Ai Editorial: Cash, mobile, cards, POS … not easy to deal with payments in Asia

First Published on 26th August, 2017

Ai Editorial: Be it for cash for transactions or an ecosystem like WeChat or use of credit/ debit cards, payment in Asia remains wide and diverse. How are airlines gearing up for the same, explores Ai’s Ritesh Gupta  


Any airline operating in the Asia Pacific region needs to diligently prepare for accepting payments. Working on such initiatives features many aspects that go beyond finalizing payment methods, and these include setting up processes and controls (currency management, currency heading, fraud prevention, and reconciliation and reporting), and compliance (PCIDSS, sensitive data protection, costs and reliability).

For instance, there are many markets such as cash-driven countries like Philippines where credit card acceptance simply cannot be compared with Singapore or Australia. And then China can be completely different, considering the popularity of payment options such as Alipay and WeChat Pay.

“Payment is quite wide and diverse (in the Asia Pacific region). Go back by five years there were only few forms of payment -cash, credit card, debit card…and that’s changed significantly over the last couple of years. Even if you consider just one country, say Singapore, where Scoot is based, it is a credit card, debit card-led market. And if one considers Philippines, more than 85% is via cash. For an international airline, with operations across Asia, one size doesn’t fit all,” says Trevor Spinks, Head of Sales and Distribution, Scoot-Tigerair.

Relying on local agents/ staff

So how an airline can gear up for Australia, a market which is credit card, debit card-led versus Philippines which is going to be different with cash being the preferred payment option?

“There is a need to remain close to your international markets. Do we have the correct strategy for payments in these countries? There are some countries where you need to cater to cash, there are some countries where an airline would need to take payment via 7-Eleven convenience stores. We have recently witnessed (the emergence of) Apple Pay, Samsung Pay coming in to the market, and expect Google Pay to available soon. So each market has a lot of different payment methods,” explained Spinks.

“So relying only on credit cards and debit cards as a method of payment as an international carrier is wrong. There is a need to work on a payment strategy for each country you are in. The best way to approach the same is seek feedback from GSAs (general sales agents) or country managers. They are ones who know their respective markets inside out and share popular payment methods and trends. So one can prioritize and be ready to accept payment via methods that are relevant, and can be fulfilled by airline websites or call centres.”

Special preparation  

China is a unique market in the whole of Asia.

It’s almost that you can think of China as one area, and can segregate it from the rest. Facebook and Google aren’t really relevant or functional in China, and as Spinks, says payment methods are even more distinctive in this market.

“Scoot flies to 18 destinations in China, and that’s a significant part of our network. We will be offering WeChat as a payment option soon. The complexity for WeChat pay is huge. It doesn’t use normal software language. WeChat Pay have their own language. So one needs to work with WeChat or 3rd party experts,” says Spinks. It is important as a massive chunk of population uses WeChat. “So it is about using what they use every day to fly Scoot. But, yes, China has very specific requirements, and different rules and regulations.”

He further explained: “So in terms of how you manage and work around this diverse payments world in this region, consider an airline which flies to 10 countries and each country has 5 forms of payments. And if all forms of payments are different from all the other markets, then there would be 50 forms of payments. You do need payment providers and acquirers. We work with Worldpay. They are already work with a number of payment distribution capabilities in several countries, and when airlines reach a certain point, they can work with one specialist and this allows an airline to straightaway tick, say 30 out of 50 payment methods, at one go.  At times, there is a need to work directly with 3rd party suppliers. WeChat is a great example. We might have to work directly with WeChat to work it out for us. So it is a very diverse and hard area to manage. There is a need for a dedicated person within the airline to look after this. Also, you need expertise within each of the market to understand, whether say is 7-Eleven convenience store a viable option or is the popularity decreasing and in two years time no one would be interested in paying via this option. So then no point in investing in that payment method.” 

As for consumers, airlines need to study how smartphones are shaping up their payment choices. How age and gender play a role in payments and where does travel as a shopping category fits in.

As new payment types become culturally engrained, users initiate to count on them for higher value transactions such as travel.

Other factors that need to be considered are:

·          Know the local requirements, such as whether airlines are required to partner with a local entity in order to start connecting with local consumers. What sort of benefits does a local payment gateway offer, other than meeting legal requirements? Can one partner facilitate different methods - convenience store (tend to be semi-digital payments - a consumer takes a code or a QR Code associated with a booking and pays), online banking etc.?

·          What are the complexities of integrating with a particular alternative payment method? Is extra cross-channel payment interface design and development required if airline goes directly with local payment platform?

·          Unlike credit card, each of the payment options in Asia has its uniqueness, e.g. transaction limit, availability of refund, no pre-authorization, chargeback rights. What is needed to design and implement necessary payment interfaces and processing flows?

·          What is needed to consolidate payment transaction especially for more easier reconciliation and reporting of sales and settlements across payment options?

·          Implement necessary payment controls according to the difference of processing by payment types (e.g. refund, void, capture).

·          Implement fraud monitoring and prevention across payment options. “Fraud becomes a bigger problem, bigger the airline becomes. So when we were small, we weren’t worried about fraud, we had relatively bigger issues (to sort). But now we have around 40 aircraft, and flying to 18 different countries, fraud can be a big “number” annually. So a partner such as Adyen or Worldpay can also help with fraud solutions. But what you need here and what generally falls under the finance department, you need people would be measuring and tracking fraud. So if one country had a fraud value of 1% and the norm is 3%, then its fine. And another one had a value of 10%, so there are significant issues in that country and you have got to measure it. And the onus also lies on the 3rd party partner to sort it out. And of course, fraudsters also find new way of cracking the system, so it is always a cat and mouse game,” concluded Spinks.


Hear from experts at Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August). For more info, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Managing transactions and fraud with new tools…be realistic with expectations

First Published on 29th August, 2017

Ai Editorial: Managing revenue and fraud shouldn’t be about adding friction to transactions. One needs to set right expectations from initiatives such as Dynamic 3DS and biometric authentication, writes Ai’s Ritesh Gupta


Airlines, just like any other e-commerce business, need to cater to a variety of payment methods, currencies and devices.

As much as consumers experiment and embrace new forms of payment options, each new technological development introduces new avenues for fraud, meaning detection and prevention efforts need to be just as agile.

Airlines can’t afford to slip on one main count. Many fraud prevention methods introduce dilemmas between maximising revenue and minimising fraud – e.g. with more rules, implementation of 2FA or multifactor authentication fraud rates can be lowered, yet more genuine customers will be blocked; on the other hand, with less rules and lax authentication to maximize revenue, merchants will be more vulnerable to fraud attacks.


Avoid more friction for users

This dilemma only exists because airlines and travel companies are still relying on introducing more and more friction for users as a means of preventing fraud, says Justin Lie, CEO, CashShield. Citing an example, he says the new introduction of Dynamic 3DS promises greater conversions and less users blocked (on a case-by-case basis), but it still remains a rule-based system with restrictions that block users and introduce friction during payment. 

