- Payment & Fraud Editorials

23^rd November, 2020

A number of organizations have fallen short of keeping their data secure even though they believe that they have a defense mechanism in place to protect their information and systems. But any breach or illegitimate access to data is a big blow considering that teams are working remotely.

Capabilities of hackers/ scammers continue to get more sophisticated and it is vital to for organizations to identify any unusual behavior before a databreach happens.

Some of the pertinent areas that need to be focused on are:

• Ensure there is clarity over what to protect and where.
• One cannot misuse data or leak if there is no access. “So either limit access by default or control the size of the potential leak,” says Jan Kubíček, Kiwi.com’s Director of Security. Do evaluate if there is any data stored in an unsecured external storage service. If it accessed without authorization then it’s a threat.
• Focus on real-time threat intelligence. This can help in evaluating behaviour which otherwise can be missed by traditional endpoint security technology, according to Daniel Farr, Leading Information Security Consultant, Foregenix. 
• Unpatched or old vulnerabilities shouldn’t be overlooked at any cost, said Kubíček.
• Encourage a culture of security within an entity. Do focus on security awareness and training alongside technical controls.

By Ritesh Gupta

Ai Team 

***STOP PRESS*** ►Registration is now open here for the 2015 Mega Event & 10th FFP Loyatly Conference!

It’s scary! Yes, time to minimize credit card and personal data exposure. No travel company wants to be a victim of unauthorized cyber-attacks. But today security protocols are under pressure to deliver. Ritesh Gupta, Airline Information Correspondent assesses the situation

It’s blatantly obvious now. The threat of fraudsters deceitfully obtaining confidential information for card fraud is looming large over airlines, hotels and intermediaries. Travel brands are taking a beating. As much as travellers need to be aware of phishing and skimming, travel companies too now can’t ignore the possibility of a scam. Take the recent case of Mandarin Oriental Hotel Group. The chain’s credit card systems in several of its properties across the U. S. and Europe were accessed without authorization.

So what resulted in breach of such magnitude?

The incident apparently was a direct result of an unauthorized cyber-attack. The chain states that despite the group’s leading data security systems, “this malware was undetectable by all anti-viral systems”.

As per the initial update, the breach only impacted credit card data, but not pin numbers or the 3-4 digit security code required for manual authorization. Mandarin Oriental also clarified that no other personal guest data had been compromised.

The situation is serious, says Kristian Gjerding, CEO CellPoint Mobile, as it does have an impact on bottom line and brand equity (consumer trust), especially moving forward with some of the newer payment methods and the increased ownership of the full transaction flow by airlines. With an increase in mobile payments comes an inevitable increase in the potential for mobile payment fraud. These days, smartphones and tablets can be hacked just as easily as computers, adds Gjerding.

How to prevent such situation

It needs to be understood that as airlines and brands become more astute at detecting fraud, hackers will also become more sophisticated and organized, able to launch higher-level, intricate cybersecurity attacks. Hackers will always try to find ways in, but airlines have an opportunity to limit the scope of the impact by being just as clever and by instituting constantly evolving security measures from the moment of sign-up – the very barriers that keep hackers at bay.

So what needs to be done on an immediate basis?

Answering the same, Gjerding mentioned that several authentication measures can be taken by airlines to prevent many issues. However, attention to hacking needs to be a continuous process, especially with the increase in consumer smart devices and subsequent direct sales channels. “Airlines need to ensure that their security systems are flexible and scalable, to monitor and security activity around the volume of transactions and the various channels in which they take place,” said Gjerding.

Converged payments

Gjerding emphasised that converged payments can solve many of the complexities of cross-channel digital transactions by providing airlines the technology and architecture they need to make the process uncomplicated, secure at various stages of the process, flexible and holistically visible – not to mention seamless and easy for customers.  

The basic concept behind converged payments is that all transactional activities—payments, redemptions, bookings, security step-checks, authentication, etc.—converge into a single, secure infrastructure where they are managed, processed and authorized.

Minimizing exposure

Many steps can be taken to minimise risk of credit card and personal data exposure, such as compartmentalization and tokenization on the inside of the airline’s DMZ (Demilitarized zone. Network added between a private and a public network to provide additional layer of security), said Gjerding. He added, “With the increase in passenger self-service, however, airlines will have to expose access to services and data – a level of vulnerability through which hackers can gain access,”

With a converged payments architecture serving as an organizing funnel, information from varied and disparate sources is fed into a central operation, checked and verified, standardized and normalized, and then exposed to extra layers of security so that the resulting transactions—payments, ticket bookings, boarding passes, rewards redemptions, in-flight purchases, upgrades, baggage fees, refunds and the like—are processed within a common, robust environment.

Converged payments capabilities also provide a centralized view of a customer’s digital/ mobile transactions and activities: payments, loyalty, booking, fraud detection and more.

With silos eliminated and processes streamlined by the underlying infrastructure, payments are executed quickly and seamlessly for the customer and the airline, and protected from hackers and other online threats through real-time alerts and, when necessary, manual verification and processing.

The team at CellPoint Mobile considers “inside the DMZ” prevention to be an important addition to firewalls and external fraud measures. This is a system that monitors, acts and reports on suspicious activity from the inside and can include configurable fraud-alert rule sets, data- profiling modules, and other authentication measures.

With the eventual ability to mix-and-match cash, credit payments and rewards redemptions for financial transactions, airlines will need comprehensive solutions that can detect, prevent and mitigate all types of fraudulent activities that occur in the complicated payments ecosystem.

