are resulting in DDoS attacks. Not surprisingly, the list of vulnerable areas now features attacks on building blocks on which the Internet runs.  

For instance, the looming threat from the Mirai botnet. This botnet is being monetized today by cyber criminals for a large DDoS. It scan IP addresses across the internet looking for insecure devices. As per the information available, Mirai, a malware infecting vulnerable, connected devices, scans for 68 user name and password mishmash when attempting to infect and control a connected device.

The emergence of botnets means cyber attacks are only getting sophisticated. If we talk of “threat actors”,  there is this trend of learning from, hiring and working with one another. Akamai recently highlighted that the largest DDoS attack in their network came from Spike, a malware that has been around for over 24 months. This points to the fact that botnet operators take the emergence of Mirai botnet as a challenge, and try to compete and prove more hazardous with their next attack!  

What to consider?

Protecting the disparate components of the IoT ecosystem is vital.

Such devices need to be protected considering that they are operating in a digital environment. Equally important is the security of data transfer featuring the IoT devices and the platform. Data and privacy breaches continue to be on the rise. Also, a secure API platform is must.

Specialists also have been clarifying some of the misconceptions. According to Imperva, a data and application security specialist, even high bandwidth won’t shield a site from concentrated packets-per-second (PPS) and application layer attacks (no amount of bandwidth can guarantee 100 percent uptime), and there in no point in relying on a pre-existing appliance to block an incoming DDoS assault.

E-commerce entities, be it for airlines or online travel agencies, need to look beyond common vulnerabilities such as SQL injections or Local File Inclusions. So be it for working out scalable threat prevention security for any cloud - public, private and hybrid or trained staff or to working out right security architecture as well as documenting all networks with known traffic flows and shielding all disparate components of the IoT ecosystem, a detailed preparation is needed to protect the digital assets.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Contextual commerce – are airlines ready for it?

First Published on 9th March, 2017

Ai Editorial: One click payment for an airline ticket from the interface you prefer the most – say Facebook Messenger app, WeChat, WhatsApp etc. ? This is the sort of commerce infrastructure airlines need to prepare for, writes Ai’s Ritesh Gupta

 

What can lead to a conversion based on even one signal that a digital consumer today gives to go for a product or service? These signals aren’t mere search keywords or clicks on a website/ app. It’s about the interplay of context, location, interface as well as the device being used and payment facilitation.    

For instance, a group of friends are interacting via Facebook messenger app, they decide on meeting at a particular venue location (exact location is shared via a link/ map), and all of them avail an on-demand service without leaving the chat or the interface. No app was downloaded. Similarly, a passenger starts the shopping journey with interaction with a chatbot or initiates a search for a flight via a digital assistant, moving on to a meta-search environment and eventually completing a transaction without leaving the conversation. 

This is just a glimpse of how commerce is evolving.

What stands out is what’s working in the “background” to seamlessly process payments.

All of this is crucial for travel brands to assess, as one can’t ignore the prowess of ecosystems such as Facebook, Google, Apple, Alibaba etc. or the popularity of social and messaging apps.

Dealing with friction

The significance of letting a travel shopper wrap up a transaction without the friction of leaving a site or an app can’t be ignored.

Airlines need to make the most of tokenization offering that works in the “background” to ensure they are part of contextual experiences - search, social interactions etc. – and end up aiding a potential traveller to shop with them. Intermediaries like meta-search engines have been relying on APIs to ensure bookings are done within their environment, irrespective of the airline’s payment processor. APIs are playing a vital role in countering the intricacies of moving payment data between different stakeholders involved in the shopping journey, could be for retailing or travel-related buy. The end result here is the seamless movement towards buying an air ticket or an ancillary with an optimized checkout flow.

Travel may not be a frequent buy, but still a major plus is speedy checkout experience that customers expect as they don’t need to re-fill or share information again and again.

Skyscanner is reaping benefits related to better conversion rate. The team has been working on their direct booking offering that allows airlines to offer a fully localized booking experience, letting users to research, select and instantly book itineraries within their environment without having to re-direct to supplier sites. As for airlines, they process the requests and retain all of the passenger’s details.

 

Securely moving payment data

It is also imperative to assess the security of such initiatives. How secure is an RFID band that functions as both a ticket and a wallet? How Facebook is equipped to safely part with its own stored payment data with an entity like Uber and yet ends up ensuring Facebook Messenger users sustain control over their information? Specialists like PayPal have progressed swiftly, stating that sharing of customer, payment, and other data is done securely with PCI Level 1 compliant parties while keeping an entity vault protected, and also equally secure is sharing of data within their network of merchants.

But airlines still need to be wary of couple of issues.

Rather than rushing and joining the bandwagon, do look at risk mitigation.

