
Ai Editorial: A mobile wallet is capable of addressing challenges related to the cost of payment, merchant fraud liability and the speed of checkout. Ai’s Ritesh Gupta assesses how airlines can embrace such an emerging option smoothly.
First Published 8th February 2016
The task of dealing with emerging payment options can’t be ignored. For instance, Apple Pay’s issuer total is already beyond 825 or so. As concerns about whether transactions via this mode are sizable enough recede, the focus is on ascertaining how to make the most of mobile wallets’ simplicity/user experience or role in the booking funnel.
Airlines have to work out a way to handle the proprietary functions and features of each of the emerging mobile wallets, and this is in addition to the existing multiple payment methods and sales channels.
As a specialist, Denmark-based Vivek Bhatnagar, VP Presales and Solution Architecture, CellPoint Mobile, points out that the primary challenge for airlines is to understand that there is no unified approach to improving or prioritizing the complex, costly and constantly changing payments ecosystem, and that this challenge exists for any merchant or retailer. He says no single payments vendor can solve the complex jigsaw puzzle with a comprehensive solution.
Being ready
Whenever a new payment method like Apple Pay, Android Pay or Samsung Pay launches, an airline or a merchant needs to talk to its PSP or acquirer to support it, and that payment method may or may not be an immediate priority for the PSP or acquirer. However, if the airline has its own payment layer, it can connect to a PSP that supports the payment method, or even connect directly to an acquirer that supports it.
As a result, as Bhatnagar also asserts, it’s imperative for airlines to have a thin but feature-rich and agile payments layer within the enterprise that can talk to or integrate with best-in-class external solutions.
With that flexible framework in place, airlines can enable easy on-boarding, omni-channel payments, multiple PSP/acquirer connectivity, independently stored PSP payments, APM aggregation and improved acceptance rates.
“Each of these features gives the airline the agility that is required to increase and protect revenue in the new digital age where the battle will be fought on speed and service. For example, in markets like Singapore/China where Android is the prevalent Mobile OS, having Android Pay and omni channel responsive UI experience will be the make or break decision with regards to the success of your mobile payment strategy,” says Bhatnagar.
Fragmentation in mobile payments
Apple Pay, Android Pay and other alternate mobile payment methods are expected to pose a major challenge to PayPal. Even though there have been discussions around how a new entrant can enter the transaction pie that features the merchant, issuer, acquirer and the card scheme, value is being created for the consumer.
Ultimately, the mobile payments ecosystem is going to be very fragmented, and this fragmentation is a reality that airlines must embrace and support in order to provide a wider range of solutions that customers will most easily adopt.
Bhatnagar says merchants need to take control of their payment ecosystem by owning their own payments layer that can deal with the fragmentation.
“Having a thin agile payments layer will give merchants the flexibility to tap into various sources using similar technologies like XML,” says Bhatnagar.
This provides merchants with an insulation layer from the complex dependencies of supporting different mobile operating systems and payment mechanisms from multiple external providers.
According to specialists, in practice, merchants with their own payments layer have a distinct advantage over those relying on external providers as they are able to rapidly adopt new mobile payment methods, and develop the perfect cocktail of payment methods and providers that matches the needs of their customers and the markets they operate in.
From a customer experience perspective, omni-channel enablement is what can make or break a sale. Airlines must provide seamless booking and payment experiences across all channels to match passengers’ behavior. For example, a traveller might search for a fare on a laptop at work, compare options on a smartphone on the way home, and purchase a ticket on a tablet at home that evening. Omni-channel enablement makes that three-stage process a smooth one.
eWallets were invariably part of retail giants, such as Alipay (Alibaba) and PayPal (eBay).
But now the space is evolving, with bank and network wallets emerging (Visa Checkout, MasterPass and ChasePay).
Bhatnagar acknowledges that VISA, MasterCard, Amex and Chase are all getting into the e-wallet space.
He says, “The idea is to offer ease of payment and bring about one-click payment readiness to the payment process. Businesses like VISA and MasterCard want merchants to continue to visibly use their brands in the new era of payments and are therefore aligning with e-wallets.”
Talking of Apple, Samsung and Google, these organizations are trying to step up customer ‘stickiness’ by integrating their technology into their consumers’ everyday lives. What should airlines take note of with reference to Apple Pay, Samsung Pay and Android Pay? And what should airlines avoid as far as these applications are concerned?
“Airlines are primarily merchants and they should ‘endeavor to embrace’ and adopt a nimble, agile but reliable payments platform that enables a suite of solutions,” recommended Bhatnagar.
The good news is most of the streamlining has been done by the providers themselves, an approach that eases issues with traditional payments. “In our experience, a stored payment solution, when implemented with mobile-based APMs such as Apple Pay and Android Pay, can bring in considerable incremental sales via the respective mobile apps,” shared Bhatnagar.
Follow Ai on Twitter: @Ai_Connects_Us


First Published on 7th July, 2017
Not everything on the “dark web” is illegal, but it is a marketplace where nefarious transactions related to stolen personal data for further unlawful acts take place. Ai’s Ritesh Gupta explores how one remains anonymous.
Questions related to safety of our digital assets and related IDs – be it for a banking app, email account, frequent flyer program and other accounts like Facebook, Twitter, LinkedIn etc. – do concern us from time to time. It isn’t easy to remember passwords for all accounts, and when you end up having the same password for all, then edginess does grip us. What if this all-important password gets stolen?
As consumers, we seek simple logins and frictionless shopping. Should we be more patient? Well, in reality, consumers don’t wait. The idea of answering “security questions” or authenticating something by logging in to another account and clicking on a link isn’t appreciated much. So this puts tremendous pressure on the entire digital commerce fraternity.
But, the fact is, the danger of being hacked or being a victim is seemingly getting stronger.
Critical data such as login IDs and passwords garnered by hackers are traded on the dark web. Such credentials are then exploited by cybercriminals for account hacking and online shopping.
Dark web – what is it?
When one reads about what can happen on the “dark web”, it becomes clear that this part of the Internet can’t be reached with the normal tools. The dark web is described as a collection of sites that can't be indexed by traditional search engines or opened with traditional browsers.
It doesn’t come as a surprise when one reads or hears about trading on the dark web, be it for your PayPal account, email id, credit card information etc. – everything has a value.
But a statistic such as an identity getting stolen in two seconds is menacing. Also, it is being pointed out that it is tough to keep track of the flow of money on the dark web.
It is said that owing to encryption, users can visit dark web websites anonymously. These sites exist within the so-called deep web. Content in the deep web is not automatically or fully concealed or anonymous, but it cannot be indexed in the way the surface web can. As for the dark web, it is a part of the deep web that is intentionally constrained and closed unless one has the precise tools to get in.
So how to get in?
I stumbled upon a post by Brett Johnson, who initiated AnglerPhish Security three years or so ago, sharing information as “a former cybercriminal to combat the very crimes he once committed”. He referred to the functioning of the world of the dark web and emphasised the significance of remaining safe while accessing it.
Johnson shared that accessing the dark web requires particular software, and the most common is TOR. It is used for online privacy. Johnson asserts “criminals love the TOR network” and if “properly used, it provides near bulletproof anonymity”. According to torproject.org, it can’t solve all anonymity problems and focuses only on protecting the transport of data. “You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use Tor Browser while browsing the web to withhold some information about your computer’s configuration,” states torproject.org. “Also, to protect your anonymity, be smart. Don’t provide your name or other revealing information in web forms.”
Anyone who is out there to fight cybercrime needs to be wary of accessing such a marketplace. There are details related to what needs to be done before using the TOR browser. According to dailydot.com, one should shut every open Internet program and use a VPN to link up to a place considerably away from where one resides. Doing this would mean that the current ISP won’t make out the usage of TOR, and the TOR entry node won’t be able to know the true IP address. One needs to access .onion sites on the TOR network in order to reach a marketplace.
What about catching culprits?
Not many cases are reported, but last month, the German police reportedly arrested the alleged administrator of one such marketplace from where a gun was purchased and used for last year’s shooting in Munich.
But the dark web isn’t disappearing. It has triggered various incidents of fraud. The list features point-of-sale attacks, and the dark web has also been behind other malicious developments, such as malware. Payments to sellers can be made via bitcoin in order to ensure details of the transaction don’t get disclosed.
According to a study by Equifax released earlier this year, websites that deal in file sharing on the dark web account for a 29% share and leaked data for 28%. Travel e-commerce companies are already looking at ways to curb the stealing of air miles, loyalty points etc. This is in addition to other illegal items.
Protection
Companies need to be wary of what can result in data theft and security lapses.
Airlines and travel e-commerce organizations need to be vigilant and be aware of where their sensitive information is stored. There is a need for stronger access or password controls (for instance, no passwords for mobile apps but rather a local authentication mechanism such as a fingerprint, PIN or face/voice recognition, plus a password complemented by a second factor), and for availing options such as public key cryptography to create secure authentication credentials. Companies including Facebook highlight that using security keys for two-factor authentication provides phishing protection, since there is no need to enter a code and the hardware provides cryptographic proof in the machine; interoperability, i.e. the same key for any supported online account; and fast login.
Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year (29 – 31 August, 2017).

First Published on 29th August, 2017
Ai Editorial: Managing revenue and fraud shouldn’t be about adding friction to transactions. One needs to set right expectations from initiatives such as Dynamic 3DS and biometric authentication, writes Ai’s Ritesh Gupta
Airlines, just like any other e-commerce business, need to cater to a variety of payment methods, currencies and devices.
As much as consumers experiment and embrace new forms of payment options, each new technological development introduces new avenues for fraud, meaning detection and prevention efforts need to be just as agile.
Airlines can’t afford to slip on one main count. Many fraud prevention methods introduce dilemmas between maximising revenue and minimising fraud – e.g. with more rules and the implementation of 2FA or multifactor authentication, fraud rates can be lowered, yet more genuine customers will be blocked; on the other hand, with fewer rules and lax authentication to maximize revenue, merchants will be more vulnerable to fraud attacks.

Avoid more friction for users
This dilemma only exists because airlines and travel companies are still relying on introducing more and more friction for users as a means of preventing fraud, says Justin Lie, CEO, CashShield. Citing an example, he says the newly introduced Dynamic 3DS promises greater conversions and fewer users blocked (on a case-by-case basis), but it still remains a rule-based system with restrictions that block users and introduce friction during payment.
The new version of 3-D Secure is being considered for supporting app-based purchases on mobile devices, and paving the way for sharp risk-based decisioning for frictionless authentication. Other aspects include multiple authentication options, including passcode and biometrics, and seamless integration into the checkout process. Even as this tool can play a part in combating illegal transactions and criminal fraud, airlines need to consider potential hurdles as well. As Lie points out, the problem with Dynamic 3DS is that it is controlled by card issuers and is therefore still working with the same set of data as before. “They are unable to tap on the merchants’ data for more information on fraud and are not as smart and flexible as they tout themselves to be. Therefore, merchants cannot expect Dynamic 3DS to be a be all and end all solution to solving fraud woes,” he says.
Merchants should still develop their own fraud tools that are able to tap on their own sources of data for greater efficiency and more accurate detection of fraud.
As we highlighted in one of our recent articles, rather than relying on hard rules, airlines should direct fraud prevention efforts towards behavioural analysis, which is compatible with all the various payment methods, currencies and devices. A further step in sustaining or even improving conversion rates for an airline can be to develop a decisioning algorithm with the mandate of maximising revenue at an optimal level of fraud risk. This will make the airline’s fraud prevention methods truly agile at maximising revenue while minimising fraud. Specialists point out that rules-based systems are in general reactive and probabilistic solutions, which is why they are unable to prevent fraud before it happens. Probabilistic frameworks only seek to train the system on historical data, and do not possess the expertise to move beyond probability scoring for fully automated decisions, thus crippling the system with manual reviews. Because of the need for manual reviews, rules-based systems also start to show cracks at high volumes, and reduce the company’s ability to scale on demand.
Being susceptible to unknown fraud attacks
Among other developments, the industry has also been focusing on Dynamic Authentication. It uses multifactor authentication, machine learning, fraud intelligence and advanced device recognition technology.
“While the intentions of Dynamic Authentication to stop fraud in its tracks may be applauded, it also introduces new problems for users and cannot be seen as the be all and end all. Multifactor authentication and dynamic passwords disrupt the user’s experience severely and are forms of unnecessary friction that will be especially felt by the older generations,” says Lie. He says that at the same time, Dynamic Authentication’s use of machine learning technology is still heavily reliant on, and trained with, historical data, using old (and dated) fraud patterns to predict future fraud. This means that even with Dynamic Authentication, travel companies can still be susceptible to unknown cyber fraud attacks.
“Dynamic Authentication is very counterproductive, considering the added friction placed on users. On average, only 70% of dynamic passwords delivered are used, while merchants see a 40% reduction in purchase conversion rates after introducing Dynamic Authentication. Cart abandonment rates also grow significantly, but merchants do not track these dropout rates. Merchants must understand that even if fraud losses are mitigated, their business potential and opportunity costs have been restricted, since many genuine users are turned away constantly,” explained Lie.
As for biometrics, this technology can turn out to be an important proof in indicating that a shopper did authorize a transaction. At the same time, as Monica Eaton-Cardone, COO, Co-Founder of Chargebacks911 points out, this would be futile if the card network won’t consider biometric data as verification. In one of her blog posts, she mentioned that the industry “must revisit their policies before biometrics can be a truly effective method of fighting fraud and recovering revenue”.
“Card networks need to make biometric authorization a cornerstone of the dispute process,” asserted Eaton-Cardone.
So it is imperative for airlines and all other travel e-commerce players to study in detail the utility of emerging tools and technologies. What is going to be their role in managing criminal fraud, friendly fraud, chargebacks etc., and at the same time, how do they impact the customer experience at the time of making a transaction?
Hear from experts at Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August).

First Published, 14th March 2016
Ai Editorial: When a one-click mobile transaction fails to go through, it shows a brand in a poor light, as one is used to accomplishing tasks quite swiftly on such devices, writes Ai’s Ritesh Gupta
A task on a mobile device at times is all about “a tap or one-time touch”. This also includes completing a mobile transaction in a jiffy. If all works well, the chances are we would indulge more in mobile shopping, as nothing can take away the impulsiveness or convenience of buying products via a mobile phone.
But this doesn’t always work out the way we desire.
UX issues
I do end up abandoning a buy or an in-app purchase when it takes too much time (blame it on the home Internet Wi-Fi connection despite having a supposedly fair download speed plan) or there is a complex issue related to acceptance of my preferred payment option.
I have been using Uber’s cab-hailing service. I love the Uber interface, but struggled with a recent journey.
Till last year my credit card details were stored, but I deleted them once Uber started offering the cash option (in India). On another note, I also downloaded the Paytm wallet app recently.
When I tried booking a cab via Uber last week, a message flashed, stating “balance not sufficient”. Post this I filled in my credit card details for a deposit of Rs. 1000/- or $15. I thought it would be a sort of a guarantee for my trip, in case I don’t pay cash. But even though I was instructed not to leave the app, I received a short message from my mobile operator about the addition of Rs. 1000/- to my Paytm Wallet. As for the taxi that I was trying to book, I was stuck within the app environment of Uber, and eventually I decided not to book. It was quite disappointing as the fare was to last only for a few minutes.
So why didn’t the payment go through? Maybe the Paytm wallet was designated as the payment option – maybe by default. But the point is the app should show me an option to pay via cash at the time of booking, as it is quite convenient. As for the amount, it started reflecting as the balance under the Paytm Wallet section of Uber.
When a user is asked to share credit card details against the time limit of a certain fare or a deal/package, one would expect the transaction to come through. Also, if the card details are stored in a safe environment and the one-click payment option still doesn’t work out in the check-out phase, it again disappoints.
Non-UX related one-click payment issues
One-click payment isn’t only about streamlining the user experience (UX) or integration issues (say a travel ecommerce app with a mobile wallet).
Be it for the Asia Pacific region or Europe, there are significant regulatory, regional and technological hurdles to deal with.
If we talk of Europe, there is a set of rules and standards for the execution of Single Euro Payments Area (SEPA) payment transactions that has to be followed by adhering payment service providers.
The realisation of SEPA called for a settlement on a general set of data to be exchanged in a common syntax.
As for merchants, there are several factors to be considered before they offer a choice of payment options to consumers. Optimizing reach and conversion while keeping the costs of payments low is of paramount importance. With the introduction of SEPA, it is being pointed out that caps on multilateral interchange fees will bring down fees for merchants.
Importantly, in order to facilitate cross-border sales and fuel the usage of one-click buy via mobile devices, specialists refer to interoperability. This would require a uniform e-identification system that can pave the way for a relatively swifter exchange of information.
But the concept of cross-border remains a practical challenge, for instance in Asia.
Prasanna Veeraswamy, VP – Products at hotel booking mobile app HotelQuickly, referred to cross border payment instrument acceptance and payment while travelling as a major hurdle. Citing an example, he said, “It is so difficult to use a Singapore-based American Express card while you are travelling in Thailand, as a One Time Password (OTP) will be sent to your home phone which you would not want to turn on while roaming internationally. A lot of times foreign payment instruments are not recognized locally too.”
New devices, new developments
Merchants can’t rest, and need to keep an eye on new devices.
It is clear that the evolving landscape has brought in new stakeholders into the payments ecosystem.
Veeraswamy referred to the following developments:
· Payment using wearable devices – There are new possibilities that are shaping up, for example, chips being used in conjunction with standard NFC modems in wearables. This protects users’ sensitive data and assists in secured contactless transactions. MasterCard is already working on plans to take payments to a gamut of fitness bands, smart watches and other wearable devices. Barclaycard has also unveiled several new wearable payment devices, with each device featuring contactless payment technology and to be powered by a secure digital wallet.
· Messaging based payments - LINE, WeChat, WhatsApp and Snapchat.
· OTP or one-time password kind of security moving to messaging platforms rather than SMS.
· Cross platform wallets that will be a merger of Apple Pay and Android Pay - one wallet that works across all platforms.
As witnessed with existing payment options and devices, the readiness of devices to support one-click payments is going to hold the key. It all seems exciting, but one shouldn’t forget the significance of simplicity and security. Otherwise any promise looks like a fancy feature, and has an adverse impact on the brand.
The ideal one-click mobile payment solution should manage identification securely and instantly, support all cross-border payment methods preferred by consumers, and combat the practical challenges that arise when a user is in the middle of a transaction, to minimize the chances of abandonment.
Learn more about the latest developments in the arena of digital payments at the upcoming 10th Annual Airline & Travel Payments Summit, scheduled to take place in Barcelona, Spain (26-27 April, 2016).


Ai Editorial: A tailored payment infrastructure and the internal structuring of teams, with multiple teams working in sync within an agile environment, pave the way for payment optimization at KLM, writes Ai’s Ritesh Gupta. He spoke to Maarten Rooijers, Senior Manager Payments, KLM in Phuket recently.
In an era where the number of ways in which a customer can pay has risen tremendously, facilitating such a wide variety of payment methods can be an arduous task. A merchant today is possibly expected to facilitate a transaction via every point of interaction.
In this context, an organization of KLM’s stature has led the way in embracing new technology and payment methods in a swift manner.
Consumers are indulging in technology and making the most of new devices to simplify what they wish to do. They are shopping for various products, including travel, through “voice”. Seeking Alexa and Google Assistant’s help in one’s native language is becoming a norm, and brands like KLM are responding to this trend. The airline is allowing users to search flights by giving spoken instructions. Once a suitable flight is identified, a link to KLM's site is provided to complete the transaction. KLM’s Blue Bot is based on artificial intelligence, which is linked to a combination of KLM and external tech.
So how to optimize the payment experience by balancing the cost vs. revenue analysis or assessing the intangible value gained from any initiative?
“There is a need to evaluate whether the new technology (or any payment method) would result in additional value for the customer as well as the merchant. It is the customer who decides how they wish to pay,” says Maarten Rooijers, Senior Manager Payments, KLM. Rooijers was recently in Phuket for Ai’s ATPS, where he explained the evolution of KLM's online payment strategy (alternative forms of payment online, leveraging social media, multi-currency pricing, roll out of mobile wallets, demo of payment via WeChat etc.).
“Some of the new options to pay are being propelled by innovation in this industry. Some are also being facilitated by social media,” mentioned Rooijers.

The Payment team works closely together with KLM’s Social Media team, which is also part of KLM’s Digital department. “Apart from the Payment team coming with initiatives to add new Payment options, it is sometimes a combination of initiatives coming from our establishments globally and requests from our SM team. It is not just about adding Google Pay, Apple Pay, Alipay etc., but it is also about making the booking process easier. As for the payment team, we chose to standardize the process. So rather than having a payment functionality in each and every front-end, it was decided to set up an independent payment platform or a payment engine. It is connected to “internal” customers/ front-end for payments,” explained Rooijers.
Infrastructure + Agility
The payment infrastructure and internal alignment pave the way for payment optimization at KLM.
“Internally, we started working via structuring or a framework like Scrum (to embrace agility). The number of product teams within the KLM digital is quite big. There are multiple teams working in sync within this agile environment, involving the front-end, back-end API teams, payments team…looking at implementing new projects/ features,” shared Rooijers.

In the agile set up, how often does the payments team interact with the other teams?
“It’s almost daily,” mentioned Rooijers.
The Payment system is called EPASS (Electronic Payment and Settlement System). As for how the team manages challenges pertaining to introducing a new payment option, for example, Alipay or WeChat Pay, Rooijers shared that the EPASS layer is what maintains the liaison between the internal applications, mostly front-ends where customers book their trip or buy their ancillaries, and the external partners/vendors – payment service providers (PSPs), gateways etc. “We are working with a number of PSPs and acquirers in order to be able to have a global offering. So when it comes to facilitating viable payment options from a new market or a region, rather than directly working with a new PSP, we prefer to route them to our existing PSP and work accordingly. Making a connection to a new PSP tends to be costly and needs resources. We therefore have selected PSPs with a wide global coverage. If there are any new relevant Payment options emerging not initially supported by our contracted PSPs, we request our PSPs to start offering these or, alternatively, partner with the local or regional PSP.”
“Having said that”, adds Rooijers, “we always will keep our eyes and ears open for other players in the Payment landscape. The market is changing constantly and rapidly and we want to continue to offer relevant payment options globally at the right costs and according to the most efficient process.”
KLM is offering 80 alternative payment options, and 10 of them are from the Asia Pacific region.

First published on 29th September, 2016
Loyalty fraud is a malice that continues to spread. It is up to loyalty practitioners to educate the senior management, including CFO and CEO, on the seriousness of loyalty fraud, writes Ai’s Ritesh Gupta
Are you thinking like a fraudster? Are you contemplating how your rewards program or FFP can be exploited by a criminal?
It’s time to take action. It’s time to be in control.
Fraud is happening, and it’s growing.
The onus is on businesses to respond, simply because consumers aren’t changing their behavior and as a result they are more vulnerable to fraud. In one of its recent surveys, ACI indicated that consumers are not really protecting themselves enough. For instance, they “leave phones (with ever increasingly available mobile wallets) unlocked and perform sensitive transactions on public computers”. And to make it worse, if the perception is weak, or there is not adequate customer support as a result of a fraud incident, then the customer moves on.
As highlighted in one of our recent articles, the fact that airlines present more earning and redemption options today, mainly via partnerships and rewards ecosystems, also means that the overall loyalty earning and burning lifecycle has paved the way for new means of fraud. We referred to the following initiatives to keep a tab on loyalty fraud – monitor activity, keep data/information secure, verify stringently, be savvy with data, avoid jeopardizing the customer experience and create awareness among consumers.
But, as I interacted with an experienced airline industry and loyalty consultant, Iain Webster, it became clear that there are other areas, too, that need to be focused upon. Webster, currently associated with ICLP, a part of the Collinson Group, in London as senior loyalty consultant, asserted that fraud is growing. “The fraudsters are getting more serious as they realise the gains to be had. Loyalty practitioners need to get serious too,” suggested Webster.
Aligning things internally for fruitful results
Importantly, the industry also needs to align itself internally in order to have a bigger control over the malice of loyalty fraud.
Webster said it boils down to too few airlines recognising that loyalty is big business.
“A successful FFP can easily bring in more revenue than a Cargo division, for example. It is up to loyalty practitioners to educate their CFO and CEO on the seriousness of loyalty fraud,” he said.
He said there are 2 main issues when it comes to combating loyalty fraud today.
1. Detection: Most loyalty programs sit within marketing departments and therefore have neither the skills nor the inclination to spend time and resource digging around looking for an unseen problem. Detecting fraud requires a mix of data, financial and technical knowledge, said Webster.
2. Prosecution: “I deliberately use the word ‘prosecution’ because that is the logical consequence of theft. Loyalty fraud is theft. Period. But it is not easy to persuade top management or the authorities that something of value has been stolen. Therefore in instances where fraud is uncovered the usual response is to do little more than close the account and blacklist the email address of the fraudster who is then free to move on and do it again somewhere else under an alias,” explained Webster.
So airlines need to dig deeper, and need to have resources and processes in place.
· Define roles and set up a process – The fraud/ security team needs to be established with clear definition of roles. Also, airlines need to establish business policies and operational practices in addition to implementing fraud detection and prevention tools. Is there a process in place to assess multiple data points in order to detect modus operandi? How to work out manual and automated tools to keep a tab on fraud related to loyalty? Who is going to decide on performance metrics and related accountability?
· Areas of improvement - Loyalty program fraud largely tends to revolve around purchase of points or miles via fraudulent or stolen credit cards, and taking over of loyalty accounts by a cheat/ imposter, who generally redeems the points or miles. Where do you think airlines can improve at this juncture? “Firstly, if they are not already doing it, airlines should apply the same rigor to detecting credit card fraud with point purchase as they do with revenue ticket purchase. Then I believe the issue is not so much ‘taking over’ of loyalty accounts, but one of identity theft where an account is set up by the fraudster using a stolen identity,” said Webster. “Anecdotally I can well remember ringing up the genuine individual who was the named person on an account we had under investigation only to spend the first ten minutes trying to explain to him what a frequent flyer program was. He had no idea that the fraudster, his travel agent, was operating the account and then selling on the redemption tickets.”

· Understand new developments – A lot is being talked about real-time, behavioral analytics-based fraud detection and prevention. “I would like to see greater use of technology and data mining to detect suspect behaviour patterns in much the same way as the insurance claims industry has been doing for years,” suggested Webster. Specialists highlight that behavioral analytics can be banked upon to discover and probe changes in user behavior with precision. So one can come to grips with complex fraud patterns with high accuracy based on dynamic user behavior modeling.
Loyalty Fraud Association
A new association, Loyalty Fraud Prevention Association, has been set up to fight loyalty fraud.
“By bringing together loyalty managers from different industries, travel, financial, and retail we will create an environment of shared knowledge of the techniques being used by the bad guys and the counter-measures that others have found successful. This way we can alert our members as to existing and potential scams. The loyalty version of Interpol. Maybe ‘Interpoints’ ?” said Webster, president, Loyalty Fraud Prevention Association.
A two-day event, Annual General Meeting - Loyalty Fraud Prevention Association (LFPA), is scheduled to take place in London (Nov 9-10) this year. The agenda: Is your loyalty program protected?
For any query, email - cstaab@aiconnects.us

First Published on 31st July, 2017
Ai Editorial: When airlines can actively involve their loyal customers, incorporate their inputs while designing benefits and tier-levels, they can also alert them and highlight the significance of account security and password protection. Is enough being done, questions Ai’s Ritesh Gupta
As of today airlines are suffering as the malice of loyalty fraud is on the rise. The latest news of Canada’s WestJet stating that “some WestJet Rewards member profile data has been disclosed online by an unauthorized third party” has once again underlined the threat of such attacks. Airlines need to quickly assess the safety of members’ data and accounts at this juncture, if they haven’t done so in the recent past.
In case of WestJet none of the data contained credit card or banking information, but this is a precarious issue. Rewards cards not only have a customer’s name, address and telephone number, but are frequently linked to partial credit and debit card information as well. It is enough for cybercriminals to work out an “identity” and go on a crime spree.

Are passengers aware or don’t care?
Airlines need to work out stronger means to safeguard members’ privacy. Even as airlines such as WestJet are working with the government, law enforcement agencies and the technology industry to combat the growth of hacking and other cybercrimes, it is important that the significance of shielding their respective passwords is conveyed to members.
According to digital security specialist, Gemalto, customers “often have thousands of points saved but many never think their frequent flyer points are at risk of being stolen”. The team goes on to add, “…they never think anyone would want access to their points.”
Significance of being aware
There are security challenges that an organization needs to manage, but members, too, need to be aware of how to take small steps to be in control of their own accounts. Considering the number of cases featuring compromised usernames and passwords, program members, too, can be involved in taking appropriate action before the situation goes out of control, and both the brand and customers end up being at the receiving end.
Just like on-board flight safety is imperative (we all go through it despite it coming across as a mundane exercise for travellers on flights) and airlines even find creative ways to convey the message, similarly, airlines need to create awareness about password protection from time to time. For instance, how does malware get installed on a PC? It could be via logging onto a fake website or phishing scam (email that looks as if it’s from airline’s FFP). So why not create awareness about the same? After all, it is for the benefit of loyal members, too.
Carriers must prompt members to update their current ID and password, and provide guidelines for making them more secure. How to keep the device safe from malware and viruses?
Among the other areas:
· Airlines can encourage members to check their accounts or status on a regular basis. Is there any redemption they can’t fathom or weren’t involved in? Are miles or loyalty currency being used without the knowledge of a member? Considering the fast-growing market for the tangible value of stolen reward points/ miles and hackers’/ fraudsters’ capabilities to steal the same, this calls for more proactive action.
· Do members of a frequent flyer program treat their respective loyalty accounts as credit card information? This type of fraud is similar to card-not-present fraud. An account can be hacked by capitalizing on weak passwords, stealing of identity etc. So it must be highlighted that if fraudsters gain access to an account, they can seize points/ miles and rob loyal members by availing redemption options (the other threat is data breach). As Michael Smith, Managing Partner, Airline Information and Co-Founder, Loyalty Fraud Prevention Association (LFPA), says, passengers (or customers at large) should be wary about which Wi-Fi they are connecting to, and as FFP members they must also be cautious about sharing their name and account number. “With those two bits of information, fraudsters just need to guess your password and they are in to your account,” he says. Smith asserts that a flyer shouldn’t share or post the picture of a boarding pass, as it features vital information.
So organizations need to inform travellers about simple mistakes that can unknowingly create havoc with loyalty or FFP accounts.
Being more vigilant and proactive
As for airlines, the responsibility is bigger than ever since the use of bots and the proliferation of stolen data on the dark web are flourishing.
They have to rely on a set of assessment tools, such as device identification, geo-location, device intelligence and user-behavior profiling.
As Gemalto suggested recently, operators of FFPs or loyalty programs should check whether a loyalty account has been accessed from a device that isn’t recognizable or registered, whether an unidentifiable device has modified personal or account details, whether there has been an abrupt use of points or miles much higher than done previously, whether multiple tickets have been purchased with names differing from the account holder, etc.
Also, one of the common causes of security breaches involves bad security practice by employees.
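The checks listed above can be expressed as simple rules over an account's recent events. The following is an added example, not code from Gemalto or any airline; the event fields, the 3x spike threshold, the name-count limit and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

SPIKE_FACTOR = 3      # assumption: redemption > 3x historical average is "abrupt"
MAX_OTHER_NAMES = 1   # assumption: more than one non-holder passenger is suspicious


@dataclass
class Account:
    holder: str
    known_devices: set        # device IDs already registered to the member
    past_redemptions: list    # points used in earlier redemptions


@dataclass
class Event:
    kind: str                 # "login", "profile_change" or "redemption"
    device_id: str
    points: int = 0
    passenger: str = ""       # name on the redeemed ticket, if any


def _norm(name):
    """Compare names case-insensitively and ignoring extra whitespace."""
    return " ".join(name.split()).casefold()


def review_flags(account, events):
    """Return the sorted list of review flags raised by a batch of events."""
    flags = set()
    other_names = set()
    # With no redemption history there is no baseline, so no spike is flagged.
    baseline = mean(account.past_redemptions) if account.past_redemptions else 0
    for ev in events:
        unknown_device = ev.device_id not in account.known_devices
        if unknown_device and ev.kind == "login":
            flags.add("login_from_unrecognized_device")
        if unknown_device and ev.kind == "profile_change":
            flags.add("details_changed_from_unrecognized_device")
        if ev.kind == "redemption":
            if baseline and ev.points > SPIKE_FACTOR * baseline:
                flags.add("redemption_far_above_history")
            if ev.passenger and _norm(ev.passenger) != _norm(account.holder):
                other_names.add(_norm(ev.passenger))
    if len(other_names) > MAX_OTHER_NAMES:
        flags.add("multiple_tickets_for_other_names")
    return sorted(flags)


# Constructed sample data (not real members or devices).
SAMPLE_ACCOUNT = Account("A. Sample", {"dev-home-1"}, [10000, 12000, 8000])
SUSPICIOUS_EVENTS = [
    Event("login", "dev-home-1"),
    Event("login", "dev-x9"),
    Event("profile_change", "dev-x9"),
    Event("redemption", "dev-x9", points=45000, passenger="B. Other"),
    Event("redemption", "dev-x9", points=40000, passenger="C. Another"),
]
BENIGN_EVENTS = [
    Event("login", "dev-home-1"),
    Event("redemption", "dev-home-1", points=9000, passenger=" a. sample "),
]

if __name__ == "__main__":
    print(review_flags(SAMPLE_ACCOUNT, SUSPICIOUS_EVENTS))
    print(review_flags(SAMPLE_ACCOUNT, BENIGN_EVENTS))
```

Flags like these are inputs to a manual review queue or a scoring model rather than grounds for automatic blocking, since a genuine member can also log in from a new phone or redeem for a family member.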
As highlighted in one of our recent articles, Botnet attacks on loyalty programs, how to negate them?, airlines need to identify the ways in which account information can potentially be accessed, in all probability via a blend of phishing scams, identity theft, and cracking of feeble passwords. Overall, the fraud prevention initiative, via behaviour analytics, device identification and tightening of data and IT infrastructure, needs to offer protection to loyal members.
Hear from experts about loyalty fraud at the upcoming 2017 APAC Loyalty Fraud Prevention Workshop, to be held in Singapore on 23rd August this year, or attend Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August).
Follow Ai on Twitter: @Ai_Connects_Us

A CEO books a trip worth $12000 with an OTA. But what if he is a fraudster who has found a way to deceive the agency? Ai’s Ritesh Gupta learns about a couple of real experiences of OTAs
Online travel agencies (OTAs), even the established global intermediaries, continue to be victims of online fraud.
Take the case of Booking.com, known for its agency model or letting bookers pay the hotel upon checkout. The OTA was in the news late last year for fraudsters gaining access to contact details of customers, and they allegedly contacted them for pre-payment of their respective bookings. Booking.com acknowledged that 10,000 people were affected, and acknowledged that there is a need to combat fraud, which is now described as an organized crime. There were concerns, and stakeholders, including OTAs and hotels, were questioned about the security level of their systems/ websites.
So the question then is: how to shield customers’ personal and financial information?
Travel companies need to understand how hackers are gaining access to system data or server functionality.
Data breaches are happening, and one cause could be the manipulation of a web application, where a fraudster tricks that application into performing commands and accessing data. Another way is to get hold of an authorized account by focusing on session IDs and eventually stealing them.
OTAs frequently receive complaints from customers about unauthorized credit card transactions. Experts recommend that additional steps be implemented to curtail the risk of credit card and personal data exposure, such as compartmentalization and tokenization on the inside of the company’s DMZ (demilitarized zone: a network added between a private and a public network to provide an additional layer of security). This is being considered a vital add-on to firewalls and external fraud measures. Such a mechanism keeps a tab on, acts on and reports dubious activity, and can feature configurable fraud-alert rule sets, data-profiling modules, and other validation methods.
Also, at another level, it is important to know how to strike a balance while focusing on stringent fraud rules. These can result in reduced acceptance and revenue. Also, what safeguards exist to allow for loosening fraud rules? Optimizing acceptance means more fraud will slip through – an extra layer of defense is needed to catch it post authorization.
Dealing with fraud
For a security professional, the risk of being too cautious can result in a loss of revenue. OTA executives shared a couple of experiences of how the team manages fraud.
A senior executive associated with Mumbai-based OTA Cleartrip.com told us: “If a fraudulent transaction happens, then we filter it out and blacklist the card used, email and phone number. We can’t block the name as there could be multiple customers with the same name. Overall, the variables that are taken into consideration while assessing transactions are IP address, phone numbers, device ID, email id (domain name) etc.” The same executive mentioned that there are times when certain transactions are doubtful, and these are put on high priority for a manual check. “That’s where smartness comes in, scrutinizing the confidence level of the booker. For instance, there was a booking worth US$12000 or so that we kept on hold. The claimant user of the card, actually a fraudster, was residing in another country, he intended to travel in that country, and was claiming to be the CEO of an IT company. He was repeatedly making calls to check why his booking wasn’t going through. And then when we assessed his LinkedIn account, we found there was not even a single connection. So that’s a call every security team has to make. You could be interacting with a fraudster, and you might abruptly ask him what’s the time where he or she is located. It’s all about getting closer to authenticity of the information or even checking the confidence level.”
Here it needs to be mentioned that the booking experience of a customer shouldn’t be jeopardized.
I know of a recent instance where an airline called up my colleague in the U.S. at midnight, who had booked me for a Delhi-Bangkok trip. The airline had concerns about the itinerary, considering that the booker was in the U.S. But my colleague felt the check needed to be more vigilant, considering that the airline had information about him, and disturbed his sleep by calling at odd hours.
Another OTA told us about an interesting movement that was being witnessed on their site. It was related to “seemingly Russian citizens” booking itineraries featuring a particular LCC in the Middle East. “The bookings featured destinations like Moscow, Kiev, Bishkek, Almaty etc. Most of the passengers booked through these transactions sounded like Russian citizens (female names ending with “ova” or male ones ending with “ev”).” The carrier had strict policies, and before the OTA could verify and reach out to the airline, fraudsters were cancelling those flights, and gaining credit vouchers for future bookings. “We eventually decided to cancel the sector.”
Moving on
Fraudsters always move on. Managing online fraud is an ongoing initiative, one that needs constant improvisation for better results. If this is not the case, then a travel organization would end up being a soft target, leaking revenue that shouldn’t have slipped from its grasp. In fact, despite having a team in place, one can still suffer at the hand of fraudsters.
A spokesperson from Cleartrip.com told me: “With the RBI mandate for third level of authentication, the frauds on Indian issued cards have reduced. However, the fraudsters have now shifted their focus onto the cards issued outside India. They specifically target cards issued in the U.S., the U.K., Australia etc. The current trend in the market is - the fraudster is booking non-refundable and non-cancellable tickets to avoid any action from the fraud detection teams. Fraudster is also targeting the immediate flights on domestic and international sectors.”
So what are the challenges that OTAs typically face in detecting and neutralizing fraudulent transactions?
The first issue here is limited help from the airline/ supplier/ hotels. Cleartrip.com told us: “We lose a lot of revenue to the cancellation charges by the airline in case a fraud transaction needs to be cancelled. Sometimes the tickets are non-refundable and non-cancellable and we need to let the fraudster fly on these bookings even though we detect them well in advance.”
The second is limited help from the law enforcement agencies and issuing banks in case there is any opportunity to nab the fraudster. In this case, merchants are looking at support from the issuing bank, which isn’t forthcoming in most of the cases at this juncture.
Here are a few recommendations from Cleartrip.com:
· Effective transaction monitoring
· Best practices to avoid chargeback debits

First Published on 17th September, 2018
Ai Editorial: Considering the growth of mobile commerce, it is imperative for travel merchants to assess how fraudsters are crafting new techniques and tools for executing fraud through mobile devices, writes Ai’s Ritesh Gupta
Merchants can’t ignore mobile commerce. In fact, it doesn’t come as a surprise to see the way travel merchants are enhancing their apps with digital features and capabilities. The consumer is mobile and interconnected across multiple devices, shopping and switching from one to the other.
Shopping via mobile devices is flourishing. The growth rate is faster in certain countries, with China leading the way (m-commerce reached 93% of all e-commerce sales last year in China). In the U.S., an estimated 30% of all online sales are made on mobile devices. In Europe, transactions on mobile and desktop are estimated to be split 50-50. But is there any threat that is being ignored by travel merchants as the world of retailing is now mobile-first in most parts of the world?
“A new mobile commerce-related fraud technique that we found has emerged is the use of app cloners and machine learning techniques to create synthetic device identities,” says Justin Lie, CashShield’s CEO.
Mobile and synthetic identity fraud
Synthetic-identity fraud has already been described as one of the fastest-growing forms of identity theft in the U.S., according to the Department of Justice, as reported by CNBC.com in June this year. This kind of theft involves working out a false identity using either fabricated or valid elements, such as a Social Security number, name, address, date of birth etc. As we highlighted in one of our articles this year, it often is not identified as fraud and the crime can go undetected for an indefinite period.
Even cloning has proven to be an issue for those who have been trying to control mobile device fraud.

For instance, a SIM swap attack in which a mobile number is hacked remains a problem. The fraudster takes control of a legitimate mobile user’s text messages, calls etc. Then login credentials are obtained through social engineering, phishing, an infected downloaded app etc. Reverse engineering of mobile apps to add malicious code, too, has been around for a while.
As for how app cloners are being used in a malicious way, Lie shared, “Using app cloners, fraudsters can masquerade as multiple users to trick systems since the different transactions or logins will be detected as unique devices.”
Swift response
In one of its recent blog posts regarding mobile bank fraud, Microsoft Azure stressed the significance of latency and response time when it comes to fraud detection. The team mentioned that the time taken by a bank to respond to an illegitimate transaction “translates directly to how much financial loss can be prevented”. The response, or detection, needs to happen within a mere two seconds.
“This means less than two seconds to process an incoming mobile activity, build a behavioral profile, evaluate the transaction for fraud, and determine if an action needs to be taken,” recommended the blog.
In this context, as Lie also stated, machine learning can be used to identify such new forms of fraud.
“For instance, whether or not an app cloner has been used may be collected and analyzed as one of the data points, in addition to the other various data points that will be analyzed to identify hidden patterns between the same transactions by the same fraudster,” mentioned Lie.
Making the most of signals
As for what signals are being considered for transactions coming from mobile when it comes to previous purchases and also pattern recognition for possible fraud in the future/ unknown attacks, Lie indicated that rather than focus on the signals for fraud, the company often tends to focus on signals that may point to positive genuine behavior of the user making the transaction. For example, if the user chooses to connect with social media, that is more likely genuine as most fraudsters who want a quick exit would not bother connecting with social media in making transactions.
“However, such signals are not necessarily accurate in pointing out fraud - a more sophisticated fraudster might put in more effort to imitate a genuine user, and connect with social media just to trick the system. Therefore, what is more important in identifying unknown attacks would still be to use real-time pattern recognition to draw patterns between incoming transactions, and identify coordinated fraud patterns,” added Lie.
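One way to draw patterns between incoming transactions when app cloners make each one appear to come from a unique device is to link transactions through the other attributes they share. This is an added example, not CashShield's method; the field names, the choice of linking attributes, the three-device threshold and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: attributes that can tie "different" devices to one actor.
LINK_KEYS = ("card_token", "email", "phone", "ip")


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def coordinated_clusters(transactions, min_devices=3):
    """Group transactions that share any linking attribute, directly or
    through a chain, and report groups spanning many device identities."""
    parent = list(range(len(transactions)))
    first_seen = {}  # (attribute, value) -> index of first transaction using it
    for i, tx in enumerate(transactions):
        for key in LINK_KEYS:
            value = tx.get(key)
            if not value:
                continue  # missing attributes never link anything
            j = first_seen.setdefault((key, value), i)
            parent[_find(parent, i)] = _find(parent, j)
    groups = defaultdict(list)
    for i, tx in enumerate(transactions):
        groups[_find(parent, i)].append(tx)
    clusters = []
    for members in groups.values():
        devices = {tx["device_id"] for tx in members}
        if len(devices) >= min_devices:
            clusters.append({
                "tx_ids": sorted(tx["tx_id"] for tx in members),
                "devices": len(devices),
                # The app-cloner indicator is one more data point per cluster.
                "cloner_hits": sum(1 for tx in members if tx.get("app_cloner")),
            })
    return sorted(clusters, key=lambda c: c["tx_ids"])


# Constructed sample: t1, t2, t3 and t5 look like four devices but chain
# together via a shared email, a shared card token and a shared IP address.
SAMPLE_TRANSACTIONS = [
    {"tx_id": "t1", "device_id": "d1", "card_token": "c-111",
     "email": "a@example.test", "ip": "203.0.113.5", "app_cloner": True},
    {"tx_id": "t2", "device_id": "d2", "card_token": "c-222",
     "email": "a@example.test", "ip": "203.0.113.9", "app_cloner": True},
    {"tx_id": "t3", "device_id": "d3", "card_token": "c-222",
     "email": "b@example.test", "ip": "198.51.100.7", "app_cloner": False},
    {"tx_id": "t4", "device_id": "d4", "card_token": "c-999",
     "email": "z@example.test", "ip": "192.0.2.44", "app_cloner": False},
    {"tx_id": "t5", "device_id": "d5", "card_token": "c-333",
     "email": "c@example.test", "ip": "198.51.100.7", "app_cloner": True},
]

if __name__ == "__main__":
    for cluster in coordinated_clusters(SAMPLE_TRANSACTIONS):
        print(cluster)
```

Linking on IP address alone can merge unrelated customers behind a shared network such as an airport or office Wi-Fi, so a cluster is a lead for review, not a verdict.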
Although most European countries, Canada and a number of other markets have adopted mandatory Chip & PIN on physical card payments, removing signature as a form of authentication, there are many markets around the world that are yet to go through this transition - most notably the USA. But the pace of adoption of Chip & PIN is heating up, for example many markets in Asia will be going through this transition over the next few years, with the intentions of, and mandates from, the relevant Central Banks and/or international card Schemes already published.
Even though each market is different and has a distinctive history or legacy surrounding its card payment system, before embarking on the Chip & PIN transition it is worth reviewing what has occurred elsewhere and the learnings from countries that have already “been through the change”. In this regard, Airline Information is pleased to be able to provide access to “PIN@POS: Australian Case Study” as a free download.
The payments consulting team of the RFi Group led the PIN@POS initiative on behalf of the Australian card industry, culminating in the removal of signature on 1 August 2014. They have written the Case Study based on their detailed knowledge of a two and a half year journey to PIN@POS, and it provides valuable information for those already on or about to start down the same road. Indeed, readers contemplating an industry-wide coordination of any sort may derive benefit from this case study. We hope that our readers can benefit from these learnings in their own implementation efforts.