The new version of 3-D Secure is being considered for supporting app-based purchases on mobile devices, and paving way for sharp risk-based decisioning for frictionless authentication. Other aspects include multiple authentication options, including passcode and biometrics, and integrating seamlessly into the checkout process. Even as this tool can play a part in combating illegal transactions and criminal fraud moves, airlines need to consider potential hurdles as well. As Lie points out, the problem with Dynamic 3DS is that it is controlled by card issuers and is therefore still working with the same set of data as before. “They are unable to tap on the merchants’ data for more information on fraud and are not as smart and flexible as they tout themselves to be. Therefore, merchants cannot expect Dynamic 3DS to be a be all and end all solution to solving fraud woes,” he says.  

Merchants should still develop their own fraud tools that are able to tap on their own sources of data for greater efficiency and more accurate detection of fraud.

As we highlighted in one of our recent articles, rather than hard rules, airlines should direct fraud prevention efforts on behavioural analysis instead, which is compatible with all various payment methods, currencies and devices. A further step in sustaining or even improving conversion rates for airline can be to develop a decisioning algorithm with the mandate of maximising revenue at an optimal level of fraud risk. This will make the airline’s fraud prevention methods truly agile at maximising revenue while minimising fraud. Specialists point out that rules-based systems are in general reactive and probabilistic solutions, which is why they are unable to prevent fraud before it happens. Probabilistic frameworks only seek to train the system on historical data, and do not possess the expertise to move beyond probability scoring for fully automated decisions, thus crippling the system on manual reviews. Because of the need for manual reviews, rules-based systems also start to show cracks at high volumes, and reduces the company’s ability scale on demand.

Being susceptible to unknown fraud attacks

Among other developments, the industry has also been focusing on Dynamic Authentication. It uses multifactor authentication, machine learning, fraud intelligence and advanced device recognition technology.

“While the intentions of Dynamic Authentication to stop fraud in it tracks may be applauded, it also introduces new problems for users and cannot be seen as the be all and end all. Multifactor authentication, dynamic passwords disrupts the user’s experience severely and are forms of unnecessary friction that will be especially felt by the older generations,” says Lie. He says at the same time, Dynamic Authentication’s use of machine learning technology is still heavily reliant and trained with historical data, using old (and dated) fraud patterns to predict future fraud. This means that even with Dynamic Authentication, travel companies can still be susceptible to unknown cyber fraud attacks.

“Dynamic Authentication is very counterproductive, considering the added friction placed on users. On average, only 70% of dynamic passwords delivered are used, while merchants see a 40% reduction in purchase conversion rates after introducing Dynamic Authentication. Cart abandonment rates also grow significantly, but merchants do not track these dropout rates. Merchants must understand that even if fraud losses are mitigated, their business potential and opportunity costs have been restricted, since many genuine users are turned away constantly,” explained Lie.

As for biometrics, this technology can turn out to be an important proof in indicating that a shopper did authorize a transaction. At the same time, as Monica Eaton-Cardone, COO, Co-Founder of Chargebacks911 points out, this would be futile if the card network won’t consider biometric data as verification. In one of her blog posts, she mentioned that the industry “must revisit their policies before biometrics can be a truly effective method of fighting fraud and recovering revenue”.

“Card networks need to make biometric authorization a cornerstone of the dispute process,” asserted Eaton-Cardone.  

So it is imperative for airlines and all other travel e-commerce players to study in detail the utility of emerging   tools and technologies.  What is going to be their role in managing criminal fraud, friendly fraud, chargebacks etc. and the same time how they impact the customer experience at the time of making a transaction.


Hear from experts at Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August). For more info, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Trapped in risk-averse fraud strategy? Stop focusing only on rules-based approach!

First Published on 18th August, 2017

Ai Editorial: Airlines need to be realistic about the flaws and limitations of the rules-based systems - mainly on their hindrances to scalability and restrictions to instant delivery, writes Ai’s Ritesh Gupta


The shortcomings of the traditional rules-based approach for fraud prevention continue to get highlighted. At a time when the efficacy of fraudsters and hackers in cracking areas of vulnerability is on the rise, it is imperative for merchants to improvise and sharpen rules on the fly.

Before discussing problems associated with the traditional rule-based fraud method, it needs to be underlined that there are more refined ways of ensuring a genuine travel shopper’s experience doesn’t get hampered. Overall, it is must for merchants to identify user behaviour much more accurately, which is useful not only in turning away fraudulent transactions, but also in identifying positive behaviour (genuine customers, especially big ticket spenders) to allow them to pass through. In addition, taking away rules, buying restrictions, 2FA or other difficult verification procedures increases the shopping experience for users, therefore lowering cart abandonment rates.

Merchants can’t be risk averse

The problem with deploying hard rules and relying on manual reviews is the fact that this method tends to work around evaluating the typical fields.

So how does a fraudster manage to break the rule and find a way out? How do they manipulate and defeat the system?

For instance, a system has been set in a way that it doesn’t allow more than 4 transactions in 60 minutes. In this case, fraudsters have figured out the stipulated rules and one of them being a duration-based rule. Then an attempt is made to craft their program in a way that the same will confront the system and not interfere with the rule.

There are certain rules systems that initially seem easy to comprehend, indicating which orders will be accepted, rejected, and reviewed. These are enough to detect simple, non-changing, known patterns. But as the need arises to add more rules, probably hundreds of them, to be clear with what’s genuine and what possibly could be fraudulent then even an astute executive may find it an arduous, tedious task to sort out the overlap with increasing number of rules and taking time out for manual reviews. The moment more time needs to be spent in curating and arranging rules, how each rule is faring, what sort of permutations and combinations are not working, what is the impact on the average order value, the threshold of the limit set etc. then the job becomes tedious. Even in case a point system is followed for rules, then also it can be a gruelling task.

In one of their blog posts, Accertify asserted that all channels and products aren’t alike when it comes to fraud risk. Citing an example, the team stated: Rules may include IP address velocity but an IP address from a provider of telecommunications services like Verizon isn’t as user-specific when compared with Comcast. So if there is a doubt for one IP address, then velocity could be adjusted, but maybe not for mobile. So there is a need to apply rules specifically for certain channels and product lines while countering threats.

Rules that are based on a single channel behavior don’t pave the way for a complete picture of the shopper’s activity across multiple channels.

Find a way to ensure that erroneous and feebly coded rules don’t end up stepping up manual review queues.  

In this context, the efficacy of machine learning offerings is coming to the fore, when compared with rules-based systems. Predictive analytics is a part of supervised learning in machine learning, and plays a part in predicting whether a cyber-criminal or a fraudster will repeat their act again in the future. At the same time, other types of machine learning – unsupervised learning – also have a role to play.

So what needs to be done?

