- Payment & Fraud Editorials

10^th January, 2020

Ai Editorial: The PSD2 Strong Customer Authentication (SCA) migration completion deadline for online payments in Europe continues to be a weighty issue, with concerns about the preparedness and compliance still coming to the fore, writes Ai’s Ritesh Gupta

The SCA requirements were originally planned for the 14th of September last year (with new migration completion deadline being 31st December 2020), but still concerns pertaining to PSD2 making online shopping more difficult and the same negatively impacting cart abandonment rates in the initial years of implementation are being highlighted.

As for the travel sector, a study by Amadeus in September had indicated that only one in three travel merchants were expected to be SCA-ready for the September-2019 deadline. The report featured 50 large travel firms (€1billion+ revenue).  

Concerns

All the stakeholders acknowledge the complexity of the payments markets across the EU and the hurdles resulting from the amendments that are needed.

As per the findings of a survey in December last year, (commissioned by Riskified, featuring 2,000 consumers and 200 retailers evenly split across the UK, Germany, France, and Spain):

• A third of shoppers would leave a site/app when asked to verify their identity.

• 80% of European retailers expect that PSD2 will negatively impact cart abandonment rates. Nearly 50% expect a significant increase (of 20% or more) in shopping cart abandonment rates.

• Almost 40% of European merchants are pessimistic about PSD2’s ability to curb fraud.

The top three authentication methods being studied by issuers include; One Time Passwords (OTP) (SMS to a mobile device), authentication within a mobile banking app, and 3DS. Among these, OTP and 3DS authentication are expected to adversely impact the user experience. Specialists recommend that merchants should use exemptions where possible. Also, by using fingerprints or facial recognition, one can combat fraud while also increasing convenience for consumers.  

PSD2 SCA 2020 plan   

Even as the European Banking Authority asserted that the definition of SCA had been set out in PSD2 when it was published in 2015, a section of the industry states that the authority has failed with PSD2 at least in the short-term.  Moving on the industry clearly needs to make fraud prevention and compliance efforts a priority. In terms of how the roadmap is going to shape up this year, the extension offers various players (issuers, acquirers, PSPs and merchants) extra time to entirely support EMV 3DS 2.1 and 2.2 by the end of this year. One can expect an incremental EMV 3DS execution with the new deadline.

Merchants need to test, preferably a flexible offering that can set up both 3D Secure 1 and 2 authentication protocols. This way if a specific issuer isn’t ready to support 3DS2, then the offering will by default redirect transactions to 3DS1.

Ingenico ePayments recommends following steps to prepare for the authority’s deadline:

By March 2020: integrate 3DS in your payment flow

• For merchants who have not implemented 3D yet, recommendation is to go straight to EMV 3DS 2.1 (skipping the implementation of version 1).
• For merchants who already have 3DS version 1, recommendation is to start implementing EMV 3DS 2.1.

By July 2020: use EMV 3DS 2.1 in your payment flow or be ready to do Step Up with EMV 3DS 2.1

By September 2020: SCA exemptions are available with EMV 3DS 2.2, if exemptions are not supported than all transactions will require 3D.

With this incremental approach, merchants will fully support EMV 3DS 2.2 by the 31st of December 2020.

Keen on exploring fraud prevention and payment-related issues?

Check-out Ai’s conferences scheduled for 2020: https://lnkd.in/fE7UK_T

30^th May, 2019

Ai Editorial: As consumers look to control their digital experiences, the ease with which one can complete a transaction in a secure environment is extremely important. Ai’s Ritesh Gupta assesses how open APIs are playing their part in this context.

Real-time payments and open banking, along with the opening up of customer banking data to 3rd parties and streamlining of digital payments via regulatory measures, are the main trends that are shaping up the future of digital payments.

Regulations like PSD2 are paving way for new services and faster payments. A lot of areas are being probed today, and one of them includes how open access and application programming interfaces (APIs) are going to impact real-time payments. Are individual banks going to make their data available through different technical standards or a regulation is going to pave way for common API standards in a certain market? Importantly, with open APIs and the implementation of payment hubs, there is going to be support for new networks and hence there will be competition for existing rails.

Open APIs

There are multiple ways in which APIs are playing their part:

• Streamlining payments as per travellers’ comfort: For instance, a cardholder shares travel plans online or through a mobile banking app, a company like Visa stores the cardholder’s travel details for future matching. A travel tag in real-time within the authorization message is provided. Issuers act on the same, and eventually the possibility of false declines goes down.

• Processing of payments: The use of open APIs to simplify back-and-forth messaging that takes place during the course of a transaction is coming to the fore. API calls are coming into play to ascertain the payer details. Be it for domestic transactions or cross-border remittances, APIs are helping in making progress. Another area that is being discussed is cart abandonment. The Payment Request API is about cutting down the number of steps needed to complete a payment online, potentially doing away with checkout forms. This API facilitates the exchange of a user’s stored payment, address and contact details between the browser and a site.

