- Payment & Fraud Editorials

29th November, 2019

Travel merchants can't apply the so-called "airport security" approach for screening every transaction.

Rather there is a need to identify astute options to ensure the booking flow isn't unduly disrupted for legitimate shoppers. Companies have to leverage a shopper's fraud and risk score in order to ensure UX and fraud prevention aren't at odds with each other.   

This way they can take a vital step towards seamless plus secure ecommerce.

Ai Editorial from Jiri Marek, former Executive Sales & Marketing Director, LOT Polish Airlines

BITCOIN – Beyond Imagination - a Terrifying Currency?

This is my own definition of this growing phenomena of new age, describing feelings, principles, fears and opinions coming to the mind of people whenever they hear word BITCOIN It came to me through my experience of introduction BITCOIN as payment method into Aviation. How BITCOIN and AVIATION can get along with each other?

“Opposites attract” is the fundamental principle of nature, and more philosophically we can look to the east to Yin and Yang or to the west to light and dark side of “The Force”. Also in aviation we have contradictions.

On one hand airlines are highly regulated with very limited spot for frivolity, but on the other hand one of the core engines running aviation development since decades was look for the future and the out-of-box solutions. It seems that the opposites attract… but in this case not quite.

The same airlines, that do not want to loosen up on safety and security principles, are facing the new and liberated world of the internet. These two pieces are in fact very hard to match. When I shared for the first time this new idea of adopting BITCOIN as payment method within airline, it creates a feeling inside the organization like bringing “chaos” into “order”. In fact it was more of a fear. BITCOIN is somehow still perceived as the currency of the anonymous rebels, synonymous of the unregulated and wild deep internet world. 

Since airlines are extensively regulated mainly on safety and security issues, and they are using state of the art technology for flying, they became on the other hand kind of fossils in the merchandising and distribution of their content and product towards end consumer. In a result this is what we have: airlines would like to gain global reach and constantly complaining about regulators and authorities that they are bringing constrains and limit them to became truly global and on the other hand we have global borderless payment solution ready to use without any regulatory body or government behind it and no ownership, but somehow still steered clear of. Now is the time to look for the future.

I have no doubts, that the magnets will attract this time as well and it will happen sooner or later as The Mother nature always find a way through, constant search for balance, leading to evolution. Would you like to wait for this “evolution” or take rather first mover advantage and be part of “revolution”?

First Published on 12^th July, 2017

Ai Editorial: A variety of tools and techniques are being used to combat fraud in the mobile channel, but is it enough? Ai’s Ritesh Gupta explores

Mobile commerce demands planning on several counts and one of them is dealing with the malice of fraud.

As much as mobile apps and now even chatbots are ready to facilitate transactions without any hiccup, the risk of fraud can’t be taken lightly or handled just as the way web-based transactions are being managed. And it is imperative for airlines, OTAs etc. to ensure mobile users’ need for speed or overall experience isn’t perturbed while hitting the breaks on fraud.

Mobile fraud is challenging to merchants as transactions that are made through mobiles collect less information than web transactions. Merchants need to explore various areas - Is low use of 3D Secure still a major issue? How much malicious apps are of a concern? If existing fraud rules aren’t fully suited to the mobile channel, how does it impact the risk associated with a transaction? Is the risk of blocking genuine customers higher in case of mobile? Is it true that relatively higher costs are incurred in case of mobile such as greater chargeback rates, lengthier time for manual reviews etc.? All issues need to be dealt with without optimizing the user experience.

According to Kount’s Mobile Payments & Fraud: 2017 Report, merchants “earning more than $500 million annually were much more likely to say being able to detect mobile devices was “Very Important” relative to merchants with annual revenue of less than $5 million, at 61 versus 35%”. This year, the fraud prevention tools, techniques and services used most by merchants to prevent fraud in the mobile channel were card security codes or checking the CVV (58%), AVS (46%), fraud scoring (48%), device ID (38%), velocity checks (35%) and a complete fraud platform (47%).

Dealing with risk

Here we assess what’s being recommended to lower the risk of mcommerce fraud:

1.     Be informed about mobile behavior: It is vital to recognize or spot anomalous behavior in order to combat fraud. Also, declining of genuine orders, too, can be an issue if behaviour related to mobile usage isn’t considered. For instance, it is important to consider logging onto multiple devices and also mobility of the device. Since mobile users can transact on the move, then how to plan for rules based on IP geo-location criteria. Another aspect about usage is related to the time of the use. According to CyberSource, rules generally identify specific times of the day as more risky than others. So a rule may indicate that an order placed from a local IP address comes at a certain time slot. But what if an order comes via a mobile device at a completely different time. So such dissimilar patterns of use need to be scrutinized. 

Travel companies also need to take into consideration hardware and operating systems. For instance, some shoppers still use lower-end devices.