As a specialist in this arena, Chargebacks911 explains that if the industry does not take basic safety measures before going for new technologies, then such initiatives can be more of a liability than a benefit.

For instance, referring to wearable payments, the team points out that it may turn out to be more secure when compared with standard payment options. “Wearable payments make use of the same kind of tokenization technology as other payment methods, like digital wallets and EMV chip cards, which may prove to function just as well on wearable devices,” says Chargebacks911’s COO, Monica Eaton-Cardone. She says one needs to be wary of family fraud and friendly fraud. In a recent blog post, she raised a pertinent point, “What will issuers accept as compelling evidence when merchants attempt to dispute chargebacks? The chargeback process is archaic—it can’t keep up with all the developing technologies. Networks will not have considered the different types of data that will be associated with these technologies and, therefore, will not recognize valuable information as valid forms of evidence. It will be years until the data associated with these wearable devices will be recognized by the card networks, leaving merchants liable for billions in losses from undisputable, illegitimate chargebacks.” She added that as of now, merchants already lose as much as $40 billion each year due to chargebacks.

So emerging technologies can augment the customer experience with seamless transactions, but areas like security and privacy, and chargebacks can also hamper the same.

 

Gain an insight into intriguing issues at Ai’s 11th Airline & Travel Payments Summit (ATPS) this year.

Date: 3 May - 5 May 2017   

Location: Berlin, Germany

For more info, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Managing account takeover fraud – a must in era of personalisation

First published on 24th February, 2017

Ai Editorial: Airlines need to move fast to be ahead of the curve and protect themselves against account takeovers, writes Ai’s Ritesh Gupta

 

The benchmark for completing a digital transaction – the moment when you are about to pay - is one click or swipe.   

Of course, in order to deliver one-click checkout experience, travel e-commerce players have to garner personal information, store chosen payment method and keep it secure. This transaction-related information is a vital component of overall account personalisation that businesses are keenly looking at today.

But what needs to be noted is that account takeover is the latest fraud tactic that is troubling merchants, and airlines, too, can be victims as merchants.

Account takeover fraud happens when a fraudster/ hacker misuses a user’s personal details saved with a merchant in order to take control of an existing account. Fraudsters bank on stolen credentials and phishing schemes to hack into or take over legitimate user accounts. They are capable of gaining access to accounts via malware, SQL injection attacks, spyware etc. And this can surely have a detrimental impact on trust and loyalty among valued customers.

Being wary of fraud as account personalisation picks up

As we highlighted in one of our recent articles, account personalisation is on the rise. One area where progress is being made is speedy bookings and swift flight check-ins on airline-owned platforms. Ryanair took an exemplary initiative last year, one related to account personalisation. This way the carrier chose to enable passengers to share their travel preferences by setting up a personal profile, and saving passport details etc. The users can also store their payment information.

So if on one had such initiatives are bound to make trip planning, booking and even servicing simpler, more efficient, then on the other  one needs to be wary of the situation where such data related to a user’s account gets stolen. 

Data breaches are dreadful, and this trend can also end up in a massive threat for airlines.

It is becoming common for cyber criminals to hack data, and then reuse the list of email addresses and passwords they have obtained on multiple sites. So here is what would happen - when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.

Similarly, a hacker can take over a user account, and if it has loyalty miles, sell the user account credentials on the black market to fraudsters to redeem the miles for tickets.

Identifying suspicious behavior

Account takeover security comes into action from an early stage – keeping a vigil on new account creation and the way these accounts tend to be used. This helps in assessment of risk with certain level of accuracy. In term of prohibiting fraud from happening, a fraudulent activity say a transaction is stopped before it takes place. Here a flexible rules engine highlights a dubious activity based on users’ behaviour and device attributes. As CyberSource states – an organization can then choose to accept, reject, or challenge the users to authenticate themselves – before the event can occur. One can also spot valuable returning customers.

A user’s device and Internet connection information can prove handy in managing such fraud. The device-based customer authentication can add a layer of defence against account takeover. This is important when assessing whether the real account owner is accessing the account or not. A way to do it is via evaluating a cookie associated with the stored payment method. If the same is missing when the payment method is used, then this person can be asked to re-fill the card number or provide verification code. So if a fraudster is trying to skip recognition by masking their IP address or spoofing geolocation, one can verify the real IP address and compare that to the stated IP to detect risky activity.