• New products: Open APIs promise to fundamentally transform the experience of payments for end-users. An open API can be accessed under specified conditions by the 3^rd party developers. Recently Visa came up with a new platform with a set of beta APIs, specifications and development tools for issuers and issuer processors. These can help in creation of new digital card accounts on demand; set up rules/ limitations around use of digital cards, such as by merchant type, geography etc. 

“Open APIs are all about consolidation of data and processes that sit in different domains and systems. On one side there is more data than ever that helps to understand the context of the payment and on the other, once decisions on purchase are made – one can execute them easily across multiple platforms since they are connected,” mentioned Vojin Rakonjac, Head of Payment Solutions, Voyego.

“Devices or systems that are connected to these open APIs (no matter if it is chatbot or voice conversational agent/ banking chatbot or Siri) will learn more about our decisions and ultimately “know” what we want at a given time and their job is to understand the intent and automate most of the process in the backend so it looks seamless to the end user. There is a great example from Google’s assistant where haircut appointment is booked by voice. Assistant talks in human voice and negotiates timeslot with the local barber shop while on the other side of the line is real person. We should expect things to move in this direction more as long as device knows what are the boundaries that it can work with (time slot, budget etc.) and as long as payments are always performed with proper authentication,” added Rakonjac.

Going forward one area to watch out for is standards and guidelines for open APIs. This is going to be the deciding factor in the effort required for collaboration or integration.

Open banking

Considering that in a region like Europe it is becoming mandatory for banks to open up access to accounts, payment flows and end-customer data to 3rd parties, it is vital for the industry to dig deeper. All these developments are going to impact banks, as the rising role of APIs in retail banking is considered to be a recent phenomenon. Banks are beginning to expose their data for use by third parties, in particular fintech companies, through open APIs. APIs enable banks to expose their in-house data and application functionality to approved apps and services, while monitoring and controlling the flow of data. And by allowing for new digital experiences on mobile apps, 3rd party services etc., banks are potentially opening up to risks, for instance, fintech firms tapping into a bank’s financial data.

“With PSD2 we have banks aggregating a lot of data and opening their APIs so some of this data is available to 3rd parties (transactional, account data etc.). But banks are not using it to the full potential. Banks worry about loans/ credit cards it could offer – where they are sitting on top of data that would be very valuable for merchants or fintech’s and where this context can be fully utilized,” said Rakonjac. He expects innovation/ services around this space where data collected by banks is not used only for risk scoring (3DS 2) but is provided to the other companies where it can provide real benefit to the consumers.

“We already have aggregators that link into European banks and leveraging PSD2 (e.g. Figo). But, as digital identity advances and becomes more mainstream, we might have companies that will aggregate one’s account details for all of the payment methods. This way you will no longer need to have separate credentials or authentication mechanisms but only one. By doing so, customers won’t have to distinguish between payment methods – there would be only one option, Pay. To the customer, we are going towards one payment and one commerce – there will be no difference between physical store and e-commerce and there will be only one pay option.” 

Other than authentication, another area to watch out for is improved security. It has to be guaranteed that data is secure, and external services have access only to the controlled data that the consumer has permitted and that the bank has assigned.  

Follow Ai on Twitter: @Ai_Connects_Us

5^th October, 2020

Airlines can’t afford to let a booking slip by. E-commerce and payment technology specialists acknowledge that the way paying for essential daily needs and eventually other categories has shaped up during the pandemic, it is imperative for airlines to look at several aspects including their payment infrastructure, payment options, cost reduction, UX and conversion etc.   

“The challenge for airlines, apart from the immediate cash crunch and stop in travel demand, is re-tooling their digital payment systems to streamline direct-channel bookings and reduce cost per transaction,” Stephane Druet, SVP Product and Marketing at CellPoint Digital told Ai’s Ritesh Gupta in an interview. He added in the recovery phase – whenever we get to it – the question will be, “how can we do a lot more with less?”

Significance of payment orchestration

Payment orchestration is a strategic move to give airlines competitive advantage over the long run, but it will also be a great tactical move to support immediate recovery. If on one hand their focus is on intelligent routing that will dynamically optimise the routing of each transaction via such a network, on the other the plan is to work on an omni-channel experience and the ease of one-click payments, along with localized options in all the markets.

Druet said payment orchestration allows a merchant to quickly add the payment methods customers prefer in each market during the checkout process, reduce cart abandonment and maximize conversion. On the processing side, payment orchestration reduces the cost per payment transaction by dynamically routing payments to local acquirers to reduce cross-border traffic (and fees).