Follow us on Twitter: @Ai_Connects_Us
 

NDC is fine, but are airlines ready to offer a better payment experience?

Ai Editorial: One transaction for a trip, but having separate payment record of each trip element involving a different supplier isn’t an ideal story. Are airlines ready to handle this, especially in the context of traditional card payments, in the NDC era? Ritesh Gupta finds out

The objective of being in control of what a carrier intends to sell sounds like a pragmatic idea. As data-driven personalisation becomes the norm, every airline understandably would like to offer its differentiated, unique product and at the same time something that matches the intent of the traveller, too. Also, airlines have been considering the possibility of making personalised offers to agencies without them being prepared by an intermediary by following the NDC standard.

Payments landscape – dealing with inevitable complexity

There are several dimensions that need to be considered as airlines move toward selling products in a different way. One of the most complicated aspects that need to be addressed is the authorization and settlement of a transaction. Considering the complex payments landscape, it isn’t going to be a straightforward process to optimize the payment experience.

It’s true that the scenario where a traveller shops trip essentials (such as airline seat, car rental, insurance etc.) on one site and pays multiple merchants in a single checkout session isn’t new. 

There are certain aspects of travel that are being streamlined. As it recently emerged, IATA’s One Order industry-led initiative is “intended to modernize the multiple and rigid booking, ticketing, delivery and accounting methods with a single, flexible order management process”. According to the association, accounting “will be based upon workflow of a single order, bringing the industry closer to standard retail accounting principles”.

As for the passenger, the plan is to simplify the experience as travelers will no longer need to juggle between different reference numbers and documents. All they will need is their order reference number to be easily recognized and served by all. 

This ideal cart checkout scenario will create complexity for an airline which must now accept the liability associated with the delivery of the various services being bought. Travellers will appreciate the single cart experience but they will also expect the airline, as the merchant of record for the sale, to service their complaints when a service is not delivered as expected. This is where there is room for improvement, says Global Collect's Laurie Gablehouse, a travel payments specialist. 

Payment experience – far from being optimized

Let’s imagine a situation. Say you have shopped for US$1500 for your next trip. You have paid $1000 for your air ticket and $500 for your hotel stay. You completed shopping on an airline website at one go. As it turns out, the details of these two components would need to be tracked separately, with separate bills at your disposal.

Why so?

It’s just the way the world of merchants, acquirers, issuing banks and card schemes work.

A lot happens when our card details are used for a transaction. Several stakeholders come into play as our transaction is converted into an invoice. As it stands, without these stakeholders, a transaction can’t be done.  So imagine a scenario where each travel supplier has its own acquirer, and how the world of authorization and billing eventually shapes up today!

“Yes, the liability for the order is why the payment process works in this way.” says Gablehouse, referring to the current scenario.

Considering that there are two parts to a transaction – authorization, and clearing and settlement, where can the situation be improved?

Gablehouse states that it isn’t a technology issue; it’s just the functioning of this sector that is hard to fiddle with. A bank expects the merchant who accepts the payment to be the responsible party for the collection of the funds. If the consumer decides to reverse the payment AFTER the services have been delivered then the merchant is left with the loss. If this was not a service the airline was responsible for delivering, then there must a legal means of recourse to be reimbursed by the third party provider.

Authorization commences when travellers presents their respective cards to the merchant for shopping. In a matter of few seconds, checks pertaining to fraud and credit line are supposedly done, and a decision is taken. Post this there is a contractual obligation pertaining to payment and a product/ service being bought. So where can changes takes place in order to sort the issue of a traveller receiving one payment detail?

Interchange is the clearing and settlement mechanism that transfers data between the card processor and the issuing bank.  There is an opportunity for card schemes to help the industry, improving the situation at the back-end, says Gablehouse. The back-end requirements are where this single order ides is quite fragmented, she says.

Here the situation is expected to be better in case of alternative form of payments such as digital wallets.

The idea of having one generic merchant id

The scenario can evolve by working with card schemes and identifying means for the airline or merchant if they could authorize $1500 as a total and not as $1000and $500. They are being billed separately as we don’t have the standards to allow for the single authorization for two different merchants. In order to settle $1500 settle at one go, authorization needs to be a single, bundled amount, says Gablehouse.

Hypothetically, Gablehouse says a single generic merchant id could be used to obtain the authorization for the entire sale. This is not something that the card schemes and banks should consider as a means to facilitate the process. This would also require changes to the settlement to ensure that the individual merchant ids could be used for settlement. In the ideal scenario, there should be multiple acquirers which eventually see the settlement file containing all components of shopping when a card scheme processes the billing. This would in turn simplify our payment experience if we were to book more than an air ticket with multiples services from an airline.

First Published on 29^th March, 2017

Ai Editorial: False positives have never been easy to identify. But with machine learning, 3D Secure 2.0 and data intelligence, airlines can be in better control of the situation, writes Ai’s Ritesh Gupta    

The denial of a digital service that is routine or legitimate is annoying.

For instance, as a credit card user, if I intend to access my statement on  bank’s website, and if even after filling of details and password (which most users tend to detest), the access to the same is denied then it disappoint us in a big way. Similar is the experience of a genuine digital transaction that either gets denied or takes longer than expected duration to finish due to seemingly stringent security measures.  

Airlines need to invest in apt user experience strategy and an integral part of the same is to work out right acceptance gap for payments so that revenue generation doesn’t get impacted in a negative away. Conversion rate in commerce isn’t just about getting traffic to digital platforms, but what also matters is not turning away authorized orders and how companies deal with false positives.