Even in case of machine learning, it is vital to distinguish between the various kinds of techniques deployed. Rather than just focusing on predictive analytics, there is a need to bank on pattern recognition, deep learning and stochastic optimization. Why? Because, if by focusing only on predictive analytics, there could a gap for the fraudster to capitalize upon. What if a new threat surfaces with no previous data? Unsupervised machine learning is able to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour, and is effective in identifying genuine customers as much as identifying fraudsters.

To increase the effectiveness of the fraud system, another form of machine learning must be used as well – pattern recognition.

If an entity is heavily following rules-based methodology, then the main KPI would be to cut down the fraud rate as close to zero as possible. At the same time in many borderline genuine transactions would fail to pass through.

Rather the focus needs to be on - rely on an algorithm to make decisions to optimize sales as much as possible while keeping fraud and chargeback rates under control.

Go beyond rule-based prevention

Rules cannot keep pace with the degree of data and variety of always-evolving fraud that exists as of today. Do count on algorithm-oriented modelling. Assess how to make the most of business rules based on input from fraud specialists and machine learning classifiers, and bank on risk scores in real time to identify high-risk transactions. How to track users across identities, devices, IPs and locations? Is there a mechanism to combat proxy detection?

Also, as we highlighted in our recent articles, airlines are being recommended to focus on industry data and unique merchant data to combat fraud.

Rather than hard rules, airlines should direct fraud prevention efforts on behavioural analysis instead, which is compatible with all various payment methods, currencies and devices. And a further step in sustaining or even improving conversion rates for airline can be to develop a decisioning algorithm with the mandate of maximising revenue at an optimal level of fraud risk. This will make the airline’s fraud prevention methods truly agile at maximising revenue while minimising fraud. 


How is machine learning helping in combating fraud? Hear from industry experts at Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August). For more info, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Data and fraud prevention - time for airline-specific plan of action

First Published on 15th August, 2017

Airlines need to make the most of industry data and unique merchant data to combat fraud. It’s time their data strategy deployed must be diverse and tailored, writes Ai’s Ritesh Gupta


Travel e-commerce players, including airlines, are trying to cut down on the margin of error in case of accepting or declining a transaction. So as they review an order they decide appropriately on what action to take.

In this context, the role of data that can help in combating fraud is coming to the fore. Data is being relied upon for answering key questions, for instance, why genuine customers are being blocked. Or how historical data can be used to improve the accuracy of any prevention strategy? How is transactional data being capitalized upon via one system and analysis model? How merchants are gearing up for automated, scalable fraud prevention?

Another area is how airline-specific data, be it for the activity on their respective websites or other digital assets or transactional data from direct and indirect channels, can result in better fraud prevention.

Collecting data from airlines

As for the sort of data that can be collected, it boils down to two types - industry data and unique merchant data, according to Justin Lie, who has built CashShield, a SaaS based self-learning fraud prevention solution for ecommerce.

Lie further explained:

·          Industry data includes information on coordinated fraud attacks, which may be shared across different airlines as all airlines are equally vulnerable to coordinated hackers.

·          Unique merchant data would vary from airline to airline, based on the individual information each airline collects or is able to provide.


When it comes to collecting more data, unique merchant data from Airline A may not be useful for information on the fraud risks Airline B would be exposed to.

“For unique merchant data, we will guide airlines to look for useful custom fields that can increase the accuracy of fraud detection. Also, we will allow airlines to data dump whatever data that may be collected, as more relevant data points can strengthen our real-time pattern recognition technology. Industry data on existing or current fraud attacks can also be useful information to share from airline to airline, but both types of data should be collected for analysis of anomaly detection,” shared Lie.

Airline-specific plan of action

As Lie pointed out in one of our previous interactions, a majority of fraud offerings have been worked out for mass markets, where most carriers are mainly required to garner data based on a template that evaluates only a restricted number of fields. He added that this isn’t enough. It also restricts an airline’s ability to craft an optimal data strategy and reporting for their performance/ return on investment. Unfortunately, not much useful data is returned to the merchant by default. Rather airlines need to go for better control of their data, including one related to a transaction.

“As each airline’s ecommerce website is unique, the data strategy deployed must be diverse and tailored,” asserts Lie. “It is vital to work with airlines and help them make use of all the data that is there on their respective websites.”

Lie says airlines can tap on smarter solutions that can customised unlimited data collection to maximize its fraud prevention, automation and false positive reduction capabilities.

“For instance, passive biometrics data including mouse cursor movements, keystrokes, words per minute or activity data including wishlists, purchase history or even seemingly insignificant data points like whether or not the user has chosen to subscribe to the newsletter can all be relevant information collected and used.

With the data collected, airlines can churn the data through various permutations and combinations to identify potential fraud patterns that may be left behind by fraudsters, who have made micro-changes between transactions in one coordinated fraud attack to trick the system. Using real time pattern recognition, even micro-changes can be proactively identified and tagged to the same fraud pattern group,” explained Lie.

“We should not be overly concerned about how each data point may contribute to the fraud analysis on its own, or with collecting as much data as possible, but rather on how the data collected may be used in a relevant manner. After the point of data collection, airlines have to amplify and triangulate the data, analysing the data through multiple permutations and combinations so as to better understand the fraud patterns left behind by fraudsters in their attempt to brute force the system.”

Counting on data for new types of fraud

It is imperative for airlines to sharpen their fraud prevention strategy, as it is just not about credit card fraud or payment-related anymore. So rather than only securing payments, there is also need to protect accounts and monitoring loyalty miles claims.

So how should an airline go about allocating resources for overall fraud management? Where do airlines tend to fall short?

Travel e-commerce entities need to apply big data and real time machine learning not only on securing payments, but also for securing accounts and monitoring loyalty miles claims.

“Using the same real-time machine learning techniques and behavioural analysis, the core fraud screening technology used for securing payments can be applied to securing accounts and monitoring loyalty miles claims as well. Similarly, data about the user can be collected from the airline’s website, including his/ her behaviour on the website or what he/ she does on the website,” mentioned Lie. “With an effective automated fraud management solution that eliminates the need for manual reviews and thus the need for heavy human labour, airlines can in fact save much more resources on fraud management.”

Lie said considering that airlines have a very low profit margin per transaction made, each fraud loss impacts the airlines significantly. Yet most airlines continue to rely on human labour, which contributes to overall costs to the business on top of fraud losses from ineffective fraud solutions. Airlines should seek to automate their fraud screening processes for greater efficiency as well as to concentrate their focus on other parts of the business. Adopting risk-averse tactics (such as keeping fraud to an absolute minimum) also eats away at an airline’s revenue. Instead, airlines must adopt an optimal risk management approach to its e-commerce strategy to fully maximise its revenue potential.

Data definitely has a role to play, and while data is important, what is more important is the quality and relevance of the data.