“Just a few percentage points improvement on an airline's conversion rate, authorisation rate, chargeback win-rate will make a huge impact on their operating margin. Payment orchestration helps them achieve that, so that's what they should focus on,” mentioned Druet.

A modern payment ecosystem that is governed by a payment orchestration platform simplifies and modernizes legacy payment systems and facilitates a truly omni-channel approach to payments. Airlines need to ensure this capability shouldn’t prove to be a costly and time-consuming initiative.  

“By the same token, it's not feasible for airlines to build connections with all the players in the payment space. Integrating individually with acquirers, payment processers, fraud partners and other providers is far too complex to manage effectively. But integrating with a single payment orchestration platform that can handle all aspects of the payment processes is simple, and can allow airlines to reduce cost and boost efficiency all while retaining the flexibility to shift when the market dictate,” said Druet.

He added, “Many airlines outsource their payment systems to a PSP and their PSS provider, under the assumption that a single vendor relationship will create simplicity. But these gateways tend to divert transactions to their own acquiring business, rather than to other acquirers who may offer a better transaction and authorization rate for the airline’s payment – and making modifications can be cumbersome.  By eliminating their reliance on third-party payment providers, payment orchestration allows airlines to set the direction of their payment strategy and move nimbly to achieve it.”

“We believe payment orchestration really has the potential to be a silver bullet, at least in terms of transaction routing, authorisation rates and the ability to roll out new payment methods quickly and seamlessly,” he said.  

In short, payment orchestration allows airlines to unify all components of a transaction under a single control layer. For cross-border merchants like airlines, this means integrating the right mix of regional and global payment partners (PSPs, acquiring banks) to optimize acceptance rates and minimize cost. A good payment orchestration platform will also automate back-end processes like settlement and reconciliation and incorporate fraud rules and regulatory compliance, all of which reduce chargebacks and fraud.

Payment orchestration synchronizes the flow of data and currency across channels and in concert with existing systems like reservation systems or loyalty programs and harmonizes any differences in format. And importantly, it facilitates the rapid deployment of new payment methods to meet customer expectations and preferences in various markets.

Getting ready for new payment methods

Supporting new payment methods is already on the priority list of airlines.

Read more: #ATPS workshop - COVID-19 accelerates adoption of new payment methods

Shoppers have embraced contactless or touch-free transactions. The coronavirus has accelerated a trend that was already in progress, acknowledged Druet.

“The appetite for contactless payments is growing, so airlines can expect to see an increased demand for mobile payments such as Apple Pay and Google Pay. As consumers regain the confidence to travel, they’ll expect airlines to support their payment needs - and travellers in different markets will have different preferences. Meeting those preferences in each region allows airlines to boost conversions and reduce abandoned transactions due to payment friction, or lack of available payment method,” he said.    

A payment orchestration platform significantly reduces the time to market for rolling out new payment methods, as integrating a new Alternative Method of Payment (AMOP) happens within the platform itself, not across individual systems. This allows airlines to pivot to meet travellers’ different payment preferences in different markets, and to do so without waiting in queue for a third-party provider to build out the necessary integration, explained Druet.

Airlines have to gear up for a mechanism that can support payment methods that customers value and prefer. In the current environment, that means contactless payments and digital wallets like Apple Pay. In the future, that may mean something else.

“Regardless of the COVID-19 crisis, the payments ecosystem continues to diversify, so it's not about supporting one method of payment over another. It’s about having the flexibility to deploy new payment methods when customers demand them, and to be able to do so at minimal cost and maximum speed. Consumers will pay in the manner which makes them feel most secure and confident about their transaction; it's up to airlines to meet them at that point. A payment orchestration platform helps them do that,” said Druet.

#ATPS Pre-event workshop on payment orchestration for airlines: Why, what and how?

Tuesday October 13, 2020, 6PM (GMT+8), 12:00 PM CET, 6:00 AM EST

http://www.airlineinformation.org/upcoming-events2/607-atps-virtual-conference-2020.html

First Published on 5^th February, 2019

Ai Editorial: Pretexting, baiting, email spoofing… these and many more are malicious acts of manipulating human psychology to gain access to personal or financial information to commit fraudulent transactions. Ai’s Ritesh Gupta finds out more about social engineering

As much as consumers today are being alerted not to share their personal information that can eventually result in a fraudulent transaction, the fact that it continues to happen means fraudsters tend to win in this battle of psychological one-upmanship.

Manipulating human psychology is often referred to as social engineering. Merchants and fraud prevention specialists are continuously looking at ways to combat social engineering. It is a tactic used by fraudsters to lure consumers to download malware or provide their confidential information for identity theft (seeking personal information, login details, passcode for online banking etc.). Another methodology is - internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike.