Recently, when I forgot my Apple ID password, I was asked to share the ID, filled in a code twice, and then could retrieve password via registered email or by filling out answers to questions registered earlier. And eventually guided about how to work out a strong password. But is it enough for account protection? The best answer is to make sure there is enough human expertise within an organization. And do keep an eye on any new stringent way of security. Behavioral analysis is one area that is becoming increasingly sophisticated. Swipes, taps, cursor movements etc. are being analyzed for navigation flow, time spent etc. to understand the behavior. It is also being suggested that behavioral biometrics, which spots patterns in human activities, needs to be looked upon for continuous authentication, and looked beyond the two-factor authentication (2FA) method. So as airlines analyse more and more data (for example, device authentication, device ID, device fingerprinting etc.), fraudsters will struggle to fully to pass off as genuine. These new measures are must as hackers/ fraudsters are working on machines for getting around these security measures.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

How to share industry fraud data on a trusted private cloud platform

Travel companies have survived a massive threat to their existence by learning to share sensitive data on a private cloud platform, writes our guest columnist JJ Kramer, Chairman of Perseuss Steering Group

A decade ago, airlines operated in the usual silos of secrecy. The competitor was always the enemy. The competitor was trying to eat the other airline's lunch. But gradually they realised they had a common enemy who was trying - and frequently succeeding - to eat everyone's lunch.

The fraudster

International fraud gangs, stealing and abusing credit card data, were repeatedly ripping off one airline after another. Profitability was plunging and the situation was getting worse. The need to share information about fraudsters, legally, became apparent to all operators.

Now in 2017, travel companies are in a much better place. They have identified that there are four key steps which industries must take to fight fraud. Curiously, they all involve trust.

1. Build trust in your peers

The fightback started with pairs of airlines sporadically meeting to swap experiences and known fraudster information. Personal relationships formed and the trust between them became the bedrock of further progress. 

Among those pioneers was JJ Kramer, Chairman of Perseuss Steering Group. According to him, fraud thrives in an atmosphere of fear and mistrust. People have to start the fight against fraud by building a new atmosphere of cooperation and confidence in each other. Essential to building that trust was people meeting in person, not online. Face-to-face meetings were vital.

2. Build trust in your platform

But things soon begin to grow and it was obvious that the use of technology was also necessary. Who could be trusted to build the infrastructure? Who would govern it?

The airlines eventually selected an independent IT company with known competence to build the platform. The platform had high levels of security and the user community was 'members only'.

Airline fraud analysts were able to submit data about known fraudsters and check suspect data against the database. Fraud was being identified and reduced.

 

 

3. Build trust in your data

The airlines can now tackle the small, but important matter of the data. Who owned it? Who controlled it? Was shared data owned by everyone, once it was pooled? Chairman of Perseuss Steering Group stated that it was commonly agreed that fraud data is owned by the company who submitted it and it can be deleted by them at any moment. This decision increased the community's trust in the platform because they knew they controlled it, not the other way round.

4. Choose leaders you know and trust

As the user community grew to over 100 companies and welcomed in non-airline businesses (like online travel agencies, railway and retail companies), the management team adapted itself. A Steering Group was formed. People chose representatives they had met in person, regardless of the size of the company they worked in. Personal contact was, again, an important aspect that was taken into account. As Chairman of Perseuss Steering Group mentioned, the Steering Group channels and prioritizes the development process and that is the proof that the users are in charge, not anybody else.

About Jan-Jaap Kramer

JJ has been involved in the battle against airline card fraud for over 15 years. In his previous role as Manager Cashier Department/Credit Cards for Dutch airline Martinair (a subsidiary of KLM Royal Dutch Airlines) from 1999 to 2011 he was responsible for the security of the company's ecommerce and call centre passenger bookings. In 2011 he established his own consultancy company to help business and industry fight fraud. Soon after that he was elected chairman of Perseuss, the travel industry’s anti-fraud organization.

About Perseuss

Perseuss is the global travel industry’s own solution to the battle against fraud. It was founded in 2008 by a small group of airlines and soon became an industry standard for data-sharing. Today, the community has participants from around the globe including airlines, travel agents, railway, and retail companies. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.

 

Ai Editorial: Finding the right blend of data and machine learning for combating fraud

First Published on 13th February, 2017

Ai Editorial: The quality of data as well as making the most of different types of machine learning are vital for fraud prevention, writes Ai’s Ritesh Gupta

 

Fraud prevention isn’t just about one algorithm being used or acting only on historical data. One can fall woefully short with an ill-conceived approach. Airlines need to check valuable pointers – are chargeback rates under control? Even if the fraud system is indicating very low fraud rate, is it still resulting in high abandonment and rejection rates of the users?

Airlines are acknowledging the limitations of traditional rule-based fraud solutions, one of them being overly focused on bringing down the fraud rate as close to zero as possible. This tends to be a risk-averse approach, and one needs to negate rules when positive behaviour is detected. So how can big data and machine learning contribute?

Here we assess some of the critical aspects related with data strategy and machine learning that can contribute in fraud prevention:

·          Only predictive analytics isn’t enough: Predicting future fraud based on historical data isn’t enough. For instance, when transactions with no historical data are submitted into the system, the possibility of missing out on suspicious behavior is there.  