Relevant data is necessary to improve fraud prevention, as well as to improve the machine. For instance, if the machine is regularly receiving non-relevant data, the resultant output will be non-relevant decisions.

In addition, the way the data is processed must also be relevant when making probabilities of fraud risk. Also, instead of implementing a fraud prevention strategy that requires long gaps in training machines with data sets, travel companies should shift towards real time machine learning (or real time automated) fraud systems to get ahead of the fraudsters.


How can data help in combating fraud? Hear from industry experts at Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August). For more, click here

Follow Ai on Twitter: @Ai_Connects_Us


Ai Editorial: Public Wi-Fi and fraud, how safe are you as a merchant?

First Published on 10th August, 2017

Ai Editorial: Cyber-attacks resulting from hacking of public Wi-Fi connections aren’t new. But travel e-commerce companies need to be sharper than ever, writes Ai’s Ritesh Gupta


Connecting to a free Wi-Fi is one move that majority of us can’t do without. As much as the urge to stay connected is understandable, this can also play havoc with our sensitive data. Hackers can steal our credit card numbers, login credentials pertaining to a loyalty program or any account etc. So as much as travel e-commerce companies try to combat every possible loophole that puts traveller’s key details at risk, this threat continues to trouble all the stakeholders.  

The significance of safeguarding a Wi-Fi network was highlighted recently by the WannaCry ransomware cyberattack.

In this context, airlines and other travel companies need to be more vigilant than ever. For instance, an unsafe Wi-Fi connection used by the airline staff can pave way for illegal access to internal networks for cyber criminals. Also, companies can’t ignore the threat of drive-by ransomware downloads and phishing attacks. It also needs to be understood that just because a connection requires a password to log in, it doesn’t mean a user’s online activities are encrypted.

Attacks on public Wi-Fi

There are basically two kinds of public Wi-Fi networks: secured and unsecured, for the latter users can be connected without any type of security feature like a password or login.

In May this year, Norton by Symantec surveyed over 15000 mobile device users who had connected to Wi-Fi. The findings were as follows:

·          60 percent feel their personal information is safe when using public Wi-Fi, yet 53 percent can’t tell the difference between a secure or unsecure public W-Fi network.

·          75 percent of consumers don’t use a Virtual Private Network (VPN) to secure their Wi-Fi connections, even though it’s one of the best ways to protect your information.

·          87 percent of consumers have potentially put their information at risk while using public Wi-Fi

Organizations need to be ready to combat “Man-in-the-middle” vicious strikes. These are carried by cybercriminals or hackers using a rogue hotspot.  

For such malicious move, a fraudster or a hacker works out access to an unsecured, or weak secured Wi-Fi router. Such connections are usually found in public areas with free Wi-Fi hotspots. Once the weak link – say poor configuration or weak password - has been cracked, the hacker then deploys their kit in between the users’ computer and the websites the user visits. Cyber criminals are also finding methods to infuse malware into computers, which then settle into the browser and the user isn’t aware of the same. Post this the data being exchanged between the casualty and specific targeted website is recorded and coded into the malware.  Yes, many companies use secure websites —HTTPS or Hypertext Transfer Protocol Secure —to provide online security. But once an affected user gets connected, HTTPS encryption on web pages can be evaded in some cases, and the website could be displayed in plain text HTTP including all input form text boxes for passwords, credit cards, etc.


Offering a secure Wi-Fi

In case an airline or hotel is offering a public Wi-Fi connectivity then some of the points to consider are:

·          How to keep Wi-Fi networks safe and control the content that can be accessed? It is must to look into areas related to Wi-Fi content filtering and security.

·          How to be in control of Wi-Fi content in multiple locations?

·          What are the potential risks that are associated with unsecured Wi-Fi hotspots?

·          How can the liability be minimized via cyber insurance?

·          Should free Wi-Fi systems be hosted on a stand-alone network? One that is not connected to systems that maintain sensitive data.

·          Are guests/ passengers going to be protected from malware and ransomware infections? There needs to be a provision to counter phishing websites.

Travel e-commerce companies have been relying on Internet Protocol (IP) intelligence to cut down on fraud. Such information is about the location of the user/ device initiating the contact and the reputation/ risk score of the IP address. This includes details related to suspicious Internet locations such as public Wi-Fi hotspots.

Creating awareness among travellers

Airlines need to ensure their loyalty program members’ respective accounts are safe from hackers especially when they are on public Wi-Fi.

As highlighted by Points, a loyalty e-commerce and technology specialist, travellers need to add a mobile hotspot to mobile data plan. This way they can set up a private Internet connection on the go. In order to encrypt any data users send or receive over a public Wi-Fi network, they can use a Virtual Private Network (VPN) from a trusted vendor. VPNs provide a “secure tunnel” that encrypts data being sent and received between your device and the Internet. Use them for your privacy.

Other recommendations include:

·          Try verifying the authenticity of the Wi-Fi network before using it. Never connect to a network identified as computer-to-computer. And if you are using, then don’t access sensitive personal data or important accounts on unsecured public networks. Even secured networks can be risky.

·          Users need to protect their passwords. Whether banking or email passwords, those are very valuable to cyber criminals. Don’t update your passwords on a public Wi-Fi.

·          Ensure your device is not set up to automatically connect to an unknown Wi-Fi network. If yes, this means users can seamlessly connect from one hotspot to the next. Switch them off when in unfamiliar locations. Keep a vigil on your Bluetooth connectivity, too.

·          Refrain from doing transactions over an unsecured Wi-Fi network. Also, turn off file sharing while using Wi-Fi.

·          Only browse websites that start with HTTPS and avoid websites that start with HTTP while on public Wi-Fi.

·          Install a reliable security solution.


For latest on CNP- and loyalty fraud, attend Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August). For more, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Averting breach of loyal members’ details by working in unison with them

First Published on 31st July, 2017

Ai Editorial: When airlines can actively involve their loyal customers, incorporate their inputs while designing benefits and tier-levels, they can also alert them and highlight the significance of account security and password protection. Is enough being done, questions Ai’s Ritesh Gupta


As of today airlines are suffering as the malice of loyalty fraud is on the rise. The latest news of Canada’s WestJet stating that “some WestJet Rewards member profile data has been disclosed online by an unauthorized third party” has once again underlined the threat of such attacks. Airlines need to quickly assess – the safety of data of members, and their accounts at this juncture – if they haven’t done so in the recent past.

In case of WestJet none of the data contained credit card or banking information, but this is a precarious issue. Rewards cards not only have a customer’s name, address and telephone number, but are frequently linked to partial credit and debit card information as well. It is enough for cybercriminals to work out an “identity” and go on a crime spree.


Are passengers aware or don’t care?

Airlines need to work out stronger means to safeguard members’ privacy. Even as airlines such as WestJet are working with the government, law enforcement agencies and the technology industry to combat the growth of hacking and other cybercrimes, it important that members are conveyed the significance of shielding their respective passwords.

