Ai Editorial: Here’s why account takeovers are set to become a bigger headache
First Published on 8th November, 2018
Ai Editorial: Account takeovers (ATO) are shaking e-commerce players in many ways, including in the loyalty space. For instance, post an ATO orders can be made with the genuine card-on-file or stored credit (reward points or miles), writes Ai’s Ritesh Gupta
Retailers, including travel e-commerce players, are looking at combating the increasing threat of account takeover (ATO) attacks.
As the number of data breaches is going up, they are being linked to the surge in ATO attacks. This is because these breaches supply a treasure trove of information of login credentials, passwords, and personal information.
Here is how fraudsters are trying to make sense of what they are stealing: Data breaches can result in compromised login credentials. Post this fraudsters tend to test whether these credentials work on other sites or not. With one password for multiple accounts being a common practice, the threat of danger is unimaginable! Since testing credentials this way can be a laborious task, fraudsters use bots to automate the testing process. Once fraudsters have found credentials that work, they can either commit the fraud, or sell them on the dark web. According to Riskified, usually fraudsters have specialized roles: fraudster A is the expert at data breaches, and he’ll monetize the stolen credentials by selling them to fraudster B, who is the expert at loyalty fraud. Cybercriminals purchase these stolen credentials from the dark web, and thereafter launch coordinated fraud attacks for hostile ATOs, or to create spam accounts with real genuine identities.
Why even a bigger headache?
In case a successful data breach or an ATO attack happens, merchants can find themselves in an obnoxious situation. As explained by Sift Science, this is because stored payment methods make it easier for fraudsters to shop, fraudsters can redeem miles and points that sit in unsecure accounts, personable information is lost and then merchants also have to grapple with the issue of restoring accounts after a takeover incident. Spam accounts are useful for fraudsters to abuse promotional codes, which is another pain point for merchants.
A couple of reasons by ATO can become even a bigger headache:
· ATO can also occur under other circumstances such as when competitors suffer a data breach. Given that most people tend to use the same credentials with multiple merchants, fraudsters will test stolen credentials across multiple websites. This means that an enterprise’s accounts can also be compromised once fraudsters get hold of their competitors’ user data.
· It also needs to be considered that enterprises are starting to build ecosystems where a single account can be used to access multiple services, increasing the value of accounts and further compounding the problem of account takeovers. Accounts are becoming increasingly valuable, due to the amount of information and/or services tied to a single login, and considering that most enterprises have yet to deploy sophisticated fraud management techniques to detect fraudulent account logins, accounts have become the new gold for fraudsters today. A case to examine is Amazon, where one single account may be used to access multiple services including Amazon Prime, Alexa, cloud storage, music streaming and more. Once a single account is compromised, it would be difficult to have damage control on all possible endpoints that could benefit the fraudster. For instance, the fraudster could have access to the card-on-file to make purchases, or have access to the user’s information, or worse, in the case of IoT (e.g. Alexa), spy on the users in their homes.
What to consider?
Some of the top issues on the agenda of airlines as of today are - how to prevent fraudsters from accessing travellers' legitimate account? How to combat an ATO attack at the point of sale, and declining the order?
Companies acknowledge what's at stake - their reputation, messed up loyalty accounts, a customer's private information etc. A majority of fraud review operations are reluctant to decline orders coming from a logged in account. This is because the risk of offending a good customer is so high and the fear of a poor customer experience makes it a delicate issue. As pointed out by Riskified, a major aspect of preventing fraudsters from succeeding at the point of account login is processing data and making decisions in real-time.
Enabling two-factor authentication (2FA) is one option. Educating consumers to use strong passwords and securing their devices is also important. Notifications about suspicious activity, too, need to be considered. Still travel e-commerce companies need to dig deep. As recently shared by CashShield, organizations tend to rely on 2FA for account protection, which can be overcome by fraudsters with deceptive tactics, such as SMS phishing to trick users into giving up their 2FA reset codes; it is also not uncommon for fraudsters to intercept the confirmation SMS messages, proving that 2FA is not sufficient to prevent fraudulent account takeovers.
As for the role of a merchant, they need to go for stringent security protocols in storing and encrypting their data, to curtail the loss in case of a data breach. They can also attempt to lessen the harm by guaranteeing that the stolen data cannot be used. According to CashShield, one way to achieve this is to deploy real-time active surveillance on every login to filter out potential threats and prevent attackers from gaining unauthorized access to accounts.
For Ai’s Events, check - www.aieventdates.com
Follow Ai on Twitter: @Ai_Connects_Us
Ai Editorial: Machine learning and fraud – “scores” not important; results matter
First Published on 16th October, 2018
Ai Editorial: There are key pointers – denial rates, false positives and fraudulent transactions – that underline the performance of any machine learning technique in fraud prevention. As for what is the utility of scores, they are not important; results matter, writes Ai’s Ritesh Gupta
It is intriguing to understand how machine learning works – working on data, variables etc., and how is precise model worked out and refined to control fraud, be it for related to a payment, data breach or account takeover.