Unsupervised machine learning manages to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour.

With pattern recognition, even without any prior historical data, the machine is able to discover patterns across various transactions and establish if the transaction showed bot behaviour or human behaviour. Information collected from big data is vital here. It is initially used to garner information about the user’s behaviour on the website and these details are blended with machine learning, which uses pattern recognition to chart the pattern of this user’s behaviour to match it either with positive (genuine) or negative (fraudulent) behaviour, as well as predictive analytics that records the positive/ negative behaviour and uses that on future transactions for potential signs of fraud. Also, behavioral analysis is one area that is becoming increasingly sophisticated. Swipes, taps, cursor movements etc. are being analyzed for navigation flow, time spent etc. to understand the behavior. Specialists are tracking mouse movements and clicks in context and meaning while becoming increasingly more accurate over time.  

·          Relevant data: While data is important, what is more important is the quality and relevance of the data. Big data is receiving greater popularity and used more widely than ever, but it is not about how big the data is. Relevant data is necessary to improve fraud prevention, as well as to improve the machine. For instance, if the machine is regularly receiving non-relevant data, the resultant output will be non-relevant decisions.

In addition, the way the data is processed must also be relevant when making probabilities of fraud risk.  Algorithms are designed with biases. If the fraud system’s algorithm is centred towards eliminating fraud entirely, the decisions will compile results of a very low fraud rate, but also high abandonment and rejection rates of the users. Instead, if the fraud system is focused on maximising revenue per risk of fraud, it is possible that a slight allowance of letting the fraud rates up by 0.1% could increase acceptance rates by 10%.

·          Keeping pace with technological developments: Airlines, just like any other e-commerce business, need to cater to a variety of payment methods, currencies and devices. Each new technological development introduces new venues for this fraud, meaning detection and prevention efforts need to be just as agile.  Expect more creative modes of fraud to appear. So there is a need to shift to active surveillance by deploying big data user and entity analytics to understand the user behaviour behind each transaction. Considering that most fraud attacks come as a coordinated attempt from a single script, automated to maximize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payments become popular and mainstream, active surveillance will be more relevant (rather than static defence) and effective in dealing with fraudsters.

·          Airline-centric approach: As we highlighted in one of our recent articles, the e-commerce set up of airlines is distinctive, and it would be highly desirable to have a tailored data strategy.

For instance, how to capitalize on custom data fields be it for flight details, loyalty miles claims (to detect abnormalities) etc.

With more and more data analysed, it is harder for hackers to hide their tracks fully to pass off as genuine.

·          Assess liability shift: Airlines must expect better results at this juncture, considering that machine learning has evolved. For instance, improving fraud management doesn’t only mean lowering fraud rates, but it also about ensuring that the system does not hinder revenue growth. So better technology (big data, machine learning) is important, but how these systems are designed, and the KPI it keeps to is more important.

If we talk of liability shift, specialists point out that with pattern recognition, deep learning and stochastic optimization – seek an optimized yes or no decision in real time.

Based on calculated risks, the system passes the optimized number of transactions while ensuring that chargeback rates are still under control. As a result, borderline genuine transactions can be passed and unnecessary rules and bans are lifted, improving sales greatly. The efficacy of these “calculated risks” need to be scrutinized by airlines. It is being asserted that switch from predictive models of machine learning towards real-time machine learning is few years away.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Miles, account takeover, credit card…threat of fraud gets severe

First published on 13th January, 2016

Ai Editorial: Account takeovers and frequent loyalty program miles fraud in addition to credit card fraud are now demanding stringent measures for fraud prevention, writes Ai’s Ritesh Gupta

 

Every piece of customer data and information is under scrutiny. One can put a price tag on stolen account info – Uber, Facebook etc. and air miles. Today fraud prevention isn’t just about credit cards.

According to Sift Science, account info can yield more money “on the dark web than simple credit card details”. The team indicates that the threat of account takeovers (ATO) needs to be negated.

In fact, findings from the soon-to-be-published Sift Science 2017 Fraud-Fighting Trends report reveal that 48% of respondents observed a rise in ATO last year.

Travel e-commerce – an attractive proposition

Travel e-commerce is a common vulnerable target for cybercriminals as most of their offerings are large ticket purchases. Other than digital goods, this similar mode of thought or reason for hacking can also be found when we look at luxury good providers (also big ticket purchases), or for products that have a high resale value in the black market. Also, since travel e-commerce entities offer digital goods, it requires instant approval delivery to satisfy customers, yet would also open the gates to more fraud. Furthermore, the volatility of the item prices (which changes every minute based on consumer demand) means that merchants cannot afford to deploy manual reviews. Most OTA players simply accept suspicious transactions, absorbing the chargeback losses, instead of declining transactions and risk tarnishing their brand and losing out to the heavy competition.