According to digital security specialist, Gemalto, customers “often have thousands of points saved but many never think their frequent flyer points are at risk of being stolen”. The team goes on to add, “…they never think anyone would want access to their points.”

Significance of being aware

There are security challenges that an organization needs to manage, but members, too, need to be aware of how to take small steps to be in control of their own accounts. Considering the number of cases featuring  compromised usernames and passwords, program members, too, can be involved in taking appropriate action before the situation goes out of control, and both the brand and customers end up being at the receiving end.

Just like on-board flight safety is imperative (we all go through it despite it coming across as a mundane exercise for travellers on flights) and airlines even find creative ways to convey the message, similarly, airlines need to create awareness about password protection from time to time. For instance, how does malware get installed on a PC? It could be via logging onto a fake website or phishing scam (email that looks as if it’s from airline’s FFP). So why not create awareness about the same? After all, it is for the benefit of loyal members, too.

Carriers must propel them to update their current ID and password, and provide guidelines for making them more secure. How to keep the device safe from malware and viruses?

Among the other areas:

·          Airlines can encourage members to check their accounts or status on a regular basis. Is there any redemption they can’t fathom or weren’t involved in? Are miles or loyalty currency being used without the knowledge of a member? Considering the fast-growing market for the tangible value of stolen reward points/ miles and hackers/ fraudsters capabilities to steal the same, this calls for more proactive action.

·          Do members of a frequent flyer program treat their respective loyalty accounts as credit card information? This type of fraud is similar to card-not-present fraud. An account can hacked by capitalizing on weak passwords, stealing of identity etc. So it must be highlighted that if fraudsters gains access to an account, they can seize points/ miles and rob loyal members by availing redemption options (other threat is data breach). As Michael Smith, Managing Partner, Airline Information and Co-Founder, (Loyalty Fraud Prevention Association (LFPA) says passengers (or customers at large) should be wary about which Wi-Fi they are connecting to, and also as FFP members they must be cautious about sharing name and account number. “With those two bits of information, fraudsters just need to guess your password and they are in to your account,” he says. Smith asserts that a flyer shouldn’t share or post the picture of a boarding pass, as it features vital information.

So organizations need to inform travellers about simple mistakes that can unknowingly create havoc with loyalty or FFP accounts.

Being more vigilant and proactive

As for airlines, the responsibility is bigger than ever since the use of bots and proliferation of stolen data on the dark web is flourishing.

They have to rely on a set of assessment tools, such as device identification, geo-location, device intelligence and user-behavior profiling.

As Gemalto suggested recently, operators of FFPs or loyalty programs should assess if loyalty account has been accessed from a device that isn’t recognizable or registered, or an unidentifiable device has modified personal or account details, abrupt use of points or miles much higher than done previously, multiple tickets have been purchased with names differing from the account holder etc.

Also, one of the common causes of security breaches involve bad security practice from employees.

As highlighted in one of our recent articles, Botnet attacks on loyalty programs, how to negate them?, airlines need to identify the ways in which account information can potentially be accessed, in all probability via a blend of phishing scams, identity theft, and cracking of feeble passwords. Overall, the fraud prevention initiative, via behaviour analytics, device identification and tightening of data and IT infrastructure, needs to offer protection to loyal members.


Hear from experts about loyalty fraud at the upcoming 2017 APAC Loyalty Fraud Prevention Workshop, to be held in Singapore on 23rd August this year. For more, click here


Attend Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August). For more, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Gearing up for integration with WeChat – don’t forget it belongs to China!

First Published on 27th July, 2017

Ai Editorial: Many foreign companies, including travel technology entities, are looking at WeChat to serve Chinese travellers. There are 4 key areas they need to look at for the same – business licence, developer account set up and verification, payment issues and data privacy regulations, writes Ai’s Ritesh Gupta


“By integrating with WeChat, a technology company is just one step away from gaining access to a massive chunk of users in China.”

This remark from Maximilian Waldmann CEO of Berlin-based, conichi, aptly summarizes how important it is for airlines, hotels and other companies to capitalize on Tencent’s WeChat platform to serve users of this app. As per the first quarter results of the company, WeChat had 938 million monthly active users.

Before delving into what sort of effort is needed to integrate with WeChat, it must be underlined that being a part of this ecosystem, WeChat isn’t just about messaging. In addition to the communication layer for person to person, there is also a social layer, a media layer and also a connectivity layer (a rich set of API’s connects people to organizations, hardware to software, etc.).

As it turns out, travel companies are diligently finding ways to make the most of connectivity layer and be a part of this robust ecosystem. The user interface has emerged as a vital tool for service and support, whether human-powered, bot-powered or a combination of the two. For instance, in case of conichi, the company is working with hotels to either use a hotel’s app or WeChat to greet guests when they arrive at the hotel, and also focus on hyper local marketing, and GPS geo-fencing. This seems like a pragmatic move, as any message or visual that can add value to a guest/ passenger’s journey or even let them complete a transaction makes for a meaningful interaction with a traveller. And going by the popularity of WeChat, this platform can’t be ignored.

There are interesting developments on the anvil as far as WeChat is concerned.

Barcelona-based Inaki Uriz, co-founder and CEO at Caravelo says if an airline believes they can serve Chinese travellers just by translating or featuring a chatbot on Facebook platform, rather than the WeChat domain, then the effort wouldn’t be too fruitful. Uriz, whose team is working on a chatbot for WeChat for an airline in Europe, says it is important to move from being Chinese compatible to a Chinese friendly interface. “So this (developing a chatbot for WeChat) would mean analyzing what’s so popular about the interface, the use of buttons, the functionality of the entire platform, it is about being an integral part of the customer’s lifestyle etc. Mere translation won’t work,” highlighted Uriz.


But integrating with WeChat is challenging or at least demands preparation on several fronts.


According to Beijing-based experienced Chinese entrepreneur George Cao, Co-founder/ CEO, Dragon Trail Interactive, there are 4 areas where one needs to focus on:

1.     Business licence: “There are a few restrictions on the platform. They are primarily related to meeting the requirements stipulated by the government. Any organization that intends to introduce any offering on WeChat or even as simple as opening an account on WeChat, it is must to possess a local licence. You can’t do it as a foreign company. So there are two ways to do the same – register a subsidiary in China and use that business licence to do business with Tencent. Or work with a local company, and use their credentials,” says Cao. This aspect can be time-consuming for any entity trying to leverage digital platforms, including WeChat, in China.

2.     Integration/ Verification: Post account creation or for integration, an organization needs to register as a developer. When this entity develops a “Mini-Program” (an initiative taken to deepen the services offering in low-frequency use cases, connect more offline services to online users and offer a way to sample functionalities offered by apps) or leverage the WeChat API, one has to go through the verification process (cross checking of licence). So in addition to setting up an account for publishing content and building dynamic services that run within WeChat, how challenging is it for hardware developers to enable their devices to send and receive information between their products and the user’s WeChat mobile app? How can a travel app let users of WeChat to share your app’s content to friends via chats and their Moments feed, as well as add your content to their “Favorites”?   