2.     Count on data: Data analysis is integral to any fraud detection initiative. When it comes to new technologies, there are supplementary fields or information required to complete a pertinent analysis. Otherwise, fraud exposure may go up. User data garnered during various interactions can improve fraud prevention, for instance, fraudsters rely on older versions of an app to make the most of gaps in security. More specifically, behaviour is also an indicator - swiping or typing? Filling information steadily or erratically?

Another aspect is customising and acting on e-commerce data specifically related to the digital assets of airlines. For instance, considering that each airline’s ecommerce website is unique, the data strategy deployed must be different and customised. It is important to work with airlines and help them utilise all the data that is available on their website. What is being done for airlines’ mobile sites or apps?

Overall, with more options to pay such as mobile or NFC, expect new ways of fraud to appear. It is crucial for the industry to move closer to active monitoring by featuring big data user and entity analytics to evaluate the shopper behaviour behind each payment that comes through. As a majority of fraud acts result from a synchronized attempt from one script, automated to optimize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payments become popular and mainstream, active surveillance will be more relevant (rather than static defence) and effective in dealing with fraudsters.

As for machine learning, it has to be ensured that an airline doesn’t only look at predictive analytics. It enables one to predict future fraud based on historical data. There is a need to incorporate pattern recognition, so even without any prior historical data, the machine is able to detect patterns across different transactions and diagnose if the transaction exhibited bot behaviour or human behaviour. Combined with pattern recognition, the system draws patterns (for both positive and negative behaviour) to map the DNA profile of the user.

As for efficacy of machine learning, it is highlighted that the data must be accurate and the rules must be set properly for it to work.

3.     Verification method: It is vital to assess what sort of consumer verification method, say what is being supported by the card networks, when assessing transactions originating from mobile devices. A mechanism is needed to authenticate the user. With which methods users wouldn’t have to worry about typing-in all of their cardholder information for each purchase? If the authentication method is too stringent, it can result in abandonment. But with poor security comes the threat that unauthorized users might make purchases. So in case of iOS, how safe are Touch ID or the device passcode as a device authentication option? What is the role of more conventional means such as PIN, signature for transactions in stores, or 3D Secure for transactions within apps? What is the liability for the fraud? For instance, in case of biometric fingerprint technology being used to authorize a transaction, is the fingerprint attached a compelling evidence in the merchant’s favour in the event of friendly fraud? There needs to be balance between streamlining the process and encouraging customers to buy without first thinking through a purchase. As a result, this could lead to buyer’s remorse, which could mean returns or even chargebacks at a later date.

Also, going by my personal experience, the two-factor authentication (2FA) can be time consuming. Yes, it is a security feature that gives additional security by adding a second-level authentication to access a particular account. But if one gets stuck, it results in disappointment. For instance, as I updated by account details for a subscription-based anti-virus service, the request for a code via SMS didn’t work as it called for another mobile number, whereas the option of downloading an app is always cumbersome as I can never remember by iOS app store password!

Also, as highlighted by Chargebacks911, biometric authorization isn’t a solution on its own for anti-fraud initiative, and there are few pieces of evidence more compelling than a fingerprint or facial scan to suggest that a cardholder did authorize a transaction.

It is recommended that e-commerce organizations need to rely on dynamic threat data to evaluate device health, location of the consumer and irregularities that may indicate fraud—in real time.

With dynamic, digital identity based authentication, airlines can better shield their shoppers’ logins and transactions.

As for the traditional approach of 3D Secure, a major issue has been transactions via mobile. Among the latest developments, 3D Secure 2.0 is being termed as a potential boost for digital commerce with quick, secure authentication, propelled by robust fraud-related intelligence. It strengthens the quality of real-time predictive risk scoring for both merchants and issuers. The new specification that would support app-based authentication and there would be integration with digital wallets, too. Early adoption of the new specification is scheduled to begin in the second half of this year.

4.     Rules: Importantly, specialists point out that uniqueness of the mobile channel be it for the way shoppers use their devices or data associated results in differences in fraud rules – especially with the goal of curtailing automatic review or declining of real payments via mobile.  

Rules worked out for mobile must rely on the data that can be collected, the behavioral patterns and fraud trends that are deemed to be relevant. Organizations are recommended to collect information about the device type and operating system, as well as mobile chargeback, rejection and review rates.

Airlines have been relying on testing the efficacy of rules on specific transaction types without having to wait for those transaction types or periods to occur in future.

Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year.

Dates: 29 – 31 August, 2017.

Follow Ai on Twitter: @Ai_Connects_Us

17^th January, 2020

Ai Editorial: Data security and privacy-related initiatives are now a priority, and travel merchants have to embrace proactive and appropriate tools for the entire organization, writes Ai’s Ritesh Gupta

It is imperative for organizations to capitalize on personal data, and at the same time address concerns pertaining to privacy and misuse of such data.