Too much information up for grabs

Before we delve deep into what threat today looks like, if one were to assess the vulnerability level of travel booking systems, then where do they today and has anything changed?

“Not much hacking is required, as there’s less vulnerability here!” This recent remark from experts, Karsten Nohl and Nemanja Nikodijevic, aptly sums the brittle nature of “global distribution systems” operated by the travel industry today. 

According to details shared at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany in late December (video available here), the industry suffers owing to brittle authentication and web services. The authenticator printed on boarding passes and luggage tags is up for grabs rather easily. “Any person able to find or take a photo of the pass or tag can access the traveller’s information – including e-mail address and phone number – through the GDS’s or airline’s website,  stated Security Research Labs. The company goes on to add: “…many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers’ last names, their bookings codes can be found over the Internet with little effort.” And, too, many people can access information when a booking is generated. For instance, staff the agency, travel providers, GDS involved in any part of the PNR etc. Fraudsters can travel for free, create havoc with one’s frequent flyer account, use payment info etc. Security Research Labs suggests there is a need for “brute-force protection in the form of Captchas and retry limits per IP address” to start off, and bookings need to be protected with appropriate authentication, at the very least with a changeable password.

The point here is how much is being given away to a fraudster.

New areas of concern

There are two relatively new areas of concerns for travel e-commerce entities, according to Justin Lie, Group CEO, CashShield:

·          Account takeovers; for example, when the user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s account on the other airlines’ systems as users seldom differentiate their login credentials.

·          Frequent loyalty program miles fraud; similarly, a hacker can take over a user account, and if it has loyalty miles, sell the user account credentials on the black market to fraudsters to redeem the miles for tickets.

“As such, it is advisable for travel e-commerce entities to apply big data and real time machine learning not only on securing payments, but also for securing accounts and monitoring loyalty miles claims,” said Lie.

Tackling issues

Lie says companies should take control of their payment data, which should not be restricted by default. This data can be combined with big data (such as those data fields collected on their websites), so that they can derive a strong data strategy not only for fraud prevention, but also to get a better understanding of the user profiles that surf their website.

Also, fraud is becoming increasingly complicated and sophisticated very rapidly.

“This is especially so as credit card companies push for the adoption of the EMV chip, making it more difficult for card present fraud, thus forcing fraudsters to go online. Instead of implementing a fraud prevention strategy that requires long gaps in training machines with data sets, travel companies should shift towards real time machine learning (or real time automated) fraud systems to get ahead of the fraudsters,” said Lie.

Companies should also move fast to be ahead of the curve and protect themselves against account takeovers and loyalty fraud as well. 80% of all cyber attacks have a financial motive, and it is expected that more fraud syndicates will shift to online fraud, since it is so lucrative.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Shielding card-not-present transactions with customized KPIs

First Published on 2nd January, 2017

Ai Editorial: Airlines need to create their own fraud mitigation strategy, set up customized KPIs in conjunction with detailed data analysis to protect themselves, writes Ai’s Ritesh Gupta

 

Are merchants, acquirers, issuers etc. equipped with necessary arsenal to combat card fraud? Is the card-not-present environment still susceptible to fraud?

As a specialist in this arena, Chargebacks911’s COO, Monica Eaton-Cardone says payment card fraud will always be an issue—it will never be completely mitigated. “Wherever there is a chance for profitability, there will be criminal activity. And, each new technological development introduces a new avenue for fraud, meaning detection and prevention efforts need to be just as agile,” she says. Despite all this, she believes current security situation is the best we’ve seen it since the inception of payment cards. “Our society in general is well aware of the threat and is eager to address it. We aren’t denying the danger—which I think is an important step. The real challenge is to ensure attention to security spans all channels and all sales methods. Unfortunately, to date, security efforts have been inconsistently applied. EMV technology effectively mitigates card-present risks. Biometrics make mobile wallets virtually fraud-proof. But very little effort has been made to protect the card-not-present environment.”   

Improving upon traditional way of securing payments

Just a month back, a research by the Newcastle University in the U. K., indicated that working out the card number, expiry date and security code of any Visa credit or debit card “can take as little as six seconds”.  

For their part, Visa stated that this study didn’t consider other layers of security such as its Verified by Visa system.