“Working on a conversational interface or message-based user interface isn’t challenging, its already happening here. These preferred platforms (where users are spending their time and are being offered functionalities such as search, voice messaging etc.) can help in engaging with a potential travel buyer and rather than sending them to a website and eventually them abandoning their purchase, companies can facilitate bookings here,” said Cao. “Like Facebook Messenger API, WeChat API’s can be worked upon for an offering. Companies can build HTML5 –based used interface that are embedded within WeChat. All these are possible and technically not a huge endeavour if one passes through the regulatory requirements.”

Cao also recommends that brands should look at multiple layers of WeChat. “So, for instance, during a conversation with users, companies can send a link to complete a booking. Or one can leverage the content publishing platform – send users information that is already prepared, related to products, or aid the decision-making of users. If you just focus on messaging via chat, and not push contextual content that matches the intent of the users, then you are missing out on opportunities,” asserted Cao.

3.     Payments: As for WeChat Pay, options include scaning a one-time transaction code displayed on the user’s phone, scanning a QR code that users scan using WeChat to complete payment, and letting users pay via WeChat Pay within a mobile app, the last one being only available in Mainland China. As for cross-border settlement, users can pay in Chinese Yuan but have the transaction settled in a foreign currency when remitted to the vendor. “Receiving payments from China is more flexible now for foreign companies, as long as there is a local bank in a market or that country that can work with Tencent (money transfer being worked out). So Chinese customers pay in their currency, and the beneficiary can receive payment in a specific country in local currency. In case, a developer is keen on building payment functionality and intend to get the money transferred outside of China then again local licence is needed to do that,” explained Cao.

4.     Data-related restrictions: Not specific to WeChat or Tencent, there is one legal issue every foreign company has to deal with and even be wary considering the repercussions that an organization can face in case of not following the law. As widely reported, the country’s new Cybersecurity law introduced last month, is a major initiative in data privacy regulations. It has also been mentioned that authorities haven't provided enough information about how the wide-reaching law will be implemented. And any failure to comply would result in a penalty of US$150,000 etc. The law has been drafted to shield “personal information” and individual privacy.

Personal information – recorded in electronic form or otherwise, which can be used, solely or together with other information, to determine the identity of a natural person, including but not limited to the name, date of birth, ID card number, personal biometric information, and address and phone number of the nature person. Similarly, foreign organizations also need to understand areas – like what does “network operators” and “critical information infrastructure” stand for.

 “All customer data or information a non-Chinese travel company collects needs to stay in China – if you are collecting customer contact information, payment-related details etc.,” shared a source. Of course, for travellers going outside of China, name, their address, and other requisite information is forwarded to various airports to make it possible to check them in at airports. So what sort of restriction is being referred to?

As highlighted by CNBC, illegal collection, disclosure and receipt of a citizen’s personal information now constitutes a criminal offense.

 “Practically how it (collection and transfer of data) is being done, whether the law is being followed or not as of now – it is tough to say and probably not. It is a complicated issue, lots of brands are struggling right now with what it means.” There is no case as of now, and there are ways to work around this.  

Now take the case of a traveller interacting with a foreign brand via WeChat. This traveller shares some information that is related to a trip with an airline, and while interacting with the chatbot, this passenger shared some information about the ground transportation or car rental in China, and intends to carry on with the airline to offer an ancillary product. Can the airline act on this data that is being generated in China and match it with historical purchase behavior stored outside China? Or how to collect and act on data that is being garnered from touchpoints within and outside China? “So the airline could use an identifier of the data stored in China, and use some sort of a key to match with data stored in the central database…to access Chinese customer data, you can access storage in China, it’s possible. The key is to where the law in China stands when it comes to accessing and usage of customer data,” pointed out the source, referring to the current complexity. “It could become an issue if you don’t take the government’s stance seriously.

Questions have been raised about what it means for the foreign companies and is China facilitating free trade and an open global Internet with their new data privacy initiative. For their part, the government has already stated that the new law safeguards national cyberspace sovereignty and security.


Hear from Matt Brennan, WeChat Expert, China Channel at the upcoming Airline & Travel Payments Summit (ATPS) Asia-Pacific 2017 conference, to be held in Bali, Indonesia.

For more, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Botnet attacks on loyalty programs, how to negate them?

First Published on 21st July, 2017

Ai Editorial: Airlines need to guard themselves against data server breaches, malware or phishing programs in order to protect a loyal traveller’s login credentials and account, writes Ai’s Ritesh Gupta


Fraudsters attacking loyalty program isn’t new, but the threat is stronger than ever before.

The use of sophisticated bots is one reason why airlines and travel merchants need to be wary of the situation today. These are small applications that execute automated tasks. The fact that once a malware has infected a machine and it can be forced to turn infected machines into botnets is a serious concern. Bots are now at the forefront of triggering online fraud at large, and they can be deployed to test login credentials to take over user accounts. Considering that digital shoppers are sharing their personal details and not expect them to fill again while they transact or shop using their favourite loyalty currency, all of this needs to be guarded. Botnets are being counted upon to step up the efficacy of malicious attacks – most commonly account takeover and distributed denial-of-service attacks.

Overall, travel merchants need to guard themselves against data server breaches, malware or phishing programs in order to protect a loyal traveller’s login credentials. 

Bots and loyalty fraud

The situation is precarious as fraudsters or hackers are equipped to using artificial intelligence for accessing sensitive data that bots use to serve customers, including for transactions. Such attacks mean once personal information of members is obtained in a nefarious manner and a botnet attack is unleashed to complete illegitimate transactions, for instance, air tickets. Miles are accrued and the fraudster further capitalizes on the loyalty currency for more illegal transactions. Main focus as far as redemption is concerned is on - digital gift cards, tickets and expensive merchandise that is easy to resell. Cybercriminals are adept at comprehending the configuration/ structuring of gift card numbers, and botnets are part of their plans to target gift cards. When a card is breached, they steal the stored value. As the team at Chargebacks911 points out, the actual peril of loyalty program fraud is that the damage is already done by the time airlines come to grip with the fact there had been a breach. If the breach is spotted too late, airlines can’t resell tickets. Also, one has to deal with applicable chargeback fee. What happens to loyalty currency affiliated to an account that has been redeemed? Too many complications resulting from such malicious attacks. 

Vulnerable areas

Experts point out that the availability of compromised identity credentials on the dark web in big numbers is major indicator of the fact that the authentication mechanism tends to be poor or at least there is no room for archaic authentication system. For cybercriminals or fraudsters, one of their main weapons is to identify vulnerabilities. So airlines need to identify the ways in which account information can potentially be accessed, in all probability via a blend of phishing scams, identity theft, and cracking of feeble passwords. This unauthorized account takeover results in misuse of the loyalty currency.