So if on one hand, travel merchants are sharpening their initiatives associated with collecting, sharing, analyzing and processing data, on the other it has to be ensured that data is secure and complies with the latest data privacy regulations. The arena continues to evolve with relatively new regulations, including the General Data Protection Regulation (GDPR), which came into force in May 2018, and the California Consumer Privacy Act (CCPA).

Some crucial topics that are being discussed are how to protect data at the source level, how to avoid heavy data exfiltration,  what does constant modernization of data operations entail etc. Also, what are the requirements of privacy laws- opt-in and opt-out options?

Gearing up for data privacy challenges

Certain areas that demand attention are:

• Data governance: As IBM Analytics recommended in a presentation at one of Ai’s conferences in the past, working out a robust data governance tool is must. Profiling each data to answer who, what, where, when and how, and to make this metadata available is fundamental. Basically, for each data, you need to understand what is the data all about, who owns it, where did it originates, where is it kept, when did it get there, and how is it processed. Only via such tool, a merchant can deal with vital components such as the "right to be forgotten" article in GDPR since data subjects have the right to request the deletion of their data and not to be contacted again. A registry that provides directory services to point to where customer data resides in different systems in a company is must, too.

Plus, IBM also recommends an operating model – starting with an assessment across governance, people, process, data and security, then finalizing standards that cover governance, training, communication, privacy, data management and security management. Post this, there is provision for  detail data discovery and embed standards, procedures, and tools to enhance existing processes. And there is also necessary training to ensure skills transfer. Finally, all relevant business processes and security control are executed.

• Understanding consent requirements: With various privacy laws that exist today, organizations need to comprehend consent requirements. What does consent entail? That’s the first step. For aspects such as the “right-to-be-forgotten” one, companies need to rationalize the entire process, especially considering that data is distributed in several ways and tends to be hosted in cloud-based and on-premises environments.  Being in control of what and where (in terms of deployments)  data is stored become critical. A privacy-by-default approach to data storage becomes must.

• Protection teams: Organizations also need staff with expert knowledge of data protection law and practices, risk assessment evaluation (data breaches and cyber attacks) etc.  

• Sharpening cybersecurity – Security specialists refer to new offerings that are a blend of advanced network, cloud and data security. Focus is on technologies like firewall protection, cloud security and data loss prevention. Also, the blend of encryption everywhere and cloud-native development paves for operations in a transparent and optimized environment designed to provide security that is data-centric rather than point to point.

This approach is becoming a necessity, considering that fact merchants not only need to counter the threat of a breach via a risk-adaptive defense mechanism, but also for ease of operations for any entity operating in the connected digital landscape. Projecting how the cybersecurity strategy is going to shape up in 2020, Forcepoint indicated that the same will move from “indicators of compromise to indicators of behavior” and will focus on comprehending risks that lie within and the importance of preventing data theft no matter the user, device, transfer medium or cloud application.

Keen on exploring data privacy and protection issues?

Check-out Ai’s conferences scheduled for 2020: https://lnkd.in/fE7UK_T

First Published on 20^th February, 2018

Ai Editorial: Loyalty fraud and account takeover, friendly fraud, inferior user experience and avoiding a risk-averse fraud strategy are areas that continue to garner maximum attention, writes Ai’s Ritesh Gupta

The Ai’s Travel Fraud Prevention Symposium in London, being held in London today, underlined the threats that travel merchants need to deal with.

We re-visit some of the issues that the industry is struggling with as of today:

1. Threat of loyalty fraud looms large with data breaches and stolen credentials: Airlines need to prepare diligently for the threat of account takeover or ATO, especially considering their business falls in the “high ticket value, with a low margin” category. Why ATO is proving to be lucrative for fraudsters at this juncture? There are multiple reasons behind this. First, this type of fraud can be more valuable than credit card fraud. Second, organizations don’t have stringent measures in place to fight against ATO. As the team at Sift Science points out, the time available to exploit the information before detection is typically longer. Third, this type of cheating isn’t easy to detect. Since the account already exists and is related to a genuine customer, the fraud is relatively tougher to spot and the fraudster has more time to operate before they are caught.

ATO in the loyalty space (featuring airlines, hotels etc.) is coming under scrutiny owing to data breaches. Password stealing tactics pose a risk to all account-based online services.

Fraudsters get access to stolen credentials from a number of sources:

• From data breaches, sold on the dark web
• Phishing with fake websites
• Malware, trojans, spyware
• Social engineering
• Hijacking a mobile device

Airlines need to look for more protections beyond just passwords. The claim for owning an account needs to be handled carefully. Machine learning comes in to understand the user behavior. Even as credentials have been stolen, it is imperative for organizations to bolster the authentication process. This way the risk of loyalty fraud can be minimized. So it comes to down to authentication and one of the tools is machine learning.

