First Published on 5th February, 2019
Ai Editorial: Pretexting, baiting, email spoofing… these and many more are malicious acts that manipulate human psychology to gain access to personal or financial information and commit fraudulent transactions. Ai’s Ritesh Gupta finds out more about social engineering.
Consumers today are repeatedly warned not to share personal information that could eventually result in a fraudulent transaction, yet the fact that it keeps happening shows that fraudsters tend to win this battle of psychological one-upmanship.
Manipulating human psychology in this way is often referred to as social engineering. Merchants and fraud prevention specialists are continuously looking at ways to combat it. It is a tactic fraudsters use to lure consumers into downloading malware or handing over confidential information for identity theft (personal details, login details, online banking passcodes and so on). A related technique is the internationalized domain name (IDN) homograph attack, in which a malicious party deceives users about which remote system they are communicating with by exploiting the fact that many different characters look alike.
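The homograph check below is an added example, not code from the article or from any vendor it mentions; it shows how a mail gateway or brand-monitoring job can flag hostnames that look like one of an organisation’s own domains. The `CONFUSABLES` table is a small hand-constructed subset of the Unicode confusables data, the `protected` domain set is a constructed placeholder, and the function names are the example’s own. Two signals are combined: a label that mixes writing scripts (Latin and Cyrillic letters in one word) and a "skeleton" of the hostname, with look-alike letters folded to Latin, that collides with a protected domain while the real hostname does not.

```python
import unicodedata

# Constructed subset of Unicode confusables: non-Latin letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o",
}


def to_unicode(hostname: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode; input that is already Unicode passes through."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return hostname


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label; ASCII digits and hyphens belong to no script."""
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue
        # The first word of the Unicode name is the script, e.g. "LATIN" or "CYRILLIC".
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label: str) -> str:
    """Fold compatibility forms (full-width, ligatures) and map confusables to their Latin look-alikes."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze(hostname: str, protected: set) -> dict:
    """Report why a hostname looks like a homograph of a protected domain, if it does."""
    host = to_unicode(hostname).lower()
    labels = host.split(".")
    findings = []
    for label in labels:
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    skel = ".".join(skeleton(label) for label in labels)
    # A genuine protected domain has skel == host; only a look-alike differs yet folds onto it.
    if skel != host and skel in protected:
        findings.append(f"renders like protected domain {skel!r}")
    return {"unicode_form": host, "skeleton": skel, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    PROTECTED = {"example.com"}  # constructed: the organisation's own domains
    for host in ["example.com", "ex\u0430mple.com", "m\u00fcller.example"]:
        print(analyze(host, PROTECTED))
```

The third sample hostname, a legitimate single-script IDN, is not flagged; the check targets script mixing and collisions with a known domain list rather than treating every non-ASCII name as hostile.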
The situation is already precarious, since fraudsters have considerable access to email addresses, phone numbers and other PII; further damage can be curtailed by keeping a tab on social engineering.
According to INTERPOL, social engineering fraud can be divided into two main categories: mass frauds, which use basic techniques and are aimed at a large number of people; and targeted frauds, which have a higher degree of sophistication and are aimed at very specific individuals or companies. While the scams themselves differ, the methods used by criminals generally follow the same four steps: gathering information, developing a relationship, exploiting any identified vulnerabilities, and execution.
Attacks include vishing (telephone fraud), smishing (text message fraud) and phishing (email fraud that seeks a password or delivers an attachment infected with malware or spyware, typically through fraudulent emails that claim to be from your bank, credit card provider or an established website). Attackers usually send well-crafted emails with seemingly legitimate attachments that carry a malicious payload. Phishing is mainly associated with email, but it is also carried out through text messages, social media posts and instant messages. Another method is intentionally leaving behind USB sticks or other storage media that contain malware. Also, by hacking email accounts, a cybercriminal can access an individual’s email account and send messages to their friends, relatives or colleagues claiming, for example, to be in trouble and in need of money.
Social engineering may involve much more work for the fraudster, but these types of fraud are not easy to spot since they feature a real person participating in the transaction or other activity. Experts point out that consumers can play their part in curbing such attacks by staying alert and responding with vigilance. With due diligence, one can make it tough for social engineers to get what they are seeking illegitimately.
Certain areas to watch out for:
· If the offer is too tempting or incredibly unusual, don’t act on it. For example, don’t share bank details to claim a free London-Chicago ticket!
· Check the spelling. The subject line or the sender address of such emails is usually wrong, and correspondence and letters sent by fraudsters often contain poor grammar and spelling.
· Don’t download attachments or click on links unless they come from a known sender.
· Don’t share personal information that is generally not shared or is meant to be protected.
· Don’t lose control of your device: a fraudster can impersonate someone and offer free anti-virus software. Once the user installs it, the fraudster can take over the device.
· Beware of unusual offers, such as free servicing of a computer or a promotional offer for your mobile device.
· Do not send identification documents, not even copies, in response to a request from an unknown person.
· Avoid putting all your details on open social media pages.
Beyond simple carelessness, there are situations where consumers react because an emotion takes over, whether fear, curiosity or desire. Examples include malware campaigns on social networking sites (an enticing video on Facebook, say), gambling-related scams and cancer fraud.
A social engineer will always find a new way to do what they do, so controlling social engineering isn’t a straightforward task, but a lot can be done through education. A mixed tactic of simulated social engineering attacks combined with interactive training modules is one way to prepare for such situations. Periodic cyber security appraisals are also essential, because organizations change as they evolve, and the flow of information within the company changes too.
Upcoming Webinar: The Loyalty Fraud Prevention Association (LFPA) is set to host a webinar featuring a short presentation from SEON on what social engineering is and how understanding it can improve fraud prevention capabilities. Date: 14th February.
First Published on 31st January, 2019
Organizations need to reassess their respective data security and encryption strategy as they embrace cloud propositions and gear up for regulatory and compliance mandates, according to a new report.
Digital transformation today is being equated to an enterprise-wide, cross-functional undertaking, with key drivers being enhancing the customer experience, cutting down on operational costs and creation of new services or revenue streams.
Rather than just modernizing IT infrastructure, organizations are going deeper, from ownership of the initiative through to relying on cross-functional, collaborative groups across the entire organization, to eventually gear up for playing an “infinite game”.
At the same time, as organizations plan to take advantage of cloud, mobile, social, and the Internet of Things, the rush to digital transformation is putting sensitive data at risk for organizations worldwide, according to the 2019 Thales Data Threat Report.
The report, based on a survey of 1,200 executives with responsibility for or influence over IT and data security, has stressed that shielding “sensitive data” is becoming increasingly complicated.
Dealing with intricate data environments
The decision to focus on cloud or multi-cloud environments is part of the transformation being planned. Airlines are scrutinizing and even executing plans to embrace cloud transformation, banking on open-source offerings rather than being bogged down by proprietary technology. Considering the complexity of this industry’s IT setup, there are options available to integrate applications, data and processes across both on-premises and cloud environments. There are three models for cloud computing: Infrastructure as a Service, Platform as a Service and Software as a Service. Managing infrastructure and domain-specific IT systems for retailing, real-time data intelligence, running a digital asset on a purpose-built multi-cloud setup, payment optimization and so on are among the initiatives that airlines are undertaking to keep pace with their customers in the digital economy.
But this shift is also being cited as a hurdle to working out appropriate data security measures. This complexity is ranked above other issues such as employee needs, budget constraints and securing organizational buy-in.
The situation demands thorough introspection. For instance, to ensure that not a second of the shopper’s time is wasted during checkout, progress is being made in the form of regional cloud support, an initiative that can bridge the gap between an airline and a passenger irrespective of location. How would such an initiative help? Since every second counts, payment specialists are curbing any delay in mobile load times. This means every aspect of modern commerce needs to be studied in detail.
Recommendations from the report:
· Cloud security must be seen as a shared security model between the enterprise customer and the PaaS, IaaS, or SaaS provider.
· Enterprises must take on responsibility for ensuring data protections like encryption, tokenization, and masking within their environments or ensuring its protection when the data moves between SaaS applications or migrates to another application.
Other key findings listed in the report:
· Concerns related to mobile payments include fraudsters using mobile payment apps for account takeover, new account fraud, exposure of PII, weak authentication protocols, and potential exposure of payment card information.
· The main data security concerns around IoT include attacks on IoT devices, lack of frameworks and controls, and protecting sensitive data through encryption and tokenization.
· Leading data security concerns regarding big data include sensitive data residing throughout the environment, data quality concerns, and privacy violations from internationally-originated data.
Hear from senior executives about data breaches at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK (7-9 May, 2019).
Follow Ai on Twitter: @Ai_Connects_Us
First Published on 24th January, 2019
Payments are going digital and the increased speed of adoption is being driven by multiple factors. These include an abundance of new electronic payment methods—many of which are layered on top of existing payment methods—focused on convenience, speed and the overall consumer experience.
According to a recent report, Key Trends in Digital Payments Markets and Strategic Infrastructure, developed by The Initiatives Group and sponsored by Equinix, the key trends currently shaping digital payments markets around the world are:
· Real-time payments (To date, discussions about real-time payments have been dominated by the core functionality—speed, availability and rails on which money is moved, together with the challenges associated with their implementation. However, conversations are now shifting towards value-added products and services that an enhanced infrastructure will allow financial institutions (and others) to bring to market);
· Regulatory interventions—often focused on streamlining digital payments (regulators are seeking to capture the economic efficiencies embedded in electronic transactions, and to drive increased competition and innovation by opening up customer banking data to third parties. Regulators are also continuing to scrutinize and assert control around the costs associated with electronic payments, to ensure that their widespread adoption is not hindered (and related efficiencies gained), and there is transparency in pricing (with consumers and businesses able to make valid comparisons));
· Open banking—potentially bringing new players into the arena (As with real-time payments, open banking will facilitate the creation of new products and services, driven by regulation and enabled by advances in technology. While this will continue the commoditization of transaction banking, it also brings new opportunities to add value through data).
The study highlights that the handling of the payment, the ability to recognize returning customers and the cross-linking of potential offers need to happen fast and securely, and be delivered efficiently and locally to users. It is critical to choose an interconnection and co-location provider based on its ability to reach all target users, interconnect the required cloud and payment partners, and integrate the required payment rails and governance controls.
First Published on 16th January, 2019
Ai Editorial: The role of chatbots, be it for facilitating transactions or servicing during any phase of a traveller’s journey, is being strengthened. Ai’s Ritesh Gupta evaluates the lessons learned.
Is a chatbot astute enough to serve a traveller?
The overall experience based on interactions with chatbots till last year was mixed. The travel booking funnel is a prolonged one, and one of the areas where chatbots have struggled pertains to understanding the context of the query. A case in point is when an established OTA chose to revive an abandoned shopping cart via a chatbot interface (by sending a link for the same through email). What if a user has already finished a hotel booking, reaches the chatbot interface, asks a question about a local activity in the destination chosen and the chatbot is seemingly unaware of the booking funnel! The OTA failed to deliver the desired experience.
Specialists acknowledge such issues and assert that ongoing improvements are refining the messaging app user experience.
Today a top-notch airline-run transactional chatbot can understand over 60%-70% of inquiries on Facebook, and analysis is being done to understand the intent.
“The re-botulution is here now,” highlighted Jonathan Newman, Commercial Director at Barcelona-based caravelo, during one of Ai’s conferences in Bangkok in August last year. The company has worked with approximately 10 airlines on their bots. Airlines are either moving their existing web-chats to bot interfaces or launching directly on Messenger. The types of chatbots, as specialists point out, include FAQ chatbots, transactional chatbots, and chatbots that initiate a conversation and keep a user engaged until a human customer care executive takes over.
Chatbots turn messaging platforms into a new channel for servicing and retail. “Since (now nearly two years) we first connected airline inventory to messenger platforms and in the last 12 months of our launching, training and iterating airline chatbots, we’ve gotten a much clearer picture of the purpose of bot technology,” mentioned Newman.
Newman referred to seven key lessons when it came to improving bots:
· Be reasonable
· Make it easy
· Be helpful
· Be connected
· Open your mind
· Be a team player
· Expect the unexpected
Among the other companies, Ingenico Group this week launched its enhanced messaging bot offering, featuring artificial intelligence (AI) services from IBM.
According to Ingenico, Watson capabilities allow the group’s chatbot to better comprehend users’ requests once shared, “whatever they may be”.
It is being promised that the bot can better interpret nuances in language and phrasing, handling natural variations in the manner in which individuals communicate. As a result, the bot can respond quickly and effectively enabling it to meet each user’s specific needs, in a wide range of different languages. The group asserts that the new AI component will play a part in stepping up the conversion rate. A major aspect is Ingenico’s payment API. On Ingenico’s chatbot’s payment capability, Gabriel de Montessus, SVP Global Online (Retail BU) for Ingenico Group, said: “This new AI-powered capability enhances user experience and improves conversion significantly. Thanks to IBM Watson AI services, users simply tell the bot their desired purchase and submit payment and delivery information – achieving a truly seamless payment experience for consumers.”
Airlines are digging deep and are keen on expanding capabilities. At the time of the launch of Asian airline Scoot’s transactional chatbot in July last year, the airline indicated that, beyond supporting a full transaction flow, the plan was also to accept promo codes, help customers manage and make changes to their bookings, purchase ancillary products such as preferred seats and travel insurance, make interline bookings involving flights by partner airlines, and accept more payment modes.
Companies like caravelo point out that retailing for airlines isn’t only about inventory + seat + bag anymore. With a broadened catalog, airlines need to rethink the touch-points and engagement methods that make that catalog meaningful. The focus needs to be on micro-moments of retailing engagement, in the channels where customers are. And considering the penetration of messaging apps, the role of chatbots can’t be underestimated. But the level of sophistication needs to step up to match the expectations of travellers.
Interesting questions being probed from an e-commerce perspective include:
· The role of chatbots in stepping up the mobile conversion rate
· Role in targeting the second wallet
· Security of chatbots: what happens if they get hacked, and what sort of attacks can be carried out through them
Hear from experts about the role of chatbots, their performance and how they are being improved upon at this year’s Airline & Travel Payments Summit (ATPS), scheduled to take place in London (Brighton), UK (7-9 May, 2019).
First Published on 14th January, 2019
Ai Editorial: The new version of 3D Secure is being counted upon to support additional payment channels (in-app, mobile and digital wallet payment methods), stronger authentication possibilities for a better checkout experience, and enhanced security, writes Ai’s Ritesh Gupta.
A lot can happen in a fraction of a second when a shopper agrees to complete a digital transaction. In this context, the role of 3-D Secure 2.0, or EMV 3-D Secure, in improving payments security and increasing authorizations is, as expected, under scrutiny. The purpose of the new protocol is to facilitate the data exchange between the merchant, cardholder and issuer.
The problem with 3D Secure (3DS) is that it has been compromised more than once in the past, and can be easily bypassed by fraudsters who develop fake, yet similar-looking pop-up windows used for 3DS authentication. But, as specialists point out, the new version is going to feature token-oriented and biometric validation in place of static passwords. It introduces risk-based authentication, which gives issuers additional data from both the transaction context and the merchant’s and cardholder’s risk profiles. The refined dataset used for verification includes email, billing and shipping address, cardholder behaviour information and so on. Because this added data accompanies the transaction, risk-based decisions on whether or not to authorize become possible. The shopper experience is improved by eliminating the early sign-up procedure and removing the need for cardholders to use static passwords.
There is also going to be support for non-browser-based “card not present” payments (so both application- and browser-based solutions, on mobile and other consumer connected devices).
From the industry’s perspective, 3-D Secure 2.0 will pave the way for a real-time, protected data-sharing channel that merchants can use to send an unmatched number of transaction attributes, which the issuer can use without asking for a static password. Overall, it means enhanced messaging carrying additional information for better decisions on authentication. Other benefits include better datasets for risk-based authorization and curbing illegitimate or dubious transactions, even if a cardholder’s card number is stolen or cloned. Issuers gain by being back in control of their costs with this version, and a bigger dataset enables the issuer to step up the accuracy of their risk-based assessment.
Impact on merchants
With this development, merchants need to gather and disclose high-quality, significant data (email ID or device details) in order to process transactions where previously a card number, expiry date and CVC code were enough. The issuer will use such information, plus its own information about the cardholder and the merchant, to assess the transaction’s risk.
As explained recently by Ingenico ePayments in one of its blog posts, “…it’s important to see this as the foundation of using behavioural analysis to fight payment fraud. It’s part of a general sea change: for instance, the European Banking Authority (EBA) shared its opinion in June (last year) that CVV numbers cannot be a second authentication factor in the “knowledge” category (visible on the card), eventually passing to the “possession” category. Guidance from the EBA and EU central banks is needed on what SCA methods are RTS-compliant. Eventually we may see the payment page changing drastically.” It added, “For merchants, the response has varied country by country, but the more data they share, the better their authorization rate will be (up to 10% according to the card network). What’s more, if merchants do share data, and issuer authorization rates are still low, then card schemes will have the power to impose fines, which puts pressure on issuers to step up. They have an obligation to get results.”
For its part, Mastercard has set up a framework called Mastercard Identity Check. The program offers merchants and their banks a way to upgrade and enhance current security solutions to assess possible risks and authenticate legitimate transactions in a seamless way. The company shared that by relying on Identity Check’s AI and machine learning, EMV 3-D Secure can now take into account over 150 different variables of a transaction to help the issuer make a more accurate, insight-based decision on whether to approve or decline it. These variables include factors such as screen brightness, device owner gestures and shopping purchase history. They are used alongside insights from the merchant and issuer to authenticate a payment.
Major developments are in store, starting in April this year.
As shared by CardinalCommerce, for Visa, April marks the start of EMV 3-D Secure in Europe. In the same month, American Express is expected to recommend that issuers stop using static authentication methods while concurrently pushing issuers that are leveraging EMV 3-D Secure to use risk-based authentication. Mastercard is also working on putting in place specific measures related to PSD2 and EMV 3-D Secure.
Issues have been raised, too. It is being asserted that the new version is privacy-invasive for the shopper. The merchant in all probability would need to handle data with precision (in order to adhere to privacy regulations), and the impact on the issuer has also come under scrutiny. Also, counting on 3-D Secure 2.0 or EMV 3-D Secure is just one piece of the fraud prevention puzzle for merchants. It is being recommended that merchants seek a fraud solution that can act as a filter for fraud rather than relying only on 3DS. A multi-disciplinary approach, which combines machine learning and other techniques to make sense of the score automatically, is required to fully automate the fraud screening process.
First Published on 9th January, 2019
Ai Editorial: IATA completed its first Open Banking live transaction this week. There are more developments to watch out for in 2019, writes Ai's Ritesh Gupta.
Streamlining the payment experience isn't only about offering the most convenient option to pay, but also about ensuring security around it. Pressure is mounting on airlines and other merchants in the travel sector. Rather than introducing verification processes that delay the transaction, airlines must plan frictionless on-boarding and authentication methods.
2019 is expected to witness progress on this count, as airlines continue to focus on offering a simple and frictionless payment procedure - a seamless check-out, being spot on with the choice and personalisation, and eventually managing payment and settlement of transactions seamlessly.
This week IATA completed its first “IATA Pay” ticket purchase transaction in a live test environment. It is a new payment method for travellers buying a ticket directly from an airline website. IATA has stated that this method is designed not only for the convenience of shoppers, but also to offer a cheaper payment option compared to the alternatives. The association also described IATA Pay as highly secure, offering faster cashflow through instant or near-instant payment to the merchant, and a simpler payment process resulting in fewer lost sales. The live test was done under the UK’s Open Banking framework with IATA Pay pilot airlines, including Cathay Pacific Airways, Scandinavian Airlines and Emirates.
IATA is also working with Deutsche Bank on a prototype for Europe (excluding the UK), starting with the German market, which is expected to undergo testing in early 2019. Following this, IATA will validate the concept with the intention to expand to other regions, stated the association in a release.
Frictionless + Secure Environment
Among technology trends to watch out for in 2019, one can expect artificial intelligence to play a bigger role in fraud detection and cyber defence, security via biometrics, and the role of chatbots and voice-based digital assistants in shopping.
A couple of areas that are worth following include identity verification and how tokenization is shaping up in order to protect payment data.
Considering the pace with which mobile commerce has shaped up and continues to grow, it is vital for merchants to:
Airlines also need to find ways to understand a shopper's behaviour, including purchase behaviour across specific devices and also enhancing fraud detection.
This is where the use of tokenization is being followed closely. A token replaces sensitive account information, such as the 16-digit primary account number, with a unique digital identifier.
According to CyberSource, tokenization facilitates new payment capabilities and enables merchants to adapt quickly to changing market requirements. Another important aspect is protecting sensitive payment card data. Visa Token Service helps shoppers connect their cards to merchants of their choice within banking apps, and also comes into play when a customer opts for a new payment card: the token is updated seamlessly, rather than recurring payments and other card-on-file situations spoiling the payment experience. To enhance the tokenization offering, specialists are also looking at cloud support, with the aim of accelerating the checkout phase and augmenting the payment experience.
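To make the "token replaces the primary account number" idea concrete, here is an added example of a minimal token vault; it is not CyberSource’s or Visa Token Service’s code, and the `TokenVault` class, its method names and the in-memory storage are the example’s own assumptions. The vault validates the PAN with the Luhn check, issues a random token that keeps the length and the last four digits (so receipts and customer service still work), deliberately makes the token fail Luhn so it can never be mistaken for a real card number, and returns the same token for a returning card so the merchant can recognise a repeat customer without ever storing the PAN.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for position, digit in enumerate(reversed(number)):
        value = int(digit)
        if position % 2 == 1:  # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory token vault (not a real product's API).

    The PAN-to-token mapping lives only inside the vault, which in a real
    deployment sits with the payment processor, not the merchant: tokens
    stolen from the merchant reveal nothing about the underlying card numbers.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        """Issue (or re-use) a token for a valid PAN."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # A returning card gets its existing token, so the merchant can
        # recognise the customer while still holding no PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            random_part = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = random_part + pan[-4:]
            # Reject tokens that pass Luhn (so they cannot pass as a PAN) or that collide.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to its PAN; only the processor side should be able to call this."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed: a well-known test card number
    token = vault.tokenize(test_pan)
    print(token, vault.tokenize(test_pan) == token, vault.detokenize(token) == test_pan)
```

The random digits come from `secrets`, not `random`, because a token that could be predicted or reversed would defeat the purpose; the Luhn rejection loop is what keeps a leaked token from ever being accepted as a card number by a downstream system.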
Another area that is going to be crucial for merchants is latency and response time in fraud detection. The time taken by a bank to respond to an illegitimate transaction “translates directly to how much financial loss can be prevented”. The window for response or detection is a mere two seconds. "This means less than two seconds to process an incoming mobile activity, build a behavioral profile, evaluate the transaction for fraud, and determine if an action needs to be taken," as highlighted by Microsoft Azure in one of its blog posts regarding mobile bank fraud.
Lastly, fraud prevention specialists say the time has come for merchants to become smarter. Merchants should still develop their own fraud tools that can tap their own sources of data for greater efficiency and more accurate fraud detection. Real-time machine learning can help against blanket blacklists and whitelists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transaction to identify fraud patterns.
First Published on 14th December, 2018
Ai Editorial: Data is going to be a key weapon in the arsenal of airlines as the industry attempts to fight emerging fraud threats, writes Ai’s Ritesh Gupta.
Airlines acknowledge that they need to be in a position to probe as many data sources as possible in order to improve the probability of uncovering and combatting fraudulent activities and transactions.
Going forward, airlines not only need to focus on their own unique data, but they also have to count on external data plus be open to collaborating with other stakeholders to stop fraudsters’ malicious moves.
1. Tracking and consolidating own data: Blending all the available transactional data into a single system and analysis model is critical considering where the industry stands today with CNP purchases and e-commerce sales. In addition to ticket-related revenue generation, keeping a vigil on frequent flyer miles, loyalty points, gift cards and so on is a must. Considering the way fraud evolves, airlines can’t ignore options like e-gift cards. Fraudsters are capable of breaking through gift card codes through various methods such as phishing or social engineering. Airlines’ own data, especially from their own channels such as the website, is important for refining analytics around it.
Big data is first used to collect information about the user’s behaviour on the website (for instance, how the mouse moves, words per minute and so on). This information is combined with machine learning, which uses pattern recognition to map the pattern of the user’s behaviour and match it with either positive (genuine) or negative (fraudulent) behaviour, along with predictive analytics that records positive and negative behaviour and applies it to future transactions to spot potential signs of fraud. After the point of data collection, airlines have to amplify and triangulate the data, analysing it through multiple permutations and combinations so as to better understand the fraud patterns left behind by fraudsters in their attempts to brute force the system.
Real-time data from airline.com can also help in curbing fraud. Blacklists rarely work because hackers will never use the same credit card information twice, while white-lists are inaccurate since white-listed customers can be compromised at any time. Real-time machine learning can help against blanket blacklists and white-lists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transaction to identify fraud patterns.
2. Blending data from other sectors for the benefit of airlines: Specialists serving the travel industry state that the fraud-related issues must be confronted collectively. There is strength in numbers and insight in data—and help is available to leverage them both. Specialists like Accertify are working on airline-specific offerings, and their machine learning technology aggregates and transforms information from a diverse set of sources to identify emerging fraud risks and attacks. External data can complement and lend a new dimension to internal data sources, offering a better view of shoppers and the authenticity of transactions. Evaluating IP addresses, credit card data, and email addresses can enhance a carrier’s interpretation of who is doing what—and from where they are doing it.
3. Accuracy of machine learning: The collection of more and relevant data would help to improve the accuracy of the machine learning models by churning the data through various permutations and combinations to identify potential fraud patterns. However, ultimately a multi-disciplinary approach, that combines machine learning and other techniques to make sense of the score automatically, is required to fully automate the fraud screening process. Machine learning models are only able to provide a fraud score, of which a bulk of transactions are automated but humans are still required to review a good number of transactions that are considered borderline.
4. Authorization rates: Among the other areas, data is being relied upon to improve authorization rates. As highlighted by Adyen, on average 5%-15% of ecommerce credit card transactions are rejected by issuing banks, and of these, a quarter fail for no convincing reason, mostly due to old and inefficient systems. And in certain markets, authorization rates across issuers dip because of suspicion of fraud. In this context, it is imperative to use data to evaluate the main reasons behind those declines and take appropriate initiatives. For instance, one area that could be examined is issuer-specific authorization rate trends. These actions may include optimizing the type of data submitted or identifying optimal routing for a given transaction.
5. Collaboration: A shared database, or working together with relevant partners, is going to be the biggest factor in combating fraud. IATA Perseuss allows members to check suspect transactions against a community database holding records from around the world. There is still plenty to learn from other industries, or from law enforcement in a market that has managed to bring fraud under control to some extent. Partnerships between industry players, government and law enforcement agencies are getting fraudsters punished. For instance, the Banking Protocol scheme in the U.K. allows bank branch staff to alert police and Trading Standards immediately if they suspect fraudulent activity. The Dedicated Card and Payment Crime Unit (DCPCU), backed by the finance industry, made 84 arrests and interviews under caution in the first half of 2018, which led to 26 fraudsters being convicted. On the data side, intelligence is also shared with law enforcement, including the National Crime Agency. A campaign led by Financial Fraud Action UK aims to help everyone protect themselves from preventable financial fraud and is delivered with and through a range of partners: the UK payments industry, financial services firms, law enforcement agencies, telecommunication providers, and commercial, public and third sector organizations.
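As an added illustration of the issuer-specific analysis that point 4 calls for (example code, not from Ai, Adyen or any other vendor named above), the Go program below groups a constructed batch of authorization results by issuer BIN, computes each issuer's authorization rate, lists the issuers below a target rate and pulls out their most common decline reason. The `AuthResult` fields and the sample data are this example's own; the reason codes follow the ISO 8583 style an issuer returns, with `59` standing for suspected fraud, `51` for insufficient funds and `05` for "do not honour".

```go
package main

import (
	"fmt"
	"sort"
)

// AuthResult is one authorization attempt as the merchant sees it: the issuer
// BIN (first six digits of the card, identifying the issuing bank), whether
// the issuer approved, and the issuer's response code when it declined.
// Field names are this example's own, not a gateway's schema.
type AuthResult struct {
	IssuerBIN  string
	Approved   bool
	ReasonCode string // "" when approved
}

// IssuerStats accumulates attempts, approvals and a histogram of decline
// reason codes for one issuer.
type IssuerStats struct {
	Attempts  int
	Approvals int
	Reasons   map[string]int
}

// Rate is the issuer's authorization rate, or 0 when nothing was attempted.
func (s *IssuerStats) Rate() float64 {
	if s.Attempts == 0 {
		return 0
	}
	return float64(s.Approvals) / float64(s.Attempts)
}

// TopReason returns the most frequent decline reason code and its count,
// breaking ties on the lexically smaller code so the answer is stable.
func (s *IssuerStats) TopReason() (string, int) {
	best, bestN := "", 0
	for code, n := range s.Reasons {
		if n > bestN || (n == bestN && code < best) {
			best, bestN = code, n
		}
	}
	return best, bestN
}

// Aggregate groups authorization results by issuer BIN.
func Aggregate(results []AuthResult) map[string]*IssuerStats {
	out := map[string]*IssuerStats{}
	for _, r := range results {
		s, ok := out[r.IssuerBIN]
		if !ok {
			s = &IssuerStats{Reasons: map[string]int{}}
			out[r.IssuerBIN] = s
		}
		s.Attempts++
		if r.Approved {
			s.Approvals++
		} else {
			s.Reasons[r.ReasonCode]++
		}
	}
	return out
}

// Underperformers lists the BINs whose authorization rate is below threshold,
// sorted so the output is deterministic.
func Underperformers(stats map[string]*IssuerStats, threshold float64) []string {
	var bins []string
	for bin, s := range stats {
		if s.Rate() < threshold {
			bins = append(bins, bin)
		}
	}
	sort.Strings(bins)
	return bins
}

// sampleResults is a constructed batch: issuer 411111 approves almost all
// traffic, issuer 555555 declines a large share with code 59 (suspected
// fraud), which is exactly the trend the text says to look for.
func sampleResults() []AuthResult {
	var rs []AuthResult
	for i := 0; i < 9; i++ {
		rs = append(rs, AuthResult{IssuerBIN: "411111", Approved: true})
	}
	rs = append(rs, AuthResult{IssuerBIN: "411111", ReasonCode: "05"})
	for i := 0; i < 6; i++ {
		rs = append(rs, AuthResult{IssuerBIN: "555555", Approved: true})
	}
	for i := 0; i < 3; i++ {
		rs = append(rs, AuthResult{IssuerBIN: "555555", ReasonCode: "59"})
	}
	rs = append(rs, AuthResult{IssuerBIN: "555555", ReasonCode: "51"})
	return rs
}

func main() {
	stats := Aggregate(sampleResults())
	for _, bin := range Underperformers(stats, 0.85) {
		code, n := stats[bin].TopReason()
		fmt.Printf("issuer %s: auth rate %.0f%%, top decline reason %s (%d)\n",
			bin, 100*stats[bin].Rate(), code, n)
	}
}
```

Run on real gateway exports, the interesting output is the issuers whose top reason is a fraud-suspicion code: that is where submitting richer data with the request (or routing through a different acquirer) is most likely to move the rate.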
Follow Ai on Twitter: @Ai_Connects_Us
First Published on 4th December, 2018
Imagine receiving an email early in the morning, stating that your personal data has “possibly” been compromised. It’s disturbing. But the agony doesn’t end here. Ai’s Ritesh Gupta explains why.
A data breach is a big concern for everyone. From the consumer's perspective the situation is trickier than it looks: a user may have created a formidable password and believe everything is fine, only to discover that once a service is breached the same password is leaked and is of no further use. Given what is at stake, the leaking of passwords, and how a fraudster can profit from it, is as distressing as it is annoying for the user.
As seen in an email from Quora today, the company shared that some user data was “compromised by a third party who gained unauthorized access” to its systems. Information that may have been compromised includes account and user information (e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data). While the company acknowledged that it is its responsibility to make sure things like this do not happen, it also stated: “while the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so”.
A massive problem for consumers
The agony does not end with that email. What haunts is the thought of having used one password for multiple accounts.
Weak password management habits are what let attackers reach confidential information.
According to an analysis by LastPass, the password manager owned by LogMeIn, little has changed over the last two years in how passwords are chosen and handled.
As we highlighted in one of our reports, consumers stick to the same passwords and rarely change them. This matters because once a password is stolen, every account-based online service where it was reused is under threat.
In an interview, an executive from Sift Science even pointed out that everyone's credentials have already been compromised and the industry has reached the point of no return. It might not be a straightforward task to gain access to everyone's account, but, just like solving a puzzle by putting several pieces together, fraudsters can sneak through the defence: from one data breach they get a vital piece of information about users, another breach shares more details, and eventually all the details of an account are cracked.
Reusing the same password for multiple accounts is a tough habit to break. Even millennials, a group supposedly well versed in technology, mostly reuse passwords for fear of forgetting them, and commonly rotate through variations of one or two passwords they can remember. On the positive side, more users are opting for secure password storage and automated password resets to overcome the anxiety of failing to recall, but there is a long way to go.
How to go about it?
Even as credentials are being stolen, organizations must bolster the authentication process. Merchants should aim to limit the damage by ensuring that stolen data cannot be used. One way is real-time monitoring of every login to filter out suspicious attempts and stop attackers from gaining unauthorized access to accounts. Services are also available that can spot passwords currently in use in a domain that have already been exposed in a previous data breach. As much as merchants need to act to ensure that data does not get stolen (How to prevent “Starwood guest database breach”-like incidents?), consumers too need to be informed.
So inform and educate customers about the significance of passwords. There is nothing new in these instructions, but reinforcing them still helps: unique passwords for every service, built from a mix of upper and lowercase letters, numbers and special characters; never reusing a password across sites; and training users to be security-minded and to spot scams. Some apps also expire passwords after a while, leaving users no option but to change them. Note that current guidance such as NIST SP 800-63B favours screening new passwords against breach corpora over mandatory composition rules and scheduled expiry, because forced rotation tends to push users towards predictable variations of the password they already had. No one likes friction in a user session, but at the end of the day the problem is too big to ignore.
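The two defences described above, screening passwords against earlier breaches and watching every login for abuse, as an added example in Go (not code from Ai or from any vendor the article mentions). The breach corpus is a constructed three-entry table built in `init()` that stands in for a range-query service such as Pwned Passwords, where the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally; the login log is likewise constructed, and the function and field names are the example's own.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// breachedRanges stands in for a breach corpus exposed as range lookups (the
// model used by the Pwned Passwords API): keyed by the first five hex
// characters of a password's SHA-1, each entry lists "SUFFIX:COUNT" lines.
// Real corpora hold hundreds of millions of entries; this one is built in
// init() from three constructed known-bad passwords so the example runs offline.
var breachedRanges = map[string][]string{}

func init() {
	for pw, count := range map[string]int{"password123": 1000000, "Winter2018!": 4200, "qwerty": 3900000} {
		prefix, suffix := sha1Split(pw)
		breachedRanges[prefix] = append(breachedRanges[prefix], fmt.Sprintf("%s:%d", suffix, count))
	}
}

// sha1Split returns the 5-character k-anonymity prefix and the 35-character
// remainder of the uppercase SHA-1 hex digest of pw.
func sha1Split(pw string) (string, string) {
	sum := sha1.Sum([]byte(pw))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// lookupRange is the server side of the query: it only ever receives the
// prefix, so neither the password nor its full hash leaves the caller.
func lookupRange(prefix string) []string {
	return breachedRanges[prefix]
}

// BreachCount returns how many times pw appeared in the corpus, or 0.
func BreachCount(pw string) int {
	prefix, suffix := sha1Split(pw)
	for _, line := range lookupRange(prefix) {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) == 2 && parts[0] == suffix {
			var n int
			fmt.Sscanf(parts[1], "%d", &n)
			return n
		}
	}
	return 0
}

// LoginEvent is one authentication attempt as an application would log it.
type LoginEvent struct {
	IP      string
	User    string
	Success bool
}

// SuspiciousIPs flags source addresses that tried at least minUsers distinct
// accounts with failures outnumbering successes: the shape of credential
// stuffing with leaked username/password pairs, as opposed to one user
// mistyping their own password several times.
func SuspiciousIPs(events []LoginEvent, minUsers int) []string {
	type stats struct {
		users           map[string]bool
		failures, total int
	}
	byIP := map[string]*stats{}
	for _, e := range events {
		s, ok := byIP[e.IP]
		if !ok {
			s = &stats{users: map[string]bool{}}
			byIP[e.IP] = s
		}
		s.users[e.User] = true
		s.total++
		if !e.Success {
			s.failures++
		}
	}
	var out []string
	for ip, s := range byIP {
		if len(s.users) >= minUsers && s.failures*2 > s.total {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

// sampleLogins is a constructed log: one address walks through many accounts
// (one leaked pair happens to work), another is a single user getting it wrong.
func sampleLogins() []LoginEvent {
	return []LoginEvent{
		{"203.0.113.5", "alice", false}, {"203.0.113.5", "bob", false},
		{"203.0.113.5", "carol", true}, {"203.0.113.5", "dave", false},
		{"203.0.113.5", "erin", false},
		{"198.51.100.7", "frank", false}, {"198.51.100.7", "frank", false},
		{"198.51.100.7", "frank", true},
	}
}

func main() {
	for _, pw := range []string{"password123", "correct horse battery staple 7Q"} {
		fmt.Printf("%q seen in breaches: %d\n", pw, BreachCount(pw))
	}
	fmt.Println("credential stuffing suspects:", SuspiciousIPs(sampleLogins(), 3))
}
```

Running `BreachCount` at registration and password change, and rejecting anything with a non-zero count, is the check that makes reuse of a leaked password fail even when the user never hears about the breach; the login rule is deliberately crude and would be tuned with time windows and per-account velocity in production.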
First Published on 3rd December, 2018
Ai Editorial: One question that organizations need to dig deep into is – how to go for end-to-end protection for the sensitive data an organization has and how to prevent a data breach? Ai’s Ritesh Gupta looks into it.
It is frightening. The number and scale of data breaches are now large enough to scare almost every organization. Marriott's acknowledgement of the Starwood guest reservation database security incident exemplifies today's precarious cybersecurity situation.
The list of post-breach tasks is laborious: analyzing how it happened and what was stolen, disclosing the breach and informing customers, and implementing security measures after the attack. It is a rough ride for many.
One question organizations need to dig deep into is how to protect the sensitive data they hold end to end and prevent a data breach. Data may never be 100% secure, but organizations cannot stand still; they have to assess how to inch closer to that and close whatever gap they can. For instance, what is the weakest point an attacker would go for? Malware infiltration and phishing are the common routes.
This year’s list of impacted airlines includes British Airways and Cathay.
Be it for Marriott/ Starwood or any travel company, what is at stake is possibly what an organization is all about – customers and their data. According to Marriott, the database:
“…contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
Encryption for personal information
Clearly the days of relying on simple encryption are over. Encryption transforms readable data (plaintext) into ciphertext using an algorithm and a secret key; without the key the output should be unreadable, so the strength of the scheme rests on the algorithm and on how the key is protected, not on keeping the method secret. Encryption of personal data is a must and should cover every point where the data exists. Start by knowing where data resides, and evaluate cloud settings, big data and web repositories, file systems, databases and virtualization implementations.
Companies need to assess latest developments pertaining to database and file encryption.
· It is imperative to understand what field-level encryption means: once a field is encrypted by the application, the other systems in a company's architecture only ever see the ciphertext (encrypted information that contains a form of the original plaintext but is unreadable by a human or a computer without the proper key to decrypt it).
· Also, cybersecurity-savvy organizations are looking at automating encryption deployment and management. Specialists point out that data needs to stay encrypted even while it is processed by databases or cached in memory. This is a critical step because it also reduces the risk from compromised staff credentials: data is only available through the authorized applications that hold the keys. (As Microsoft Azure explains, data at “rest” refers to all information storage objects, containers and types that exist statically on physical media, whether magnetic or optical disk; data in “transit” is data being transferred between components, locations or programs.) The key step is to encrypt application data before it is sent to the database and to decrypt query results only when they are returned by the database to the application.
The role of tokenization also needs to be looked at. A token is a random substitute for a card number or other critical customer data and carries none of it, so even if tokens are stolen they reveal nothing; only the separately protected token vault can map a token back to the real value.
Organizations are not only looking at shielding sensitive data but also at meeting regulatory or compliance obligations that require precise key management controls. Focus on the key management process and plan for control of the keys that encrypt data and govern access to it.
Beyond encryption, plan for a robust user management system. Put in place an incisive access-control mechanism so that only authorized accounts and processes can view the data, and monitor those authorized accounts to make sure they have not been compromised.
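The points above on field-level encryption, key management and tokenization, as one added Go example (not Marriott's, Azure's or any vendor's code). It assumes AES-256-GCM from the Go standard library, a key encryption key handed in by the caller (in production it would come from a KMS or HSM), and a test card number and all-zero demo key that are constructed for the example; `Vault`, `Tokenize` and `Detokenize` are the example's own names. What it shows is the situation in Marriott's statement: whoever copies the database gets only tokens, ciphertext and a wrapped data key, which is still one component short of a card number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// mustAEAD returns AES-GCM for a 16- or 32-byte key (AES-128 or AES-256);
// the only failure is a wrong key length, a programming error, so it panics.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// mustRandom returns n bytes from the system CSPRNG; a failure there is not
// recoverable, so it panics rather than let a caller continue with zeros.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// seal returns nonce || ciphertext || tag for plaintext under key, bound to
// aad (additional authenticated data), using a fresh random nonce each call.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustAEAD(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if key, aad or any ciphertext byte differs.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustAEAD(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Vault is a tokenization store. rows is all the database holds: random
// tokens and ciphertext. The data encryption key (DEK) is stored wrapped under
// a key encryption key (KEK) that lives outside the database (a KMS or HSM in
// production), so rows plus wrappedDEK is still one component short of a card.
type Vault struct {
	kek, wrappedDEK []byte
	rows            map[string][]byte // token -> sealed card number
}

const dekLabel = "dek-v1" // AAD on the wrapped DEK: names the key version

// NewVault generates a random DEK and keeps it only in wrapped form.
func NewVault(kek []byte) *Vault {
	wrapped := seal(kek, mustRandom(32), []byte(dekLabel))
	return &Vault{kek: kek, wrappedDEK: wrapped, rows: map[string][]byte{}}
}

func (v *Vault) dek() ([]byte, error) { return open(v.kek, v.wrappedDEK, []byte(dekLabel)) }

// Tokenize stores pan under a random token. The token doubles as AAD, so a
// row copied under another token fails instead of yielding the wrong card.
func (v *Vault) Tokenize(pan string) (string, error) {
	dek, err := v.dek()
	if err != nil {
		return "", err
	}
	token := fmt.Sprintf("tok_%x", mustRandom(16))
	v.rows[token] = seal(dek, []byte(pan), []byte(token))
	return token, nil
}

// Detokenize maps a token back to the card number; only code that can reach
// the KEK succeeds, which is where access control belongs.
func (v *Vault) Detokenize(token string) (string, error) {
	sealed, ok := v.rows[token]
	if !ok {
		return "", fmt.Errorf("unknown token")
	}
	dek, err := v.dek()
	if err != nil {
		return "", err
	}
	pan, err := open(dek, sealed, []byte(token))
	return string(pan), err
}

func main() {
	v := NewVault(make([]byte, 32))          // constructed all-zero KEK, demo only
	tok, _ := v.Tokenize("4111111111111111") // constructed test card number
	fmt.Printf("token %s, stored row %x\n", tok, v.rows[tok])
	fmt.Println(v.Detokenize(tok))
}
```

The `dekLabel` AAD on the wrapped key is what makes key rotation auditable: a new DEK gets a new label, and a ciphertext opened with the wrong key version fails authentication rather than decrypting to garbage. In a real deployment `Detokenize` is the one code path that should ever see the KEK, and the access controls and monitoring described above belong around that path.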
The issue of breaches caused by stolen or weak passwords cannot be ignored either.
The approach needs to be sophisticated. Focus on developing capabilities that can stop attackers at each step of the way to help prevent the theft of data in a breach. Other than investment in cybersecurity technologies, organizations have to hire and retain skilled personnel to form a robust end-to-end protection strategy for sensitive data. Otherwise, it could end up being yet another horrendous data breach story.
First Published on 23rd November, 2018
Ai Editorial: As more fraud-related solutions get introduced, the promise of protection against chargebacks is getting stronger. What needs to be evaluated before opting for the same, probes Ritesh Gupta
Managing fraud liability and availing chargeback (a forced transaction reversal initiated by the cardholder’s bank) guarantee on every transaction approved at first go comes across as an attractive option when considered from a merchant’s perspective.
Whether there can be 100% prevention of chargebacks remains an interesting discussion, still merchants such as airlines have to work on a risk mitigation plan to cut down on the same.
According to Chargebacks911, chargebacks are caused by criminal fraud (1-10%), friendly fraud (50-80%), or merchant error (20-40%).
As more fraud-related solutions get introduced, the promise of protection against chargebacks is getting stronger.
But is there any hidden factor that needs to be considered? What needs to be evaluated before opting for the same?
One of the factors is cost vs. chargeback protection.
“Some fraud solutions in the market today offer a guaranteed chargeback protection, which means that they will take financial responsibility for any approved order that turns out to be fraudulent. This shifts the liability away from merchants and onto these fraud specialists,” says Justin Lie, CashShield’s CEO. “However, not all e-commerce merchants will choose to take up the chargeback protection service, depending on their existing chargeback rates and business goals. For example, some solutions factor in the chargeback protection by increasing the cost of service, and a merchant with low chargeback rates may consider their fraud cost lower than the cost of deploying a chargeback protected fraud service.”
The cost of the chargeback protected service will be one of the important considerations - if the merchant ends up losing more on cost with the liability shift, then perhaps the merchant would be better off without the chargeback protection.
Second factor is the risk appetite of an e-commerce organization.
A shift in liability might also mean that the merchant would be open to accepting more risk, and therefore more fraud. With that in mind, the travel merchant must consider their risk appetite, whether or not accepting more risk is possible, or if their main goal is to minimize fraud as much as possible. At the same time, fraud rates must still be kept at an acceptable level and not be left too high, or the merchant may be left with warnings and suspensions from card issuers.
Focus shouldn’t be only on “guarantee”
One can’t ignore the significance of accurately detecting fraud attempts and stopping fraudsters from succeeding in whatever they intend to do.
As specialists at Chargebacks911 point out, merchant errors, which can be simple and inadvertent, need to be curbed. For friendly fraud, a key option for the merchant is to strategically dispute illegitimate chargebacks when they are issued. Each chargeback dispute sends a powerful message to the issuing bank, asserts Chargebacks911; by doing so merchants restore their standing and improve their rapport with the issuer, and a merchant cleared of any apparent fault ends up facing fewer friendly fraud chargebacks.
In case of criminal fraud, the blend of machine learning with human forensics needs to deliver.
Deploying a multi-disciplinary approach that combines different technologies, both supervised and unsupervised machine learning, better equips merchants to manage fraud. Unsupervised machine learning can learn on the fly and surface fraudulent patterns without having been trained on labelled historical data, which lets it flag previously unknown attacks, although it still needs a baseline of normal behaviour to measure deviations against.
Machine learning systems are meant to improve on rule-based systems by reducing reliance on hard rules, filtering out fraud while passing more genuine users. However, a machine learning system only produces a probability, or fraud score, and still requires a team of manual reviewers to make sense of that score for borderline cases and decide whether to pass or reject the transaction.
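The combination the two paragraphs above describe, a supervised fraud score, an unsupervised signal and a manual-review band between the automatic accept and reject decisions, as an added Go example (not CashShield's or Chargebacks911's code). The supervised score is taken as an input, since the page gives no model; the unsupervised part is a running mean and variance of the transaction amount (Welford's algorithm), one simple way to learn "normal" from the stream itself without labels. The thresholds, names and the transaction stream are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Verdict is the outcome of screening one transaction.
type Verdict string

const (
	Accept Verdict = "accept"
	Review Verdict = "review" // lands in the manual review queue
	Reject Verdict = "reject"
)

// Thresholds split the supervised fraud score (0 = clean, 1 = fraud) into
// three bands; the band between ReviewAt and RejectAt is what analysts see.
type Thresholds struct {
	ReviewAt, RejectAt float64
}

// Decide maps a supervised score to a verdict.
func Decide(score float64, th Thresholds) Verdict {
	switch {
	case score >= th.RejectAt:
		return Reject
	case score >= th.ReviewAt:
		return Review
	default:
		return Accept
	}
}

// Baseline keeps a running mean and variance of one numeric feature using
// Welford's algorithm. It needs no labelled history: it learns what "normal"
// looks like from the stream itself and can then flag values far outside it.
type Baseline struct {
	n    int
	mean float64
	m2   float64 // sum of squared deviations from the running mean
}

// Update folds one observation into the baseline.
func (b *Baseline) Update(x float64) {
	b.n++
	delta := x - b.mean
	b.mean += delta / float64(b.n)
	b.m2 += delta * (x - b.mean)
}

// ZScore reports how many standard deviations x sits from the running mean;
// it is 0 until two observations exist or while the variance is zero.
func (b *Baseline) ZScore(x float64) float64 {
	if b.n < 2 {
		return 0
	}
	sd := math.Sqrt(b.m2 / float64(b.n-1))
	if sd == 0 {
		return 0
	}
	return math.Abs(x-b.mean) / sd
}

// Screen combines both signals. The supervised score decides the clear cases;
// a deviation of anomalyZ or more on the unsupervised baseline escalates an
// otherwise accepted transaction to review, so an attack pattern the model was
// never trained on still gets a human look. Rejected transactions do not
// update the baseline, so caught fraud does not shift the notion of normal.
func Screen(amount, score float64, th Thresholds, base *Baseline, anomalyZ float64) Verdict {
	v := Decide(score, th)
	if v == Accept && base.ZScore(amount) >= anomalyZ {
		v = Review
	}
	if v != Reject {
		base.Update(amount)
	}
	return v
}

// Summary counts verdicts over a batch so the share of traffic that still
// needs a human can be tracked over time.
func Summary(verdicts []Verdict) map[Verdict]int {
	out := map[Verdict]int{}
	for _, v := range verdicts {
		out[v]++
	}
	return out
}

// demoStream screens a constructed stream: twenty ordinary fares with low
// scores, one huge amount the model scores low because it has never seen the
// pattern, and one attempt the model itself rates as fraud.
func demoStream() []Verdict {
	th := Thresholds{ReviewAt: 0.5, RejectAt: 0.9}
	base := &Baseline{}
	var vs []Verdict
	for i := 0; i < 20; i++ {
		vs = append(vs, Screen(100+float64(i), 0.1, th, base, 3))
	}
	vs = append(vs, Screen(9000, 0.2, th, base, 3))
	vs = append(vs, Screen(120, 0.95, th, base, 3))
	return vs
}

func main() {
	fmt.Println(Summary(demoStream())) // map[accept:20 reject:1 review:1]
}
```

The review share that `Summary` reports is the number to watch: widening the band between `ReviewAt` and `RejectAt` catches more fraud but costs analyst time, and a baseline per segment (route, currency, customer tenure) rather than one global `Baseline` is what keeps the anomaly escalation from flooding the queue with legitimately expensive bookings.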