Ai Editorial: How robust is your data governance strategy? Apt for GDPR?

First Published on 12th September, 2018

Ai Editorial: Having a resilient and centralized data governance tool that can provide requisite information readily when needed will go a long way to comply with data regulations like GDPR, writes Ai’s Ritesh Gupta

 

It is imperative for businesses today to not only manage, understand and act on data, but also to ensure security and regulatory compliance.

They also need to know how to respond to a strict regulatory environment such as GDPR, under which an organization may have to act on a request to delete an individual’s personal data.

One key aspect pertaining to the whole initiative is data governance.

“Data governance is a key part of a robust and responsible data strategy that modern organizations cannot ignore,” says Kelvin Looi, Global Sales Executive, Unified Governance & Integration, IBM Analytics.

“Profiling each data to answer who, what, where, when and how, and to make this metadata available is fundamental. Basically, for each data, you need to understand what is the data all about, who owns it, where did it originate, where is it kept, when did it get there, and how the same is being processed,” said Looi, who was recently in Phuket for Ai’s 7th Annual ATPS Asia-Pacific.

Compliance with a regulation like GDPR 

Having a robust and centralized data governance tool that can provide such information readily when needed will go a long way to comply with data regulations, like GDPR, to provide greater transparency of processing to data subjects on how data concerning them is collected, used, consulted and processed, asserted Looi.

Explaining further, he said, “The ‘right to be forgotten’ article in GDPR is another requirement that will be difficult to achieve without a robust and centralized data governance tool. Basically, in many cases, data subjects have the right to request the deletion of their data and not to be contacted again. This request is almost impossible to comply with, without a tool to indicate where their data resides, and whether this data can actually be deleted without violating another regulation.”

Data governance strategy 

E-commerce companies, including airlines, need to evaluate their data governance strategy to suit their organizational objectives.

“Forming a unit that is responsible for data governance would be a good start if you haven’t got one,” recommended Looi.

IBM has worked on a methodology for the same, and it goes through five phases:

1.     Assess,

2.     Design,

3.     Transform,

4.     Operate, and

5.     Conform

In the first phase, the focus is on conducting an assessment across governance, people, process, data and security. “From this assessment, we develop a target operating model that encompasses technical and organizational roadmaps,” said Looi. “In the second phase (design), we produce standards that cover governance, training, communication, privacy, data management and security management. During the transform phase, we conduct detailed data discovery and embed standards, procedures, and tools to enhance existing processes. We also conduct the necessary training to ensure skills transfer.”


“In Operate, we ensure all relevant business processes and security controls are executed. In Conform, we monitor, assess, audit, report and evaluate adherence to data governance target operating model,” mentioned Looi.

Managing availability and security 

On data availability and security, Looi recommended profiling the existing data environment and understanding where all the data is as a meticulous way to start.

It is important to assess where all the data resides and how the data is connected to each other. Other considerations include what to protect and related accessibility (storing locally or in the cloud, encryption levels for data with different sensitivities, access rights etc.).

“When it comes to customer personal data, a few industries have implemented a customer hub, typically using a master data management solution to provide a ‘single source of truth’ to customer data,” shared Looi. “This typically contains a registry to provide directory services to point to where customer data resides in different systems in a company. Industries like banks, insurance and healthcare are leading in this front. Industries such as airlines are far behind on this. The good news is some have started. Key GDPR requirements, like consent management, can be centrally managed in this customer hub. Companies who have implemented this customer hub will find an easier time to manage customer data availability and security, hand-in-hand with centrally managed customer consents and preferences. Many airlines still try to drive their customer centricity strategy off their loyalty system. But, a big portion of their passengers are not their loyalty club members,” shared Looi.
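The registry described above, together with the erasure check from the "right to be forgotten" passage earlier, can be sketched as follows. This is an added example, not IBM's or any vendor's code; the system names, retention dates and the `plan_erasure` helper are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DataLocation:
    system: str                   # system that holds a copy of the subject's data
    category: str                 # kind of personal data held there
    retain_until: Optional[date]  # end of a legal retention duty, None if there is none
    basis: str = ""               # why the data must be kept until then


# Constructed registry: one entry per data subject, pointing at every system
# that holds their data (the "directory service" role of a customer hub).
REGISTRY = {
    "cust-001": [
        DataLocation("loyalty_db", "profile", None),
        DataLocation("booking_system", "ticket records",
                     date(2025, 9, 1), "accounting records"),
        DataLocation("marketing_crm", "email preferences", None),
        DataLocation("payment_ledger", "card transactions",
                     date(2019, 1, 1), "dispute window"),
    ],
}


def plan_erasure(registry, subject_id, today):
    """Split a subject's data locations into 'erase now' and 'must retain'.

    A location is retained only while another obligation is still running;
    once retain_until has passed, it joins the erase list.
    """
    locations = registry.get(subject_id)
    if locations is None:
        # Nothing registered: the hub alone cannot answer the request,
        # so someone has to search the systems by hand.
        return {"found": False, "erase": [], "retain": [], "suppress_contact": True}

    erase, retain = [], []
    for loc in locations:
        if loc.retain_until is not None and loc.retain_until > today:
            retain.append((loc.system, loc.basis, loc.retain_until))
        else:
            erase.append(loc.system)

    # "Not to be contacted again" is recorded whatever the outcome per system.
    return {"found": True, "erase": erase, "retain": retain, "suppress_contact": True}


if __name__ == "__main__":
    plan = plan_erasure(REGISTRY, "cust-001", today=date(2020, 1, 1))
    print("erase :", plan["erase"])
    for system, basis, until in plan["retain"]:
        print(f"retain: {system} until {until} ({basis})")
```
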

As for GDPR obligations, Looi, during his presentation, referred to 5 areas:

1.     Rights of EU Data Subjects: enhanced rights for data subjects in the EU including notice, access, rectification, erasure, restriction, portability and objection; easier access to personal data with more information on processing available both clearly and understandably.

2.     Security of Personal Data: obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; includes 72-hour breach reporting to regulatory authorities and without undue delay to individuals in high risk scenarios.

3.     Lawfulness and Consent: processing only lawful if one of: consent, necessity, legal obligation, protection, public or legitimate interest or official authority; consent must be freely given, specific, informed, unambiguous and if a special category or certain other scenarios, explicit.

4.     Accountability of Compliance: the need to demonstrate compliance with the principles relating to personal data processing pervades the GDPR; these include lawfulness, fairness, transparency, purpose/storage limitation, minimisation, accuracy, integrity and confidentiality.

5.     Data Protection By Design and By Default: Data controllers must implement technical and organisational measures demonstrating compliance with GDPR core principles; ensure the rights of data subjects are met and that only data necessary to the specific purpose are processed.

 

Follow Ai on Twitter: @Ai_Connects_Us

 

Relying on a multi-disciplinary approach for curbing fraud via machine learning

 

First Published on 4th September, 2018

Machine learning (ML) and artificial intelligence (AI) can help in detecting more fraud with less manual effort and approving genuine customers faster.

ML can also reduce, but not remove, the number of rules that need to be maintained, adapt to new types of fraud faster and offer accurate predictions to cut down on false positives, explained Ben Laurie, Head of Asia, Accertify, during a workshop held as part of a complimentary meeting of the Asia-Pacific Airlines Fraud Prevention Group in Phuket.

Organizations need to capture a diverse set of raw variables that describe the transaction, ensure data stability and cleanliness and transform data to create new predictive characteristics.

As for being pragmatic about what to expect from machine learning, it is important not to rely only on predictive analytics. Problems arise when completely new transactions with no historical data are submitted into the system, and there is no way for the machine to predict whether the transaction is genuine or fraudulent. It is important to count on pattern recognition as well. Even without any prior historical data, the machine is able to detect patterns across different transactions and diagnose whether a transaction exhibits bot behaviour or human behaviour. Using big data, the system collects information from the merchant’s website, such as the user’s web movement behaviour. Combined with pattern recognition, the system draws patterns (for both positive and negative behaviour) to map the DNA profile of the user, and determines whether other incoming transactions exhibit the same (fraudulent) behaviour. The large quantity of information collected from big data makes it difficult for fraudsters to cover all of their tracks, therefore increasing the effectiveness of fraud prevention. Specialists recommend that pattern recognition, deep learning and stochastic optimization are also necessary for combining millions of test results to be crunched for an optimized yes or no decision in real-time.

Deploying a multi-disciplinary approach combining different technologies - both supervised and unsupervised machine learning - would better equip merchants to deal with fraud management. Unsupervised machine learning can be used to learn on the fly and identify fraudulent patterns even without having been trained with historical data, i.e. it is able to identify unknown fraud attacks.

Machine learning systems are meant to be an improvement on rule-based systems, reducing reliance on hard rules and filtering out fraud while passing more genuine users. However, machine learning systems only provide probability scores - or fraud scores - and would still require a team of manual reviewers to make sense of the score and thereafter decide whether to pass or reject a transaction.

Curbing loyalty fraud

During the same workshop, Michael Smith, Co-Founder, Loyalty Fraud Prevention Association, referred to the issue of loyalty fraud. He highlighted that the issue of identity theft or payments fraud isn’t new. But the functioning of fraud rings, in which fraudsters band together in organized groups, continues to get more sophisticated.

"Loyalty is big business, cash = fraud. It is important to balance the customer experience. It's a war, long war," said Smith.

Smith referred to the issue of synthetic identity fraud. This type of fraud doesn’t involve taking over existing identities; it emerged after financial institutions improved how they prevent and detect traditional identity fraud, which pushed fraudsters towards synthetic identities. It is initiated by using a blend of fake information, such as a fictitious name, along with real data, to set up fraudulent accounts. For instance, the Social Security numbers (in the U.S.) that get targeted most are ones that are infrequently used or ones belonging to people who are less likely to use their credit actively, explained Smith.

As for account takeover (ATO) in the loyalty space, it is coming under scrutiny owing to data breaches.

Fraudsters get access to stolen credentials from a number of sources:

·          From data breaches, sold on the dark web

·          Phishing with fake websites

·          Malware, trojans, spyware

·          Social engineering

·          Hijacking a mobile device

The claim for owning an account needs to be handled carefully. Machine learning comes in to understand the user behaviour. Advancements in computing and big data power, as well as the growing prominence of API-based machine learning solutions, mean that machine learning is emerging as a scalable method to grow without increasing risk. It identifies patterns in data that aren’t spotted by humans. So this can result in fewer false positives and false negatives.

By Ritesh Gupta, in Phuket, for ATPS

Ai Editorial: How a cryptocurrency like bitcoin is faring as a payment method?

First Published on 8th August, 2018

Ai Editorial: Even as travel ecommerce players closely evaluate what to expect as far as bitcoin is concerned, they also need to consider the possibility of fraud, writes Ai’s Ritesh Gupta

 

The future of bitcoin is under scrutiny. Questions are being raised – is bitcoin investment safe? Has pricing been manipulated? Some believe that the cryptocurrency would bounce back, though the pricing has taken a beating this year.

As for the travel industry, the recent news pertaining to Expedia Group opting to remove bitcoin as one of its payment options is an important development. A certain section of the industry has shown a penchant for accepting cryptocurrency payments over the years. But now it seems that travel merchants, including airlines, are not going to opt for cryptocurrency extensively until this payment method establishes its staying power and stability. Volatility associated with a cryptocurrency like bitcoin and counting the same as a payment method isn’t exactly a prudent combination.

Even as investors may enjoy the instability to an extent (it is also being pointed out that since a cryptocurrency is dissimilar to stocks or bonds, it is tougher in comparison to unearth price manipulation and fraud), for a currency to be a pragmatic option for both shoppers and merchants it has to attain stability. In fact, negative publicity around cryptocurrencies such as bitcoin isn’t helping the cause. A couple of months ago, the Justice Department in the U.S. was in the news for probing whether traders were deploying unlawful tactics to dupe others into buying or selling cryptocurrencies. According to a report by Bloomberg, the department attempted to look into illegitimate initiatives such as spoofing and wash trading. Also, the fact that bitcoin is labelled as a relatively risky currency doesn’t help; for instance, it becomes an issue if the private key is lost or stolen.

The issue of trust 

Even as travel ecommerce players closely evaluate what to expect as far as bitcoin is concerned, they also need to consider the possibility of fraud.

According to a report by Bitcoin.com News, cryptocurrency fraud stood at $9 million per day in the initial months of this year.

Since cryptocurrencies rely on a public ledger called a blockchain, the issue of trust has surfaced. What if it results in distrust? Sift Science has emphasized that in case of cryptocurrencies like bitcoin, “trust quite literally is currency”.

On the positive side, it is being highlighted that crypto payments are attractive for high-risk ecommerce entities engaged in selling big ticket items. Largely, the industry terms these transactions as secure ones. Aspects like cryptocurrency transactions carrying no personal information, and lower or no fees, too, make them alluring.

The way it works – when a user intends to transfer bitcoins to an individual or an entity, all computers running bitcoin software manage and administer the sender’s public signature through an algorithm and validate the previous transactions encoded in the blockchain to ensure the sender owns the bitcoins they say they do. This technology is regarded as a safe one. Overall, though, trust has dwindled owing to a spate of deceitful initial coin offerings (ICOs), claims about mining services, and dubious practices on trading platforms. In a study of around 1500 cryptocurrency offerings, the Wall Street Journal found around one-third with red flags that include plagiarized investor documents, promises of guaranteed returns, and missing or fake executive teams. All the stakeholders need to be cautious. As highlighted by Kount, depending solely upon the regulatory bodies won’t be enough to combat the increasing cryptocurrency fraud. Potential investors and businesses, too, need to educate themselves.

Merchants, including airlines, need to evaluate how bitcoin payments protect merchants against fraud and chargebacks. This is because chargebacks don’t work in a system built around blockchain. Also, there is a need to assess how a cryptocurrency like bitcoin protects and compensates defrauded customers. Sift Science recommends that merchants assess where their cryptocurrency is being stored and set up defenses accordingly. Also, companies taking bitcoin payment must be transparent and communicative with users when they decide to introduce crypto as a payment method.

 

Hear from experts at the upcoming 7th Annual ATPS Asia-Pacific, to be held in Phuket (4th – 6th Sep 2018). https://lnkd.in/fgEMiF6

 

Ai Editorial: Managing cross-border payments with aplomb

First Published on 3rd August, 2018

Ai Editorial: Managing cross-border payments is one aspect of business that demands constant attention. Ai’s Ritesh Gupta lists 5 key factors that merchants, including airlines, need to evaluate in detail to step up the acceptance rate.

 

For international airlines, as operators in multiple countries or continents, there is a need to deal with a variety of payment methods and different laws/ regulations.

A lot of introspection goes into optimizing the overall digital user experience, stepping up the acceptance rate, managing fraud, and being in control of the costs/ fees. This is because a lot goes on behind the scenes during the transfer of funds.  

Here we list 5 key factors that merchants, including airlines, need to study to optimize cross-border payments:

1.     Impact of regulation/ legislation: Regulatory interventions related to transactions are one area that airlines need to keep a vigil on. Be it for cutting down on costs, improving upon accessibility or paving way for innovation, the regulatory measures clearly indicate that there are plenty of ways in which the sector of payments is evolving.

Bringing down costs for cross-border transactions in euro, as witnessed in the case of the European Union, is one example of this. Similarly, other directives include capping of fees for debit and credit card transactions and restriction on surcharges for using such cards. For instance, airlines have been evaluating how to respond to PSD2 - the second EU Payment Services Directive - initiated to improve upon payment services across Europe. It mandates that banks in the EU provide users’ account details to other entities, with pre-approved customer consent. The European Commission decided that the second Payment Services Directive should open the door for non-bank financial institutions to access banks’ data and bank accounts. The access is worked out to enable two categories of 3rd party payment service provider: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). In this context, merchants have examined issues such as - will global retailers become PISPs themselves? Is PSD2 adding friction to payments? Do merchants need to focus on online banking e-payments as a viable alternative payment option? How have merchants been capitalizing on provisions allowed through PSD2?

2.     Market intricacies: There are payment-related issues that need to be settled at a local level. For instance, payouts related to China are high on the agenda of airlines, especially considering the growth of the outbound sector. The distribution landscape is increasingly getting fragmented in China and travel suppliers need to strengthen their payment infrastructure to cater to their B2B partners. As highlighted by J. P. Morgan, a challenge associated with China is that each time Chinese suppliers receive funds from overseas, they need to complete documentation for the regulatory authority within a few days of receipt of funds. So it is important to settle cross-border payments to Chinese businesses and consumers in local currency. Also for payout options, companies are trying to do away with ways that involve hefty transfer, conversion and interbank fees. According to J. P. Morgan, some of the issues that need to be considered are - Is the payments provider a foreign exchange market maker with the ability to offer onshore foreign exchange rates for Chinese currency? Does the solution offer encrypted file transmission and secure client data, meet local formatting requirements and fully preserve remittance data received by suppliers? Does the solution support local language and regulatory reporting to streamline document preparation?

Overall, Asia is riddled with challenges. For instance, each of the payment options in Asia has its uniqueness, e.g. transaction limit, availability of refund, no pre-authorization, chargeback rights. Airlines will need to put in the necessary effort to design and implement the required payment interfaces and processing flows.

3.     Being spot on with acquiring: The role of an acquirer comes into the picture as merchants target higher card authorization rates, lower scheme and interchange fees, and faster merchant settlement. According to Adyen, a majority of global merchants settle for a blend of local and international (or cross-border) acquiring, but adopting a local acquiring approach nearly always has a positive impact on authorization rates. Though this varies by market, a merchant will typically see as much as 0.5-0.6% in uplift after transitioning from cross-border to local acquiring. Mexico’s Viva Aerobus acknowledged that it had to work on its technology to facilitate payments from passengers abroad, as they used their international credit cards in various currencies, and there was also a need to adhere to local banking and industry regulations. The low-cost carrier chose Worldpay’s acquirer solution to process international transactions.

4.     Optimizing UX: A major part of airlines’ commerce strategy includes optimizing their digital assets by offering a frictionless payment experience. Consumers are in control – they pay via their chosen payment method and through the device they are using – so airlines have to support the same. In order to support shoppers around the world, it is vital to present checkout information that is customized according to a particular region. The focus needs to be on the language, currency and payment type etc. A cross-border payment processing system should automatically detect a shopper’s URL, serve the appropriate options in the preferred language and also adjust purchase prices to the correct currency.

5.     Payment infrastructure: Airlines need to design an integrated payment flow across payment options, channels and languages; implement integrated payment transaction and settlement reporting; gear up for multi-currency processing and conversion; and opt for payment controls that reflect the differences in processing between payment types.

 

Hear from airlines and other industry executives about top payment-related trends at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).


 

Ai Editorial: Dealing with a risk-averse mindset in fraud prevention

First Published on 25th July, 2018

Ai Editorial: A risk-averse mindset is commonly associated with rule-based systems, which are built with hard rules or buying limits, such as geo-location rules that could block out all transactions from one region, writes Ai's Ritesh Gupta

 

When merchants rely on conventional or long-used methods of spotting fraud, it tends to be associated with evaluating the standard fields (name, address, email, IP location, fingerprint and what can be found on the order form) and what transactions have cleared through the set rules.

The issue here is that those standard fields and hard rules are not tough for fraudsters/hackers to get around once they have understood the rules that have been set. For instance, it is quite straightforward for fraudsters to focus on new fake emails, and once they comprehend that a time-based rule is set, they will attempt to set their program to go past the system. Not only that, authentic buyers are likely to be blocked. For instance, a geo-location rule would block customers booking transactions from ‘riskier’ locations.

Machine learning systems are meant to be an improvement on rule-based systems, reducing reliance on hard rules and filtering out fraud while passing more genuine users. However, machine learning systems only provide probability scores - or fraud scores - and would still require a team of manual reviewers to make sense of the score and thereafter decide whether to pass or reject a transaction.

Unfortunately, the fraud team’s KPI is still to ensure fraud rates are low - perpetuating the risk-averse mindset as they would rather reject a transaction than to risk passing a fraudulent one. To overcome such “risk-averse” mindset, it would require the fraud team to understand that risk is very much similar to financial risk; it should be managed, not eliminated. Since 0% risk gives 0% returns, having little to no fraud would mean much revenue has been lost. For merchants to fully overcome having a “risk-averse” fraud management system, a financial algorithm could be combined with the machine learning system to make sense of the risk financially, allowing for more revenue based on a greater risk appetite.

Also, by focusing on machine learning, carriers can eradicate all those needless rules that would have otherwise stopped authentic buyers from completing their respective transactions.

The blend of big data and machine learning paves the way for more solid fraud prevention.

As we highlighted in our previous articles, to simplify big data and machine learning, big data is first used to garner details about the user’s behaviour on the website (how the mouse moves, what he likes or puts into his wishlist, etc), and this information is combined with machine learning, which uses pattern recognition to map the pattern of his behaviour to match it either with positive (genuine) or negative (fraudulent) behaviour, as well as predictive analytics that records the positive/negative behaviour and uses that on future transactions for potential signs of fraud.

Lastly, an optimized fraud risk algorithm should be used to make decisions on whether or not to accept a transaction based on calculated risks to best optimize sales while controlling fraud and chargeback rates.
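One way to read the "financial algorithm" idea above is an expected-value rule applied to the fraud score, compared here with a fixed risk-averse cutoff. This is an added example, not code from any vendor mentioned in the article; the transactions, the chargeback fee, the 0.03 cutoff and the assumption that a fraudulent sale costs the full amount plus the fee are all constructed.

```python
from dataclasses import dataclass

CHARGEBACK_FEE = 25.0  # assumed flat fee charged to the merchant per chargeback


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float       # amount charged to the card
    margin: float       # profit kept if the sale is genuine
    fraud_score: float  # ML output, read here as probability of fraud (0..1)


# Constructed sample transactions.
SAMPLE = [
    Txn("T1", 200.0, 30.0, 0.05),
    Txn("T2", 1500.0, 60.0, 0.05),
    Txn("T3", 120.0, 40.0, 0.20),
    Txn("T4", 300.0, 45.0, 0.02),
]


def expected_value(t):
    """Expected profit of accepting: margin if genuine, amount + fee lost if fraud."""
    loss_if_fraud = t.amount + CHARGEBACK_FEE
    return (1 - t.fraud_score) * t.margin - t.fraud_score * loss_if_fraud


def break_even_score(t):
    """Fraud score at which accepting this transaction has zero expected value."""
    return t.margin / (t.margin + t.amount + CHARGEBACK_FEE)


def accept_by_cutoff(t, cutoff=0.03):
    """Risk-averse rule: one score limit for every transaction."""
    return t.fraud_score <= cutoff


def accept_by_value(t):
    """Risk-managed rule: accept whenever the expected profit is positive."""
    return expected_value(t) > 0


def run(txns, rule):
    """Return the accepted transaction ids and their total expected profit."""
    accepted = [t for t in txns if rule(t)]
    total = round(sum(expected_value(t) for t in accepted), 2)
    return [t.txn_id for t in accepted], total


if __name__ == "__main__":
    for t in SAMPLE:
        print(t.txn_id, f"score={t.fraud_score:.2f}",
              f"break-even={break_even_score(t):.3f}",
              f"EV={expected_value(t):+.2f}")
    print("fixed cutoff  :", run(SAMPLE, accept_by_cutoff))
    print("expected value:", run(SAMPLE, accept_by_value))
```

T1 and T2 carry the same score but get different decisions under the value rule, because the break-even score falls as the amount at risk grows relative to the margin.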

 

Hear from airlines and other industry executives about travel fraud at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).


 

Ai Editorial: Saving on shoppers’ every second during the check-out phase

First Published on 3rd July, 2018

Ai Editorial: Travel companies are digging deep, focusing on UX design and security to streamline the payment experience. For instance, payments security through tokenization isn’t new, but specialists are counting on cloud support to overcome the issue of latency, writes Ai’s Ritesh Gupta

 

A major concern for a digital shopper tends to be the closure of a transaction. This particular stage generally results in a few anxious seconds for many. The whole promise of a simple and frictionless payment procedure can go for a toss if a shopper, especially one using a mobile device, is made to wait. This delay can hamper the experience and eventually there could be shopping abandonment.

This is exemplified by the fact that a one-second delay in mobile load times can impact mobile conversions by up to 20%, as found out by Google. The delay can cost travel merchants dearly since travel shopping tends to span many sessions and is a prolonged process.

Optimizing payments page for mobile 

Travel companies have been focusing on several areas to ensure one gets closer to transacting on mobile. Every aspect of payment-related user experience (UX) design is being handled adeptly.

Be it for designing the payment page or working out a specific interface for each device, the level of detailing has increased tremendously over the years. According to Adyen, it is imperative for travel merchants to work out a uniform experience across any device. Whether the user is paying in the native app, or via a mobile browser, the checkout phase needs to pave the way for conversions on any screen size. Travel companies need to ensure they have the latest information about their customers to facilitate their recurring transactions. Also, in case a user suffers owing to the Internet infrastructure being slow, then how about cutting down on the number of images downloaded? All these adjustments can go a long way in soothing the concerns of the shoppers. Plus, companies like Adyen are trying to be proactive by working out options to deliver user-related reporting (i.e. providing shopper-level information including shopper ID, card token, etc.). With these details, merchants may be able to precisely predict what a user’s next buy will be, and when and how the purchase will be made.

 

As for making the payment, a consumer today has the right to not even come across payment options (after they share their information once and transaction goes through with the primary card on file).

Also, optimizing for local payment methods is another important consideration. For airlines focusing on the Asia Pacific region, one needs to diligently prepare for diversity in payments. Working on such initiatives features many aspects that go beyond finalizing payment methods, and these include setting up processes and controls (currency management, currency hedging, fraud prevention, and reconciliation and reporting), and compliance (PCI DSS, sensitive data protection, costs and reliability).

Security through tokenization 

Other than UX design, the shopper needs to be assured about security.

As Adyen highlights, everything that a merchant facilitates “behind the screen” (e.g. tokenization of stored payment data, 1-click flows for subsequent purchases, or even use of account updater) should be clear and transparent to the users.

Payment specialists acknowledge that security is of utmost importance; however, the technologies deployed to shield a customer’s data can result in delays at the checkout stage and affect the payment experience -- especially for transactions coming in from remote locations. Progress in this arena is being made in the form of regional cloud support, an initiative that can bridge the gap between an airline and a passenger irrespective of the location. So how would such an initiative help? Given that every second counts, payment specialists are curbing any delay in mobile load times.

For instance, Braintree chose to refine its payment platform with regional cloud support, starting with the US and in Australia in May this year.

Braintree, in a blog post, shared that this will enhance its tokenization offering, which converts sensitive cardholder information into a unique token or digital identifier. The token replaces sensitive payment data and cannot be mathematically reversed, enabling merchants to run payment operations without handling raw payment data. Since a player like Braintree gathers card data directly from the shopper on the merchant’s digital asset, the consumer’s privacy stays protected. Still, there was a need to overcome the issue of increased latency arising in remote locations. In today’s fast paced shopping environment, microsecond latency counts. The transformation of a PAN (Primary Account Number) to a token and back to a PAN needs to be done swiftly, and this shouldn’t have any sort of negative impact on payment processing. With cloud support, the plan is to accelerate the checkout phase and augment the payment experience.
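The PAN-to-token round trip described above can be illustrated with a minimal vault. This is an added example, not Braintree's implementation or API; `TokenVault`, `merchant_record`, the `tok_` prefix and the in-memory storage are assumptions, and the card numbers are the widely published test numbers.

```python
import secrets


def luhn_valid(pan):
    """Luhn checksum used to reject mistyped card numbers before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for the provider-side vault (assumption: a real vault
    is an encrypted, access-controlled service, not a Python dict)."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit()
                and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:
            # Same card, same token, so repeat purchases map to one record.
            return self._token_by_pan[pan]
        # The token is random: there is no function from token back to PAN,
        # only the lookup table held inside the vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Token back to PAN; raises KeyError for a token the vault never issued."""
        return self._pan_by_token[token]


def merchant_record(vault, pan):
    """What the merchant stores: the token and a display hint, never the PAN."""
    token = vault.tokenize(pan)
    digits = pan.replace(" ", "").replace("-", "")
    return {"token": token, "last4": digits[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(vault, "4111 1111 1111 1111")  # test card number
    print("merchant stores:", record)
    print("vault resolves :", vault.detokenize(record["token"]))
```

Every authorization needs the vault lookup in `detokenize`, which is the round trip whose latency the regional deployment is meant to shorten.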

Importantly, the team at Braintree indicated that initial tests show that shoppers in Australia experienced an average speed-up during checkout of about 2.5 seconds. The team explained that it studied the same in an infrastructure production environment – “10 times during 1 minute, the average time for requests made to the Braintree data center and the average time for requests made to its local cloud service”. Plus, this initiative is combined with a new Content Delivery Network (CDN) service, which minimizes possible communication failure rates.

 

Hear from airlines and other industry executives about payment experience optimization at the upcoming 7th Annual Airline & Travel Payments Summit (ATPS), co-hosted with UATP, (4- 6 September 2018 in Phuket, Thailand).

For more click here

Follow Ai on Twitter: @Ai_Connects_Us

 

Ai Editorial: How safe are ecosystems such as Amazon and Alibaba from the threat of ATO?

First Published on 21st June, 2018

Ai Editorial: What makes account takeover an even bigger threat for organizations is that an increasing number of enterprises are building online ecosystems, as well as branching into different services beyond their initial product offering, writes Ai’s Ritesh Gupta

 

Recent media reports of Amazon accounts getting hacked are a disturbing development. Considering how many consumers rely on these ecosystems, and the extent to which they do, the threat of fraud and its implications for the various stakeholders involved need to be assessed.

Plenty is at stake since a single platform can be used to access multiple services.

If we consider an ecosystem such as Tencent’s WeChat, the Chinese company has gone beyond its primary services of messaging and social networking over the years. Mobile wallet, bill pay, P2P transfers, merchant services, ticketing, insurance, wealth management and mutual fund management are among the services that WeChat is associated with. Similarly, the likes of Amazon and Alibaba, too, are proving to be a lucrative option for fraudsters, as a single account on the black market can give fraudsters access to a treasure trove of data, including multiple stored payment methods, bank account information, usernames and passwords. In fact, as highlighted by Sift Science, in May this year an Amazon customer became a casualty when she found in her email a statement for goods that she hadn’t bought. The purchases totaled $1,640. As it turned out, a fraudster had gained access to her account without her permission, and eventually Amazon suffered due to this account takeover (ATO) attempt: it was not a pleasant experience for the customer, and the company’s reputation took a beating.

What makes account takeover an even bigger threat for organizations is that an increasing number of enterprises are building online ecosystems, as well as branching into different services beyond their initial product offering. A case in point is the growth in mobile payment systems, which fraudsters can easily exploit by adding stolen credit cards or making unauthorized transfers of credits from compromised accounts. With a growing connectivity of data, fraudsters can have unparalleled access to multiple services with just one single account. A case to examine is Amazon, where one single account may be used to access multiple services including Amazon Prime, Alexa, cloud storage, music streaming and more. Plus, the company is already expanding and introducing different services. For example, Amazon uses Amazon Pay as a virtual wallet system to be used within the app.

“With a growing connectivity of data in a world of frictionless payments, Amazon is at risk of various fraud scenarios such as having unauthorized transfers of Amazon Pay credits from compromised accounts,” says Justin Lie, CashShield’s CEO. “Once a single account is compromised, it would be difficult to have damage control on all possible endpoints that could benefit the fraudster. For instance, the fraudster could have access to the card-on-file to make purchases, or have access to the user’s information, or worse, in the case of IoT (e.g. Alexa), spy on the users in their homes.”

Dealing with vulnerability 

Fraudsters no longer only make unauthorized payments with stolen credit cards, but are also carrying out promo abuse with the creation of multiple accounts, making unauthorized transfer of funds, and making unauthorized top up of credits.

One way to safeguard such accounts is two-step verification, which requires users to fill in a security code whenever they access an account from a new device. Currently, fraud protection for accounts is still far behind, especially compared to the systems designed to secure payments. Most enterprises rely on static verification measures such as two-factor authentication (2FA) and multi-factor authentication (MFA), but these are easily bypassed by fraudsters (e.g. via SIM hacks or SIM swaps) and create unnecessary friction for users. More must be done to ensure that user accounts are secure from fraud. It is pointed out that many merchants struggle to strike a balance between improving security and maximizing user experience, which is difficult if their only known option is to either deploy 2FA/MFA or not. Rather than using a blanket rule that forces every user to log in with 2FA, real-time surveillance can be used to assess logins in the background, with only logins of borderline risk expected to go through 2FA. This would greatly improve the user experience on the whole, while ensuring that security for accounts is not taken for granted.

Lie recommends that an end-to-end approach is needed to cover it all - to monitor transactions across multiple channels and devices in real time, at every stage of the process. From front-end filters detecting fraudulent logins to machine automation preventing fraudulent purchases and chargebacks through illegitimate account takeovers, these ecosystems must consider deploying sophisticated end-to-end solutions that can cover their bases.

It is time that ecosystems and even other companies make rapid progress since account takeover is indeed occurring more frequently - according to the 2018 Javelin Strategy & Research Report, account takeovers tripled in 2017, which resulted in $5.1 billion in associated losses.

When data breaches occur, consumers have no control. Yet when it comes to account takeovers, customers are told to play an active role in prevention by being vigilant and having complex passwords, even though a data breach would leak all passwords, no matter how complex they are. Lie says it is up to the merchant to adopt stricter security protocols in storing and encrypting their data, to minimize the damage in case of a data breach. Considering that it is impossible to build the perfect defense, merchants could also aim to mitigate the damage done by ensuring that the stolen data cannot be used. One way to achieve this is to deploy real-time active surveillance on every login to filter out potential threats and prevent attackers from gaining unauthorized access to accounts.

 


 

Ai Editorial: Time for airlines to leverage both supervised and unsupervised ML for curbing fraud

First Published on 14th June, 2018

Ai Editorial: Deploying a multi-disciplinary approach combining different technologies - both supervised and unsupervised machine learning (ML) -  would better equip merchants to deal with fraud management, writes Ai's Ritesh Gupta

 

The travel industry needs to dig deeper to understand the efficacy of machine learning and its role in curbing payment fraud as well as the rising issue of account takeovers.

Machine learning often encompasses different types, and simply using one type (predictive analytics) is insufficient.

Supervised machine learning is considered to be a reactive approach to treating fraud. It has contributed to combating fraud to a certain extent, by automating some processes and garnering more data to evaluate, but the industry has to capitalize on real-time machine learning as well.

Without real-time learning, supervised machine learning is unable to forecast and offset unfamiliar fraud attacks, since it is dependent only on the data on previous fraud attacks. Also, these systems can only generate probability scores for each transaction, therefore still involving manual reviews.

Many fraud solutions on the market are built with machine learning, but they are built with only one machine learning model (e.g. Random Forest) and the belief that relying on one model will be sufficient in allowing them to detect and prevent coordinated fraud attacks, says Justin Lie, CashShield’s CEO.

"Most travel e-commerce merchants still rely on this single disciplinary approach, requiring historical data to make correlations and detect anomalies. However, as fraudsters become increasingly sophisticated, using machine learning for their attacks, they can get ahead by flooding systems with so much fake data that they pass through undetected," cautioned Lie.

Lie added, "As such, deploying a multi-disciplinary approach combining different technologies - both supervised and unsupervised machine learning -  would better equip merchants to deal with fraud management. Unsupervised machine learning can be used to learn on the fly and identify fraudulent patterns even without having been trained with historical data, i.e. able to identify unknown fraud attacks. Thereafter, predictive analytics may still be used to run the probabilities of fraud, giving a risk score."

Unsupervised machine learning is able to seek patterns and correlation amidst the new data collected, which helps to identify positive and negative behaviour, and is effective in identifying genuine customers as much as identifying fraudsters. Specialists recommend that pattern recognition, deep learning and stochastic optimization are also necessary for an optimized yes or no decision in real-time.

Making it work

Lie explained how the combination of unsupervised machine learning and supervised machine learning can work best in curbing fraud. He mentioned:

  • Supervised machine learning relies on historical data to predict and prevent further possibilities of fraud based on past fraud. The data set is labelled based on previous observations of fraud, and each record is described as either fraudulent or genuine. With this data set, there is a historical representation of fraud, and transactions can then be classified as fraudulent or not based on these labels. If a fraudster uses a known attack, fraudulent patterns can be identified and the fraud stopped before it happens.
  • As for unsupervised machine learning, the data is unlabelled and the machine looks out for transactions which deviate from the norm. These transactions are classified into clusters, and patterns across these are tracked to determine whether they are indicative of fraud. This new data is then labelled as either fraudulent or genuine. By learning on the fly, unsupervised machine learning is able to detect new forms of fraud and does not rely on historical examples. By analyzing millions of patterns in real-time, it is able to self-learn and recognize new attack techniques, stopping fraud before it happens.
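The two bullets above, as an added sketch that is not CashShield's or any vendor's code: smoothed per-feature fraud rates stand in for the supervised model and a median/MAD outlier test on the amount stands in for the unsupervised one. All records, field names, weights and thresholds are constructed for illustration.

```python
from statistics import median

# Constructed labelled history: (card_country, channel, is_fraud)
HISTORY = [
    ("SG", "web", 0), ("SG", "web", 0), ("SG", "app", 0), ("AU", "web", 0),
    ("AU", "app", 0), ("XX", "web", 1), ("XX", "web", 1), ("XX", "app", 1),
    ("SG", "app", 0), ("AU", "web", 0),
]
# Constructed live, unlabelled traffic: (txn_id, card_country, channel, amount)
LIVE = [
    ("t1", "SG", "web", 220), ("t2", "AU", "app", 180), ("t3", "SG", "app", 250),
    ("t4", "XX", "web", 210),            # known attack pattern, present in the labels
    ("t5", "AU", "web", 240), ("t6", "SG", "web", 195), ("t7", "SG", "app", 230),
    ("t8", "SG", "partner-api", 2600),   # new pattern, absent from the labels
]
PRIOR_WEIGHT = 2            # assumption: strength of the base-rate prior
SUPERVISED_THRESHOLD = 0.5  # assumption
ANOMALY_THRESHOLD = 3.5     # common cut-off for the robust z-score


def train_supervised(history):
    """Smoothed fraud rate per (feature, value), learned from labelled data only."""
    base = sum(row[2] for row in history) / len(history)
    counts = {}
    for country, channel, label in history:
        for key in (("country", country), ("channel", channel)):
            seen, fraud = counts.get(key, (0, 0))
            counts[key] = (seen + 1, fraud + label)
    rates = {key: (fraud + base * PRIOR_WEIGHT) / (seen + PRIOR_WEIGHT)
             for key, (seen, fraud) in counts.items()}
    return {"base": base, "rates": rates}


def supervised_score(model, country, channel):
    """Highest learned fraud rate among the features; unseen values get the base rate."""
    rates, base = model["rates"], model["base"]
    return max(rates.get(("country", country), base),
               rates.get(("channel", channel), base))


def anomaly_scores(amounts):
    """Unsupervised: robust z-score (median and MAD) of each amount; no labels used."""
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 1.0  # guard against a zero MAD
    return [0.6745 * abs(a - med) / mad for a in amounts]


def screen(history, live):
    """Run both checks over the live traffic and report which one fired per transaction."""
    model = train_supervised(history)
    z_scores = anomaly_scores([row[3] for row in live])
    results = {}
    for (txn, country, channel, _), z in zip(live, z_scores):
        results[txn] = {
            "supervised": supervised_score(model, country, channel) >= SUPERVISED_THRESHOLD,
            "unsupervised": z >= ANOMALY_THRESHOLD,
        }
    return results


def feed_back(history, live, results):
    """Add transactions caught only by the unsupervised check to the labelled history.
    Assumption: in practice the label is confirmed by review before it is stored."""
    new_labels = [(country, channel, 1) for (txn, country, channel, _) in live
                  if results[txn]["unsupervised"] and not results[txn]["supervised"]]
    return history + new_labels


if __name__ == "__main__":
    outcome = screen(HISTORY, LIVE)
    for txn, flags in outcome.items():
        print(txn, flags)
    retrained = train_supervised(feed_back(HISTORY, LIVE, outcome))
    print("partner-api after feedback:", supervised_score(retrained, "AU", "partner-api"))
```

The supervised check alone passes `t8` because nothing in the labels resembles it; once the anomaly is fed back as a label, the retrained rates flag the new channel even for an ordinary-looking amount.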

Blend of big data and machine learning

The combination of big data and machine learning allows more effective fraud prevention. Big data is first used to garner details about the user’s behaviour on the website (e.g. the movement of the mouse), which is combined with machine learning. Pattern recognition is used to profile this user's behaviour and match it with either authentic or fraudulent behaviour. Along with this, predictive analytics comes into play to record the positive/negative behaviour and apply it to future transactions to look for probable signs of fraud. Finally, an optimized fraud risk algorithm is relied upon to decide whether or not to accept a transaction based on calculated risks, to best optimize sales while controlling fraud and chargeback rates.

"Big data allows for more data collected - but relevant data is more important than collecting more data. Collecting data from the merchant’s website and behavioral data beyond payment data will be useful for analysis on the user’s behavior - whether good or bad," mentioned Lie.

A transaction may be sliced into multiple data points, where it may then be combined with real-time machine learning to match patterns through the permutations and combinations of the data points, as well as to identify when fraudsters make micro-changes between transactions (such as changing the device from iOS to Android between transactions to seem like the transactions come from a different source). As it turns out, most systems are still relying on a single disciplinary approach, and a multi-disciplinary approach that combines big data, predictive analytics and real-time machine learning would be more effective in detecting coordinated fraud attacks, recommended Lie.

Act and take charge

Travel merchants need to defend themselves adequately by using machine learning, and at the same time there needs to be reliance on rules and the human component (intervention and feedback) as well.

Merchants should learn to discern and understand the different types of machine learning, and be sure to know if the fraud solution uses only predictive analytics or covers more bases with more than one kind of machine learning. Machine learning technologies are yet to be commonly deployed to secure accounts, even though machine learning, especially real-time machine learning, can be applied to account protection.

Lie concluded with a word of caution for merchants: Many merchants are also still reliant on manual reviews, which means that even if they were able to improve their machine learning algorithms and systems, they would always still be held back by the end process of manual reviews and human errors.

 


Ai Editorial: How to stop fraud rings from using stolen or synthetic identities?

First Published on 29th May, 2018

Ai Editorial: The issue of identity theft or payments fraud isn’t new. But the functioning of fraud rings, in which fraudsters band together in organized groups, continues to get sophisticated, writes Ai’s Ritesh Gupta.  

 

Merchants are used to enticing online shoppers on their digital platforms, letting them select their preferred product via filters, visualize their shopping cart and eventually wrap it up via a frictionless check-out process. Now imagine the merchant being an illegitimate seller of stolen credit card details and extending the same shopping experience on the dark web! The nexus of fraud rings and their way of functioning is streamlining the sale of credit cards and other associated information for $10 or so. Specialists point out that a sense of security is the worst possible sign that the likes of airlines and other travel merchants can hang on to.

Continuous and a bigger threat

The team at Riskified highlights two pertinent points related to fraud rings. First, at the end of the day no entity is safe from the assault of fraud rings. Second, these groups “tend to strike big, and have access to technology and resources that are unavailable to solo or less professional fraudsters”. From automated bot attacks to organized account takeovers, fraudsters are working out new ways to dupe and that too at a rapid pace.

As for one of the routes chosen to dupe genuine customers, these fraud rings find a way to verify fraudulent transactions by contacting the phone/mobile service provider to swap a victim’s phone number onto a new SIM card the scammers own. Criminal cases have indicated that fraudsters have spotted a major vulnerability in the way banks are using their customers’ mobiles to identify them. (A couple of days ago one such case emerged in the U.K., where a victim had his £17,000 mortgage deposit cleared out of his bank account as fraudsters managed to move his number onto a new SIM.) Such incidents indicate fraud rings have access to detailed information about victims, possibly via data breaches or from the dark web, gaining batches of credit card numbers, complete with CVV, expiration date etc. So the stakeholders involved need to go for a stringent authentication mechanism. As for how fraud specialists like Riskified are helping retail companies, they observed that such transactions feature first-time customers and were initiated using a particular phone carrier and a relatively small and uncommon ISP. There is a way to turn down all resulting fraud bids without impacting authentic orders.

Synthetic identity fraud

Another alarming trend as far as fraud rings are concerned is synthetic identity fraud. This type of fraud doesn’t involve taking over existing identities; it emerged as financial institutions improved how they prevent and detect traditional identity fraud, which forced fraudsters to nurture synthetic identity fraud. It is initiated by using a blend of fake information, such as a fictitious name, along with real data, to set up fraudulent accounts. For instance, the Social Security numbers (in the U.S.) that get targeted most are ones that are infrequently used, or that belong to people who are less likely to use their credit actively. Scammers set up such fake identities using potentially valid Social Security numbers with wrong personally identifiable information (PII). So there could be a real address and the Social Security number may seem authentic, but the number, name, and date of birth do not match any one person.

A major problem is the fact that it often is not identified as fraud and the crime can go undetected for an indefinite period. Criminals and other fraudsters rely in large part on the credit reporting system to create and use these synthetic identities.

The account can remain active, and fraudsters may capitalize on credit line increases and enhanced credit standing. Finally they max out the credit line and vanish without a hint. For those who get or potentially could get impacted, synthetic identity fraud isn’t easy to identify and prevent. According to a report released last year by the United States Government Accountability Office, banks can lose an estimated $50-$250 million in a year from synthetic identity fraud-related unpaid debt. The report also highlighted that fraudsters exploit credit bureau procedures to improve their credit history by getting legitimate credit users to act as accomplices and add synthetic identities as “authorized users” on accounts in good standing. Over a period that can span months and years, identity thieves may make small charges and clear them, too. This way they set up a decent credit score and gain higher credit limits. In the end, they typically charge the maximum amount on credit cards for transactions such as airline tickets, and this stage is known as the “burst out”.

The industry is on the lookout for astute tools to detect and prevent this type of fraud. Advanced data analytics and biometrics are being recommended as solutions for the same.

Key takeaways to curb the activity of fraud rings:

  • Focus on how devices and accounts are connected in order to competently unearth the activity of fraud rings. Device behavior analytics includes transactions from TOR, high-risk locations, IPs, and ISPs, as well as geo-location, IP address, and time zone mismatches etc.
  • Investigate anything that seems unusual or suspicious.
  • Explore how collaboration, such as a cross-industry approach or contributing to fraud intelligence, can help law enforcement identify, investigate and prosecute fraud.
  • How can unsupervised machine learning play its part in ascertaining correlations and linkages to find fraud rings? How can the combination of unsupervised and supervised machine learning help? How are specialists evaluating unconventional data points, integrating different data streams (structured, unstructured, real-time etc.) and relying on machine learning models to curb the threat of fraud rings?
  • Include analytical details about uncommon conduct and usual trends as features in the technical fraud detection procedure.
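The first takeaway, linking accounts through the devices and IPs they share, can be sketched as a connected-components pass over order records. This is an added example, not code from Riskified or any vendor named here; the records, field names and the `min_accounts` threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample orders: (account, device_id, ip). IPs are documentation ranges.
ORDERS = [
    ("acct-01", "dev-aa", "203.0.113.10"),
    ("acct-02", "dev-aa", "203.0.113.11"),  # shares a device with acct-01
    ("acct-03", "dev-bb", "203.0.113.11"),  # shares an IP with acct-02
    ("acct-04", "dev-cc", "203.0.113.11"),  # shares an IP with acct-02 and acct-03
    ("acct-05", "dev-dd", "198.51.100.7"),  # not linked to anyone
    ("acct-06", "dev-ee", "198.51.100.8"),
    ("acct-07", "dev-ee", "198.51.100.9"),  # pair on one device, e.g. a household
]


class UnionFind:
    """Disjoint-set structure used to merge nodes that belong to one linked group."""

    def __init__(self):
        self.parent = {}

    def find(self, node):
        self.parent.setdefault(node, node)
        while self.parent[node] != node:
            # Path halving keeps lookups cheap on long chains.
            self.parent[node] = self.parent[self.parent[node]]
            node = self.parent[node]
        return node

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def linked_clusters(orders, min_accounts=3):
    """Group accounts connected through any shared device or IP.

    Returns clusters with at least `min_accounts` accounts, largest first,
    each with the devices and IPs that tie it together.
    """
    uf = UnionFind()
    for account, device, ip in orders:
        # Typed node names keep an account id from colliding with a device id.
        uf.union(("acct", account), ("dev", device))
        uf.union(("acct", account), ("ip", ip))

    groups = defaultdict(lambda: {"accounts": set(), "devices": set(), "ips": set()})
    for account, device, ip in orders:
        group = groups[uf.find(("acct", account))]
        group["accounts"].add(account)
        group["devices"].add(device)
        group["ips"].add(ip)

    clusters = [g for g in groups.values() if len(g["accounts"]) >= min_accounts]
    return sorted(clusters, key=lambda g: len(g["accounts"]), reverse=True)


if __name__ == "__main__":
    for cluster in linked_clusters(ORDERS):
        print(sorted(cluster["accounts"]), sorted(cluster["devices"]), sorted(cluster["ips"]))
```

Shared IPs also occur behind carrier NAT, offices and airports, so a cluster is a lead for the investigation step in the next takeaway rather than a verdict on its own.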

 


 

Ai Editorial: Why consumers are proving to be the weakest link in ATOs?

First Published on 4th May, 2018

Ai Editorial: The level of awareness about hacking and data breaches has gone up, but a feeble approach towards password management is paving way for hackers to steal confidential information, writes Ai’s Ritesh Gupta

 

Coming to grips with the issue of account takeover (ATO) isn’t a straightforward task, and a major reason behind the same is poor password hygiene.

Consumers are proving to be the weakest link in the fight against ATO fraud. According to the findings of a recent analysis, initiated by password management specialist LogMeIn’s LastPass, nothing much has changed over the last two years when it comes to the creation and handling of passwords. This is important, as password stealing means all account-based online services are under threat.

The level of awareness about hacking and data breaches has gone up, but a feeble approach towards password management is paving the way for hackers to steal confidential information. In their Psychology of Passwords research, LogMeIn has referred to the following traits of individuals representing society at large and explains why people are falling short of taking action:

The issue of same passwords: The majority of the 2000 respondents have between one and 20 online accounts for work and personal use. When it comes to password creation, nearly half indicate there is no difference in the passwords created for these accounts. This attribute is dangerous and helps hackers do their job. Let’s say a customer has an account with both Starbucks and Lufthansa. If there is a data breach at Starbucks, then even though Lufthansa hasn’t faced any attack and is safe from that perspective, a user who happens to use the same login credentials for both companies has credentials that are vulnerable to illegitimate use at other places. The fear of forgetfulness is the major reason behind using the same password for multiple accounts. Despite being aware of the security risks owing to weak passwords or even breaches, people tend to avoid any action. They stick to the same passwords and don’t change them often. Even the millennials, a group supposedly well-versed in technology, mostly reuse passwords because of the fear of forgetting and commonly use a variation of 1-2 passwords they can remember.

On the positive side, according to the same study, more users are opting for more secure password storage and automated password resets to overcome the anxiety of failing to recall.

 

Onus on merchants 

The scale and sophistication of breaches is ascending, and this is resulting in more ATOs. These takeovers are increasingly performed at scale by bots, as well as manually. Hackers work on scripts that try out different groupings of stolen usernames plus probable passwords across numerous websites and apps, until they find a way in. Travel e-commerce companies suffer owing to chargebacks, loyalty fraud, resources spent on resolving issues etc. Companies like Google highlight that enterprising hijackers are persistently looking for, and are able to gain access to, a plethora of platforms’ usernames and passwords on black markets.

Specialists such as Sift Science recommend that airlines and other travel companies be proactive, especially considering that “everyone’s credentials have already been compromised”. The company recommends the following measures:

  • Work out planned evaluation of models and rules to ensure they are updated once bad signals are uncovered.
  • Keep on informing and educating customers about the significance of passwords. There might not be anything new in these instructions, but emphasizing the importance of strong passwords can nevertheless help: for instance, constructing unique passwords that include a sequence of upper and lowercase letters, numbers and special characters, and directing users not to re-use the same passwords. The database of passwords needs to be secure, too.
  • Create awareness about the root cause of ATOs: fraudsters get access to stolen credentials from a number of sources. These include:
      • Data breaches, with the credentials sold on the dark web
      • Phishing with fake websites
      • Malware, trojans, spyware
      • Social engineering
      • Hijacking a mobile device
  • Stringent verification: Keep a vigil on aspects like IP, cookie, device ID, session history, event velocity, and key-logging. In case there is a sign-in from a device a user hasn’t used or a location that isn’t associated with an account, companies need to seek additional information before allowing access to accounts. Verification is a blocking event: once sent, the respective activity (login or another) cannot proceed until the verification is successfully completed. Dynamic challenges feature two-factor authentication on all doubtful logins, while allaying the danger of account lockout.
  • Looking beyond passwords: Airlines need to look for more protections beyond just passwords. The claim of owning an account needs to be handled carefully. Machine learning comes in to understand the user behavior. Advancements in computing and big data power, as well as the growing prominence of API-based machine learning solutions, mean that machine learning is emerging as a scalable method to grow without increasing risk. It identifies patterns in data that aren’t spotted by humans. So this can result in fewer false positives and false negatives.
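The "stringent verification" item above, together with the earlier editorial's point that only borderline-risk logins should go through 2FA, can be sketched as a scored login check with a blocking step-up. This is an added example, not Sift Science's or any vendor's code; the signal weights, thresholds and sample values are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    CHALLENGE = "challenge"  # blocking step-up: the login waits for a second factor
    BLOCK = "block"


@dataclass
class AccountHistory:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    failed_logins: list = field(default_factory=list)  # epoch seconds, recorded by the caller


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    timestamp: int
    has_session_cookie: bool


# Constructed weights and thresholds (assumptions, to be tuned on real traffic).
WEIGHTS = {"new_device": 35, "new_country": 30, "no_cookie": 10, "velocity": 40}
CHALLENGE_AT, BLOCK_AT = 30, 80
VELOCITY_WINDOW_S, VELOCITY_LIMIT = 300, 5


def risk_signals(attempt, history):
    """Return the names of the risk signals this login attempt raises."""
    signals = []
    if attempt.device_id not in history.known_devices:
        signals.append("new_device")
    if attempt.country not in history.known_countries:
        signals.append("new_country")
    if not attempt.has_session_cookie:
        signals.append("no_cookie")
    recent_failures = [t for t in history.failed_logins
                       if 0 <= attempt.timestamp - t <= VELOCITY_WINDOW_S]
    if len(recent_failures) >= VELOCITY_LIMIT:
        signals.append("velocity")
    return signals


def assess(attempt, history):
    """Score the attempt and map the score to allow, challenge or block."""
    signals = risk_signals(attempt, history)
    score = sum(WEIGHTS[name] for name in signals)
    if score >= BLOCK_AT:
        return Decision.BLOCK, score, signals
    if score >= CHALLENGE_AT:
        return Decision.CHALLENGE, score, signals
    return Decision.ALLOW, score, signals


def complete_login(attempt, history, second_factor_ok=False):
    """Grant or refuse the session; a challenge blocks until the factor verifies."""
    decision, _, _ = assess(attempt, history)
    if decision is Decision.BLOCK:
        return False
    if decision is Decision.CHALLENGE and not second_factor_ok:
        return False
    # Only a fully verified login teaches the system a new device or location.
    history.known_devices.add(attempt.device_id)
    history.known_countries.add(attempt.country)
    return True


if __name__ == "__main__":
    history = AccountHistory({"dev-A"}, {"SG"}, [])
    print(assess(LoginAttempt("dev-A", "SG", 1000, True), history))
    print(assess(LoginAttempt("dev-B", "SG", 1000, False), history))
```

Given the SIM-swap bypass mentioned in the ATO editorial, the factor behind `second_factor_ok` is better an authenticator app or hardware key than an SMS code.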

 

For Ai’s 2018 Events, check - www.aieventdates.com


 