2. Friendly fraud – a battle that still isn’t easy for airlines to cope up with: Friendly fraud remains probably the biggest challenge and quite often the significance of an effective fraud mitigation strategy is underlined. Friendly fraud refers to “fraud that is committed when an individual had knowledge of and/or was complicit with and/or somehow benefited from the transaction on their own account, although the individual reported the transaction as unauthorized”. This type of fraud is a major issue for merchants as it can be tough to detect at the time of purchase, the chargeback process does not adequately address friendly fraud, and also it is time consuming to fight against the same.

“The predicament (pertaining to friendly fraud) is getting worse,” says a senior executive.

The executive pointed out that the available data is limited. Merchants definitely suffer from industry-wide lack of transparency. Their stance is feeble as there are plenty of factors outside merchants’ control that influence their reluctance to make a more substantial effort. “There is hardly enough information available pertaining to chargebacks and friendly fraud. This means there isn’t a strong foundation to bank on, to comprehend the situation. It’s challenging to amass authentic information on the matter without substantial contribution from banks, card networks, and merchants,” added the executive.

3. Managing transactions and fraud with new tools…be realistic with expectations: Managing revenue and fraud shouldn’t be about adding friction to transactions. One needs to set right expectations from initiatives such as Dynamic 3DS and biometric authentication. Many fraud prevention methods introduce dilemmas between maximising revenue and minimising fraud – e.g. with more rules, implementation of 2FA or multifactor authentication fraud rates can be lowered, yet more genuine customers will be blocked; on the other hand, with less rules and lax authentication to maximize revenue, merchants will be more vulnerable to fraud attacks. Merchants should still develop their own fraud tools that are able to tap on their own sources of data for greater efficiency and more accurate detection of fraud. It is imperative for airlines and all other travel e-commerce players to study in detail the utility of emerging   tools and technologies.  What is going to be their role in managing criminal fraud, friendly fraud, chargebacks etc. and the same time how they impact the customer experience at the time of making a transaction.

4. Trapped in risk-averse fraud strategy? Stop focusing only on rules-based approach!: The shortcomings of the traditional rules-based approach for fraud prevention continue to get highlighted. At a time when the efficacy of fraudsters and hackers in cracking areas of vulnerability is on the rise, it is imperative for merchants to improvise and sharpen rules on the fly. If an entity is heavily following rules-based methodology, then the main KPI would be to cut down the fraud rate as close to zero as possible. At the same time in many borderline genuine transactions would fail to pass through. Rather the focus needs to be on - rely on an algorithm to make decisions to optimize sales as much as possible while keeping fraud and chargeback rates under control.

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 14^th December, 2018

Ai Editorial: Data is going to be a key weapon in the arsenal of airlines as the industry attempts to fight emerging fraud threats, writes Ai’s Ritesh Gupta.

Airlines acknowledge that they need to be in a position to probe as many data source as possible in order to improve the probability of uncovering and combatting fraudulent activities and transactions.

Going forward, airlines not only need to focus on their own unique data, but they also have to count on external data plus be open to collaborating with other stakeholders to stop fraudsters’ malicious moves.  

1.     Tracking and consolidating own data: Blending all the available transactional data into a single system and analysis model is critical considering where the industry stands today with CNP purchases and e-commerce sales. In addition to ticket-related revenue generation, keeping a vigil on frequent flyer miles, loyalty points, gift cards etc. is must. Considering the way fraud evolves, airlines can’t ignore options like e-gift cards. Fraudsters are capable of breaking through gift card codes through various methods such as phishing or social engineering. Airlines’ own data, especially on their own channels like a website, is important to refine analytics around it.

Big data is first used to collect information about the user’s behaviour on the website (for instance, how the mouse moves, words per minute etc.), and this information is combined with machine learning, which uses pattern recognition to map the pattern of his behaviour to match it either with positive (genuine) or negative (fraudulent) behaviour, as well as predictive analytics that records the positive/ negative behaviour and uses that on future transactions for potential signs of fraud. After the point of data collection, airlines have to amplify and triangulate the data, analysing the data through multiple permutations and combinations so as to better understand the fraud patterns left behind by fraudsters in their attempt to brute force the system.

Real-time data from airline.com can also help in curbing fraud. Blacklists rarely work because hackers will never use the same credit card information twice, while white-lists are inaccurate since white-listed customers can be compromised anytime. Real-time machine learning can help against blanket blacklists and white-lists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transactions to identify fraud patterns instead.