Also, from a business perspective, any travel company can’t afford to have a poor profile i. e. being bracketed as a high-risk merchant. Any business with low transaction volumes needs to be wary, as even a single chargeback will be termed as a significant development to the issuing bank than it would for an airline with relatively higher transaction volumes.

So airlines need to be vigilant of the new developments, and make incisive moves to deal with this problem.

·          Finding ways to distinguish real buyers from fraudsters: It is time digital enterprises evaluate the limitation of automated responses from rule-based filters. KPIs for authentication for CNP transactions include historic chargeback data, card acceptance rates, cart abandonment, issuer declines, merchant reversal declines, interchange cost etc. But areas like how online anti-fraud technology impacts false positives need to be assessed. Airlines can dig deeper into the efficacy of rules-based authentication, seeking control over their transactions, and also sort out the manual review problem as human analysis can’t be done away with.

Today negative attributes are being assessed in a dynamic manner and this is where machine learning can contribute when it comes to dealing with constantly evolving patterns. At the end of the day, the list of potential offenders can’t be too restrictive, and at the same time, airlines can be lenient with fraud prevention as well. Machine learning can cut down on unauthorized transactions while also reducing the risk of denying a genuine payment. Key here is the fact that the model keeps training through regular feedback. How? With information about traffic (based on behavioral, identity, and network patterns), and more of the same being garnered, more precise predictions can be. This results into fewer false positives. Also, this analysis can also pave way for customized checkout experience with lesser number of fields or even the fastest possible processing for authentic travellers.

·          Counting on data intelligence: Rigidity due to pre-constructed rules can now be combated with data sharing and data intelligence. And the release of 3D Secure 2.0 specifications, too, needs to be followed for the same. One way to ensure the decline rate is relatively lower could be via availability of quality data. Giving issuers a chance to interject themselves into the checkout can improve upon the risk assessment. So what was being done sporadically can be done in a widespread manner i. e. enabling issuers to amend their authorization risk settings and tie the authorization to the authentication.

Enriched data flow provides stakeholders with a better ability to approve “good” transactions.

As indicated by CardinalCommerce, in the past, merchants and issuers relied on “relatively simple data points in making authentication decisions”. But by relying on emerging sources of data and data intelligence, there is a chance to cut down on fraud and false positives. Legitimacy can be verified via purchase history, device and behavioral information, relevant social media details etc. So airlines better lookout for extra authentication data elements that are available at the time of the transaction so that both the merchant and the issuer can make a more informed and precise decision as whether or not to complete or deny a card-not-present transaction.

(Related article: How Amtrak worked out 99.85% acceptance rate, significantly better than the airline industry 96.3% acceptance rate).

·          Impact of 3D Secure 2.0:  The new specification when officially launched is being tipped to contribute in a big way. 3D Secure 2.0, with plans for early adoption in mid-2017, supports new transaction attributes, and this is expected to curb the level of false positives.  

The objective of new specifications is to aid verification on the basis of data elements pooled through the protocol with focus on a frictionless shopping experience for card users. Also to make the message interface and authentication flows agreeable to mobile platforms.

3-D Secure 2.0 will enable increased use of risk-based and dynamic authentication.

The risk-oriented outcome will be shaped up by uniform and extended set of data elements.

Owing to risk-based authentication method, issuers relying on static or partial passwords have to mull the improbability that consumers will memorize or easily use their passwords if these are only used for 3D Secure and are occasionally called for.

So be prepared for abandonment and failure rate. Accordingly issuers need to find ways for authentication.  

Are you bold enough to survive in the brave new world?  Assess your preparedness at 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 

For information, click here

Follow Ai on Twitter: @Ai_Connects_Us

First published on 8^th December, 2016

Ai Editorial: As the devices that can be connected to the Internet expand, wrapping up a shopping experience by paying on these devices would be a logical progression. So airlines need to gear up for what all IoT can do to facilitate a transaction, writes Ai’s Ritesh Gupta

Technology that augments your decision-making is enamouring.

Imagine this – a family is in a car, and one of the member’s smartphone is connected to it. The family decides to go on a holiday. A digital assistant (could be a smartphone service or an app) is being posed questions, and itineraries are getting flashed on the screen in the car. And the screen is also displaying things to do, weather-related information etc. Five itineraries are short-listed. The user sees these options in the smartphone app, and ends up booking.

Going by what all is being talked about – seamlessly moving between connected devices and turning any Internet connection into a commerce experience – this makes technology enticing.

IoT and seamless experience

Between the Internet of Things and emergence of concepts such as wearable technology, the travel booking funnel is getting split and fragmented – marked by a number of sessions across devices. There is huge pressure to understand the profile, intent, context/ booking phase, location, device etc.

The IoT assumes that information and data will flow seamlessly and securely from one device or one party to another, where it can be accessed and used immediately, says Kristian Gjerding, CEO of CellPoint Mobile.

“If the IoT keeps track of the items you intend to purchase, it can automatically tally the payment and process the payment as soon as it connects to the nearest payment terminal or app and verifies the customer's information and data,” says Gjerding. “The IoT will remove even more layers and more steps that are now involved in shopping and paying for goods and services – such as the IoT-connected refrigerator that senses the absence of baby formula and orders it automatically.”

The value of IoT commerce is that it can make our lives smarter and simpler.

So how can airlines evaluate the potential of IoT commerce at this juncture?

“Everyone knows how frustrating modern air travel can be, and any technology that simplifies that experience for passengers will be a welcome phenomenon,” says Gjerding.  