Michael Roche, Vice President, Consumer Authentication, CardinalCommerce mentioned that Visa does have mechanisms that track frequency of payments across Card-Present (CP) and Card-not-Present (CNP) orders. “Unfortunately it’s limited by the information within the ISO8583 authorization spec. What Visa is doing though is exposing a whole host of risk and authentication capabilities. You can get to all of these through Visa Checkout right now. In the future you should be able to get direct access. (Checkout Visa Developer). Visa also supplements all their network data through the 3DS protocol. The 3DS protocol provides visibility into all the important info that the ISO8583 spec does not. CVV2 and AVS are antiquated solutions and once you deploy 3DS you’re reliability on them will be reduced. I do agree that these checks are past their prime,” said Roche. He added, “If you have a Rules Based Authentication (RUBA) 3DS solution and you are transacting with a Risk Based Authentication (RIBA) issuer you only need to rely on that RIBA issuers authentication response and it’s yes or no. Doesn’t get any better than that online.”

It’s every ecommerce player for themselves

Monica says it is not advisable for merchants to rely exclusively on card schemes for a safe and secure payment processing environment. “Just like everyone else in the industry, the card networks were initially caught off guard with the explosion of ecommerce growth and were ill-equipped to handle emerging threats,” she says. “Unfortunately, right now, it’s every ecommerce player for themselves. Retailers, airlines, OTAs, PSPs, banks—everyone needs to critique their own individual risk exposure and create a customized mitigation plan. Fortunately, there is an abundance of effective products and services available to choose from that will help ensure success.” In doing so, it is important to consider a few necessities. First, individual tools or solutions need to be incorporated into a comprehensive strategy and evaluated against a profitable level of risk exposure. Second, risk mitigation needs to be dynamic—what worked yesterday might not work tomorrow.   

Hackers are getting better

In the advent of greater tech advances, hackers themselves are also relying on machines to write algorithms to hack systems and crack codes, and they are getting better and quicker at it, Justin Lie, Group CEO, CashShield, a SaaS based self-learning fraud prevention solution for ecommerce, says. Other than capitalizing on vulnerabilities of a credit card or a debit card, hackers are also creating fake accounts on e-commerce sites to run hacks on the stolen credit cards. Therefore, much greater effort is needed to strengthen the current infrastructure, and it will have to be a combined effort between card schemes, PSPs and merchants to prevent cybercriminals from getting away too easily. Currently, there is a lack of information and transparency between merchants, PSPs and card schemes, while merchants receive almost no protection against fraud losses, since they have to bear the cost whenever unauthorized chargebacks are filed. “This broken line of communication should be fixed, while each stakeholder must understand the fragility of payment card security and where they stand in the ecosystem, or it would be difficult for the situation to improve. In the meantime, merchants themselves should also invest in identity management in authenticating fraudulent accounts (or hacked accounts) to protect themselves,” says Lie.

What to fix?

Monica admits that merchants definitely suffer from the industry-wide lack of transparency. “But I’d actually argue everyone involved in card-not-present transactions experiences consequences. I’ve been saying this for years: a lack of consistently applied standards and compliance with those standards is increasing costs and causing needless revenue loss. This is the problem we need to fix.”

Airlines and OTAs absolutely need to create their own fraud mitigation strategy.

Fortunately, the travel industry has a distinct advantage over many other industries, says Monica. “There is an abundance of personal information available for data analysis. Everything from frequent flyer accounts and past itineraries to in-flight purchases and travel companions can make fraud detection much more successful. Establishing and monitoring customized KPIs in conjunction with detailed data analysis can produce significant results.”

 

Ai is set to conduct the 11th Airline & Travel Payments Summit (ATPS) this year.

Date: 3 May - 5 May 2017; Location: Berlin, Germany

For more info, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Real-time fraud prevention, can this be attained in 2017?

First published on 21st December, 2016

Ai Editorial: Real-time automated fraud prevention means that the fraud solution is fully automated to make real time decisions, without any need for manual reviews at all. How far are we from attaining this, explores Ai’s Ritesh Gupta

 

Commerce today is about seamless movement between devices, and this also means one-click or no-checkout options in an omni-channel environment.

With all this, security is certainly the issue, and in an increasingly global world, so is the ability to accept a variety of payment methods, currencies and devices. Customers want to be able to shop and buy, no matter where they are or which channel they're on – offline, online, mobile, app. Airlines and brands must position their products, goods and services for all channels – keeping in mind that customers of tomorrow will increasingly be interacting primarily or solely from mobile devices.

On the fraud front, improvements in biometrics, authentication, verification and identification will gradually reduce the risk of fraud. The blockchain process, developed for cryptocurrency verification and authentication, holds a lot of promise for increased payment protection in the mobile environment.

Better fraud management

The workload on financial institutions has risen with the advent of real-time payments.

Key components of real-time transactions include certification of payment, availability of funds, instant settlement and confirmation of the transaction. The industry has had to figure out configuration for inter-bank settlement, and also core processes should be available in an unbroken manner. As Accenture points out, considerations include real-time settlement of every payment or deferred net settlement, loss-sharing agreements or prefunding of settlement accounts etc. Global payment infrastructure has been moving toward faster payments and real-time settlement. So considering new ways in which transactions are happening, say via mobile, how this demands better fraud management effort?