Also, since the situation is already precarious as fraudsters have considerable access to emails, phone numbers, and other PII credentials, it is time further damage is curtailed by keeping a tab on social engineering.

According to INTERPOL, social engineering fraud can be divided into two main categories: mass frauds, which use basic techniques and are aimed at a large number of people; and targeted frauds, which have a higher degree of sophistication and are aimed at very specific individuals or companies. While the scams themselves differ, the methods used by criminals generally follow the same four steps: Gathering information; Developing a relationship; Exploiting any identified vulnerabilities; Execution.

Attacks include vishing (telephone fraud), smishing (text message fraud), phishing (email fraud seeking a password or sending an email attachment that is infected with malware or spyware. Fraudulent emails that claim to be from your bank, credit card provider or an established website) etc. Attackers usually send well-crafted emails with seemingly legitimate attachments that carry a malicious payload. Phishing is mainly used for emails, but it can be used in text messages, social media posts and instant messages, too. Another way is intentionally leaving behind USB sticks or other storage medium. They contain malware. Also, by hacking email accounts, a cybercriminal accesses an individual’s e-mail account and sends messages to their friends, relatives or colleagues claiming to be in trouble, for example, and needing money.

Being watchful   

Social engineering may involve much more work for the fraudster. But these types of fraud are not easy to spot since it features a real person participating in the transaction or any other activity. Experts point out that consumers can play their part in curbing such attacks by being alert or responding with vigilance. With due diligence, one can make it tough for social engineers to get what they are seeking illegitimately.

Certain areas to watch out for:

·          If the offer is too luring or incredibly unusual, then don’t take action. For example, don’t share bank details to buy a free London-Chicago ticket!

·          Do check the spellings. Generally - the subject or the sender of an email – they aren’t correct in such cases. Poor grammar and spelling in email correspondence and letters sent by fraudsters.

·          Don’t download any attachments or click on any links, unless it is from a known sender.

·          Don’t share personal information that is generally not shared or is meant to be protected.

·          Don’t lose control over your device - a fraudster can impersonate and offer free anti-virus software. Once the user installs the software, the fraudsters can take over their device.

·          Beware of even unsual offers – free servicing of a computer or any promotional offer for your mobile device.

·          Do not send identification documents – not even copies in response to an unknown person.

·          Avoid putting all details on open social media pages

Other than simply being careless, there are instances, where consumers react in a certain situation, where an emotion takes over – could be due to fear, curiosity, desire etc. For instance, malware campaigns in social networking sites (could be an enticing video on Facebook ), gambling-related scams, cancer fraud etc.

A social engineer will always find a new way to do what they do. So controlling social engineering isn’t a straightforward task, but a lot can be done via education. Also, a mixed tactic of simulated social engineering attacks combined with interactive training modules is a way to prepare for such situations. Intermittent cyber security appraisals are also essential, because as organizations evolve, they change — and the information flow, too, changes within the company.

Upcoming Webinar: The Loyalty Fraud Prevention Association (LFPA) is set to host a webinar featuring a short presentation from SEON on what is social engineering and how it can be used to improve fraud prevention capabilities. Date: 14th February. For more, click here

First Published on 6^th March, 2019

Ai Editorial: Pragmatic ways are emerging to cut down on drop-offs in the mobile booking funnel, and these aren’t just restricted to mobile design and UX.

How to ensure a fraction of a second isn’t wasted in delivering a sublime CX? How authentication of a shopper’s identity is being improved upon, and in the process ensuring that a user of a mobile device doesn’t end up being annoyed? How tokenization offering is being enhanced? How prudent is “guest checkout”?

These and other questions are being evaluated considering new features that are simplifying mobile shopping.

“Customers today want to pay how they want, where they want and they want it to be seamless and they are not willing to wait. In online payments it doesn’t matter if you are selling books or airline tickets – we are all in business of removing friction because in digital era, it is speed that sells,” said Vojin Rakonjac, Head of Payment Solutions, Voyego.

In addition to experimentation and testing that eventually shapes up the payment experience, including the check-out phase, there are other areas that are being focused upon:

1. Combination of tokenization and cloud: Tokenization facilitates new payment capabilities and enables to adapt quickly to changing market requirements.  Another important aspect is protecting sensitive payment card data. To enhance the tokenization offering, specialists are looking at cloud support, and the plan is to accelerate the checkout phase and augment the payment experience. Retailers are going deep and assessing the utility of various cloud offerings. For instance, infrastructure-as-a-service might be for a e-commerce site, whereas platform-as-a-service layer on services such as threat detection.

