Ai Editorial: Fraudsters are smart, so you need to be smarter



A CEO books a trip worth $12000 with an OTA. But what if he is a fraudster, who has a found a way to deceive the agency. Ai’s Ritesh Gupta learns about a couple of real experiences of OTAs

Online travel agencies (OTAs), even the established global intermediaries, continue to be victims of online fraud.

Take the case of Booking.com, known for its agency model or letting bookers pay the hotel upon checkout. The OTA was in news late last year for fraudsters gaining access to contact details of customers, and they allegedly contacted them for pre-payment of their respective bookings. Booking.com acknowledged that 10,000 people were affected, and acknowledged that there is a need to combat fraud, which is now described as an organized crime. There were concerns, and stakeholders, including OTAs and hotels, were questioned about the security level of their systems/ websites.

So the question then is: how to shield customers’ personal and financial information?

Travel companies need to understand how hackers are gaining access to system data or server functionality.

The breach of data is happening and it could be owing to manipulating a web application and a fraudster tricks that application into performing commands and accessing data. Another way is to get hold of an authorized account via focus on session IDs, and eventually stealing them.

OTAs frequently receive complaints from customers about unauthorized credit card transactions. Experts recommend that additional steps can be implemented to curtail risk of credit card and personal data exposure, such as compartmentalization and tokenization on the inside of the company’s DMZ (Demilitarized zone. Network added between a private and a public network to provide additional layer of security). This is being considered to be a vital add-on to firewalls and external fraud measures. Such mechanism keeps a tab, acts and reports on dubious activity and can feature configurable fraud-alert rule sets, data- profiling modules, and other validation methods.                                                      

Also, at another level, it is important to know how to strike a balance while focusing on stringent fraud rules. These can result in reduced acceptance and revenue. Also, what safeguards exist to allow for loosening fraud rules? Optimizing acceptance means more fraud will slip through – an extra layer of defense is needed to catch it post authorization.

Dealing with fraud

For a security professional, the risk of being too cautious can result in a loss of revenue.  OTA executives shared a couple of experiences of how the team manages fraud.

A senior executive associated with Mumbai-based OTA Cleartrip.com told us: “If a fraudulent transaction happens, then we filter it out and blacklist the card used, email and phone number. We can’t block the name as there could be multiple customers with the same name. Overall, the variables that are take into consideration while assessing transactions are IP address, phone numbers, device ID, email id (domain name) etc.” The same executive mentioned that there are times when certain transactions are doubtful, and put them on high priority for manual check. “That’s where smartness comes in, scrutinizing the confidence level of the booker. For instance, there was a booking worth US$12000 or so that we kept on hold. The claimant user of the card, actually a fraudster, was residing in another country, he intended to travel in that country, and was claiming to be the CEO of an IT company. He was repeatedly making calls to check why his booking wasn’t going through. And then when we assessed his LinkedIn account, we found there was not even a single connection. So that’s a call every security team has to make. You could be interacting with a fraudster, and you might abruptly ask him what’s the time where he or she is located. It’s all about getting closer to authenticity of the information or even checking the confidence level.”

Here it needs to be mentioned that the booking experience of a customer shouldn’t be jeopardized.

I know of a recent instance where an airline called up my colleague in the U. S. mid-night, who had booked me for Delhi-Bangkok trip. The airline had concerns about the itinerary, considering that the booker was in the U. S. But my colleague felt the check needed to be more vigilant, considering that the airline had information about him, and disturbed his sleep by calling at odd hours. 

Another OTA told us an interesting movement that was being witnessed on their site. It was related to “seemingly Russian citizens” booking itineraries featuring a particular LCC in the Middle East. “The bookings featured destinations like Moscow, Kiev, Bishkek, Almaty etc. Most of the passengers booked through these transactions sounded like Russian citizens (female names ending with “ova” or male ones ending with “ev”.” The carrier had strict policies, and before the OTA could verify and reach out to the airline, fraudsters were cancelling those flights, and gaining credit vouchers for future bookings. “We eventually decided to cancel the sector.”

Moving on

Fraudsters always move on. Managing online fraud is an ongoing initiative, one that needs constant improvisation for better results. If this is not the case, then a travel organization would end up being a soft target, leaking revenue that shouldn’t have slipped from its grasp. In fact, despite having a team in place, one can still suffer at the hand of fraudsters.

A spokesperson from Cleartrip.com told me: “With the RBI mandate for third level of authentication, the frauds on Indian issued cards have reduced. However, the fraudsters have now shifted their focus onto the cards issued outside India. They specifically target cards issued in the U. S. , the U. K.,  Australia etc. The current trend in the market is - the fraudster is booking non-refundable and non cancellable tickets to avoid any action from the fraud detection teams. Fraudster is also targeting the immediate flights on domestic and international sectors.”  

So what are the challenges that OTA typically face in detecting and neutralizing the fraud transactions?

The first issue here is limited help from the airline /supplier/ hotels. Cleartrip.com told us: “We lose lot of revenue on to the cancellation charges by the airline in case of fraud transaction and needs to be cancelled. Some time the tickets are non refundable and non cancellable and we need to let the fraudster to fly on these bookings even though we detect them well in advance.”

The second is limited help from the law enforcement agencies and issuing banks in case if there is any opportunity to nab the fraudster. In this case, merchants are looking at support from the issuing bank, which isn’t through coming in most of the cases at this juncture.  

Here are few recommendations from Cleartrip.com:

Effective transaction monitoring  

  • In the current scenario, one must do the detailed review of the past and present transactions and identify in case if there is any suspicious activity happening around
  • Detailed analysis of payment failed transaction.
  • Regular updation of negative and positive data base of the customer.
  • Detailed verification of the high value transactions.
  • More co-operation and collaboration with the fraud departments of airlines / banks and OTA to exchange the fraud trends

Best practices to avoid chargeback debits

  • Extend full support to the acquiring banks in resolving the chargebacks.
  • The merchant must fulfill the requirement of supporting document within the time limit.
  • Provide detailed information in the first response.
  • Provide the proof of service utilization from the airline/supplier in case of service related chargeback.
  • Modify the terms and condition to safeguard yourself in case of chargeback.
  • The cancellation penalty, no show charges should be made more visible.