The machine learning system starts with a basic model which is trained and improved with datasets over time. It is important to pre-process the data. To improve the efficiency and accuracy of the system, the data can be pre-processed with data slicing and augmentation and be cleaned sufficiently before it is used to train the model.
Making it work to control fraud
In the case of a fraud solution, the system will be given training sets consisting of a given set of known fraudulent transactions and known non-fraudulent transactions, so that the system will learn to differentiate and filter away fraudulent transactions, says Justin Lie, CashShield’s CEO.
Considering that various industries have differing levels of risk and exposure to fraud, the data collected from different industries may be customized. For instance, some data sets that may be collected from an airline merchant (and no other industry) would include: flight boarding times, whether the customer chooses to add a meal, whether the customer has an existing loyalty membership or whether seat preferences have been added.
A few algorithms modelled from the training sets will be put to the test with real life data, and thereafter, the algorithm with the least error will be chosen as the best algorithm. The amount of data and how relevant the data was used in deriving the algorithm will affect its accuracy. Over time, the algorithm must be constantly trained with data, especially with new data so that the margin of error can be minimized and inaccurately classified transactions (fraudulent as non-fraudulent and non-fraudulent as fraudulent) will be corrected.
Significance of “score” associated with machine learning
There are key pointers – denial rates, false positives and fraudulent transactions – that underline the performance of any machine learning technique. As for what is the utility of scores, Lie says scores are not important; results matter.
“Most merchants would aim to increase their transactions and reduce their fraud, and the performance of any machine learning technique should be evaluated based on whether this goal can be achieved. Nevertheless, it is important to note that each merchant would have differing goals with respect to fraud; for some, raising acceptance rates and growing aggressively is most important, while for some others, minimizing fraud rates down to zero is the most important KPI,” says Lie.
“With minimal risk, it is likely that overly strict filters are put in place and many genuine users have been blocked at the expense of lowering fraud rates. Therefore, the performance of the fraud solution would depend on the goals of the merchant. For example, taking in more risk may increase fraud rates slightly, but also lower false positives and rejection rates.”
Commenting on the significance of scores in terms of performance in controlling fraud and letting legitimate transactions go through, Lie said most fraud solutions on the market would be able to automate a good bulk of the transactions based on the score; extremely low scores will be rejected automatically and extremely good scores will be accepted. However, for the borderline transactions, a team of manual reviewers is required to make sense of the score. Generally, some guidelines will be given to the manual review team to look for further clues based on the data collected, and some working experience will be used, but most of the time the manual review team is relying on their gut feeling, which is affected by a risk-averse outlook to reject potentially genuine transactions to prevent fraud rather than to risk having passed a fraudulent transactions.
Therefore, fraud scores can only help a merchant this much, but ultimately, the fraud score is not the be all and end all in identifying fraud.
Human intelligence counts
Machine learning models would only still provide merchants with only a fraud score; to make sense of the score, fraud solutions or merchants would still need to rely on humans to make a decision.
“The problem here, is that humans are often risk-averse and would reject borderline risky transactions for fear that it could be fraudulent, and end up blocking more genuine customers than expected,” said Lie.
As such, a multi-disciplinary approach combining machine learning and other techniques is important to improve the efficiency and quality of the fraud detection process.
Follow Ai on Twitter: @Ai_Connects_Us
Ai Editorial: How agility is playing its part in payment optimization at KLM?
Ai Editorial: A tailored payment infrastructure and the structuring of team internally, where multiple teams working in sync within an agile environment, paves way for payment optimization at KLM, writes Ai’s Ritesh Gupta. He spoke to Maarten Rooijers, Senior Manager Payments, KLM in Phuket recently.
In an era where the number of ways in which a customer can pay has risen tremendously, facilitating such wide variety of payment methods can be an arduous task. A merchant today is possibly expected to facilitate a transaction via every point of interaction.
In this context, an organization’s of KLM stature has led the way in embracing new technology and payment methods in a swift manner.
Consumers are indulging in technology and making the most of new devices to simplify what they wish to do. They are shopping for various products, including travel, through “voice”. Seeking Alexa and Google Assistant’s help in one’s native language is becoming a norm, and brands like KLM are responding to this trend. The airline is allowing users to search flights by giving spoken instructions. Once a suitable flight is identified, a link to the KLM's site is provided to complete the transaction. KLM’s Blue Bot is based on artificial intelligence, which is linked to a combination of KLM and external tech.
So how to optimize the payment experience by balancing the cost vs. revenue analysis or assessing the intangible value gained from any initiative?
“There is a need to evaluate whether the new technology (or any payment method) would result in additional value for the customer as well as the merchant. It is the customer who decides how they wish to pay,” says Maarten Rooijers, Senior Manager Payments, KLM. Rooijers was recently in Phuket for Ai’s ATPS, where he explained the evolution of KLM's online payment strategy (alternative forms of payment online, leveraging social media, multi-currency pricing, roll out of mobile wallets, demo of payment via WeChat etc.).