2. Assessing emotional factors during shopping: Irritation is being linked to site navigation, one way in which fear surfaces and increases tends to be related to the transaction size, plus there are security fears. And then there are trust issues, too. Shoppers avoid using a payment method even if it is secure if they feel that the company is not wholly to be trusted, according to Klarna. As for coming up with emotionally intelligent online strategies, Klarna recommends nurturing of m-shopping habits, embedding ‘one touch pause’ functionality into online shopping experience to allow consumers to return to same place, incorporating payment choice by offering alternative options such as deferred payments, ensuring the checkout page isn’t different from the rest of the site/ app experience etc.

3. Payment options and behind-the-scenes transaction routing: There is a need to evaluate whether the new technology (or any payment method) would result in additional value for the customer as well as the merchant. It is the customer who decides how they wish to pay. Airlines need to design the integrated payment flow across payment options across channels and languages; implement integrated payment transaction and settlement reporting, gear up for multi-currency processing and conversion and opt for payment controls according to the difference of processing by payment types etc. In case of KLM, as reported by Ai, rather than having a payment functionality in each and every front-end, it was decided to set up an independent payment platform or a payment engine. It is connected to “internal” customers/ front-end for payments.

4. Adhering to regulatory requirements: The payment ecosystem continues to evolve, and one of the driving factors behind the same are the regulatory moves focused on streamlining digital payments. A development that is being closely followed is the PSD2 in Europe. It introduces strict security requirements for the initiation and processing of electronic payments. One mandatory aspect is to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction. This would directly impact customer experience (CX) and fraud management. The main consequence for retailers would be around the regulatory changes to reduce fraud that will have a direct impact to the CX. Where SCA is required, biometrics is expected to play a big role, considering availability of features such as fingerprint sensors, voice or facial recognition on smartphones. 

5. Curbing fraud: Merchants, along with payments specialists, are trying to capitalize on the evolution of the consumer technology to simplify authentication. One such move is enabling banks to count on biometric authentication into their respective apps so that users can avail their connected device and use their fingerprint, their voice their face to finish a transaction. The industry is also weighing ongoing improvements, for instance, EMV 3-D Secure Specifications, for a real-time, secure, information-sharing pipeline to authenticate buyers without adding any friction in the buying process.

Hear from senior executives about digital payments at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK  (7-9 May, 2019).

For more information, click here

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 9th January, 2019

Ai Editorial: IATA has completed first Open Banking live transaction this week. There are more developments to watch out for in 2019, writes Ai's Ritesh Gupta

Streamlining the payment experience isn't about offering the most convenient option to pay, but also ensuring security around the same. Pressure is mounting on airlines and other merchants in the travel sector. Rather than introducing verification processes that delay the transaction experience, airlines must plan frictionless on-boarding and authentication methods.

2019 is expected to witness progress on this count, as airlines continue to focus on offering a simple and frictionless payment procedure - a seamless check-out, being spot on with the choice and personalisation, and eventually managing payment and settlement of transactions seamlessly.

IATA Pay

This week IATA has completed its first “IATA Pay” ticket purchase transaction in a live test environment. It is a new payment method for travellers when buying a ticket directly from an airline website. IATA has stated that this method is not only worked out for convenience of shoppers, but also to offer a cheaper payment option compared to other alternatives. The association also termed IATA Pay as highly secure, for faster cashflow with instant/near instant payment to the merchant, and a simpler payment process resulting in fewer lost sales. The live test was done under the UK’s Open Banking framework with IATA Pay pilot airlines, including Cathay Pacific Airways, Scandinavian Airlines and Emirates.

IATA is also working with Deutsche Bank on a prototype for Europe (excluding the UK), starting with the German market, which is expected to undergo testing in early 2019. Following this, IATA will validate the concept with the intention to expand to other regions, stated the association in a release.

Frictionless + Secure Environment

Among technology trends to watch out for in 2019, one can expect artificial intelligence to play a bigger role in fraud detection and cyber defence, security via biometrics, and the role of chatbots and voice-based digital assistants in shopping.

A couple of areas that are worth following include identity verification and how tokenization is shaping up in order to protect payment data.

Considering the pace with which mobile commerce has shaped up and continues to grow, it is vital for merchants to:

• Count on mobile device attributes for identity verification. The focus is on leveraging data sources and characteristics such as device, location etc. to verify the authenticity of the user. 

• Keep a vigil on how fraudsters are crafting new techniques and tools for executing fraud through mobile devices. For instance, the use of app cloners and machine learning techniques to create synthetic device identities. Merchants have to come to grips with threats such as ID Spoofing, Porting etc. to comprehend the threat of mobile fraud.

• To act on user-related reporting to precisely predict what a user’s next buy will be, and when and how the purchase will be made.

Airlines also need to find ways to understand a shopper's behaviour, including purchase behaviour across specific devices and also enhancing fraud detection.

This is where the use of  tokenization is being followed closely. A token replaces sensitive account information, such as the 16-digit primary account number, with a unique digital identifier.