2.     Blending data from other sectors for the benefit of airlines: Specialists serving the travel industry state that the fraud-related issues must be confronted collectively. There is strength in numbers and insight in data—and help is available to leverage them both. Specialists like Accertify are working on airline-specific offerings, and their machine learning technology aggregates and transforms information from a diverse set of sources to identify emerging fraud risks and attacks. External data can complement and lend a new dimension to internal data sources, offering a better view of shoppers and the authenticity of transactions. Evaluating IP addresses, credit card data, and email addresses can enhance a carrier’s interpretation of who is doing what—and from where they are doing it.

3.     Accuracy of machine learning: The collection of more and relevant data would help to improve the accuracy of the machine learning models by churning the data through various permutations and combinations to identify potential fraud patterns. However, ultimately a multi-disciplinary approach, that combines machine learning and other techniques to make sense of the score automatically, is required to fully automate the fraud screening process. Machine learning models are only able to provide a fraud score, of which a bulk of transactions are automated but humans are still required to review a good number of transactions that are considered borderline. 

4.     Authorization rates: Among the other areas, data is being relied upon for improving upon the authorization rates. As highlighted by Adyen, on average, 5%-15% of ecommerce credit card transactions are rejected by issuing banks, and out of these, a quarter don’t work due to shortage of convincing reasons, mostly due to old and inefficient systems. And in certain markets, authorization rates across issuers take a dip because of suspicion of fraud. In this context, it is imperative to bank on data to evaluate the main reasons behind those declines and take appropriate initiatives. For instance, one areas that could be looked upon is - issuer-specific authorization rate trends. These actions may include optimizing the type of data submitted or identifying optimal routing for a given transaction.

5.     Collaboration: A shared database or working together with relevant partners is going to be the biggest factor in combating fraud. IATA Perseuss allows members to check suspect transactions against a community database holding records from around the world. Still there is plenty to learn from other industries or law enforcement in a particular market that has managed to control fraud to an extent. With a partnership featuring different players from the industry, the government and law enforcement agencies, fraudsters are being punished. For instance, the Banking Protocol scheme in the U. K. allows bank branch staff to immediately alert police and Trading Standards if they suspect fraudulent activity. The Dedicated Card and Payment Crime Unit (DCPCU), backed by the finance industry, made 84 arrests and interviews under caution in the first half of 2018, which led to 26 fraudsters being convicted. As for capitalizing on data, intelligence is also shared with law enforcement including the National Crime Agency. A campaign is being led by Financial Fraud Action UK to help everyone protect themselves from preventable financial fraud and is being delivered with and through a range of partners in the UK payments industry, financial services firms, law enforcement agencies, telecommunication providers, commercial, public and third sector organizations.

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 21^st June, 2018

Ai Editorial: What makes account takeover an even bigger threat for organizations is that an increasing number of enterprises are building online ecosystems, as well as branching into different services beyond their initial product offering, writes Ai’s Ritesh Gupta

The recent media reports pertaining to Amazon accounts getting hacked is a disturbing development. Considering how many consumers and the extent to which they rely on these ecosystems, the threat of fraud and its implications on various stakeholders involved needs to be assessed.

A plenty is at stake since a single platform can be used to access multiple services.  

If we considering an ecosystem such as Tencent’s WeChat, the Chinese company has gone beyond primary services of messaging and social networking over the years. Mobile wallet, bill pay, P2P transfers, merchant services, ticketing, insurance, wealth management and mutual fund management are among the services that WeChat is associated with. Similarly, the likes of Amazon and Alibaba, too, are proving to be a lucrative option for fraudsters as a single account on the black market can give fraudsters access to a treasure trove of data, including multiple stored payment methods, bank account information, usernames and passwords. In fact, as highlighted by Sift Science, in May this year, an Amazon customer became a casualty as she found in her email statement related to shopping of goods that she hadn’t bought. The amount totaled $1,640 in total purchases. As it turned out, a fraudster had gained access to her account without her permission and eventually Amazon (not a pleasant experience for customer and the reputation took a beating) suffered due to this account takeover (ATO) attempt.  

What makes account takeover an even bigger threat for organizations is that an increasing number of enterprises are building online ecosystems, as well as branching into different services beyond their initial product offering. A case in point is the growth in mobile payment systems, which fraudsters can easily exploit by adding stolen credit cards or making unauthorized transfers of credits from compromised accounts. With a growing connectivity of data, fraudsters can have unparalleled access to multiple services with just one single account. A case to examine is Amazon, where one single account may be used to access multiple services including Amazon Prime, Alexa, cloud storage, music streaming and more. Plus, the company is already expanding and introducing different services. For e. g. Amazon uses Amazon Pay as a virtual wallet system to be used within the app.