“Some of the new options to pay are being propelled by innovation in this industry. Some are also being facilitated by social media,” mentioned Rooijers.
The Payment team works closely together with KLM’s Social Media team which is also part of KLM’s Digital department. “Apart from the Payment team coming with initiatives to add new Payment options, it is sometimes a combination of initiatives coming from our establishments globally and requests from our SM team. It is not just about adding Google Pay, Apple Pay, Alipay etc., but it also about making the booking process easier. As for the payment team, we chose to standardize the process. So rather than having a payment functionality in each and every front-end, it was decided to set up an independent payment platform or a payment engine. It is connected to “internal” customers/ front-end for payments,” explained Rooijers.
Infrastructure + Agility
The payment infrastructure and internal alignment paves way for payment optimization at KLM.
“Internally, we started working via structuring or a framework like Scrum (to embrace agility). The number of product teams within the KLM digital is quite big. There are multiple teams working in sync within this agile environment, involving the front-end, back-end API teams, payments team…looking at implementing new projects/ features.” shared Rooijers.
In the agile set up, how often does the payments team interact with the other teams?
“It’s almost daily,” mentioned Rooijers.
The Payment system is called EPASS (Electronic Payment and Settlement System). As for how the team manages challenges pertaining to introducing a new payment option, for example, Alipay or WeChat Pay, Rooijers shared that the EPASS layer is what that maintains liaising between the internal applications, mostly front-ends where customers book their trip or buy their ancillaries, and the external partners/ vendors – payment service provider (PSPs), gateways etc. “We are working with a number of PSPs and acquirers in order to be able to have a global offering. So when it comes to facilitating viable payment options from a new market or a region, rather than directly working with a new PSP, we prefer to route them to our existing PSP and work accordingly. Making a connection to a new PSP tends to be costly and needs resources. We therefore have selected PSP’s with a wide global coverage. If there are any new relevant Payment options emerging not initially supported by our contracted PSP’s, we request our PSP’s to start offering these or, alternatively, partner with the local or regional PSP.”
“Having said that”, adds Rooijers, “we always will keep our eyes and ears open for other players in the Payment landscape. The market is changing constantly and rapidly and we want to continue to offer relevant payment options globally at the right costs and according the most efficient process.”
KLM is offering 80 alternative payment options, and 10 of them are from the Asia Pacific region.
Follow Ai on Twitter: @Ai_Connects_Us
Ai Editorial: Working out an apt infrastructure for payment optimization
First Published on 21st September, 2018
Ai Editorial: Airlines intend to take steps to control their payments strategy holistically. This gives them visibility into payments in all their sales channels and in all countries, allowing them to identify inefficiencies, writes Ai's Ritesh Gupta
What can pave way for optimization of payment-related experience? It is a vital question, especially for travel merchants with cross-border operations.
Businesses can't wait for long to embrace a new payment method. Every minute detail is being scrutinized as far as removing friction from the shopping process is concerned. And if a customer abandons the shopping cart owing to inflexibility in payment-related options, then the likes of airlines aren't doing any good to their business.
Roadblocks to innovation
According to a recent study by Amadeus' payment business, travel e-commerce companies are pulled back by many factors when it comes to innovation in this space. The list includes consumer data security, credit card data security, fraud losses, complexity of existing payment systems etc.
So how to combat such major roadblocks to payments innovation?
"Airlines looking to innovate while at the same time keeping customer data safe should first carry out an audit of all the systems in their infrastructure which are storing or using that data," recommends Klein Wang, Head of Merchant Services APAC, Amadeus’ payments business.
Wang further added, "Then look to limit – or even eliminate – that data from their systems using techniques like tokenisation. When looking for a tokenisation provider, it is critical to find a provider whose tokens are compatible with all those systems which will need to use and interact with them."
Simplifying infrastructure
There tend to be issues with payment-related infrastructure and the role of partners that facilitate a payment. For instance, not all global payment processors handle acquiring banks and routing the same way. "Airlines work with a number of different acquiring banks and other related service providers. To simplify their payment infrastructure, airlines should look for payments providers which can give them access, control and visibility over their payments infrastructure in a single place. A single source of data and a single entry point to monitor and identify payments from across all their providers," mentioned Wang.
Also, talking of payment acceptance, it is vital for airlines to minimize costs with a more fluid workflow. For instance, what needs to be considered to route a payment to an appropriate acquiring bank? What does the study by Amadeus suggest? "It’s important for airlines to look at the total cost of their payments infrastructure, not just the direct acquiring cost. And many of them are doing that – although not all. With that in mind, the greatest opportunity for airlines today is in reducing the indirect costs of accepting payments caused by manual processes and inefficiencies which are the result of the complexity of managing payments across many different providers in different sales channels and markets," said Wang.
Alternate payment methods
According to Amadeus, many airlines have been adding new payment methods and today accept on average between six and ten different payment methods.
There are two challenges for airlines adding more payment methods: user experience and reporting.