According to CyberSource, tokenization facilitates new payment capabilities and enables to adapt quickly to changing market requirements. Another important aspect is protecting sensitive payment card data. Visa Token Service helps shoppers to connect their cards to merchants of their choice within banking apps, and also comes into play when a customer opts for a new payment card and it gets updated seamlessly, rather than recurring payments and other card-on-file situations spoiling the payment experience. Also, to enhance the tokenization offering, specialists are looking at cloud support, and the plan is to accelerate the checkout phase and augment the payment experience.

Another area that is going to be crucial for merchants is the significance of latency and response time when it comes to fraud detection. The time taken by a bank to respond to an illegitimate transaction “translates directly to how much financial loss can be prevented”. The response time window or detection needs to happen in mere two seconds. "This means less than two seconds to process an incoming mobile activity, build a behavioral profile, evaluate the transaction for fraud, and determine if an action needs to be taken," as highlighted by Microsoft Azure in one of its blog posts regarding mobile bank fraud.

Lastly, fraud prevention specialists recommend that the time has come for merchants to become smarter. Merchants should still develop their own fraud tools that are able to tap on their own sources of data for greater efficiency and more accurate detection of fraud. Real-time machine learning can help against blanket blacklists and whitelists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transactions to identify fraud patterns instead.

Check upcoming Ai Conferences dates or

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 18^th February, 2019

Ai Editorial: Rather than relying on archaic methods, travel companies should look at dynamic multi-factor authentication, behavioral analytics and machine learning to combat loyalty fraud, writes Ai’s Ritesh Gupta    

The threat of account takeover (ATO) is being keenly followed and one of the reasons is the overall damage that it can cause to loyalty programs. 

No doubt the focus of fraudsters is now set on loyalty points/ miles. According to Connexions Loyalty, travel accounts make an attractive proposition on the dark web and airline loyalty accounts: $3.20-$208 each.

Fraudsters get access to stolen credentials from a number of sources:

• From data breaches, sold on the dark web

• Phishing with fake websites

• Malware, trojans, spyware

• Social engineering

• Hijacking a mobile device

Fraudsters can choose to either redeem the points for rewards for a travel product or sell the points for cash or transfer the points into a shell account. They can also use saved payment details if available.

The mayhem being created is multi-layered, and airlines are suffering on various counts.

Loyalty fraud isn’t just about an account being accessed or taken over illegitimately. A fraudster can complete a transaction via stolen credit card information, garner points/ miles for the transaction and eventually redeem the same for an airline ticket. On one hand, the airline has to face the chargeback process and loses out the transaction amount generated through the airline ticket transaction. They end up paying chargeback fees if purchases were made with fraudulent credit cards. On the other, the airline has to salvage the situation as it to ensure the loyalty currency accrued remains with the FFP member since it wasn’t used by them.

Also, as airlines look for more redemption options, the loyalty currency can be used for a variety of product categories. So ATOs and loyalty fraud are becoming more attractive for fraudsters.

With all this, trust the traveller has reposed breaks and it is extremely tough for any brand to salvage the association that has gone sour. Other than brand damage, the negative impact can also be measured in terms of revenue loss and operational costs.

Putting apt measures in place 

According to CashShield, one of the reasons that ATO attempts are rising is not only due to the growing value of FFPs, but also because of lack of stringent security. The problem arises owing to the fact that a FFP isn’t checked frequently. Connexions Loyalty highlights that 1 out of 3 customers will log in to check their accounts once every few months. According to Kount, 34% of loyalty program consumers only log into their accounts every few months and 23% check account balances even once a month, providing a huge window of opportunity for fraudsters to operate undetected for weeks. So if it gets hacked, gets manipulated or misused, then the chances of the real owner raising an alarm are low.

Fraud prevention specialists are recommending several measures:

1.     Username/ password combination isn’t enough. Imagine the number of data breaches that have taken place over the past few years. Since users don’t really change passwords and have same ones for multiple accounts, one hack means the combination of email ids and username/ password can be cracked for a loyalty program, too. Explaining how it works, Ravelin states that credential stuffing depends on ‘combo lists’ - lists of passwords and emails generally gathered from various data breaches. The combinations are then routinely run against a login with any successful attempts logged. This is usually referred to as account ‘cracking’.

It is vital to keep a vigil on accounts for anomalies to effectively notice the behavior of genuine and fraudulent customers. According to companies like CashShield and CyberSource, companies should analyze user behavior throughout the entire journey- including account creation and login, any account activity and also at the point of transaction such as redemption of points. Forter rightly points out that from the moment a customer logs onto a website, to redeeming loyalty points or entering a coupon code, their shopping journey is rich and simultaneously vulnerable to new methods of exploitation.