“With a growing connectivity of data in a world of frictionless payments, Amazon is at risk of various fraud scenarios such as having unauthorized transfers of Amazon Pay credits from compromised accounts,” says Justin Lie, CashShield’s CEO. “Once a single account is compromised, it would be difficult to have damage control on all possible endpoints that could benefit the fraudster. For instance, the fraudster could have access to the card-on-file to make purchases, or have access to the user’s information, or worse, in the case of IoT (e.g. Alexa), spy on the users in their homes.”

Dealing with vulnerability 

Fraudsters no longer only make unauthorized payments with stolen credit cards, but are also carrying out promo abuse with the creation of multiple accounts, making unauthorized transfer of funds, and making unauthorized top up of credits.

One way to safeguard such accounts includes a two-step verification, requiring users to fill in a security code whenever they access an account from a new device. Currently, fraud protection for accounts are still far behind, especially compared to the systems designed to secure payments. Most enterprises rely on static verification measures such as two-factor authentication (2FA) and multi-factor authentication (MFA), but is easily bypassed by fraudsters (e.g. via SIM hacks or SIM swaps) and creates unnecessary friction for users. Unfortunately, more must be done in terms of ensuring user accounts are secure from fraud. It is pointed out that many merchants struggle between striking a balance between improving security and maximizing user experience, which is difficult if their only known option is to either deploy 2FA/MFA or not. Rather than using a blanket rule that forces every user to login with 2FA, real-time surveillance can be used to assess logins in the background, and only logins with borderline risks expected to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that security for accounts is not taken for granted.

Lie recommends that an end-to-end approach is needed to cover it all - to monitor transactions across multiple channels and devices in real time, at every stage of the process. From front-end filters detecting fraudulent logins to machine automation preventing fraudulent purchases and chargebacks through illegitimate account takeovers, these ecosystems must consider deploying sophisticated end-to-end solutions that can cover their bases.

It is time that ecosystems and even other companies make rapid progress since account takeover is indeed occurring more frequently - according to the 2018 Javelin Strategy & Research Report, account takeovers tripled in 2017, which resulted in $5.1 billion in associated losses.

When data breaches occur, consumers have no control. Yet when it comes to account takeovers, customers are told to play an active role in prevention by being vigilant and having complex passwords, even though a data breach would leak all passwords, no matter how complex it is. Lie says it is up to the merchant’s end to adopt stricter security protocols in storing and encrypting their data, to minimize the damage in case of a data breach. Considering that it is impossible to build the perfect defense, merchants could also aim to mitigate the damage done by ensuring that the stolen data cannot be used. One way to achieve this is to deploy real-time active surveillance on every login to filter out potential threats and prevent attackers from gaining unauthorized access to accounts.

Hear from airlines and other industry executives about ATO at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).

For more click here

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 8^th November, 2018

Ai Editorial: Account takeovers (ATO) are shaking e-commerce players in many ways, including in the loyalty space. For instance, post an ATO orders can be made with the genuine card-on-file or stored credit (reward points or miles), writes Ai’s Ritesh Gupta 

Retailers, including travel e-commerce players, are looking at combating the increasing threat of account takeover (ATO) attacks.

As the number of data breaches is going up, they are being linked to the surge in ATO attacks. This is because these breaches supply a treasure trove of information of login credentials, passwords, and personal information.

Here is how fraudsters are trying to make sense of what they are stealing: Data breaches can result in compromised login credentials. Post this fraudsters tend to test whether these credentials work on other sites or not. With one password for multiple accounts being a common practice, the threat of danger is unimaginable! Since testing credentials this way can be a laborious task, fraudsters use bots to automate the testing process. Once fraudsters have found credentials that work, they can either commit the fraud, or sell them on the dark web. According to Riskified, usually fraudsters have specialized roles: fraudster A is the expert at data breaches, and he’ll monetize the stolen credentials by selling them to fraudster B, who is the expert at loyalty fraud. Cybercriminals purchase these stolen credentials from the dark web, and thereafter launch coordinated fraud attacks for hostile ATOs, or to create spam accounts with real genuine identities.

Why even a bigger headache? 

In case a successful data breach or an ATO attack happens, merchants can find themselves in an obnoxious situation. As explained by Sift Science, this is because stored payment methods make it easier for fraudsters to shop, fraudsters can redeem miles and points that sit in unsecure accounts, personable information is lost and then merchants also have to grapple with the issue of restoring accounts after a takeover incident. Spam accounts are useful for fraudsters to abuse promotional codes, which is another pain point for merchants.

A couple of reasons by ATO can become even a bigger headache:

·         ATO can also occur under other circumstances such as when competitors suffer a data breach. Given that most people tend to use the same credentials with multiple merchants, fraudsters will test stolen credentials across multiple websites. This means that an enterprise’s accounts can also be compromised once fraudsters get hold of their competitors’ user data.