"From a user experience perspective airlines need to find a way to offer the right payment method to the right customer without providing a bewildering list of different payment methods. From a reporting perspective, each new method of payment has a different reporting format so airlines need to work with a partner which can help to harmonise all these different formats so they can get a single view of all payments from all payment methods," said Wang.
Other than most popular or new options, airlines also need to work out a local checkout experience and at the same time being in a position to curb possible criminal fraud.
Wang mentioned that there is always a trade-off between verifying that a payment method is being correctly used by its owner on the one hand and creating an easy-to-use and seamless check-out experience.
"Using a fraud management tool to check the details for signs of potential fraud – in a way that is transparent to the end user – can really help here. Combining such techniques with the application of stronger authentication practises, 3D Secure for example, when the fraud management tool suggests dubious transactions, is a good way to balance consumer experience with effective fraud control," said Wang.
Airlines need to sort payment infrastructure related issues. In fact, as Wang says, for airlines looking at passengers from Asia, these problems even get more complex. "Many airlines are still not offering book and pay functionality on their mobile apps – in many markets, however, mobile is the default. In China, for example, 73% of all e-commerce purchases by value are made on a mobile device (Kleiner Perkins) and mobile payment volume grew 116% in 2017 over the previous year," said Wang. Asia has more diverse local payment practices, more local regulations and more payment providers to work with.
Follow Ai on Twitter: @Ai_Connects_Us
Ai Editorial: Use of app cloners and machine learning rises in mobile commerce fraud
First Published on 17th September, 2018
Ai Editorial: Considering the growth of mobile commerce, it is imperative for travel merchants to assess how fraudsters are crafting new techniques and tools for executing fraud through mobile devices, writes Ai’s Ritesh Gupta
Merchants can’t ignore mobile commerce. In fact, it doesn’t come as a surprise to see the way travel merchants are enhancing their apps with digital features and capabilities. The consumer is mobile and interconnected across multiple devices, shopping and switching from one to the other.
Shopping via mobile devices is flourishing. The growth rate is faster in certain countries, with China leading the way (m-commerce reached 93% of all e-commerce sales last year in China). In the U. S., an estimated 30% of all online sales are made on mobile devices. In Europe, transactions on mobile and desktop are estimated to be split 50-50. But is there any threat that is being ignored by travel merchants as the world of retailing is now mobile-first in most parts of the world?
“A new mobile commerce-related fraud technique that we found has emerged is the use of app cloners and machine learning techniques to create synthetic device identities,” says Justin Lie, CashShield’s CEO.
Mobile and synthetic identity fraud
Synthetic-identity fraud has already been described as the fastest-growing forms of identity theft in the U.S., according to the Department of Justice, as reported by CNBC.com in June this year. This kind of theft is working out a false identity using either fabricated or valid elements, such as a Social Security number, name, address, date of birth etc. As we highlighted in one of our articles this year, it often is not identified as fraud and the crime can go undetected for an indefinite period.
Even cloning has proven to be an issue for those who have been trying to control mobile device fraud.
For instance, a SIM swap attack in which a mobile number is hacked remains a problem. The fraudster takes control of a legitimate mobile user’s text messages, calls etc. Then login credentials are obtained through social engineering, phishing, an infected downloaded app etc. Mobile apps being reverse engineered and adding malicious code, too, has been around for a while.
As for how app cloners are being used in a malicious way, Lie shared, “Using app cloners, fraudsters can masquerade as multiple users to trick systems since the different transactions or logins will be detected as unique devices,” shared Lie.
Swift response
In one of its recent blog posts regarding mobile bank fraud, Microsoft Azure stressed on the significance of latency and response time when it comes to fraud detection. The team mentioned that the time taken by a bank to respond to an illegitimate transaction “translates directly to how much financial loss can be prevented”. The response time window or detection needs to happen in mere two seconds.
“This means less than two seconds to process an incoming mobile activity, build a behavioral profile, evaluate the transaction for fraud, and determine if an action needs to be taken,” recommended the blog.
In this context, as Lie also stated, machine learning can be used to identify such new forms on fraud.
“For instance, whether or not an app cloner has been used may be collected and analyzed as one of the data points, in addition to the other various data points that will be analyzed to identify hidden patterns between the same transactions by the same fraudster,” mentioned Lie.
Making the most of signals
As for what signals are being considered for transactions coming from mobile when it comes to previous purchases and also pattern recognition for possible fraud in the future/ unknown attacks, Lie indicated that rather than focus on the signals for fraud, the company often tends to focus on signals that may point to positive genuine behavior of the user making the transaction. For example, if the user chooses to connect with social media, that is more likely genuine as most fraudsters who want a quick exit would not bother connecting with social media in making transactions.
“However, such signals are not necessarily accurate in pointing out fraud - a more sophisticated fraudster might put in more effort to imitate a genuine user, and connect with social media just to trick the system. Therefore, what is more important in identifying unknown attacks would still be to use real-time pattern recognition to draw patterns between incoming transactions, and identify coordinated fraud patterns,” added Lie.