So what kind of attacks are these and is the current fraud prevention set up enough to combat botnet attacks, signs of which could be, for instance, abnormal traffic patterns. Fraudsters or cyber criminals work out these attacks to appear like authentic traffic. One of the major issues is coming to grips with low volume, low frequency attacks. Web application firewalls struggle since this layer was devised to avert attacks against web services and not against customer identities. Web application firewalls count on IP reputation services and IP address velocity filters to identify bots. This arrangement is futile considering that botnets rotate IP addresses and have access to previously leaked user credentials.

As for controlling the same, first of all, merchants need to detect any contextual aberration in the way users generally user their respective device, or even there is a signal of deviation based on other dynamic data points such as behaviour, location, networks etc.; identify whether devices or connections have been corrupted with malware; if there is a case of unusual traffic patterns.  

According to digital identify specialist, ThreatMetrix, behavioral profiling and analytics constantly record all the actions pertaining to a device, account or persona. This paves way for identification of low volume, low frequency attacks, even if they are distributed.

A rule set to check for an IP address related with numerous email accounts offer information about traffic being botnet related or not.

Other than web application firewalls and aberration from usage pattern based on other dynamic data points, travel e-commerce players also need to count on shared intelligence that is real-time and is accumulated from various industries and markets, botnet proxy detection (new generation of private botnet proxies do not appear on public proxy lists) and keep a vigil on application integrity and malware detection to monitor all devices connecting to digital assets.

Be it for processing transaction data or managing users’ profiles and accounts, data security is a critical part of any loyalty program. It is imperative for airlines to shield their loyal members – right from account creation to managing account/ accrual of miles to redemption of points. All of this shouldn’t hamper the experience at any touchpoint. The fraud prevention initiative, via behaviour analytics, device identification and tightening of data and IT infrastructure, needs to offer protection to loyal members, even if the fraudster knows their password. If I can access my loyalty program account easily, can fraudster be denied a chance to do so? Loyalty fraud security needs to evolve to match today’s threats.


Hear from experts about loyalty fraud at the upcoming 2017 APAC Loyalty Fraud Prevention Workshop, to be held in Singapore on 23rd August this year. For more, click here


Attend Ai’s 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali (29 – 31 August). For more, click here

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Countering mcommerce fraud with a tailored approach

First Published on 12th July, 2017

Ai Editorial: A variety of tools and techniques are being used to combat fraud in the mobile channel, but is it enough? Ai’s Ritesh Gupta explores


Mobile commerce demands planning on several counts and one of them is dealing with the malice of fraud.

As much as mobile apps and now even chatbots are ready to facilitate transactions without any hiccup, the risk of fraud can’t be taken lightly or handled just as the way web-based transactions are being managed. And it is imperative for airlines, OTAs etc. to ensure mobile users’ need for speed or overall experience isn’t perturbed while hitting the breaks on fraud.

Mobile fraud is challenging to merchants as transactions that are made through mobiles collect less information than web transactions. Merchants need to explore various areas - Is low use of 3D Secure still a major issue? How much malicious apps are of a concern? If existing fraud rules aren’t fully suited to the mobile channel, how does it impact the risk associated with a transaction? Is the risk of blocking genuine customers higher in case of mobile? Is it true that relatively higher costs are incurred in case of mobile such as greater chargeback rates, lengthier time for manual reviews etc.? All issues need to be dealt with without optimizing the user experience.

According to Kount’s Mobile Payments & Fraud: 2017 Report, merchants “earning more than $500 million annually were much more likely to say being able to detect mobile devices was “Very Important” relative to merchants with annual revenue of less than $5 million, at 61 versus 35%”. This year, the fraud prevention tools, techniques and services used most by merchants to prevent fraud in the mobile channel were card security codes or checking the CVV (58%), AVS (46%), fraud scoring (48%), device ID (38%), velocity checks (35%) and a complete fraud platform (47%).


Dealing with risk

Here we assess what’s being recommended to lower the risk of mcommerce fraud:

1.     Be informed about mobile behavior: It is vital to recognize or spot anomalous behavior in order to combat fraud. Also, declining of genuine orders, too, can be an issue if behaviour related to mobile usage isn’t considered. For instance, it is important to consider logging onto multiple devices and also mobility of the device. Since mobile users can transact on the move, then how to plan for rules based on IP geo-location criteria. Another aspect about usage is related to the time of the use. According to CyberSource, rules generally identify specific times of the day as more risky than others. So a rule may indicate that an order placed from a local IP address comes at a certain time slot. But what if an order comes via a mobile device at a completely different time. So such dissimilar patterns of use need to be scrutinized. 

Travel companies also need to take into consideration hardware and operating systems. For instance, some shoppers still use lower-end devices.

2.     Count on data: Data analysis is integral to any fraud detection initiative. When it comes to new technologies, there are supplementary fields or information required to complete a pertinent analysis. Otherwise, fraud exposure may go up. User data garnered during various interactions can improve fraud prevention, for instance, fraudsters rely on older versions of an app to make the most of gaps in security. More specifically, behaviour is also an indicator - swiping or typing? Filling information steadily or erratically?

Another aspect is customising and acting on e-commerce data specifically related to the digital assets of airlines. For instance, considering that each airline’s ecommerce website is unique, the data strategy deployed must be different and customised. It is important to work with airlines and help them utilise all the data that is available on their website. What is being done for airlines’ mobile sites or apps?

Overall, with more options to pay such as mobile or NFC, expect new ways of fraud to appear. It is crucial for the industry to move closer to active monitoring by featuring big data user and entity analytics to evaluate the shopper behaviour behind each payment that comes through. As a majority of fraud acts result from a synchronized attempt from one script, automated to optimize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payments become popular and mainstream, active surveillance will be more relevant (rather than static defence) and effective in dealing with fraudsters.

As for machine learning, it has to be ensured that an airline doesn’t only look at predictive analytics. It enables one to predict future fraud based on historical data. There is a need to incorporate pattern recognition, so even without any prior historical data, the machine is able to detect patterns across different transactions and diagnose if the transaction exhibited bot behaviour or human behaviour. Combined with pattern recognition, the system draws patterns (for both positive and negative behaviour) to map the DNA profile of the user.

As for efficacy of machine learning, it is highlighted that the data must be accurate and the rules must be set properly for it to work.