Ravelin recommends that targeting other tools that may indicate suspicious activity such as headless browsers, VPN, proxies etc. can be relied on as well.

2.     Machine learning technologies are emerging as an astute option to secure accounts. The efficacy of machine learning, especially real-time machine learning, can be explored for account protection. Rely on both supervised and unsupervised machine learning to comprehend both the historical patterns of use, as well as identify anomalies. According to CashShield, behavioral analytics with pattern recognition will be able to accurately filter fraudsters away from genuine users.

3.     Identity authentication: Technologies like behavioral biometrics, device fingerprinting etc. need to be focused upon for stringent screening. As Kount points out, these technologies allow a level of identify authentication to ensure that the person behind the screen is the real consumer. It is time to capitalize on options that enable a merchant to come into a situation where they can accept, reject, or challenge the users to authenticate themselves – before the event can occur.

4.     Avoiding unnecessary friction: Merchants are relying on two-factor authentication (2FA), but 2FA is not completely foolproof (susceptible to SIM hacks, SIM swaps) and unnecessarily impacts the user’s experience. Rather than using a blanket rule that forces every user to login with 2FA, real-time surveillance can be used to assess logins in the background, and only logins with borderline risks expected to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that security for accounts is not taken for granted. Companies like iovation recommend a dynamic, context-aware multi-factor authentication solution, which post integration with a mobile app, features multiple parallel authentication methods such as validating possession of a customer’s phone, pin codes, text verification, fingerprint scan etc. The focus is on deep analysis of the login device to make sure it is one that is registered to the account.  

5.     Beware of archaic methodologies: Sift highlights that measures such as putting a limit on how customers can earn points and spending requirements to accrue points shouldn’t be looked at. If an airline continues to deploy inefficient methods, then it would mean weak operational efficiency. This would result in a failure to ensure that more transactions can be processed without delay. Plus, a risk-averse manual reviewer, fearing increased chargeback rates, will reject borderline transactions as well. This is where the combination of humans and technology, for e. g., using machine learning to go through massive data sets and flag out potentially fraudulent behavior, is must. The call for full-machine automation can’t be ignored but it would depend upon the overall risk appetite of the merchant.

As Ravelin asserts, fraud never stays still. So merchants need to make swift progress to shield themselves from loyalty fraud.

6.     Dealing with intricate data environments: Airlines are scrutinizing and even executing plans to embrace cloud transformation, banking on open-source offerings rather being bogged down by proprietary technology. Enterprises must take on responsibility for ensuring data protections like encryption, tokenization, and masking within their environments or ensuring its protection when the data moves between SaaS applications or migrates to another application. 

Hear from senior executives about loyalty fraud at the upcoming ATPS (21st Century Customer Experience for Payments & Fraud - Airline & Travel Payments Summit) to be held in London (Brighton), UK  (7-9 May, 2019).

For more information, click here

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 27^th February, 2018

Ai Editorial: Blacklists rarely work because hackers will never use the same credit card information twice, while whitelists are inaccurate since whitelisted customers can be compromised anytime, writes Ai’s Ritesh Gupta

The introduction of new fraud prevention methods is keenly followed in the travel e-commerce sector. Cutting down on the vulnerability, be it for data breaches or friendly fraud or card not present fraud (CNP), is high on the agenda of travel merchants.

On the flip side, if the fraud prevent strategy ends up being too defensive, then predicament pertaining to blocking of genuine customers surfaces. One area that needs attention is the usage of blacklists.

The rejection of legitimate travel shoppers is indeed a big issue, especially considering the fragmented nature of shopping in this category which tends to culminate after heavy research spanning over multiple sessions in case of a typical holidaymaker. And from the customer experience or conversion perspective, if such rejection takes place on airline.com then it would mean losing out on the shopper after battling for the same with OTAs, meta-search engines etc.!

A case in point: a Singapore-based traveller, who is a tennis enthusiast, intends to visit San Francisco. He has finalized his trip and keen on shopping for tennis-related goods. He decides to get them delivered at a hotel in San Francisco he has chosen to stay. Why? Because he would save on shipping-related expenditure by choosing this option. So what might have been a crucial to-do-list of a holidaymaker’s much-awaited trip, it simply gets ruined due to inefficient fraud detection system. Specialists point out that such authentic buyers can suffer and their orders do get declined as certain shipping addresses can pose glitches for fraud review systems. As it turns out, a number of seemingly dissimilar orders all being shipped to a particular address can be considered to be an aberration. And if one bad or illegitimate order is shipped to one such property, then this address might end up being marked on a blacklist.

Dealing with the issue of blacklists

Initiatives related to spotting suspicious shopping and keeping them at bay by evaluating all the transaction details and adding them to a blacklist isn’t a new practice. This is generally done for cases where a merchant had to face a chargeback, and to block such shoppers again, they are blacklisted and prevented from placing another order in the future.