Justin Lie, Group CEO, CashShield, a SaaS based self-learning fraud prevention solution for ecommerce, says a decade ago, the payment landscape was largely dominated by banks, and these banks set in place industry security standards and protocol to protect merchants and themselves from breaches and hacks. “However, with the rise of financial technology or FinTech, so has the number of FinTech companies. With more than 9000 companies currently around, and with the number expected to grow, the number of points of breaches have grown as well, since these FinTech companies do have to deploy or adhere to the same security and safety protocol that the banks stick to for protection. Here, the entire payment ecosystem on the whole has weakened with a larger number of fail points,” says Lie.

In addition, traditional rule based fraud solutions require manual reviews to be done before the settlement period (normally the next day after the transaction is processed).

“Real time settlement will greatly hinder these conventional solutions since they will have to either auto accept or reject these manual reviews to process payment,” says Lie.

He says to deal with this, merchants have to either accept almost all transactions (thus increasing chargeback rates) or reject seemingly risky transactions quickly (thus lowering conversion rates). This traditional fraud management is seen as static defence, but it has become evident that such traditional methods are falling behind newer methods that fraudsters are designing to launch their attacks.

“With new channels of payments such as mobile or NFC, more creative modes of fraud are expected to appear. It is important for us to transit then, instead, to active surveillance by deploying big data user and entity analytics to understand the user behaviour behind each transaction. Considering that most fraud attacks come as a coordinated attempt from a single script, automated to maximize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payments become popular and mainstream, active surveillance will be more relevant (rather than static defence) and effective in dealing with fraudsters,” explained Lie.

Mobile fraud

Mobile as a platform for transactions is facilitating new ways of payments.

But mobile fraud is relatively more challenging to handle.

“It is so (mobile fraud is challenging to merchants) as transactions that are made through mobiles collect less information than web transactions, and therefore look much more similar. Without the appropriate technology or expertise, it is difficult for merchants to be able to differentiate between the real or fraudulent orders. As a result, higher costs are incurred, which includes the greater chargeback rates, lengthier time for manual reviews and bad service rendered to users,” said Lie.

Even though, the risk of fraud is greater as there are additional hindrances when it comes to cardholder and device authentication, apps like Apple Pay and Samsung Pay could actually help deter fraud. Both of these apps rely on biometric fingerprint technology in order to authorize a transaction. Therefore, in order for the user to authorize a transaction, the cardholder needs to provide a fingerprint. Not only is this a strong deterrent against unauthorized transactions, but the customer’s fingerprint attached to a transaction is very compelling evidence in the merchant’s favor in the event of friendly fraud.

Real-time automated fraud prevention

Lie says most existing fraud solutions around are still quite far away from achieving real time automation.  

 While more and more solutions on the market are currently using machine learning to detect fraud, these types of machine learning rely heavily on training data sets to predict probabilities (as opposed to real time automated decisions). These data sets are based on new fraud trends from either

(1)    filed chargeback information as historical data (which could be at least 30-90 days old) or

(2)    from human intelligence of the large risk analyst team to manually provide inputs.

“The way these machine learning algorithms are designed forces the solution to rely on these training data sets, requiring at least 10-30 days (or even months) of training. As a result, the long training gap and the reliance on training data sets prevents the solution from making decisions instantly, but rather only allows it make predictions of the probability of fraud,” says Lie.

He says real time machine learning is required for real time automated fraud prevention. Real time machine learning means that the fraud system is able to learn instantly on the fly with each new incoming transaction, and requires no lag time or historical training data sets to provide information on the new transaction. Consequently, the system  is able to make optimized decisions instantly, without the need for manual reviews.

However, it seems like it will still take 2-3 years for the industry to switch from predictive models of machine learning towards real time machine learning, due to the rarity of such solutions.

 

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

 

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Retail or travel – can you define “convenience” in a different way?

First Published on 14th December 2016

Ai Editorial: Retail automation, frictionless checkout, invisible payments etc. are developments that are set to redefine shopping. As commerce evolves, airlines, too, need to respond to such exciting initiatives, writes Ai’s Ritesh Gupta

 

“No line. No checkout.” This is what the retail sector is inching towards.

Being “made to wait” at any stage of shopping, be it offline or online, can be a dampener. So the retail sector is steadfastly doing away with what can be the bane for conversion or the overall shopping experience.