·          It also needs to be considered that enterprises are starting to build ecosystems where a single account can be used to access multiple services, increasing the value of accounts and further compounding the problem of account takeovers. Accounts are becoming increasingly valuable, due to the amount of information and/or services tied to a single login, and considering that most enterprises have yet to deploy sophisticated fraud management techniques to detect fraudulent account logins, accounts have become the new gold for fraudsters today. A case to examine is Amazon, where one single account may be used to access multiple services including Amazon Prime, Alexa, cloud storage, music streaming and more. Once a single account is compromised, it would be difficult to have damage control on all possible endpoints that could benefit the fraudster. For instance, the fraudster could have access to the card-on-file to make purchases, or have access to the user’s information, or worse, in the case of IoT (e.g. Alexa), spy on the users in their homes.

What to consider? 

Some of the top issues on the agenda of airlines as of today are - how to prevent fraudsters from accessing travellers' legitimate account? How to combat an ATO attack at the point of sale, and declining the order?

Companies acknowledge what's at stake - their reputation, messed up loyalty accounts, a customer's private information etc. A majority of fraud review operations are reluctant to decline orders coming from a logged in account. This is because the risk of offending a good customer is so high and the fear of a poor customer experience makes it a delicate issue. As pointed out by Riskified, a major aspect of preventing fraudsters from succeeding at the point of account login is processing data and making decisions in real-time.

Enabling two-factor authentication (2FA) is one option. Educating consumers to use strong passwords and securing their devices is also important. Notifications about suspicious activity, too, need to be considered. Still travel e-commerce companies need to dig deep. As recently shared by CashShield, organizations tend to rely on 2FA for account protection, which can be overcome by fraudsters with deceptive tactics, such as SMS phishing to trick users into giving up their 2FA reset codes; it is also not uncommon for fraudsters to intercept the confirmation SMS messages, proving that 2FA is not sufficient to prevent fraudulent account takeovers.

As for the role of a merchant, they need to go for stringent security protocols in storing and encrypting their data, to curtail the loss in case of a data breach. They can also attempt to lessen the harm by guaranteeing that the stolen data cannot be used. According to CashShield, one way to achieve this is to deploy real-time active surveillance on every login to filter out potential threats and prevent attackers from gaining unauthorized access to accounts.

For Ai’s Events, check - www.aieventdates.com

Follow Ai on Twitter: @Ai_Connects_Us

19th July, 2019

Ai Editorial: How travellers transact has changed, and merchants can't ignore the role of e-Wallets and bank transfers while deciding on their payment acceptance mix, writes Ai's Ritesh Gupta.

Alternative ways to pay for travel, such as e-Wallets and bank transfers, are being used more often than cards and cash combined, according to a new report released by Amadeus and PPRO. This growth is occurring across the world with e-Wallets now twice as popular as cards in China, accounting for 49% of the country’s $155B digital travel spend.

Merchants like airlines, especially those operating in multiple countries, are looking at alternative payment methods because of several reasons:

• Settling in a market quickly (facilitate new local payment methods with minimal development effort).

• Checkout optimization (offering a payment method that works well with the traveller).

• Cut down on inefficiencies (local payment methods via one technical, operational, and funding flow).

Digital wallets

In this context, digital wallets have become popular owing to the fact users can avail preloaded credentials and this fastens the online checkout experience. And China has stood out for the usage, since payment is one part of an app. What makes an app like WeChat more compelling than just invisible payments or scanning QR Codes for completing a payment is the fact an ecosystem manages transactions along with ID management and many other aspects holistically.

Companies like Union Pay, Alibaba and Tencent chose to capitalize on the fact that the card usage wasn't as penetrative as one would expect in a populous market like China, so they came up with a payment method that proved to be convenient and ubiquitous. It was available to anyone with a mobile phone or an Internet connection. It was also driven by necessity, since Chinese travellers moving outside their country needed to have an alternative to using a standard credit card. "That is total freedom for the Chinese traveller as they no longer have to rely on cash as their only form of payment while abroad," pointed out Eric Liebman, Global Head of Travel, Ingenico ePayments.  

What works in favour of these payment methods is reduced friction. In today's world of instant gratification, as acknowledged by Ingenico ePayments, travellers "demand things now". "...customers want to be able to pay without any friction and with the method they prefer. They don’t want us dictating how they pay, it’s the other way around. That means things like Amazon Alexa, Apple’s Siri, e-wallets or even Uber-like experiences where experience is key, but payments are invisible," mentioned Liebman in a blog post.

Plus, for a merchant, one factor that goes in the favour of this form of payment is seamless convenience and built-in security. Encryption, tokenisation, and device authentication result in additional security.