In the airline environment, IoT can:

-       connect a passenger’s baggage to his/ her mobile device for real-time tracking and updates.

-       create verified IDs from distributed documents, speeding the process of passing through security, customs or boarding a plane.

-       be used to provide real-time alerts about flight changes, status updates or emergency notifications.

“The potential of IoT commerce, however, requires airlines to embrace mobility, connectivity and IoT thought processes and strategies now. Because passengers, consumers and technology innovators are moving faster than airlines and retailers when it comes to technology and expectations, and the travel industry needs to play catch-up,” stated Gjerding.

Transactional capabilities of IoT Commerce

The fundamental transaction model is similar to that of a customary one featuring – a customer, a merchant, an issuer, and an acquirer.

The technologies that are required to process transactions does not change with the IoT – payments still have to go through the usual verification, authentication and security checks that are already in place, says Gjerding.

 A traveller transacts, the issuer authorizes the same and the flow of payment runs through to the acquirer and merchant.

“The IoT comes into action because of the role it can play in making transactions and commerce much more seamless, connected and transparent in peoples’ lives,” says Gjerding.

He says airlines should prepare for IoT commerce in the same way that they must prepare for mobile commerce: They must make conscious, tangible commitments to modernizing and streamlining their legacy systems around payments, data collection, data integration, security and other activities. Instead of storing data in separate silos or divisions, the IoT assumes that data can be accessed and acted upon in real time, regardless of where it originates. For airlines, the first order of business is to embrace mobile-first and IoT technologies, and then to make sure that airlines have the right internal expertise, third-party vendors and innovators in place to create real change.

“Instead of thinking about payment processes as a cost center, airlines need to embrace these new technologies and capabilities for their revenue-creating potential. As payments, shopping, travel booking and buying move rapidly away from cash and credit to the mobile and digital environment, airlines need to follow them there in order to capture the revenues that they’re already creating – revenues that will continue to grow as more consumers make the shift to mobile-first payments and as more “things” become connected to each other via the Internet,” explained Gjerding.  

Issues related to security and privacy

All customers and passengers worry about security and privacy of their information, especially when it is stored in the “cloud” or available online databases.

Cyber security specialists have been working on roadmaps and architecture of IoT security.

Gjerding says airlines and all businesses must ensure that their payment and security processes meet or exceed the current industry standards, and they must also be open to ongoing security innovation. According to him, blockchain processes, for example, are just one new type of technology that can be used for improving security, verifying identities and authenticating passengers and payments. “No doubt other new technologies, apps and IoT-enabled capabilities will emerge, and all companies – airlines or otherwise – must have their ears to the ground about what’s coming next so that they’re not caught off guard and are fully capable of leveraging and benefitting technology to their advantage,” says Gjerding.

Main challenges in progressing with IoT commerce

The main challenges involve technology and actual implementation.

Gjerding says for IoT capabilities to work, modern devices need to connect to the broader IoT network, and older devices need to be updated or replaced. And even more importantly, the private companies and public agencies involved in collecting and leveraging IoT information need to embrace IoT strategies directly into their organizations and operations, and they need to make sure that policies around data collection and privacy are modern, secure and foolproof.

“Nothing can put the damper on a new technology or bold new idea like lack of consumer trust. There's a balancing act involved – moving quickly enough to stay in touch with the market, revenue streams and travellers’ expectations, but not moving so quickly that critical precautions are overlooked,” he says.

Gestation period

There’s certainly a lot of innovation around the IoT, but broader implementation will take time as the rest of the world catches up to IoT innovation. IoT thinking and increasingly smartphones are leading to more sophisticated digital wallets and mobile payments – which will lead to personalized mobile wallets or payment technologies with predictive capabilities built in. IoT might extend to other transaction or authentication technologies, and some banks or companies are already experimenting with voice recognition, facial recognition, various kinds of chips, even pulse recognition as the identification-verification step needed for payments. Blockchain, a verification-authentication process developed for virtual currencies like Bitcoin, has the potential to evolve and grow as an underlying process for other types of virtual payments, peer-to-peer payments and other transactions.

When it comes to Internet technology and commerce – the sky is the limit, summed up Gjerding.

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Airlines need to plan diligently for an omni-channel payments offering. Ritesh Gupta finds out what needs to be done, and how to reap rewards.  

The value of delivering an omni-channel payments solution is in the ability to deliver data-backed, personalized customer experiences across all sales channels.

This requires the ability to capture data across all payments channels through a single integration. With a single overview, it’s possible for airlines to reduce their internal workload, streamline processes, and gain valuable insights into cross-channel customer payment preferences. The ultimate result is the increase in revenues.

Here we explore how to craft an omni-channel payment experience: 

• IT infrastructure:  There are airlines that are still using legacy systems that have been designed to handle credit card transactions only. Such infrastructure has limiting capabilities, and not designed to integrate with new technology. Importantly, it ends up being an investment decision. A mechanism is worked out taking into consideration all the sales channels and this layer deals with one or more payment service providers, and streamlines operations such as multi-acquiring switching, alternative forms of payment, reporting etc.

It is important for airlines to look at the entire payment chain, from gateway to risk, to acquiring, and identify areas in which they can prioritize improvements, says Sander Maertens, VP Travel, Adyen.

Airlines need to gear up for an integrated solution for the entire payment chain, as well as support alternative payment methods, and look for a single line of reporting and reconciliation. 

• Single view across all channels: It is important for airlines to capture data across all payments channels through a single integration.  Identifying travellers across payment channels, and thereby paving the way for a faster check out regardless of location or device they are using, is a clear benefit of an omni-channel approach.