If we go by what Amazon has come up with (Amazon Go is a new kind of store with no checkout required) or even what Panasonic is testing (convenience-store checkout machines that can scan and bag items on their own), then you don’t really worry about waiting for paying. In case of Amazon Go, the company says you never have to wait in line. Consumers can avail the Amazon Go app to enter the store, shop and leave. In case of Panasonic, the system is retailer agnostic, so one won’t necessarily need Amazon credentials or a specific ecosystem, says Apple or Google. This all needs to be considered as the bar for delighting a customer gets raised. Comparison between retail and travel would be inevitable at some stage, as one would expect travel e-commerce to respond too. So if I am moving straight out of a supermarket without having to wait for my turn to pay, then why wouldn’t I expect the same say during any stage of my journey?

Isn’t it relieving when you move out of a cab, say Uber, and all you need to do is focus on luggage rather than paying for the ride? It might not take more than a couple of minutes to pay, but when technology saves your time, we start falling for it. We start expecting it in other areas, too.

Technology – the driving force

Technology is driving automation, and it can overlap for different sectors. For instance, Amazon Go’s checkout-free shopping experience features similar technologies as used in self-driving cars: computer vision, sensor fusion, and deep learning.

The Internet of Things (IoT) is also lending a new dimension to convenience.

So as machines take over and manage certain decisions, say ordering grocery, consumer behavior is likely to alter drastically.

This definitely is going to affect e-commerce merchants, including airlines, across the globe.

As we highlighted in one of our recent articles, IoT thinking and increasingly smartphones are leading to more sophisticated digital wallets and mobile payments – which will lead to personalized mobile wallets or payment technologies with predictive capabilities built in. IoT might extent to other transaction or authentication technologies, and some banks or companies are already experimenting with voice recognition, facial recognition, various kinds of chips, even pulse recognition as the identification-verification step needed for payments.

 As for facilitating payments, as Ingenico points out, the IoT payment solution will need an infrastructure based on cloud architecture and connectivity. This would call for standardization in the payments process.   

Gap between retail and travel

Despite the unique and inherent attributes that have shaped travel into a silo industry, airlines and OTAs alike are coming to the conclusion that the gap between travel and traditional retail is reducing. This is due in part to the growth of ecommerce and evolutional demands of today’s consumers. As a result, a competitive advantage will be given to those companies that think outside the box when it comes to payment acceptance.  

Conversion has always been a hot topic, but with the transformational changes in payments, gaining a competitive advantage takes a lot more than layout and price. Similar to what has transpired with big box e-tailers, the changes in consumer behavior today foretells significant innovation requirements for travel and airlines, as asserted by Chargebacks911’s COO, Monica Eaton-Cardone. In a recent interaction, she pointed out that e-commerce leaders such as Amazon and Apple have pioneered efforts that will forever change the way buyers and sellers view commerce, but even before the hype of today’s frictionless frenzy, payment methods and options were evolving. Loyalty programs advanced to store credit, financing options such as “Bill Me Later” became a popular contender, and a variety of monthly recurring options with the addition of new value add-ons helped curb profit requirements in order to support price wars—which are still going on today.

When it comes to airlines, the breadcrumb trail has already been laid. Loyalty programs offer dwindling promises as airlines are forced to follow the footsteps of other industry pioneers that faced similar issues.

The could be fraud risk with emerging payment options and passengers do worry about security and privacy of their information, especially when it is stored in the cloud or available online databases. The good news is that travel isn’t the first industry to test out these emerging options. Effective management strategies, first designed for the pioneering retail sector, are available and scalable for travel. Solutions are derived from rule-based service policies and intelligent feedback. 

As for payments, the real challenge is that each payment method has its own risk factors. It’s necessary to plan accordingly—for each different payment method you accept or new technology you embrace, carefully research any security vulnerabilities, and have a solution in-place to mitigate that risk.

But airlines would need to respond swiftly to emerging developments in the retail sector.

The fact is, today’s customer is a very different consumer than those of the past, and the gap between travel and retail is closing quickly. In order to compete, conversion is king. This means being able to identify your customer’s wants and needs, then serving up options that meet or exceed those expectations.

 

Follow Ai on Twitter: @Ai_Connects_Us

Editorials

  • Ai Editorial: 6 stringent measures for dealing with loyalty fraud +

    First Published on 18th February, 2019 Ai Editorial: Rather than relying on archaic methods, travel companies should look at dynamic multi-factor authentication, behavioral analytics and machine learning to combat loyalty Read More
  • Ai Editorial: Making mobile app count - easyJet shows the way +

    First Published on 13th February, 2018 Ai Editorial: Rather than only focusing on incremental revenue, easyJet has been looking at ways to capitalize on what role mobile devices can play Read More
  • Ai Editorial: Flirting in aircraft or points for quality sleep – what entices you? +

    First Published on 8th Feb, 2019 Ai Editorial: The last few days have been exciting. Delta and Coca-Cola apologized for introducing flirtatious napkins on-board, whereas Qantas chose to offer frequent Read More
  • 1
  • 2
  • 3
  • 4
  • 5