Ai Editorial: Data Breach at Mandarin Hotels


***STOP PRESS*** Registration is now open here for the 2015 Mega Event & 10th FFP Loyatly Conference!

It’s scary! Yes, time to minimize credit card and personal data exposure. No travel company wants to be a victim of unauthorized cyber-attacks. But today security protocols are under pressure to deliver. Ritesh Gupta, Airline Information Correspondent assesses the situation

It’s blatantly obvious now. The threat of fraudsters deceitfully obtaining confidential information for card fraud is looming large over airlines, hotels and intermediaries. Travel brands are taking a beating. As much as travellers need to be aware of phishing and skimming, travel companies too now can’t ignore the possibility of a scam. Take the recent case of Mandarin Oriental Hotel Group. The chain’s credit card systems in several of its properties across the U. S. and Europe were accessed without authorization.

So what resulted in breach of such magnitude?

The incident apparently was a direct result of an unauthorized cyber-attack. The chain states that despite the group’s leading data security systems, “this malware was undetectable by all anti-viral systems”.

As per the initial update, the breach only impacted credit card data, but not pin numbers or the 3-4 digit security code required for manual authorization. Mandarin Oriental also clarified that no other personal guest data had been compromised.

The situation is serious, says Kristian Gjerding, CEO CellPoint Mobile, as it does have an impact on bottom line and brand equity (consumer trust), especially moving forward with some of the newer payment methods and the increased ownership of the full transaction flow by airlines. With an increase in mobile payments comes an inevitable increase in the potential for mobile payment fraud. These days, smartphones and tablets can be hacked just as easily as computers, adds Gjerding.

How to prevent such situation

It needs to be understood that as airlines and brands become more astute at detecting fraud, hackers will also become more sophisticated and organized, able to launch higher-level, intricate cybersecurity attacks. Hackers will always try to find ways in, but airlines have an opportunity to limit the scope of the impact by being just as clever and by instituting constantly evolving security measures from the moment of sign-up – the very barriers that keep hackers at bay.

So what needs to be done on an immediate basis?

Answering the same, Gjerding mentioned that several authentication measures can be taken by airlines to prevent many issues. However, attention to hacking needs to be a continuous process, especially with the increase in consumer smart devices and subsequent direct sales channels. “Airlines need to ensure that their security systems are flexible and scalable, to monitor and security activity around the volume of transactions and the various channels in which they take place,” said Gjerding.

Converged payments

Gjerding emphasised that converged payments can solve many of the complexities of cross-channel digital transactions by providing airlines the technology and architecture they need to make the process uncomplicated, secure at various stages of the process, flexible and holistically visible – not to mention seamless and easy for customers.  

The basic concept behind converged payments is that all transactional activities—payments, redemptions, bookings, security step-checks, authentication, etc.—converge into a single, secure infrastructure where they are managed, processed and authorized.

Minimizing exposure

Many steps can be taken to minimise risk of credit card and personal data exposure, such as compartmentalization and tokenization on the inside of the airline’s DMZ (Demilitarized zone. Network added between a private and a public network to provide additional layer of security), said Gjerding. He added, “With the increase in passenger self-service, however, airlines will have to expose access to services and data – a level of vulnerability through which hackers can gain access,”

With a converged payments architecture serving as an organizing funnel, information from varied and disparate sources is fed into a central operation, checked and verified, standardized and normalized, and then exposed to extra layers of security so that the resulting transactions—payments, ticket bookings, boarding passes, rewards redemptions, in-flight purchases, upgrades, baggage fees, refunds and the like—are processed within a common, robust environment.

Converged payments capabilities also provide a centralized view of a customer’s digital/ mobile transactions and activities: payments, loyalty, booking, fraud detection and more.

With silos eliminated and processes streamlined by the underlying infrastructure, payments are executed quickly and seamlessly for the customer and the airline, and protected from hackers and other online threats through real-time alerts and, when necessary, manual verification and processing.

The team at CellPoint Mobile considers “inside the DMZ” prevention to be an important addition to firewalls and external fraud measures. This is a system that monitors, acts and reports on suspicious activity from the inside and can include configurable fraud-alert rule sets, data- profiling modules, and other authentication measures.

With the eventual ability to mix-and-match cash, credit payments and rewards redemptions for financial transactions, airlines will need comprehensive solutions that can detect, prevent and mitigate all types of fraudulent activities that occur in the complicated payments ecosystem.

Follow us on Twitter: @Ai_Connects_Us