"Ubiquity is one of the main key takeaways from Chinese companies. Chinese users are at a point where they are using their mobile wallet for anything. Alipay and WeChat Pay are present in online and offline stores alike, in use in China, and outside. It is an ‘all-in-one’ payment transforming solution, showing non-Chinese companies where innovation and an intimate consumer-knowledge can take them," says Rodrigo Sánchez Prandi, VP Product at payments technology specialist dLocal. "Simplicity will go a long way and it will always attract users. If you give your users ease-of-use by adding their preferred payment method, such as paying with one click, one tap, or even one smile, you are a step ahead in today’s payments’ world."

China leading the charge

According to WorldPay, this growth in China along with a surge of adoption in North America will propel eWallets to become the leading eCommerce payment method globally within five years.

With a validated business model, Chinese technology companies are taking their expertise to other markets as well. As indicated by Amadeus' report, Ant Financial, the owner of Alipay, is currently expanding beyond China. The company now has interests in Dana in Indonesia, Asceno in Thailand, Pi Pay in Cambodia, and Mynt in the Philippines, among others. It is expected that in these regions, accelerated transformation in payments will occur as a consequence, stated the report.

Hear from senior executives about eWallets in China and other Asian markets at the 8th Annual ATPS Asia-Pacific to be held in Penang, Malaysia (27-29 August, 2019).

9^th September, 2019

The travel industry at large isn’t ready for the implementation of Strong Customer Authentication (SCA), required for all online transactions in Europe from 14 September 2019.

A study initiated by Amadeus has indicated that only one in three travel merchants are expected to be SCA-ready by the deadline. The report featured 50 large travel firms (€1billion+ revenue).

Merchants will have to adapt to SCA, which aims to increase payment security and protect sensitive consumer payment data. The preparedness of the travel e-commerce sector in dealing with the anticipated negative impact is being assessed since SCA poses risks for travel merchants, not to mention implementation challenges. This requirement is being introduced as part of the second Payment Services Directive (PSD2).

A couple of issues that have been highlighted in Amadeus’ report, ‘Strong Customer Authentication in travel payments: preparing for two-factor authentication’ are: 

• Cart abandonment: Uneasiness and apprehensions being associated with SCA are valid as travel merchants dread the idea of adding any sort friction to a transaction process. SCA stipulates all electronic payments in Europe be subject to 2-factor authentication, meaning travellers must undertake extra steps to validate the transaction before payment is accepted.

The SCA requirements are going to impact the speed of consumer transactions and the number of steps to be completed when paying. One of the major concerns has been the inclusion of additional authentication into the checkout flow, since it introduces an extra step that can add friction and increase customer drop-off.

If one considers the growing prowess of mobile devices for shopping in general, it means that there could be even larger customer drop-off. So is the impact of SCA likely to be even higher on mobile devices?  

“…requiring travellers to undergo additional checks, such as providing a one-time passcode sent to their mobile device, introduces some friction to the digital experience. This may sound like a small price to pay but our research shows the industry expects this additional friction to increase abandonment rates by 10-20%,” mentioned Jean-Christophe Lacour, Head of Merchant Services, Payments, Amadeus. The company expects any drop in abandonment rates to be a short-lived phenomenon as travellers get accustomed to the new steps needed, which they’re actually already performing for mobile banking for example.

• Applying SCA: The report also mentioned that card issuers “are responsible for applying SCA to a particular transaction, yet many other players including acquirers and merchants themselves must upgrade systems so they are capable of handling 2-factor authentication. If that doesn’t happen, and an issuer therefore cannot request a traveller performs SCA, they may simply reject the payment”.

Much to the relief of the industry, many local regulators across Europe have introduced a grace period for SCA compliance for e-commerce transactions over recent weeks.

• Being ready for it: The top three authentication methods being studied by issuers include; One Time Passwords (OTP) (SMS to a mobile device), authentication within a mobile banking app, and 3DS. Among these, OTP and 3DS authentication are expected to adversely impact the user experience.

According to the report: “…with 65% of airlines and agents expecting SCA to negatively impact sales, how travel companies prepare has implications for the bottom line. There are steps firms can take to mitigate the impact of SCA, with 70% of respondents to our research intending to work with their acquirer and payments partners to apply the various exemptions provided for within the regulation and more than half signalling a move to the latest authentication technology (3D Secure 2.X).”

Specialists recommend that merchants should use exemptions where possible.

Also, by using fingerprints or facial recognition, one can combat fraud while also increasing convenience for consumers.  

Amadeus surveyed payments leaders from 50 large travel merchants regarding their approach to achieving SCA readiness. The majority of responding organizations generate more than €1 billion in annual revenue with respondents drawn from airlines (60%) travel sellers (30%) and hotels (10%). The survey was carried out in August 2019 with industry conference and media company ‘Airline Information’ providing support with respondent recruitment.

Related articles:

Businesses not ready for SCA, worried about impact on UX: report

Optimizing UX for transactions being “challenged” under 3DS 2.0