Ai Editorial: As trust around “personal data” wanes, hopes hinge on a stringent regulation

First Published on 21st March, 2018

The uproar about the reported “data breach”, featuring Facebook and Cambridge Analytica, a political data analytics entity, has raised concerns around the handling of “personal data”, writes Ai’s Ritesh Gupta  

 

Trust in the way personal data is being managed has taken a beating over the past few days, following reports about how data featuring “Facebook users” was used to target political ads, mainly to help then-U.S. presidential contender Donald Trump forecast and tilt choices in his favour at the ballot box. According to a report by Reuters, Scott Vernick, a partner and an expert in privacy and data security at the Philadelphia law firm Fox Rothschild, said that Facebook “lost control of the data and wasn’t adequately monitoring what third-parties were doing”. Facebook stated that people knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked. Even though Facebook has defended its position, the impact of GDPR, or General Data Protection Regulation, on organizations of Facebook’s stature, as well as on the way personal data is collected and managed, is coming to the fore. This regulation places greater emphasis on consumer consent and transparency in the collection and use of personal data.

As we highlighted in one of our recent articles, travel e-commerce companies have been assessing their existing level of data protection compliance, as GDPR comes into force on 25th May this year.

Data being illegally acquired and used

The impact of this regulation would be extensive, as it applies not just to entities based in Europe, but to any organization that holds or processes personal data of individuals residing within the European Union (EU).

The fact that the ICO (Information Commissioner’s Office), the UK’s independent body set up to uphold information rights, is looking at investigating the use of personal data for political campaigns (with reference to the acquisition and use of Facebook data by Strategic Communication Laboratories, Dr. Aleksandr Kogan, a psychology professor at the University of Cambridge, and Cambridge Analytica) shows that organizations need to ensure that they don’t get embroiled in any controversy pertaining to data being illegally acquired and used. Elizabeth Denham, Information Commissioner, stated that it is important that the “public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy”.

Considering that businesses have to keep a vigil on possible criminal and civil enforcement actions owing to any irregularity, it is better to gear up for a regulation like GDPR in an earnest manner. So it would be better to study budgetary, IT, personnel, governance and communications implications of GDPR at this juncture. This would mean businesses not only defend themselves against any potential fine or penalty, but they also ensure the trust of their customers doesn’t get broken.

Time to embrace accountability

There is a checklist for data controllers and data processors.   

Certain companies are going to process personal information as both a controller and a processor. So in such cases it is recommended that they complete the required assessments, both for a controller as well as a processor.

According to the ICO, organizations might as well get into the details of the new regulation, and how the same would potentially affect their business model and accordingly work on the planning process.

Some of the areas that travel e-commerce companies can dwell on are:

  • Senior management needs to be aware that the law is changing to the GDPR, and preparing in a diligent manner could help them to be accountable possibly for other regions, too.
  • Be in control of what personal data an organization holds, its source and, if it is going to be disclosed to other parties/ partners, who they are.
  • Clarify and account for the basis for processing the data, and the period for which the same is going to be retained.
  • Be aware of an individual’s rights. According to the ICO, in case of the GDPR, rights for individuals include the right to be informed; the right of access; the right to rectification; the right to restrict processing etc.
  • Be ready to effectively detect, report and investigate a personal data breach.

Before organizations commit any error, knowingly or unknowingly, it would be better to dig deeper into the way personal data is being collected, the source, the processing etc. to ensure they are in control of the situation. And a regulation such as GDPR could well prove to be a new benchmark in areas such as training employees about the new regulations and impacts on data handling and breach notification. GDPR has come at a stage when there is a lack of trust among customers (concerns about privacy, lack of trust in brands among the most etc.). It is also expected to raise awareness among customers about data collection and eventually would encourage them to trust brands.

  

Hear from experts about GDPR at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year (9-11 April, 2018).

For Ai’s 2018 Events, check - www.aieventdates.com

Follow Ai on Twitter: @Ai_Connects_Us

 

 

Ai Editorial: Is machine learning showing e-commerce the “money”?

First Published on 13th March, 2018

Ai Editorial: Be it for having a bigger say in the inspiration phase or coming up with relevant recommendations on a mobile device in real-time or improving the conversion rate, machine learning is playing a bigger role than ever, writes Ai’s Ritesh Gupta

 

Airlines are finding ways to have a bigger say in the booking funnel, and one critical way to bolster the same is via machine learning, a technology where computers identify patterns in data.

What it essentially means is airlines are taking a comprehensive look at all user activity on their digital assets and then acting on the resulting data to eradicate hurdles in the shopping journey. For instance, how to single out a real shopper who is about to complete a transaction from a fraudster who is trying to trick the system and commit a fraudulent activity? Another area is how to come up with a recommendation about a trip that in all probability would garner the attention of the traveller and get them close to completing a booking on airline.com. So from the early part of the booking funnel to the closing stages of a transaction, machine learning is playing its part in a deeper way than ever.

Here we look at a couple of areas that can result in better control over the passenger experience:

Inspiration phase: It is being highlighted that inspiration leads to conversion. As LikeWhere states, airlines facilitating travellers in the inspiration and planning phase will be best positioned at the booking phase. So rather than offering loads of content, build on a layer of intelligence and display destination images, videos etc. as per the trip motive, lifestyle preferences etc.

Of course, for this airlines need to focus on 1st party data. Carriers, too, realize that they can capitalize on the richness and size of data sets quite unique to their own organization. The ideal situation would be to generate enough data within your own user ecosystem to truly understand where and why people are planning to travel. “Once you have user-specific data, you can understand the purchase journey and also what to recommend. Once you work on a profile of a user, you can understand travel habits and accordingly recommend something relevant, contextual,” points out Gillian Morris, CEO, Hitlist. When it comes to recommending, a way to build affiliation is by focusing on personalizing destination discovery. Here machine learning contributes by letting airlines match locations with the lifestyle preferences of their customers. The key here is to deliver a nuanced recommendation, to “humanise” the available data. As for what to recommend or what to consider before offering something to the traveller, Morris says, “People aren’t going to a destination, they’re going on a trip. In addition to destination and price, equally important are timing (say weekend vs. weekdays) and social context (family, individual, colleagues etc.).”

If airlines don’t act fast (on their own or by integrating their interface with a machine learning specialist), then they are bound to lose. Why? Because Google, Facebook etc. are in an advantageous position, just like Alibaba and Tencent in China. And then online travel groups like Ctrip.com are getting more sophisticated with every passing day. For instance, the team at Trip.com, the Palo Alto, California-based company acquired by Ctrip late last year, is counting on their predictive artificial intelligence (AI) to understand various traits of a traveller - personality, interests, style and budget. So what attracted Ctrip to Trip.com? Travis Katz, Trip.com’s co-founder and CEO, referred to the predictive AI technology behind recommendations for travel, based around a bunch of contextual signals, and an engaged community, which has contributed content that complements the core technology.

(Read how JetBlue is capitalizing on artificial intelligence for trip planning (via partnership with Utrip, a destination discovery and planning platform that helps in crafting a personalized, hour-by-hour vacation itinerary) and a lot more).

Monetization: Companies like LikeWhere assert that by engaging right from the inspiration phase, airlines can go for a fruitful association in the form of monetizing clicks. “Once we establish certain parameters with a customer we use machine learning to add value, through informing more contextual recommendations. Our product (recommendation engine) enables airlines to begin their customer lifecycle earlier in the inspiration phase which positions them for the booking/ancillaries – that’s where the monetization is,” says Matt Walker, Chief Storyteller at LikeWhere.

By preparing to serve content in an earnest manner, airlines can also benefit from a deeper association that goes beyond air and air-ancillaries. For instance, if an airline knows a traveller is in the middle of a trip (better if the passenger booked the flight itinerary with them), then they can use contextual signals provided by a mobile device to come up with recommendations. So for example, at 8AM the app knows you are most likely looking for breakfast or coffee, and can show you things nearby versus 9PM where it understands you are either looking to go out or plan your next adventure, and adapts the content accordingly. Similarly, if it’s raining where you are, the app understands this, and recommends things to do indoors. These are all signals that are taken into account. And the ideas are offered in real-time.

Improving the conversion rate and managing fraud: If airlines adopt a risk-averse approach to managing card-not-present fraud, then sales can suffer tremendously. Limitations of the traditional rule-based fraud offerings and reliance on manual reviews are coming to the fore. With machine learning, the system understands when to skip rules when positive behaviour is detected. Moving towards machine learning allows airlines to remove all these unnecessary rules that would have otherwise blocked genuine customers. The combination of big data and machine learning allows more effective fraud prevention.

With data, including a set that is garnered from airlines, specialists focus on signals that aren’t just related to transactions, but also related to buying pattern, post booking behavior etc. Specialists churn the data through various permutations and combinations to identify potential fraud patterns that may be left behind by fraudsters, who have made micro-changes between transactions in one coordinated fraud attack to trick the system. Using real time pattern recognition, even micro-changes can be proactively identified and tagged to the same fraud pattern group. The data that Sift Science leverages includes attributes associated with the identity of a user, behavioral data (browsing patterns, keyboard preferences etc.), location data, device and network data, transactional data, decisions (business actions taken), 3rd party data (geo data, currency rates, social data etc.) plus custom data that is specific to a particular merchant. So the purpose of maximizing legitimate transactions as well as avoiding fraudulent transactions is being served by machine learning.

 

Hear from experts about machine learning and e-commerce at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year (9-11 April, 2018).

Ai Editorial: How is your GDPR transformation process coming along?

Ai Editorial: General Data Protection Regulation or GDPR compliance is a complex journey. It demands enterprise-wide introspection, be it for keeping a tab on the use of personal data or breach prevention or training of employees, writes Ai’s Ritesh Gupta

 

Travel e-commerce companies have been assessing their existing level of data protection compliance, as GDPR comes into force on 25th May this year. The impact of this regulation would be extensive, as it applies not just to entities based in Europe, but to any organization that holds or processes personal data of individuals residing within the European Union (EU).

What makes meeting compliance challenging is the fact that there is no silver bullet and there is no shortcut to being GDPR compliant. For instance, security experts can help in ensuring the unprotected PII data is identified, whereas marketing technology specialists would look at how personal data is being used and how to put in place registered consent when accessing customer data.

The travel industry will be impacted due to the large volume of personal and sensitive data it processes about travellers.

The regulation, which places greater emphasis on consumer consent and transparency in the collection and use of personal data, impacts those entities engaged in administering/ managing personal data within the EU or the European Economic Area (EEA). There are more aspects to the impact of GDPR on travel organizations, including offering services to citizens in this area, scrutinizing the conduct/ behavior of people as part of data strategy etc. Going deeper, organizations within Europe that are associated with or avail the services of 3rd party companies based outside of the EU/ EEA have to ensure their partners/ vendors comply with GDPR, including when acting on behalf of these businesses. To summarize, this regulation impacts data controllers (garner data) and data processors (process data on behalf of a data controller). In November last year, law specialist firm Axiom indicated that global companies had millions of contracts that needed to be identified and remediated by May 2018, at a cost of over $1.06 billion, referring to contracts between controllers and processors.

One way to evaluate the significance of the European Union’s GDPR is to look at what failure on the part of an organization to meet the requisite compliance can lead to. It can result in bad PR plus a hefty penalty, too. It can touch an upper limit of €20 million or 4% of annual global turnover – whichever is higher. But more importantly, in terms of being data-centric and connecting the dots along a traveller’s entire journey, it offers an even bigger opportunity. Here are a few aspects that are being discussed as of today:

  • Impact on the ownership of data: Before delving into how the GDPR impacts companies focused on data, the definition of personal data needs to be understood. It isn’t only about conventional personally identifiable information, say a name or an email id. Rather it also features identifiers that may, when combined with other data, identify an individual. Of course, airlines are getting used to this definition of personal data. Businesses have been keen on counting on any signal or identifier that helps them to stitch a profile and know the preferences/ behavior of their customers. So this new ruling will definitely have an impact on how travel companies collect, manage, and store personal data. Considering that we are in the era of a single view of passengers/ travellers, one in which airlines are looking at what’s happening across a user’s every search, what they browse, their booking and journey, airlines need to re-examine the way they manage data, and plan for new processes and technologies enabling the consumer’s right to “own” their data. GDPR is not only about winning the trust of customers, but it is also having an impact on enterprise-wide functioning. In fact, GDPR is fuelling the drive towards digital transformation. It is also a way to better compete with data-rich ecosystems or companies, be it Alibaba, Google, Facebook etc.
  • Winning over the trust of customers: GDPR has come at a stage when there is a lack of trust among customers (concerns about privacy, lack of trust in brands among the most etc.). Plus companies are also pursuing personalization in a big way. But for this to work, data is of paramount importance and consumers won’t share data with companies they don’t trust. GDPR will raise awareness among customers about data collection and eventually would encourage them to trust brands. Expect competition to go down from companies that mishandle/ misuse data. Also, rather than considering security and customer experience separately, this development paves the way for a more holistic view of the customer experience.

Readiness

GDPR compliance is a complex journey. A couple of areas that demand attention include keeping a close tab on the use of personal data and breach prevention.

  • Personal data: According to NGDATA (which conducted a webinar this week, titled “Maximize the value of customer data within the boundaries of GDPR”), there is a need to be aware of registered consent when accessing customer data (so for data coming from any touchpoint and system, the related computation or processing of data is to be done in sync with consent; assess how the data is being used, what data is being used and for how long that data can be used), address data audits in a speedy, exhaustive manner (say who has been accessing data) and ensure there is consent across all touchpoints (including integration with consent registration databases).
  • Breach prevention: It becomes extremely important for airlines to come to grips with their technical and organizational security measures, and appraise their respective cyber insurance policies to ensure they sufficiently cover the costs of a data breach. It is also being highlighted that the regulation requires data controllers to inform their national regulator of a data breach within 72 hours of discovering it, “if the breach is likely to result in a risk to the rights and freedoms of individuals.” As highlighted by Foregenix, the potential fines suggest that “any form of negligence or poor governance where data breaches are concerned is likely to prove extremely costly. And that's without factoring in the cost of legal representation to defend your position”.
  • Being responsible: It is vital to train and educate employees about the new regulations and impacts on data handling and breach notification, and every individual has a responsibility to ensure their role doesn’t contribute to the leakage of PII. According to Foregenix, being aware of what data a business requires, how it is used and how it flows around the organization will be essential for achieving and maintaining compliance with GDPR. Also, security awareness training modules including one for GDPR can help in preparing the whole team.

 

Ai Editorial: Blacklists and fraud prevention - not an ideal match for sure

First Published on 27th February, 2018

Ai Editorial: Blacklists rarely work because hackers will never use the same credit card information twice, while whitelists are inaccurate since whitelisted customers can be compromised anytime, writes Ai’s Ritesh Gupta

 

The introduction of new fraud prevention methods is keenly followed in the travel e-commerce sector. Cutting down on the vulnerability, be it for data breaches or friendly fraud or card not present fraud (CNP), is high on the agenda of travel merchants.

On the flip side, if the fraud prevention strategy ends up being too defensive, then the predicament of blocking genuine customers surfaces. One area that needs attention is the usage of blacklists.

The rejection of legitimate travel shoppers is indeed a big issue, especially considering the fragmented nature of shopping in this category which tends to culminate after heavy research spanning over multiple sessions in case of a typical holidaymaker. And from the customer experience or conversion perspective, if such rejection takes place on airline.com then it would mean losing out on the shopper after battling for the same with OTAs, meta-search engines etc.!

A case in point: a Singapore-based traveller, who is a tennis enthusiast, intends to visit San Francisco. He has finalized his trip and is keen on shopping for tennis-related goods. He decides to get them delivered to the hotel in San Francisco he has chosen to stay at. Why? Because he would save on shipping-related expenditure by choosing this option. So what might have been a crucial item on the to-do list of a holidaymaker’s much-awaited trip simply gets ruined due to an inefficient fraud detection system. Specialists point out that such authentic buyers can suffer and their orders do get declined as certain shipping addresses can pose glitches for fraud review systems. As it turns out, a number of seemingly dissimilar orders all being shipped to a particular address can be considered to be an aberration. And if one bad or illegitimate order is shipped to one such property, then this address might end up being marked on a blacklist.

Dealing with the issue of blacklists

Spotting suspicious shoppers and keeping them at bay by evaluating all the transaction details and adding them to a blacklist isn’t a new practice. This is generally done for cases where a merchant had to face a chargeback, and to block such shoppers again, they are blacklisted and prevented from placing another order in the future.

But such initiatives, where businesses are even automating blacklists, i.e. defining rules to automatically block suspicious attempts, need to be looked at closely. It could mean declining a genuine transaction from the same email or IP address that had been marked in the blacklist previously. In such a scenario, filters keep a tab on a transaction’s legitimacy by scrutinizing and inspecting a traveller’s IP address, location/ area, credit card number, e-mail id etc. So how is this method failing? If one email id is debarred, there is no guarantee that a fraudster can’t find a way around it. This is because a fraudster can amend it to a permutation that isn’t identifiable. For example, in case of Hotmail, users can add a period anywhere in the email address. The average blacklist isn’t able to spot that [email address], [email address] and [email address] are all the same email address. It is quite common to create a similar-looking email address and circumvent the controls enforced by a system.
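An added example, not part of the original editorial: a blacklist lookup that compares canonical forms of an e-mail address, so that period and letter-case variants of a blacklisted address still match and orders can be linked by the same key. The domain names, the set of dot-insensitive domains, the order ids and all helper names are constructed assumptions; which providers actually ignore periods has to be verified per provider.

```python
"""Canonicalise e-mail addresses before blacklist matching and order linking."""

# Assumption: domains whose mail system ignores periods in the local part.
# "dotless-mail.example" is a constructed placeholder, not a real provider.
DOT_INSENSITIVE_DOMAINS = {"dotless-mail.example"}


def canonical_email(address, dot_insensitive=DOT_INSENSITIVE_DOMAINS):
    """Return a comparison key for an address, or None if it is malformed.

    Case is folded for both parts (an assumption that holds for most
    consumer mail providers); periods are removed from the local part only
    for domains listed as dot-insensitive.
    """
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    local = local.lower()
    if not sep or not local or not domain:
        return None
    if domain in dot_insensitive:
        local = local.replace(".", "")
        if not local:          # the local part consisted only of periods
            return None
    return f"{local}@{domain}"


class EmailBlacklist:
    """Keeps both the raw entries and their canonical keys for comparison."""

    def __init__(self, entries=()):
        self._raw = set()
        self._canonical = set()
        for entry in entries:
            self.add(entry)

    def add(self, address):
        self._raw.add(address)
        key = canonical_email(address)
        if key is not None:
            self._canonical.add(key)

    def naive_hit(self, address):
        """Exact string match, the behaviour the text says is easy to evade."""
        return address in self._raw

    def canonical_hit(self, address):
        """Match on the canonical key, so equivalent spellings are caught."""
        key = canonical_email(address)
        return key is not None and key in self._canonical


def link_orders(orders):
    """Group order ids by canonical e-mail key (unparseable ones together)."""
    groups = {}
    for order_id, email in orders:
        key = canonical_email(email) or "<unparseable>"
        groups.setdefault(key, []).append(order_id)
    return groups


# Constructed sample orders: three spellings of one mailbox on the
# dot-insensitive domain, and two distinct mailboxes on a strict domain.
ORDERS = [
    ("A-1001", "jane.doe@dotless-mail.example"),
    ("A-1002", "janedoe@dotless-mail.example"),
    ("A-1003", "J.a.n.e.Doe@Dotless-Mail.example"),
    ("A-1004", "jane.doe@strict-mail.example"),
    ("A-1005", "janedoe@strict-mail.example"),
]

if __name__ == "__main__":
    blacklist = EmailBlacklist(["jane.doe@dotless-mail.example"])
    for order_id, email in ORDERS:
        print(order_id, email,
              "naive:", blacklist.naive_hit(email),
              "canonical:", blacklist.canonical_hit(email))
    for key, ids in link_orders(ORDERS).items():
        print(key, ids)
```

Applying the period rule only to listed domains matters: on a domain where periods are significant, the last two sample addresses belong to different people, and merging them would add exactly the kind of false decline the article warns about.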

 

As the team at Riskified points out, blacklists can be useful in certain cases, for instance stopping spam email. But when it comes to CNP, it isn’t spam. The team asserts that an airline or any travel merchant using blacklists needs to probe and assess the overall false decline rate, the frequency of analyzing and updating their respective blacklists and to what extent their top-line revenue is getting impacted.

Counting on real-time machine learning

Blacklists rarely work because hackers will never use the same credit card information twice, while whitelists (whitelisted customers skip the review process and are instantly approved, which often results in high chargeback rates) are inaccurate since whitelisted customers can be compromised anytime. Whitelists can be an oversimplified solution to improving fraud review accuracy. Also, historical data (which blacklists are categorised as) loses relevance very quickly in the face of unknown cyber threats, since it is difficult for the machine to predict new fraud attacks without any prior information. According to CashShield, real-time machine learning can help against blanket blacklists and whitelists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transaction to identify fraud patterns instead.

The team at Riskified underlines that a healthier way to combat fraud is to proactively spot fraudulent patterns using dynamic tagging and linking, and focus on sophisticated fraud detection models.

It is time travel merchants avoid taking steps that are in general reactive and probabilistic solutions. Rather there is a need to cut down on the probability of holding up transactions via a manual review or worse blocking them entirely. So rather than blacklisting, merchants can capitalize on intelligence, say unique data points that an email address provides. It could be name matching, IP address etc. In fact, email ids are part of essential details that are garnered for almost every transaction.

 

Hear from experts about e-commerce fraud at the upcoming “Getting Ahead in the Digital Age - 12th Airline & Travel Payment Summit”, to be held in Miami (24-26 April, 2018).

Ai Editorial: 4 fraud-related issues that travel merchants need to handle diligently

First Published on 20th February, 2018

Ai Editorial: Loyalty fraud and account takeover, friendly fraud, inferior user experience and avoiding a risk-averse fraud strategy are areas that continue to garner maximum attention, writes Ai’s Ritesh Gupta

 

Ai’s Travel Fraud Prevention Symposium, being held in London today, underlined the threats that travel merchants need to deal with.

We re-visit some of the issues that the industry is struggling with as of today:

  1. Threat of loyalty fraud looms large with data breaches and stolen credentials: Airlines need to prepare diligently for the threat of account takeover or ATO, especially considering their business falls in the “high ticket value, with a low margin” category. Why is ATO proving to be lucrative for fraudsters at this juncture? There are multiple reasons behind this. First, this type of fraud can be more valuable than credit card fraud. Second, organizations don’t have stringent measures in place to fight against ATO. As the team at Sift Science points out, the time available to exploit the information before detection is typically longer. Third, this type of cheating isn’t easy to detect. Since the account already exists and is related to a genuine customer, the fraud is relatively tougher to spot and the fraudster has more time to operate before they are caught.

ATO in the loyalty space (featuring airlines, hotels etc.) is coming under scrutiny owing to data breaches. Password stealing tactics pose a risk to all account-based online services.

Fraudsters get access to stolen credentials from a number of sources:

  • From data breaches, sold on the dark web
  • Phishing with fake websites
  • Malware, trojans, spyware
  • Social engineering
  • Hijacking a mobile device

Airlines need to look for more protections beyond just passwords. The claim for owning an account needs to be handled carefully. Machine learning comes in to understand the user behavior. Even as credentials have been stolen, it is imperative for organizations to bolster the authentication process. This way the risk of loyalty fraud can be minimized. So it comes down to authentication, and one of the tools is machine learning.

  2. Friendly fraud – a battle that still isn’t easy for airlines to cope with: Friendly fraud remains probably the biggest challenge and quite often the significance of an effective fraud mitigation strategy is underlined. Friendly fraud refers to “fraud that is committed when an individual had knowledge of and/or was complicit with and/or somehow benefited from the transaction on their own account, although the individual reported the transaction as unauthorized”. This type of fraud is a major issue for merchants as it can be tough to detect at the time of purchase, the chargeback process does not adequately address friendly fraud, and also it is time consuming to fight against the same.

“The predicament (pertaining to friendly fraud) is getting worse,” says a senior executive.

The executive pointed out that the available data is limited. Merchants definitely suffer from industry-wide lack of transparency. Their stance is feeble as there are plenty of factors outside merchants’ control that influence their reluctance to make a more substantial effort. “There is hardly enough information available pertaining to chargebacks and friendly fraud. This means there isn’t a strong foundation to bank on, to comprehend the situation. It’s challenging to amass authentic information on the matter without substantial contribution from banks, card networks, and merchants,” added the executive.

  3. Managing transactions and fraud with new tools…be realistic with expectations: Managing revenue and fraud shouldn’t be about adding friction to transactions. One needs to set the right expectations from initiatives such as Dynamic 3DS and biometric authentication. Many fraud prevention methods introduce dilemmas between maximising revenue and minimising fraud – e.g. with more rules and the implementation of 2FA or multifactor authentication, fraud rates can be lowered, yet more genuine customers will be blocked; on the other hand, with fewer rules and lax authentication to maximize revenue, merchants will be more vulnerable to fraud attacks. Merchants should still develop their own fraud tools that are able to tap on their own sources of data for greater efficiency and more accurate detection of fraud. It is imperative for airlines and all other travel e-commerce players to study in detail the utility of emerging tools and technologies: what their role is going to be in managing criminal fraud, friendly fraud, chargebacks etc., and at the same time how they impact the customer experience at the time of making a transaction.
  4. Trapped in risk-averse fraud strategy? Stop focusing only on rules-based approach!: The shortcomings of the traditional rules-based approach for fraud prevention continue to get highlighted. At a time when the efficacy of fraudsters and hackers in cracking areas of vulnerability is on the rise, it is imperative for merchants to improvise and sharpen rules on the fly. If an entity is heavily following rules-based methodology, then the main KPI would be to cut down the fraud rate as close to zero as possible. At the same time, many borderline genuine transactions would fail to pass through. Rather, the focus needs to be on relying on an algorithm to make decisions to optimize sales as much as possible while keeping fraud and chargeback rates under control.

Follow Ai on Twitter: @Ai_Connects_Us

Ai Editorial: Counting on supervised machine learning to combat account takeover

First Published on 25th January, 2018

Ai Editorial: Companies can defend themselves adequately by using a tool like machine learning, and at the same time there needs to be reliance on rules and the human component as well, writes Ai’s Ritesh Gupta

 

Data breaches and compromised credentials are on the rise, and the task of a Chief Security Officer (CSO) or Chief Information Security Officer (CISO) in safeguarding loyalty accounts against takeover is becoming more challenging.

According to a recent study by Connexions Loyalty, travel accounts could be quite valuable on the dark web (airline loyalty accounts: $3.20-$208 each).

As Sift Science highlighted in one of our recent articles, in all likelihood everyone’s credentials have already been compromised. It is therefore imperative for e-commerce companies to strengthen the “authentication” aspect, so that damage can be controlled as far as account takeover (ATO), or gaining access to a loyalty account, is concerned.

And one of the main tools for the same today is machine learning.

Kevin Lee, Trust & Safety Architect, Sift Science says finding unknown unknowns is a key to making machine learning powerful. “If you are creating a rule, it is typically being created because there has been a mishap in the past. So rules are created with certain parameters. It is very tough to create one-off rule – say number of clicks on a particular item, over $100, with a particular contact number, email id and block it or allow the user to redeem it, then one can get buried in such circumstances and gets difficult to figure out the performance. The trouble with that is fraudsters are literally being financially incentivized to reverse engineer those systems. In the case of machine learning, it creates a more complex scenario making it more challenging to reverse engineer.”

Lee, a speaker at the recently held Loyalty Fraud Workshop in Palm Springs, California, added that machine learning can look at the entire span of an account and look for anomalies. A human analyst’s capabilities are restricted: an analyst can evaluate only a certain number of signals at a time before coming up with a verdict. “But there is enough data out there and that’s really when machine learning comes into play. With thousands or tens of thousands of members in a loyalty program, machines become smarter and identify anomalies (in usage of accounts or user behavior).” So by identifying anomalous areas within large data sets, one can make intelligent judgments accordingly.

Efficacy of machine learning

Companies can defend themselves adequately by using a tool like machine learning, and at the same time there needs to be reliance on rules and the human component (intervention and feedback) as well. “All of this works together in conjunction to deliver the best results,” said Lee. Other than putting in place strong measures for authentication (related to accessing accounts), Lee recommends that there needs to be analysis to assess whether there is any problem with the system yet. What is the current level of account takeover on the platform? “What sort of data are companies tracking and measuring? And this isn’t related to fraud or ATO purposes, but in general. So many organizations don’t have grasp over their own data. So it becomes tough to assess how big the problem is. So the first area that needs to be assessed is around data quality and data volume in terms of how clean that is,” he said. Once a virtuous data pipeline is in place, it can be built upon with machine learning models and rules, and tools can be created to help the team analyze the ATO problem.

Crafting a holistic picture

How about data from airlines specifically? Lee said this is a crucial area. There are signals that fraud prevention specialists look out for. And this is not just related to transactions, but also to buying patterns, post-booking behavior etc. With the data collected, one can churn the data through various permutations and combinations to identify potential fraud patterns that may be left behind by fraudsters, who have made micro-changes between transactions in one coordinated fraud attack to trick the system. Using real-time pattern recognition, even micro-changes can be proactively identified and tagged to the same fraud pattern group.

The data that Sift Science leverages includes attributes associated with the identity of a user, behavioral data (browsing patterns, keyboard preferences etc.), location data, device and network data, transactional data, decisions (business actions taken), 3rd party data (geo data, currency rates, social data etc.) plus custom data that is specific to a particular merchant.

A couple of examples:

·          On-site behavior: Site data, including mouse cursor movements and every single step of the user’s journey, is collected and analyzed to reveal insights into users’ traits. All of it can be relevant information. “With enough data it can be observed that the average person – when they redeem gift cards or loyalty points, most likely that’s not their first time. People tend to take their loyalty program or points/ miles seriously. Even before the transaction takes place, with machine learning one can map the holistic behavior. So one keeps on checking a particular redemption option and when they have enough currency, they go for it. It might take them months to complete this. So these are all good indicators. On the other hand these are missing in account takeover (instances),” said Lee.

·          Post transaction behavior: So let’s say if a ticket from an airline or an OTA has been bought or redeemed, a legitimate user can email the same or share itinerary with their family or friends. “But in case of a fraudster this generally doesn’t happen,” said Lee.

“A city pairing, time of the day, seasons…there could be a flight booking that might be risky, and another might not be risky at all. So a combination of factors can come into play,” said Lee.

The team has also worked on a set of capabilities that enables one to build custom fraud processes with less code.  

Types of machine learning

The power of machine learning is still in the supervised state, asserts Lee. Typically, supervised machine learning focuses on a cycle of training, predicting, and acting stages. “(The industry) is still sometime away from functioning in an unsupervised way,” he said. When you have humans involved or there are known “bads” such as chargebacks, the system can learn quicker in such supervised environment. “Unsupervised machine learning tends to be less accurate (in comparison). It is lower maintenance of course.” Sift Science uses an array of predictive models, including ones specific to a business plus network models because spotting bad behavior on one site helps to identify it on other sites as well.

As for not being vulnerable to new types of fraud attacks, companies like Sift Science look at how fraudsters are trying to break existing system controls and rules. So with reference to an attempt at fraud via an email id or address that circumvents the controls enforced, data normalization coupled with n-gram analysis extracts the key substrings in the data field to identify repeatable data patterns. And that’s one example of how machine learning plays its part.
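The normalization and n-gram step described above, sketched as an added example (this is not Sift Science's code and is not part of the original article). The normalization rules, the trigram size, the 0.6 Jaccard threshold and the sample addresses are all assumptions constructed for illustration.

```python
import re
from itertools import combinations


def normalize_local_part(address: str) -> str:
    """Reduce an email address to a similarity key (assumed rules, not a
    canonical form): lowercase, drop '+tag' suffixes, drop dots, and
    collapse every run of digits into a single '#'."""
    local = address.strip().lower().partition("@")[0]
    local = local.split("+", 1)[0]
    local = local.replace(".", "")
    return re.sub(r"\d+", "#", local)


def char_ngrams(text: str, n: int = 3) -> set:
    """Character n-grams with start/end markers so prefixes and suffixes count."""
    padded = f"^{text}$"
    return {padded[i:i + n] for i in range(len(padded) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Share of n-grams two keys have in common (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_addresses(addresses, threshold: float = 0.6, n: int = 3):
    """Group addresses whose normalized local parts share most n-grams.

    Only the local part is compared: a shared mail domain would otherwise
    make unrelated customers of one provider look alike.
    Returns clusters of two or more addresses, each sorted.
    """
    grams = [char_ngrams(normalize_local_part(a), n) for a in addresses]
    parent = list(range(len(addresses)))

    def find(i: int) -> int:
        # Union-find with path halving.
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(addresses)), 2):
        if jaccard(grams[i], grams[j]) >= threshold:
            parent[find(i)] = find(j)

    groups = {}
    for i, addr in enumerate(addresses):
        groups.setdefault(find(i), []).append(addr)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample: four sign-ups that differ only by micro-changes,
# mixed with two unrelated customers.
SAMPLE_SIGNUPS = [
    "john.smith1987@example.com",
    "johnsmith+promo@example.com",
    "j.o.h.n.smith22@example.com",
    "JohnSmith4410@example.com",
    "maria.garcia@example.org",
    "k.tanaka@example.net",
]

if __name__ == "__main__":
    for group in cluster_addresses(SAMPLE_SIGNUPS):
        print("possible coordinated sign-ups:", group)
```

A cluster is a lead for review or for a feature in a model, not a verdict: family members and common names also produce similar local parts.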

 

For Ai’s 2018 Events, check - www.aieventdates.com


What's happening to coins in Australia?

First Published on 22nd January, 2018
 
By Lance Blockley, The Initiatives Group
 
As Australia rapidly adopts electronic payments, give a thought to what is happening to all of those coins that we once used, but which are now replaced by eTickets on transit, eTolls on the roads, payment cards at parking meters and vending machines, and the soon to be launched New Payments Platform  -  let alone the loose change that you used to receive at the retail check-out, which has now been replaced by the exact tender you pay on a contactless card.
 
A 2014 report written by our payments consulting team at The Initiatives Group for the Australian Payments Clearing Association (The Australian Payments Association changed its name in 2017 to Australian Payments Network.  The report was called “The Evolution Of Cash, An Investigative Study”, published in July 2014) noted that, even at that time, 50% of both 5 cent and 50 cent coins on issue were being stored in jam jars rather than used in everyday payment usage  -  what might those percentages be today at the start of 2018?
 
A coin is a piece of metal or, rarely, some other material (such as leather or porcelain) certified by a mark or marks upon it as being of a specific intrinsic or exchange value.  Coins have been around for a long time, and also last a long time (Roman ones are still being found).  The use of cast-metal pieces as a medium of exchange is very ancient, and probably developed out of the use in commerce of ordinary ingots of bronze and other metals that possessed an intrinsic value. Until the development of bills of exchange in medieval Europe and paper currency in medieval China, metal coins were the only such medium of value exchange. Despite their diminished use in most commercial transactions today, coins are still indispensable to many modern economies.
 
But given the longevity of coins, does Australia already have enough coins on issue today to last it forever more?  If so, what happens to the Royal Australian Mint (and other Mints in a similar position in economies where electronic payments are eroding the use of cash), whose job for many decades has been to produce coins from bare metal?  Is another part of Australian manufacturing prowess to disappear?
 
Fortunately management at the RAM has been rapidly diversifying its business, and today the RAM generates significant revenue from tourism, the production of commemoratives (coins, medals & medallions) and the production of circulating coins for other countries less far along the adoption curve of electronic payments.  But it does still produce new circulating coins for Australia, albeit in ever reducing quantity.
 
Given that the RAM (unlike the Reserve Bank of Australia with its banknotes) has no legal requirement to take back surplus Australian coins, what is going to happen to all of that “hip pocket shrapnel” as it starts to build up in bank vaults around the country?  
 
There were 11 billion coins, worth $3.7 billion, in circulation in 2015, with the value of coins in circulation increasing by 2.8% in 2014/2015, slightly below its 5 year growth rate of 3.4%. As shown in the diagram below, 40% of the circulating coins are 5 cent pieces (albeit only accounting for about 6% of the value of the coins in circulation), which are rarely seen in retail commerce today and are likely to end up in the jam jars referenced above rather than being re-used in payment for a purchase.
 
 
Figure 1: The number of Australian coins in circulation by denomination in 2015

The problem of what to do with those coins in circulation in Australia that may now be surplus to requirements is compounded by seigniorage.  Seigniorage is the difference between the face value of the coin or the banknote and its production costs.  In the case of the RBA, the issuance of a new banknote leads to a liability being raised on its Balance Sheet in case that banknote is returned, and the seigniorage held as an asset to help fund (at least part of) the potential repurchase of the banknote; hence the RBA should be relatively ambivalent as to whether “excess” banknotes are returned to it or not.

In the case of the RAM, the issuance of a new coin into circulation sees the seigniorage booked as a profit for the enterprise, as in a normal manufacturing business: Revenue (face value of coin) less Cost of Goods Sold (cost of coin production) equals Profit (seigniorage)

Hence the RAM is potentially “reluctant” to the concept of taking back “excess” coins due to the loss that will be incurred on its Income Statement (with a commensurate outflow of funds), as it will need to pay face value for each coin and the coin’s metal content is almost certainly worth a lower amount.  This understandable lack of interest by the RAM in “repatriating” the surplus coins is therefore likely to see a build up of coins held by the commercial banks around the country.  One could surmise that, as the commercial banks’ investment in this unnecessary and unproductive working capital of surplus coins grows, the commercial banks will begin to energise requests to the Department of the Treasury (to which the RAM reports) for a “buy back”  -  albeit one which is likely to see the RAM generate a loss.  In the meantime, a period of stalemate might occur until this pressure builds.

With Australia leading the world in the adoption of contactless card payments at retail (in terms of the number of transactions per adult per year), which have been very potent at eroding the use of cash, the experience of the RAM over the next few years in handling the surplus of circulating coins will be watched closely by many other Mints around the world, who may themselves be in a similar situation before too long.

 

Ai Editorial: Threat of loyalty fraud looms large with data breaches and stolen credentials

First Published on 9th January, 2018

Ai Editorial: Merchants and fraud prevention specialists need to evaluate several areas such as data breaches, phishing, malware etc. to make it tough for fraudsters to gain access to a loyalty account, writes Ai’s Ritesh Gupta

 

Airlines need to prepare diligently for the threat of account takeover or ATO, especially considering their business falls in the “high ticket value, with a low margin” category.   

Why is ATO proving to be lucrative for fraudsters at this juncture?

There are multiple reasons behind this. First, this type of fraud can be more valuable than credit card fraud. Second, organizations don’t have stringent measures in place to fight against ATO. As the team at Sift Science points out, the time available to exploit the information before detection is typically longer. Third, this type of cheating isn’t easy to detect. Since the account already exists and is related to a genuine customer, the fraud is relatively tougher to spot and the fraudster has more time to operate before they are caught.

One breach - eventually key to many accounts

ATO in the loyalty space (featuring airlines, hotels etc.) is coming under scrutiny owing to data breaches, says Kevin Lee, Trust & Safety Architect, Sift Science, a speaker at the recently held Loyalty Fraud Workshop in Palm Springs, California.

Highlighting how one data breach can impact several verticals, Lee says, “Let’s say a customer has an account in both Uber and United Airlines. And if there is a data breach at Uber, and although United Airlines hasn’t faced any attack and are safe from that perspective, but if a user happens to use the same login credentials for both the companies, then the credentials are vulnerable for illegitimate use at other places. And about 55% of the people in the U.S. re-use passwords.” So in today’s password-driven economy, if users are spending the majority of their time using 10-12 apps on their smartphones, it would be unreasonable to expect them to use different passwords for all the apps. “People tend to take a short-cut (when it comes to passwords) and won’t have unique passwords. So this makes them vulnerable to ATO.”

 

So everyone’s credentials have already been compromised? Is it the case?

As Google also pointed out in November, account takeover is sadly already a common challenge for users across the web. The company also acknowledged that password stealing tactics pose a risk to all account-based online services. Key findings from a study (analysis spanning over one year till March last year, featuring study of numerous black markets that traded 3rd party password breaches as well as 25,000 blackhat tools used for phishing and keylogging):

·          It was found 788,000 credentials were lifted via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by 3rd party breaches.

·          Password-stealing tactics mean all account-based online services are under threat. According to Google, in the case of 3rd party data breaches, “12% of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7% were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25% of attacks yield a valid password”.

·          Also, considering the fact that a password alone is hardly enough to secure access to a Google account, more and more fraudsters aim to gather the sensitive data that is requested when verifying an account holder’s identity. Google underlined that 82% of blackhat phishing tools and 74% of keyloggers tried to obtain a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.

According to Sift Science, fraudsters get access to stolen credentials from a number of sources:

·          From data breaches, sold on the dark web

·          Phishing with fake websites

·          Malware, trojans, spyware

·          Social engineering

·          Hijacking a mobile device

Lee says, “My general assumption is that everyone’s credentials have already been compromised.” He added, “We have actually reached the point of no return.” It might not be a straightforward task to gain access to everyone’s account, but just like solving a puzzle or putting several pieces together, fraudsters can sneak through the defence. So from one data breach one can get a vital piece of information about users. And then another breach shares more details about users, eventually revealing all the details of one account. “So that’s how an entire identity of a user could be worked out,” said Lee.

Certainly organizations can look at preventing their “own” credentials from being stolen. So, working in unison with the IT team, it can be ensured that the information stored in servers, and the access people have to them, is secure. “Unfortunately your consumers have become your weak spot. If they reuse their credentials and passwords then it remains a big issue (for organizations).”

Be as strong as possible in authentication

Airlines need to look for more protections beyond just passwords. The claim for owning an account needs to be handled carefully. Machine learning comes in to understand the user behavior. Advancements in computing and big data power, as well as the growing prominence of API-based machine learning solutions, mean that machine learning is emerging as a scalable method to grow without increasing risk. It identifies patterns in data that aren’t spotted by humans. So this can result in fewer false positives and false negatives.

So let’s say a user booked a flight and then after a month is redeeming miles from the same device. So from a machine id or device fingerprinting standpoint, that would be a good signal from the authentication perspective. Also, consistency in the timing of redeeming miles or points could be another indicator. Another area is behavior on the digital interface – the way redeeming is being done, the time taken to reach the checkout stage etc. Such actionable intelligence from all possible data inputs can help in curbing loyalty fraud. Machine learning evaluates massive volumes and varieties of data to deliver real-time decisions. “With enough data it can be observed that the average person – when they redeem gift cards or loyalty points, most likely that’s not their first time. People tend to take their loyalty program or points/ miles seriously. Even before the transaction takes place, with machine learning one can map the holistic behavior. So one keeps on checking a particular redemption option and when they have enough currency, they go for it. It might take them months to complete this. So these are all good indicators. On the other hand these are missing in account takeover (instances).”

So even as credentials have been stolen, it is imperative for organizations to bolster the authentication process. This way the risk of loyalty fraud can be minimized. So it comes down to authentication and one of the tools is machine learning, sums up Lee.

(We will take a detailed look at the role of machine learning in curbing loyalty fraud in the upcoming articles). 

 


Ai Editorial: Role of real-time data in payments optimisation comes to the fore

First Published on 23rd November, 2017

Ai Editorial: Big data and real-time machine learning are being counted upon for securing payments as well as protecting user accounts and monitoring loyalty miles claims, writes Ai’s Ritesh Gupta

 

The role of data in stepping up the conversion rate and curbing fraud is coming to the fore.

The traditional ways of removing pain points of shopping as well as managing fraud have largely been reactive measures. But, with the availability of relevant, real-time data, a more proactive approach is improving efforts in this arena.

1.     Sector-specific analysis: As e-commerce entities, airlines need to dwell on sector-specific data analysis, for instance, gaining an understanding of the user profiles that shop on airline.com. Specialists recommend that specific data fields such as loyalty miles claims can be assessed to check for any irregularity. Similarly, the words per minute typed, the movement of the cursor around the site etc. are being evaluated, rather than only focusing on the card blacklist. Real-time data from airline.com can also help in curbing fraud. Blacklists rarely work because hackers will never use the same credit card information twice, while white-lists are inaccurate since white-listed customers can be compromised anytime. Real-time machine learning can help against blanket blacklists and white-lists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transaction to identify fraud patterns.

2.     Authorization rates: Among the other areas, data is being relied upon for improving upon the authorization rates.

As highlighted by Adyen, on average, 5%-15% of ecommerce credit card transactions are rejected by issuing banks, and out of these, a quarter fail without a convincing reason, mostly due to old and inefficient systems. And in certain markets, authorization rates across issuers take a dip because of suspicion of fraud. In this context, it is imperative to bank on data to evaluate the main reasons behind those declines and take appropriate initiatives. For instance, one area that could be looked at is issuer-specific authorization rate trends. These actions may include optimizing the type of data submitted or identifying optimal routing for a given transaction.

3.     Evaluating the next buy: Adyen has also indicated that it is gearing up for shopper-centric reporting and this would help in analysing the next buy, and when and how the purchase will be made.

4.     Data from multiple sources: Other than unique merchant data for airline-specific analysis, travel e-commerce players can also capitalise on industry-level data. This could be details about synchronized fraud incidents, which may be shared across various carriers as all of them are equally susceptible to coordinated hackers/ fraudsters. Industry data on existing or current fraud attacks can also be useful information to share from airline to airline, but both types of data should be collected for analysis of anomaly detection. In fact, the way various sectors have shared data to control payments fraud, the same is gaining traction for a relatively new malice - loyalty fraud. This is important as hackers or cyber criminals have shifted their focus to loyalty fraud. The plan is to spot loyalty fraud patterns and potential fraudulent loyalty transactions. The fraudsters are leveraging loopholes as seen in the case of data breaches featuring even established airlines. So be it for loyalty or any fraudulent transaction, the more data that is collected, analyzed and linked, the more likely airlines and other merchants can avert the danger. It is quite possible for offenders to use stolen credentials across multiple merchants.

5.     Only historical data isn’t enough: It is time to look beyond traditional machine learning that tends to only rely on historical data for training the system. So limitations of acting on previous attacks have to be ascertained. Since supervised machine learning creates probability scores for each transaction, this method results in manual reviews as well. Due to the need for manual reviews, rules-based systems also start to show cracks at high volumes, and curtail an airline’s ability to scale on demand. On the other hand, the promise of unsupervised machine learning, too, needs to be scrutinised closely. It lets the system learn on the fly with real-time data collected.

Specialists recommend that airlines should take control of their payment data, which should not be restricted by default. So closely look at the country, industry, and type of device that is used, and cater their payment offering accordingly.

This data can be merged with big data, so that organisations can work out a robust data strategy for curbing fraud, analysing user behavior to assess the overall shopping pattern etc. Also, by working on their own fraud tools that are able to capitalize on their own sources of data, airlines can even challenge the efficacy of existing mechanisms. For instance, being realistic with Dynamic 3DS, the same is controlled by card issuers and is therefore still working with the same set of data as before. They are unable to tap into the merchants’ data for more information on fraud. But armed with their own data, airlines as merchants can improve upon their situation. Airlines need to update their fraud management systems with information from both internal and external sources, including chargeback data, information traded on the dark web etc.

Ai Editorial: Friendly fraud – a battle that still isn’t easy for airlines to cope with

First Published on 17th November, 2017

Ai Editorial: Airlines continue to struggle to avert the danger of friendly fraud. There are new developments, ones related to machine learning and biometric authorization, but are they robust enough to protect merchants? probes Ai’s Ritesh Gupta

 

Criminal fraud, friendly fraud and merchant error are all major sources of chargebacks. The utility of data and technology in combating various forms of fraud is coming to the fore.

As for friendly fraud, it remains probably the biggest challenge and quite often the significance of an effective fraud mitigation strategy is underlined.

Friendly fraud refers to “fraud that is committed when an individual had knowledge of and/or was complicit with and/or somehow benefited from the transaction on their own account, although the individual reported the transaction as unauthorized”.

This type of fraud is a major issue for merchants as it can be tough to detect at the time of purchase, the chargeback process does not adequately address friendly fraud, and also it is time consuming to fight against the same.

Functioning of the industry

“The predicament (pertaining to friendly fraud) is getting worse,” says a senior executive.

The executive pointed out that the available data is limited. Merchants definitely suffer from an industry-wide lack of transparency. Their stance is feeble as there are plenty of factors outside merchants’ control that influence their reluctance to make a more substantial effort. “There is hardly enough information available pertaining to chargebacks and friendly fraud. This means there isn’t a strong foundation to bank on, to comprehend the situation. It’s challenging to amass authentic information on the matter without substantial contribution from banks, card networks, and merchants,” added the executive.

As highlighted by Chargebacks911 in one of the interviews with us, until there is a reason code labelled ‘friendly fraud,’ merchants will forever be engaged in a guessing game—is this claim legitimate or friendly fraud? This uncertainty is what drives merchants’ inaction.

It is also pointed out that issuing banks and card networks decline to divulge critical data or specific numbers on chargebacks such as: dispute win rates. They typically don’t keep the kind of comprehensive records on the subject that would enable a broader view of the matter. Merchants need to blend professional assistance with chargeback management technology specifically designed to identify the true source of the transaction dispute.

One can question policies and regulations set forth for the entire industry. Issuers usually accept a customer’s assertion, and there is hardly any scope in terms of collaborating with issuers. It is clear that ecommerce wouldn’t prevail if card networks and issuers hadn’t taken initiatives to step up the buyer confidence when it comes to payment card use and liability. By abating cardholder’s fears about potential losses tied to fraud, networks and issuers have enabled entities to experience optimum profitability via card-not-present transactions. However, by advertising zero liability, issuers have inadvertently incentivized friendly fraud.

New developments

Airlines tend to be at the receiving end. For example, a cardholder buys airline tickets but intends to change the itinerary at a later stage. This could be due to any reason. Since the traveller doesn’t qualify for a full refund from the airline, the same passenger files a friendly fraud chargeback and claims that the purchase wasn’t authorized—when in fact, it was. So how to cope with such cases where airlines suffer? In terms of sophistication, fraud prevention specialists are finding ways to evaluate the behavior of consumers and relying on machine learning for the same.

For instance, Nethone, a data science company, highlights that by identifying distinctive behavioural characteristics of each user, one can craft their digital profile and relate the same with behavioural profiles of previously identified fraudsters. The company, in one of their recent blog posts, stressed that it is viable to discover behaviour demonstrating that someone other than the rightful account owner is logged in, before the transaction is done. And this way merchants can secure transactions by activating a conditional authentication layer. Analysis can be around the purchase log from the past, taking into account the frequency of shopping, the average order value, whether there were any chargeback requests previously, etc. Device fingerprinting, too, can be taken into account to check whether a given device has previously featured in a fraudulent transaction. Importantly, Nethone also added that any level of additional authentication or “friction” should be added only where it’s essential and the probability of fraud is high.

The industry is also counting on biometric technology and additional layers of security and authentication.

From a friendly fraud perspective, biometric authorization can be used as proof that a customer did validate a transaction.

But this kind of authorization isn’t a complete solution on its own.

Yes, questioning a chargeback hinges on the merchant’s capacity to establish that the cardholder validated the transaction and that the merchant was in compliance with all applicable regulations. Biometrics can end up being a constructive part of evidence for merchants; the fact that biometrics are intrinsically tough to deceive is sound proof that a cardholder did, in fact, validate a transaction. But, as explained by Chargebacks911, the issue is that policies and standards laid down by the card networks do not keep up with the fast development of consumer authentication technologies. Biometrics can show that a cardholder almost definitely authorized a transaction, but if the card network won’t accept biometric data as evidence, that knowledge is useless.

“In many ways, card network regulations are stuck in the past, unable to adapt to the rapidly-changing realities of ecommerce and the payments industry,” points out Chargebacks911’s COO, Monica Eaton-Cardone.

It is pointed out that card networks need to make biometric authorization a cornerstone of the dispute process.

Also, the stance of various stakeholders toward friendly fraud definitely needs to evolve, as much as new technologies can help.  