Follow Ai on Twitter: @Ai_Connects_Us
Ai Editorial: How robust is your data governance strategy? Apt for GDPR?
First Published on 12th September, 2018
Ai Editorial: Having a resilient and centralized data governance tool that can provide requisite information readily when needed will go a long way to comply with data regulations like GDPR, writes Ai’s Ritesh Gupta
It is imperative for businesses today to not only manage, understand and act on data, but also to ensure security and regulatory compliance.
Also, how to respond to strict regulatory environment, for instance, GDPR, where organizations could end up in a situation where they would need to adhere to a request regarding deletion of one’s personal data.
One key aspect pertaining to the whole initiative is data governance.
”Data governance is a key part of a robust and responsible data strategy that modern organizations cannot ignore,” says Kelvin Looi, Global Sales Executive, Unified Governance & Integration, IBM Analytics.
“Profiling each data to answer who, what, where, when and how, and to make this metadata available is fundamental. Basically, for each data, you need to understand what is the data all about, who owns it, where did it originates, where is it kept, when did it get there, and how the same is being processed,” said Looi, who was recently in Phuket for Ai’s 7th Annual ATPS Asia-Pacific.
Compliance with a regulation like GDPR
Having a robust and centralized data governance tool that can provide such information readily when needed will go a long way to comply with data regulations, like GDPR, to provide greater transparency of processing to data subjects on how data concerning them is collected, used, consulted and processed, asserted Looi.
Explaining further, he said ,”The `right to be forgotten’ article in GDPR is another requirement that will be difficult to achieve without a robust and centralized data governance tool. Basically, in many cases, data subjects have the right to request the deletion of their data and not to be contacted again. This request is almost impossible to comply with, without a tool to indicate where their data resides, and whether this data can actually be deleted without violating another regulation.
Data governance strategy
E-commerce companies, including airlines, need to evaluate their data governance strategy to suit their organizational objectives.
“Forming a unit that is responsible for data governance would be a good start if you haven’t got one,” recommended Looi.
IBM has worked on a methodology for the same, and it goes through five phases:
1. Assess,
2. Design,
3. Transform,
4. Operate, and
5. Conform
In the first phase, the focus is on conducting an assessment across governance, people, process, data and security. “From this assessment, we develop a target operating model that encompasses technical and organizational roadmaps,” said Looi. “In the second phase (design), we produce standards that cover governance, training, communication, privacy, data management and security management. During the transform phase, we conduct detail data discovery and embed standards, procedures, and tools to enhance existing processes. We also conduct the necessary training to ensure skills transfer.”
“In Operate, we ensure all relevant business processes and security control are executed. In Conform, we monitor, assess, audit, report and evaluate adherence to data governance target operating model,” mentioned Looi.
Managing availability and security
On data availability and security, Looi recommended that profiling existing data environment and understanding where all the data is a meticulous way to start.
It is important to assess where all the data resides and how the data is connected to each other. Other considerations include what to protect and related accessibility (storing locally or in the cloud, encryption levels for data with different sensitivities, access rights etc.).
“When it comes to customer personal data, a few industries have implemented a customer hub, typically using a master data management solution to provide a “single source of truth” to customer data,” shared Looi. “This typically contains a registry to provide directory services to point to where customer data resides in different systems in a company. Industries like banks, insurance and healthcare are leading in this front. Industries such as airlines are far behind on this. The good news is some have started. Key GDPR requirements, like consent management, can be centrally managed in this customer hub. Companies who have implemented this customer hub will find an easier time to manage customer data availability and security, hand-in-hand with centrally managed customer consents and preferences. Many airlines still try to drive their customer centricity strategy off their loyalty system. But, a big portion of their passengers are not their loyalty club members,” shared Looi.
As for GDPR obligations, Looi, during his presentation referred to 5 areas:
1. Rights of EU Data Subjects: enhanced rights for data subjects in the EU including notice, access, rectification, erasure, restriction, portability and objection; easier access to personal data with more information on processing available both clearly and understandably.
2. Security of Personal Data: obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; includes 72-hour breach reporting to regulatory authorities and without undue delay to individuals in high risk scenarios.
3. Lawfulness and Consent: processing only lawful if one of: consent, necessity, legal obligation, protection, public or legitimate interest or official authority; consent must be freely given, specific, informed, unambiguous and if a special category or certain other scenarios, explicit.
4. Accountability of Compliance: need to demonstrate compliance with the principles relating to personal data processing pervades throughout the GDPR; include lawfulness, fairness, transparency, purpose/storage limitation, minimisation, accuracy, integrity and confidentiality.
5. Data Protection By Design and By Default: Data controllers must implement technical and organisational measures demonstrating compliance with GDPR core principles; ensure the rights of data subjects are met and that only data necessary to the specific purpose are processed.
Follow Ai on Twitter: @Ai_Connects_Us
Relying on a multi-disciplinary approach for curbing fraud via machine learning
First Published on 4th September, 2018
Machine learning (ML) and artificial intelligence (AI) can help in detecting more fraud with less manual effort and approving genuine customers faster.