3.     Verification method: It is vital to assess what sort of consumer verification method, say what is being supported by the card networks, when assessing transactions originating from mobile devices. A mechanism is needed to authenticate the user. With which methods users wouldn’t have to worry about typing-in all of their cardholder information for each purchase? If the authentication method is too stringent, it can result in abandonment. But with poor security comes the threat that unauthorized users might make purchases. So in case of iOS, how safe are Touch ID or the device passcode as a device authentication option? What is the role of more conventional means such as PIN, signature for transactions in stores, or 3D Secure for transactions within apps? What is the liability for the fraud? For instance, in case of biometric fingerprint technology being used to authorize a transaction, is the fingerprint attached a compelling evidence in the merchant’s favour in the event of friendly fraud? There needs to be balance between streamlining the process and encouraging customers to buy without first thinking through a purchase. As a result, this could lead to buyer’s remorse, which could mean returns or even chargebacks at a later date.

Also, going by my personal experience, the two-factor authentication (2FA) can be time consuming. Yes, it is a security feature that gives additional security by adding a second-level authentication to access a particular account. But if one gets stuck, it results in disappointment. For instance, as I updated by account details for a subscription-based anti-virus service, the request for a code via SMS didn’t work as it called for another mobile number, whereas the option of downloading an app is always cumbersome as I can never remember by iOS app store password!

Also, as highlighted by Chargebacks911, biometric authorization isn’t a solution on its own for anti-fraud initiative, and there are few pieces of evidence more compelling than a fingerprint or facial scan to suggest that a cardholder did authorize a transaction.

It is recommended that e-commerce organizations need to rely on dynamic threat data to evaluate device health, location of the consumer and irregularities that may indicate fraud—in real time.

With dynamic, digital identity based authentication, airlines can better shield their shoppers’ logins and transactions.

As for the traditional approach of 3D Secure, a major issue has been transactions via mobile. Among the latest developments, 3D Secure 2.0 is being termed as a potential boost for digital commerce with quick, secure authentication, propelled by robust fraud-related intelligence. It strengthens the quality of real-time predictive risk scoring for both merchants and issuers. The new specification that would support app-based authentication and there would be integration with digital wallets, too. Early adoption of the new specification is scheduled to begin in the second half of this year.

4.     Rules: Importantly, specialists point out that uniqueness of the mobile channel be it for the way shoppers use their devices or data associated results in differences in fraud rules – especially with the goal of curtailing automatic review or declining of real payments via mobile.  

Rules worked out for mobile must rely on the data that can be collected, the behavioral patterns and fraud trends that are deemed to be relevant. Organizations are recommended to collect information about the device type and operating system, as well as mobile chargeback, rejection and review rates.

Airlines have been relying on testing the efficacy of rules on specific transaction types without having to wait for those transaction types or periods to occur in future.


Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year.

Dates: 29 – 31 August, 2017.

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Entering the world of “Dark Web” and yet remaining anonymous

First Published on 7th July, 2017

Everything isn’t illegal on the “dark web”, but it is a marketplace where nefarious transactions related to stolen personal data for further unlawful acts take place. So how one remains anonymous, explores Ai’s Ritesh Gupta


Questions related to safety of our digital assets and related IDs – be it for a banking app, email account, frequent flyer program and other accounts like Facebook, Twitter, LinkedIn etc. – do concern us from time to time. It isn’t easy to remember passwords for all accounts, and when you end up having the same password for all, then edginess does grip us. What if this all-important password gets stolen?

As consumers, we seek simple logins and frictionless shopping. Should we be more patient? Well, in reality, consumers don’t wait. The idea of answering “security questions” or authenticating something by clicking on a link by logging in another account isn’t appreciated much. So this puts tremendous pressure on the entire digital commerce fraternity.

But, the fact is, the danger of being hacked or being a victim is seemingly getting stronger.

Critical data such as login IDs and passwords garnered by hackers are traded on the dark web. Such credentials are then exploited by cybercriminals for account hacking and online shopping.

Dark web – what is it?

When one reads about what can happen on the “dark web”, it becomes clear that this part of the Internet can’t be reached with the normal tools. Dark web is described as a collection of sites and these can't be indexed by traditional search engines. Also, these can't be opened by using traditional browsers.

It doesn’t come as a surprise when one reads or hears about trading on the dark web, be it for your PayPal account, email id, credit card information etc. – everything has a value.

But, a statistic like an identity getting stolen in two seconds, is menacing. Also, it is being pointed out that it is tough to keep track of the flow of money on the dark web.

It is said that owing to encryption, users can visit dark web websites anonymously. These sites exist within the so-called deep web. Content in the deep web is not automatically or fully concealed or anonymous, but it cannot be indexed in a manner as the surface web can be done. As for the dark web, it is a part of the deep web that is intentionally constrained and closed unless there are precise tools to get in.

So how to get in?

I stumbled upon a post by Brett Johnson, who initiated AnglerPhish Security three years or so ago, sharing information as “a former cybercriminal to combat the very crimes he once committed”. He referred to functioning of the world of dark web and emphasised upon the significance of remaining safe while accessing it.

Johnson shared that accessing the dark web requires particular software, and the most common is TOR. It is used for online privacy. Johnson asserts “criminals love the TOR network”  and if “properly used, it provides near bulletproof anonymity”. According to, it can’t solve all anonymity problems and focuses only on protecting the transport of data. “You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use Tor Browser while browsing the web to withhold some information about your computer’s configuration,” states “Also, to protect your anonymity, be smart. Don’t provide your name or other revealing information in web forms.”

Anyone who is out to there to fight cybercrime needs to be wary of accessing such marketplace. There are details related to what needs to be done before using the TOR browser. According to, shut every open Internet program, use the VPN protocol to link up to a place considerably away from where one resides. Doing this would mean that the current ISP won’t make out the usage of TOR, and the TOR entry node won’t be able to know the true IP address. One needs to access .onion sites on the TOR network in order to reach out to a marketplace.

What about catching culprits?

Not many cases are reported, but last month, the German police reportedly arrested the alleged administrator of one such marketplace from where a gun was purchased and used for last year’s shooting in Munich.

But the dark web isn’t disappearing. It has triggered various incidents of fraud. The list features point-of-sale attacks and also been behind other malicious developments, say a malware. Payments to sellers can be done via bitcoin in order to ensure details of the transaction don’t get disclosed.

According to a study by Equifax released earlier this year, websites that deal in file sharing on the dark web account for 29% share and leaked data 28%. Travel e-commerce companies are already looking at ways to curb the stealing of air miles, loyalty points etc. This is in addition to other illegal items.


Companies need to be wary of what can result in data theft and security lapses.

Airlines and travel e-commerce organizations need to be vigilant and be aware of where their sensitive information is stored. There is a need for stronger access or password controls (for instance, no passwords for mobile apps, rather a local authentication mechanism such as a fingerprint, PIN or face/voice recognition. Plus, a password complemented by a second factor), availing options such as public key cryptography to create secure authentication credentials etc. Companies including Facebook highlight that using security keys for two-factor authentication provide phishing protection since there is no need to enter a code and the hardware provides cryptographic proof in the machine, interoperability i.e. the same key for any supported online account, and fast login.


Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year (29 – 31 August, 2017).

Follow Ai on Twitter: @Ai_Connects_Us