• Making adjustments: Airlines need to adjust their operations, too. For instance, the settlement process of alternative payment methods can differ vastly. In case of SEPA Direct Debit, one of the preferred payment methods in Germany is asynchronous, meaning that there is no real time confirmation that the funds are guaranteed. As confirmation is given after several days, therefore this payment method should not be available with a short time to fly.

• User experience: The payment ecosystem is responding to the expectations of customers by looking at new ways in which you can shorten processing times and improve the customer experience. But even though mobile is now a primary sales channel, there are times when the experience isn’t optimized. The shopper flow is often compromised at the payment stage by two key failures – a clunky look and feel, and multiple steps to complete the purchase.

By offering dynamic payment pages that automatically detect the screen size of the consumer, the device, airlines can ensure a more seamless payment experience. In addition, offering features such as one-click payment, where at the checkout stage shoppers are given the option to have their payment details securely stored, will also optimize the mobile experience. With the rapid evolution of the mobile payment landscape, it is often key to work together with a payment to remain on top with the latest developments.

Benefits

• Combating fraud: In an omni-channel payment environment, data is again the key to minimizing fraud. By gathering data across channels, it is possible to determine a transaction’s fraud score by looking at specific data points such as device type, time to flight, ticket value and type of journey. By designing intelligent dynamic screening based on real-time analysis of the most comprehensive range of shoppers’ data, airlines can take a customized approach based on their specific requirements. This way it is possible to effectively reduce chargeback rates and minimize “false positives”, that is to say genuine customers that are declined.

• 3D Secure: Traditionally, online merchants have adopted a binary view to 3D Secure; implement it across all transactions, or don’t implement it at all. However, both of these approaches have problems. If you apply 3D Secure to all transactions, conversion will suffer, and if you don’t apply it at all, fraud will still be a factor. But there is a third possibility – selectively applying 3D Secure only to high-risk transactions, based on data customized to the airline. The way to do this is to dynamically assess and rank a transaction’s risk score on a scale from low to high, and then trigger 3D Secure only for the high-risk transactions. This means airlines can avoid routing genuine customers through 3D Secure, ensure a smoother payment flow, and minimize the potential conversion impact. By making 3D Secure a dynamic part of the payment flow, it becomes an asset rather than a conversion killer.

• Understanding cross-channel customer payment preferences: Once the infrastructure is in place, real-time API’s can deliver information about the payment preferences and behaviour. So be it for simplifying payment page, tailored options (for example, once its ascertained that the card user is a German, he or she could be offered a cheaper payment option suited for that nation), stored card details or optimizing for mobile, all can benefit a travel e-commerce brand.

Follow Ai on Twitter: @Ai_Connects_us and Checkout our events at: www.AiConnects.us

15^th November, 2019

Ai Editorial: Deepfakes supported by AI techniques today are considered to be a growing problem. It is vital to build AI systems that can automated deepfake detection so that risks such as identity fraud can be tackled, writes Ai’s Ritesh Gupta

Artificial intelligence (AI)-based identity fraud is emerging as a serious issue. Recognition of one’s voices and face as a way to validate a person’s identity is under scrutiny with the rise of synthetic media and deepfakes. Be it for security-related risks, user privacy concerns or fraudulent transactions, repercussions are being probed at this juncture.

Technology to manipulate images, videos and audio files is progressing faster than one’s ability to tell what’s real from what’s been faked. According to the findings of a study released last month, the number of deepfake videos almost doubling over the last seven months to 14,678.

The level of sophistication with which fraudsters are moving ahead is exemplified by the recent case in which an executive was duped into transferring $243,000 to a bank account, or even the news of top AI-researchers in the U. S. struggling to cope up with computer-generated fake videos that could undermine candidates and mislead voters during the 2020 presidential campaign. Such cases of fake phone call or a video file show how deepfake techniques are encroaching in the lives of the people in a wrong way.

Deepfakes are powered by deep learning AI. The algorithms behind this AI are fed large amounts of data. Eventually, by capitalizing on such data, “deepfake” videos manipulate audio and video using AI to make it appear as though someone did or said something they didn’t. It does pose a challenge to validating the legitimacy of information presented online.

The case in China

Zao, a free deepfake face-swapping app, not only exemplified how quickly deepfakes have gone mainstream but also triggered a privacy backlash amid concerns about identity theft. The Chinese app allows a user to use their photographs and then its AI engine changes their faces with those of celebrities featuring in video clips. Zao amended its policies, and stated that the app will not store the biometric information of users and transferring of data wouldn’t be done without consent.

This privacy storm was mainly in China, but the threat of this trend was acknowledged everywhere since the app indicated how the technology is now available for smartphone users. In no time, questions were raised about the possibility of payment-related fraud, too. With biometric technologies such as Alipay’s ‘Smile to Pay’ being increasingly adopted as a form of payment across China, the concerns were valid. Alipay currently serves over 1 billion users. Ant Financial Services Group, which operates Alipay, stated that its facial recognition capabilities were safe and its facial payment system won’t be breached. It also emphasized that the team has implemented rigorous, best-in-class privacy, security and risk control processes.  

What is coming under inspection is the efficacy of biometric security measures such as the voice and facial recognition. Can it be compromised by deepfakes that can almost perfectly imitate these features of a person?

Combatting threats

Initiatives are in the pipeline, focusing on automated deepfake detection.

Identity verification specialist, Jumio highlighted that it is “vitally important to embed 3D liveness detection into identity verification and authentication processes”. The company is working on plans to combat advanced spoofing attacks including deepfakes. Its offering was recently introduced as a beta.   