ML can also reduce but not remove the amount of rules that need to be maintained, adapt to new types of fraud faster and offers accurate prediction to cut down on false positives, explained Ben Laurie, Head of Asia, Accertify, during a workshop held as a part of complimentary meeting of the Asia-Pacific Airlines Fraud Prevention Group in Phuket.
Organizations need to capture a diverse set of raw variables that describe the transaction, ensure data stability and cleanliness and transform data to create new predictive characteristics.
As for being pragmatic with what to expect from machine learning, it is important to just not rely only on predictive analytics. Problems arise when completely new transactions with no historical data are submitted into the system, and there is no way for the machine to predict whether or not the transaction is genuine or fraudulent. It is important to count on pattern recognition. So even without any prior historical data, the machine is able to detect patterns across different transactions and diagnose if the transaction exhibited bot behaviour or human behaviour. Using big data, the system collects information from the merchant’s website, such as the user’s web movement behaviour. Combined with pattern recognition, the system draws patterns (for both positive and negative behaviour) to map the DNA profile of the user, and determine if other incoming transactions exhibit the same (fraudulent) behaviour or not. The large quantity of information collected from big data makes it difficult for fraudsters to cover all of their tracks, therefore increasing the effectiveness of preventing fraud. Specialists recommend that pattern recognition, deep learning and stochastic optimization are also necessary for combining millions of test results to be crunched for an optimized yes or no decision in real-time.
Deploying a multi-disciplinary approach combining different technologies - both supervised and unsupervised machine learning - would better equip merchants to deal with fraud management. Unsupervised machine learning can be used to learn on the fly and identify fraudulent patterns even without having been trained with historical data, i.e. able to identify unknown fraud attacks.
Machine learning systems are meant to be an improvement from rule-based systems, to reduce reliance on hard rules and to filter out fraud while passing more genuine users. However, machine learning systems only provide probability scores - or fraud scores - and would still require a team of manual reviewers to make sense of the score and thereafter a decision to pass or reject a transaction.
Curbing loyalty fraud
During the same workshop, Michael Smith, Co-Founder, Loyalty Fraud Prevention Association, referred to the issue of loyalty fraud. He highlighted that the issue of identity theft or payments fraud isn’t new. But the functioning of fraud rings, in which fraudsters band together in organized groups, continues to get sophisticated.
"Loyalty is big business, cash = fraud. It is important to balance the customer experience. It's a war, long war," said Smith.
Smith referred to the issue of synthetic identity fraud. This type of fraud doesn’t feature taking over existing identities and emerged since financial institutions improved how they prevent and detect traditional identity fraud. This forced fraudsters to nurture synthetic identity fraud. It is initiated by using a blend of fake information, such as a fictitious name, along with real data, to set up fraudulent accounts. For instance, “Social security numbers” (in the U. S.) that get targeted most are ones infrequently used or ones those are less likely to use their credit actively, explained Smith.
As for account takeover (ATO) in the loyalty space, it is coming under scrutiny owing to data breaches.
Fraudsters get access to stolen credentials from a number of sources:
· From data breaches, sold on the dark web
· Phishing with fake websites
· Malware, trojans, spyware
· Social engineering
· Hijacking a mobile device
The claim for owning an account needs to be handled carefully. Machine learning comes in to understand the user behaviour. Advancements in computing and big data power, as well as the gaining prominence of API-based machine learning solutions, mean that machine learning is emerging a scalable method to grow without increasing risk. It identifies patterns in data that aren’t spotted by humans. So this can result in lesser number of false positives and false negatives.
By Ritesh Gupta, in Phuket, for ATPS
Ai Editorial: How a cryptocurrency like bitcoin is faring as a payment method?
First Published on 8th August, 2018
Ai Editorial: Even as travel ecommerce players closely evaluate what to expect as far as bitcoin is concerned, they also need to consider the possibility of fraud, writes Ai’s Ritesh Gupta
The future of bitcoin is under scrutiny. Questions are being raised – is bitcoin investment safe? Has pricing been manipulated? Some believe that the cryptocurrency would bounce back, though the pricing has taken a beating this year.
As for the travel industry, the recent news pertaining to Expedia Group opting to remove bitcoin as one of its payment options is an important development. A certain section of the industry has shown penchant for accepting cryptocurrency payments over the years. But now it seems that travel merchants, including airlines, are not extensively going to opt for cryptocurrency until this payment method establishes its staying power and stability. Volatility associated with a cryptocurrency like bitcoin and counting the same as a payment method isn’t exactly a prudent combination.