But such initiatives, where businesses are even automating blacklists i. e. to define rules and automatically block suspicious attempts, needs to be looked upon. It could be about declining a genuine transaction from the same email or IP address that had been marked in the blacklist previously. In such scenario, filters keep a tab on a transaction’s legitimacy by scrutinizing and inspecting a traveller’s IP address, location/ area, credit card number, e-mail id etc. So how this method is failing? In case, one email id is debarred, there is no guarantee that a fraudster can’t find a way around it. This is because a fraudster can amend it to a permutation that isn’t identifiable. For example, in case of Hotmail, users can add a period anywhere in the email address. The average blacklist isn’t able to spot riteshxyz@hotmaill.com, ritesh.xyz@hotemail.com and ritesh_xyz@gmail.com are all the same email address. It is quite common to create a similar-looking email address and circumvent the controls enforced by a system.

As the team at Riskified points out, blacklists can be useful in certain cases, for instance stopping spam email. But when it comes to CNP, it isn’t spam. The team asserts that an airline or any travel merchant using blacklists needs to probe and assess the overall false decline rate, the frequency of analyzing and updating their respective blacklists and to what their top-line revenue is getting impacted.

Counting on real-time machine learning

Blacklists rarely work because hackers will never use the same credit card information twice, while whitelists (skip the review process and are instantly approved – often result in high chargeback rates) are inaccurate since whitelisted customers can be compromised anytime. Whitelists can be an oversimplified solution to improving fraud review accuracy. Also, historical data (which blacklists are categorised as) lose relevance very quickly in the face of unknown cyber threats, since it is difficult for the machine to predict new fraud attacks without any prior information. According to CashShield, real-time machine learning can help against blanket blacklists and whitelists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transactions to identify fraud patterns instead.

The team at Riskified underlines that a healthier way to combat fraud is to proactively spot fraudulent patterns using dynamic tagging and linking, and focus on sophisticated fraud detection models.

It is time travel merchants avoid taking steps that are in general reactive and probabilistic solutions. Rather there is a need to cut down on the probability of holding up transactions via a manual review or worse blocking them entirely. So rather than blacklisting, merchants can capitalize on intelligence, say unique data points that an email address provides. It could be name matching, IP address etc. In fact, email ids are part of essential details that are garnered for almost every transaction.

Hear from experts about e-commerce fraud at the upcoming “Getting Ahead in the Digital Age - 12th Airline & Travel Payment Summit”, to be held in Miami (24-26 April, 2018).

For more information, click here

Follow Ai on Twitter: @Ai_Connects_Us

11th Aug, 2020 

A recent report by Checkout.com has indicated that merchants lose “over $20 billion due to false declines”.

While $12.7 billion of this figure goes to another merchant when a customer is turned away, it must to be noticed that false declines “are also making for a less efficient digital economy”. This is because “$7.6 billion of potential spending never came about as the shopper lost interest. 

In the same report, a senior industry executive pointed out that re-visiting risk appetite is vital. Also, a “lot of sins can be hidden in the name of #fraud prevention, because fraud teams aren’t always incentivised to have a very rigorous statistical measure of false positives and false negatives”.

“Many companies just don’t want to get on the MasterCard and Visa chargeback programmes, and that’s the guiding principle. But I think where the real value lies is in getting more intelligent about where you set those lines and being very honest with yourself and very rigorous about what your risk appetite is, and knowing what your actual false positive and false negative rates are when it comes to fraud,” Andrew Row, Managing Director of Uber Payments has been quoted as saying in the report.

Travel sector

Travel ecommerce players are focused on garnering bookings and not going to initially care where a booking is coming from. They also need to better handle the issue of falsedeclines — legitimate orders that get rejected on suspicion of fraud.

It is imperative for airlines and others to evaluate their own fraud model and points of verification and authentication of the payment process.

To curb revenue leakage, travel companies must evaluate distinct behavior and risk, for instance, on each device, rather than applying one set of rules. Ekata asserts that rather than “strictly looking at definitive good or bad, it would be more effective to look at the probability of good or bad, so to adjust to the right tolerance level in letting transactions through”.

In fraud riskmanagement, as PayPal also points, it is vital to source info from a variety of sources, incl. real-time info to check authenticity of transactions.

Priceline, in conjunction with Forter, chose to rely on automated decision-making throughout the entire payment flow to work out an apt routing for a transaction to be approved.

Airline Travel Payment Summit - ATPS Virtual Conference
20 - 21 Oct 2020

https://lnkd.in/dwqsrau

The ATPS Virtual, co-hosted with UATP, is dedicated to the payments and fraudprevention strategies needed for airlines and travel-related businesses to survive.