Facebook was recently in news for working on a ‘de-identification’ technology to morph a person’s face so that they remain unrecognisable to facial recognition technology.

Amazon Web Services (AWS), Facebook, Microsoft and other organizations have recently committed to initiatives that encourage work on technology that can be deployed to better detect when artificial intelligence has been used to alter a video in order to mislead the viewer. AWS has indicated that building deepfake detectors will require novel algorithms which can process a vast library of data (more than 4 petabytes). Established organizations have chosen to collaborate as it is being widely acknowledged that it is important to have data that is freely available for the community to use. For instance, Facebook is commissioning a realistic data set that will use paid actors, with the required consent obtained, to contribute to a challenge. No Facebook user data will be used in this data set, according to the company. Concrete results, especially better detection tools, are being awaited as the likes of Facebook and Amazon admit that identifying manipulated content and deepfakes is a technically demanding and rapidly evolving challenge. 

Deepfakes aren’t fading away, and their consequences are being felt on a global scale.

Hear from fraud prevention and cybersecurity experts at Ai’s next ATPS –

http://www.airlineinformation.org/upcoming-events2/370-2020-conference-dates.html

First Published on 30^th August 2017

Ai Editorial: Paying for ancillary products at the airport or limited payment options for in-flight shopping havent been as streamlined as some of the other options. Ai’s Ritesh Gupta learns how Amadeus is sorting these issues out.

Security and convenience are two key aspects of completing a transaction that make a traveller comfortable and assured about paying an entity.

But this has been one big hurdle for airlines as far as payments within the airport environment is concerned. Despite airlines selling more services at the airport, until now there has been no way to pay that is optimal for both the traveller and the airline. For instance, it is common for travellers to hand over their payment card to the check-in agent to use an infrastructure that’s shared by many airlines. The safety of such transactions can be questioned.

In this context, the roll-out of Amadeus Airport Pay, starting with the Lufthansa Group a couple of months ago, is set to help carriers to take secure payments at check-in desks.  It is a combined software-hardware solution which is wireless, making it completely independent of the common use check-in infrastructure found at the airport.

“Amadeus Airport Pay is the first wireless solution in the industry, which accepts EMV chip card or EMV compliant smart wallet payments and can be used by multiple airlines and ground handlers, and multiple banks, in any airport across the world,” says Dan Greaves, Senior Manager, Marketing, Payments, Amadeus IT Group.

According to Amadeus, it is also the only EMV solution that can be integrated with the Departure Control System, booking and ticketing flow, meaning payments are faster, more accurate and automatically accounted for. Pocket-sized and wireless, the solution has brought real mobility to airport payments and helped to improve the passenger experience.

Countering the problem

The Chip and Pin cards are far more secure, and installing a Chip and Pin terminal which only needs to talk to one bank is a straightforward process. The problem in the airport environment has been that check-in agents may represent one airline for 3 hours during the morning then a completely different airline a few hours later. So they need to process transactions, which will be directed to many different banks.

“The problem is compounded by the fact that the providers of the shared infrastructure at airports are – understandably – reluctant to integrate third-party hardware. Until now there hasn’t been a Chip and Pin solution which is compatible with the number of different merchants and banks found in the airport environment,” said Greaves.

“That means that either check-in staff have to send customers to a different desk at the other end of the terminal to pay for ancillary services such as excess baggage, which is clearly not a great customer experience, or payments are processed by swiping the magnetic strip on the back of the card. This is the same technology as was used in the old cassette tapes and just as easy to copy so security is clearly an issue.”

As Amadeus explained, there were three basic challenges to enabling travellers to pay for additional services at the check-in desk:

·      Security – While most of the world has migrated to EMV Chip and Pin payments in face-to-face environments, there are still many airport payments where the card data is entered via either magnetic swipe or, worse, manual entry.

·      Multi-bank / multi acquiring – check-in desks are shared between airlines so a payment system must be able to identify which payment is for which airline and, process the payment accordingly to the relevant airline’s bank.

·       Mobile – “It was not in our original solution. When first conceiving a solution we imagined it would be connected directly to the check-in desk. It was Lufthansa Group who suggested we “cut the cable!” to make a wireless solution. This makes the solution completely independent from the airport technology provider, making deployment much quicker, and enables airlines to take payment anywhere in the airport, not just at the check-in desk,” explained Greaves.

Amadeus’s payment platform, which provides the capability to process payments from different airlines each with different banks, has combined with Ingenico’s mobile payment gateway which gives access to a range of wireless EMV payment terminals.

Role of Ingenico

As for working with Ingenico, how did Amadeus go about the wireless gateway and meeting the contactless mandates from card schemes? According to Amadeus, as Lufthansa Group requested a wireless solution and at the same time Visa’s mandate requires contactless capabilities, the team had to find a partner to help achieve both these objectives.  There was a need to set up the right architecture, which would ensure compatibility with these mandates, as well as providing with future proofing against as yet unseen developments.

“We achieved this by ensuring that the architecture was not dependent on the payment terminal itself; new, updated terminals can be swapped in as required,” shared Greaves.

New opportunities

The arena of on-board retail, especially with the rollout of on-board Wi-Fi, has opened interesting opportunities for both travellers and airlines.

“Definitely, on-board Wi-Fi opens up the opportunity to process onboard payments in a much more flexible way, much the same as payments are processed on airline websites today. This has the potential to reduce fraud, increase the number of inflight payment options and reduce the overall cost of payment for on-board transactions,” said Greaves.