Even as investors may enjoy the instability to an extent (it is also being pointed out that since it is dissimilar to stocks or bonds, it is tougher in comparison to unearth price manipulation and fraud in case of a cryptocurrency), for a currency to be a pragmatic option for both shoppers and merchants it has to attain stability. In fact, negative publicity around cryptocurrencies such as bitcoin isn’t helping the cause. A couple of months ago, the Justice Department in the U. S. was in news for probing whether traders were deploying unlawful tactics to dupe others into buying or selling cryptocurrencies. According to a report by Bloomberg, the department attempted to look into illegitimate initiatives such as spoofing and wash trading. Also, the fact that bitcoin is labelled as a relatively risk currency also doesn’t help, for instance, in case the private key is lost or stolen it ends up being an issue.
The issue of trust
Even as travel ecommerce players closely evaluate what to expect as far as bitcoin is concerned, they also need to consider the possibility of fraud.
According to a report by Bitcoin.com News, cryptocurrency fraud stood at $9 million per day in the initial months of this year.
Since cryptocurrencies rely on a public ledger called a blockchain, the issue of trust has surfaced. What if it results in distrust? Sift Science has emphasized that in case of cryptocurrencies like bitcoin, “trust quite literally is currency”.
On the positive side, it is being highlighted that crypto payments are attractive for high-risk ecommerce entities engaged in selling big ticket items. Largely, the industry terms these transactions as secure ones. Aspects like cryptocurrency transactions carrying no personal information, and lower or no fee, too, makes them luring.
The way it works – when a user intends to transfer bitcoins to an individual or an entity, all computers running bitcoin software manage and administer the sender’s public signature through an algorithm and validate the previous transactions encoded in the blockchain to ensure the sender owns the bitcoins they say they do. This technology is regarded as a safe one. Overall, the trust has dwindled owing to a spate of deceitful initial coin offerings (ICOs), claims about mining services, and dubious practices on trading platforms. In a study of around 1500 cryptocurrency offerings, the Wall Street Journal found around one-third with red flags that include plagiarized investor documents, promises of guaranteed returns, and missing or fake executive teams. All the stakeholders need to be cautious. As highlighted by Kount, depending solely upon the regulatory bodies won’t be able to combat the increasing cryptocurrency fraud. Potential investors and businesses, too, need to educate themselves.
Merchants, including airlines, need to evaluate how bitcoin payments protect merchants against fraud and chargebacks. This is because chargebacks don’t work in a system built around blockchain. Also, there is a need to assess how does a cryptocurrency like bitcoin protect and compensate defrauded customers. Sift Science recommends that merchants should assess where their cryptocurrency was being stored and one should set up defenses accordingly. Also, companies taking bitcoin payment must be transparent and communicative with users when they decide to introduce crypto as a payment method.
Hear from experts at the upcoming 7th Annual ATPS Asia-Pacific, to be held in Phuket (4th – 6th Sep 2018). https://lnkd.in/fgEMiF6
Ai Editorial: Managing cross-border payments with aplomb
First Published on 3rd August, 2018
Ai Editorial: Managing cross-border payments is one aspect of business that demands constant attention. Ai’s Ritesh Gupta lists 5 key factors that merchants, including airlines, need to evaluate in detail to step up the acceptance rate.
For international airlines, as operators in multiple countries or continents, there is a need to deal with a variety of payment methods and different laws/ regulations.
A lot of introspection goes into optimizing the overall digital user experience, stepping up the acceptance rate, managing fraud, and being in control of the costs/ fees. This is because a lot goes on behind the scenes during the transfer of funds.
Here we list 5 key factors that merchants, including airlines, need to study to optimize cross-border payments:
1. Impact of regulation/ legislation: Regulatory interventions related to transactions are one area that airlines need to keep a vigil on. Be it for cutting down on costs, improving upon accessibility or paving way for innovation, the regulatory measures clearly indicate that there are plenty of ways in which the sector of payments is evolving.
Bringing down costs for cross-border transactions in euro as witnessed in the case of European Union is one example of this. Similarly other directives include capping of fees for debit and credit card transactions and restriction on surcharges for using such cards. For instance, airlines have been evaluating how to respond to PSD2 - the second EU Payment Services Directive - initiated to improve upon payment services across Europe. It mandates banks in the EU to facilitate users’ account details to other entities, with pre-approved customer consent. The European Commission decided that the second payment services should open the door for non-bank financial institutions to access banks’ data and bank accounts. The access is worked out to enable two categories of 3rd party payment service provider: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). In this context, merchants have examined issues such as - will global retailers become PISPs themselves? Is PSD2 adding friction to payments? Do merchants need to focus on online banking e-payments as a viable alternative payment option? How have merchants been capitalizing on provisions allowed through PSD2?
2. Market intricacies: There are payment-related issues that need to be settled at a local level. For instance, payouts related to China are high on the agenda of airlines, especially considering the growth of outbound sector. The distribution landscape is increasingly getting fragmented in China and travel suppliers need to strengthen their payment infrastructure to cater to their B2B partners. As highlighted by J. P. Morgan, a challenge associated with China pertains to each time Chinese suppliers receiving funds from overseas they need to complete documentation for the regulatory authority within a few days of receipt of funds. So it is important to settle cross-border payments to Chinese businesses and consumers, in local currency. Also for payout options, companies are trying to do away with ways that involve hefty transfer, conversion and interbank fees. According to J. P. Morgan, some of the issues that need to be considered are - Is the payments provider a foreign exchange market maker with the ability to offer onshore foreign exchange rates for Chinese currency? Does encrypted file transmission and secure client data, meet local formatting requirements and fully preserve remittance data received by suppliers? Does the solution support local language and regulatory reporting to streamline document preparation?