In the aircraft, travellers typically have the option to pay by cash or by card. But when a transaction takes place mid-flight it is often an offline process, which means that the payment is only processed after landing. This can leave airlines vulnerable to fraud.

A lot of airlines are also limited in the number of payment methods they can accept for inflight sales – in the vast majority of cases, inflight payments are limited to cash and cards.

“But with the growth of new forms of payment there is growing demand for customers to be able to pay using payment methods such as Alipay, PayPal and others. 

The growing availability of inflight Wi-Fi is solving some of these issues for airlines and travellers and opening up the possibility to manage inflight payments in the same way as payments are currently managed on an airline’s website,” mentioned Greaves.

Combatting fraud

Point-of-sale based malware has proven to be an area of concern in the retail industry. It has resulted in maximum credit card-related breaches.

Acknowledging the same, Greaves mentioned that this is a critical point and one of the main drivers for developing the solution in the first place. “The credit card data is encrypted by the payment device itself and is not stored there. With this point-to-point encryption we assure that the credit card data cannot be compromised. In addition, Ingenico put – as part of their general terminal products – measures in place that prevent the Chip and Pin terminals from being manipulated. Amadeus Airport Pay uses EMV technology that has a high layer of security thanks to their embedded microchip, which authenticates the card and allows to authenticate cardholders via PIN. This makes them a lot harder to counterfeit than magnetic stripe cards, which contain static information in the magnetic strip and is overall an older, less secure technology, which is more susceptible to fraud. The payment card details are encrypted by the payment terminal and are not stored on the terminal; the credit card data does not pass through the airport workstation either, reducing the risk of data being compromised. 

Follow Ai on Twitter: @Ai_Connects_Us

First Published on 7th October, 2016

Ai Editorial: If airlines adopt a risk-averse approach to managing fraud, then sales can suffer tremendously. Ai’s Ritesh Gupta explores this issue

When one talks about the role of machine learning in managing fraud, there is one question that immediately crops up.

How does machine learning take the onus and deliver – in terms of liability shift as well as handling fraud and boosting sales? The industry is already talking about 100% chargeback protection i. e. getting entirely refunded for any unauthorized transaction not getting detected.

As it turns out, a huge problem with the traditional rule-based fraud solutions and reliance on manual reviews lies in a risk-averse approach to managing fraud. Methods like these are overly focused on bringing down the fraud rate as close to zero as possible, and tries to prevent the first chargebacks from happening. When this happens, sales suffer tremendously.

Firstly, fraud managers would rather not take the risk of accepting a borderline transaction (which could be genuine), resulting in much greater false positives. At the same time, rules deployed (location based, amount based, time based, etc) limit genuine users from making transactions.

In addition to the effectiveness in detecting fraudsters, with machine learning, the system understands when to skip rules when positive behaviour is detected. Furthermore, an optimized algorithm (another form of machine learning) allows the system to optimize and make the most of all the transactions that are seen as part of a portfolio. Based on calculated risks, the system passes the optimized number of transactions while ensuring that chargeback rates are still under control. As a result, borderline genuine transactions can be passed and unnecessary rules and bans are lifted, improving sales greatly.

What hampers sales?

According to Justin Lie, Group CEO, CashShield, a SaaS based self-learning fraud prevention solution for ecommerce, around 3-4 years ago, airlines were reluctant to speak about big data and machine learning as they were still very reliant on payment gateways to handle fraud. However, in recent times, fraud has evolved to become much more complex, and airlines have increasingly come to understand the importance of fraud management to gain competitive advantage and optimize sales.

“We are definitely seeing a positive trend of airline companies gaining back control of their payment options, flow and procedures in the industry, and they are more and more knowledgeable about putting together the various pieces of puzzle to enhance performance,” Lie says.

The use of rules and manual reviews hamper sales and are not the most effective form of managing fraud, added Lie.

“When airlines move away from traditional methods, they must be comfortable with automating most or all of the fraud systems, which means that they can redirect resources to more important areas and focus on their core business, and also allows them to scale up operations much easily while keeping the cost managing fraud under control,” said Lie.

From detecting fraud to predicting it

When using traditional methods of detecting fraud (deploying hard rules and manual reviews), it is often based on analysing the standard fields (name, address, email, IP location, fingerprint and what can be found on the order form) and what transactions have passed through the hard rules. The problem here is that those standard fields and hard rules are extremely easy for fraudsters to manipulate and get passed once they have figured the rules in place. For example, it is now easy for fraudsters to generate hundreds or thousands of new fake emails, and once they realise that a time based rule (no more than 3 transactions in an hour) is in place, they will try to write their program to attack the system with 3 transactions per hour each time. Not only so, genuine customers are likely to be blocked. For instance, a geo-location rule would block customers booking transactions from ‘riskier’ locations.

Moving towards machine learning allows airlines to remove all these unnecessary rules that would have otherwise blocked genuine customers. The combination of big data and machine learning allows more effective fraud prevention. To simplify what has been said about big data and machine learning, big data is first used to collect information about the user’s behaviour on the website (how the mouse moves, what he likes or puts into his wishlist, etc), and this information is combined with machine learning, which uses pattern recognition to map the pattern of his behaviour to match it either with positive (genuine) or negative (fraudulent) behaviour, as well as predictive analytics that records the positive/ negative behaviour and uses that on future transactions for potential signs of fraud. Lastly, an optimized fraud risk algorithm should be used to make decisions on whether or not to accept a transaction based on calculated risks to best optimize sales while controlling fraud and chargeback rates.