Overall, Asia is riddled with challenges. For instance, each of the payment options in Asia has its uniqueness, e.g. transaction limit, availability of refund, no pre-authorization, chargeback rights. It will require airlines necessary effort to design and implement necessary payment interfaces and processing flows.
3. Being spot on with acquiring: The role of an acquirer comes into the picture as merchants target higher card authorization rates, lower scheme and interchange fees, and faster merchant settlement. According to Adyen, a majority of global merchants settle for a blend of local and international (or cross-border) acquiring, but adopting local acquiring approach nearly always has a positive impact on authorization rates. Though this varies by market, a merchant will typically see as much as 0.5-0.6% in uplift after transitioning from cross-border to local acquiring. Mexico’s Viva Aerobus acknowledged that it had to work on its technology to facilitate payments from passengers abroad, as they used their international credit cards in various currencies, and there was also need to adhere to are local banking and industry regulations. The low-cost carrier chose Worldpay’s acquirer solution to process international transactions.
4. Optimizing UX: A major part of airlines’ commerce strategy includes optimizing their digital assets by offering a frictionless payment experience. Consumers are in control – they pay via their chosen payment method and through the device they are using – so airlines have to support the same. In order to support shoppers around the world, it is vital to present checkout information that is customized according to a particular region. The focus needs to be on the language, currency and payment type etc. A cross-border payment processing system should automatically detect a shopper’s URL, serve the appropriate options in the preferred language and also adjust purchase prices to the correct currency.
5. Payment infrastructure: Airlines need to design the integrated payment flow across payment options across channels and languages; implement integrated payment transaction and settlement reporting, gear up for multi-currency processing and conversion and opt for payment controls according to the difference of processing by payment types etc.
Hear from airlines and other industry executives about top payment-related trends at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).
For more click here
Follow Ai on Twitter: @Ai_Connects_Us
Ai Editorial: Dealing with a risk-averse mindset in fraud prevention
First Published on 25th July, 2018
Ai Editorial: A risk-averse mindset is commonly associated with rule-based systems, which is built with hard rules or buying limits, such as geo-location rules that could block out all transactions from one region, writes Ai's Ritesh Gupta
When merchants rely on conventional or long-used methods of spotting fraud, it tends to be associated with evaluating the standard fields (name, address, email, IP location, fingerprint and what can be found on the order form) and what transactions have cleared through the set rules.
The issue here is that those standard fields and hard rules are not tough for fraudsters/ hackers to break into and get breached once they have understood the rules worked out. For instance, it is quite straightforward for fraudsters to focus on new fake emails, and once they comprehend that a time based rule is set, they will attempt to set their program to go past the system. Not only so, authentic buyers are likely to be blocked. For instance, a geo-location rule would block customers booking transactions from ‘riskier’ locations.
Machine learning systems are meant to be an improvement from rule-based systems, to reduce reliance on hard rules and to filter out fraud while passing more genuine users. However, machine learning systems only provide probability scores - or fraud scores - and would still require a team of manual reviewers to make sense of the score and thereafter a decision to pass or reject a transaction.
Unfortunately, the fraud team’s KPI is still to ensure fraud rates are low - perpetuating the risk-averse mindset as they would rather reject a transaction than to risk passing a fraudulent one. To overcome such “risk-averse” mindset, it would require the fraud team to understand that risk is very much similar to financial risk; it should be managed, not eliminated. Since 0% risk gives 0% returns, having little to no fraud would mean much revenue has been lost. For merchants to fully overcome having a “risk-averse” fraud management system, a financial algorithm could be combined with the machine learning system to make sense of the risk financially, allowing for more revenue based on a greater risk appetite.
Also by focusing on machine learning, carriers can eradicate all those needless rules that would have otherwise stopped authentic buyers from competing their respective transactions.
The blend of big data and machine learning paves way for more solid fraud prevention.
As we highlighted in our previous articles, to simplify big data and machine learning, big data is first used to garner details about the user’s behaviour on the website (how the mouse moves, what he likes or puts into his wishlist, etc), and this information is combined with machine learning, which uses pattern recognition to map the pattern of his behaviour to match it either with positive (genuine) or negative (fraudulent) behaviour, as well as predictive analytics that records the positive/negative behaviour and uses that on future transactions for potential signs of fraud.
Lastly, an optimized fraud risk algorithm should be used to make decisions on whether or not to accept a transaction based on calculated risks to best optimize sales while controlling fraud and chargeback rates.
Hear from airlines and other industry executives about travel fraud at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).
For more click here
Follow Ai on Twitter: @Ai_Connects_Us