Automating fraud analysis

Since the information and data that each airline collects are different (including their web structure and payment options), airlines should refrain from using a one size fits all solution. Instead, they should consider using fraud solutions that cater and adapt to their industry and business model.

Rather than collecting as much data as possible, the quality of the data and how the airlines use the data for better decisions in fraud prevention and increasing sales is much more important.

As for machine learning, it often encompasses different types, and simply using one type (predictive analytics) is insufficient. Merchants should learn to discern and understand the different types of machine learning, and be sure to know if the fraud solution uses only predictive analytics or covers more bases with more than one kind of machine learning. To “improve” machine learning, or rather just to get the best out of machine learning, businesses should deploy solutions that use more than just predictive analytics, or upgrade to a solution that uses predictive analytics, pattern recognition and optimization if they are still using traditional methods of preventing fraud.

Follow us on Twitter: @Ai_Connects_Us

Managing cross-device identity – it’s about helping and knowing customers

Passengers today look for better management of their digital identity, and brands, too, need to aid them and also serve them better via cross-device tracking, writes Ritesh Gupta, Ai Correspondent

How can I have more control over my digital identity? It’s a valid question as no ones like to manage so many usernames and passwords in one’s digital life.

We log in to apps, sites and devices. It can be quite a tedious job to remember all the passwords. Passwords aren’t expected to go away, but there is a chance that you could be soon logging in via facial recognition software.

Also, as much as a consumer is besotted by the idea of not to remember so many passwords, airlines, too, need to explore what they can do in this era of cross-device usage by identifying digital users with as much accuracy as they can. How tracking can be improved upon to serve a relevant message or aid in the journey of a passenger. This would translate into a customer experience, where one would be recognized for a true one-to-one experience.

Let’s assess some developments in the arena of digital identity and cross-device tracking, and how the same is impacting the overall customer experience:

• Making accessibility simpler: The use of several devices, and accessing same or different apps and sites is quite common. We would dread the idea of remembering passwords for all. Recognizing that passwords can be shared or stolen, Intel is already working on app that remembers passwords and automatically fills them in when one returns. Essentially it’s about logging in with your “face”. The company has come up with a limited version of facial recognition app, titled True Key.  So how does it work? A user’s distinctive features such as facial math and master password come into play. As for the security part, data isn’t shared or saved, but still nothing is “hack” free, at least of today. But Intel is definitely promising a robust protection in addition to the simplification of password management. A major attraction of this app – a user’s info syncs to all devices that are being used. It’s an absolute must in the age we are living. Intel continues to build and iterate the product. Airlines need to keep an tab on such developments and make the most of it to simplify accessibility of their digital touchpoints.

• Seamless experience across apps: The number of devices for our booking and also during the time of our journey that we are using is on the rise. In addition to a laptop, a tablet, and a smartphone, you might already be wearing a smart device on your wrist. Say, you are carrying all of this on the day of travel - iPhone, iPad and Apple Watch. Your digital identity and journey details need to “synced” across all devices. Tech-savvy brands are already doing this.

“With the addition of handoff and group data sharing HotelQuickly offers a truly seamless experience between all the HotelQuickly family of apps,” says hotel mobile-only booking app HotelQuickly’s COO and CMO Christian Mischler. If you make a booking on your HotelQuickly iPhone/iPad app, you will instantly be able to access that data on the Apple Watch app. If you’re looking at a previous booking on your Apple Watch, handoff will prepare that exact booking on your iPhone so you can view all the details in its entirety. “If you have not yet made any bookings and you are looking at the HotelQuickly app on the Apple Watch, we are preparing the HotelQuickly iPhone app for you to make a new booking. Just look for the HotelQuickly icon on the 'lock' screen of your iPhone and you know the handoff is ready,” says Mischler.

Airlines also need to know the limitation of each technology or app.

For instance, American Airlines, British Airways, New Zealand Air and easyJet have been in news for introducing smart watch services to help flyers check-in and board with QR codes, or alert passengers about flight delays or changes. However, as Leighton’s CEO Lyle McCalmont says, technical infrastructure needs to keep up. “We are already reading reports of Apple Watches not fitting under some airport access scanners,” he points out.

• Cross-device messaging/ ads: Cross-device tracking is all about recognizing a user behind various devices. Airlines will always struggle to craft an optimized customer experience programme if they aren’t sure of how passengers are interacting across devices. Similarly, what’s their conversion journey looks like. This if not done properly can result in wastage in ad spending, something that’s always been a point of contention when attribution is analyzed. Also, the timing and frequency of messages/ ads can hurt a brand if travellers receive meaningless content.

So what has improved in digital identity as far as tracking a user across various devices is concerned?

The debate around exact match or deterministic approach such as provided by Facebook or any other log in way, and implied match techniques or prediction-based approach continues. The specialists in prediction-based approach are increasingly saying the perceived gap in scale is coming down and so is the variation in the total figure of addressable users for each approach.

A major highlight of prediction-based tracking is that it is set up on data signals from ad requests across the web.

Those who specialize in probabilistic way assert that identify fragmentation is being handled better than ever, driven by machine-learning algorithms. Such specialists count on cross-device data points to probabilistically harmonize mobile device IDs to desktop cookies; forming a bridge between devices. 

So what’s the accuracy of prediction-based approach? There has been talk of over 95% precision. For instance, cross-device technology company Drawbridge shared that its model was 97.3% accurate in indicating a relationship between two or more devices (according to a release in April, 2015).

Follow Ai on Twitter: @Ai_Connects_Us and Checkout our Events at: www.AiConnects.us