First Published on 31st July, 2017
Ai Editorial: If airlines can actively involve their loyal customers and incorporate their input when designing benefits and tier levels, they can also alert them to the importance of account security and password protection. Is enough being done, asks Ai’s Ritesh Gupta
Loyalty fraud is on the rise, and airlines are paying the price. The latest news from Canada’s WestJet, stating that “some WestJet Rewards member profile data has been disclosed online by an unauthorized third party”, has once again underlined the threat. Airlines that have not assessed the safety of members’ data and accounts recently need to do so now.
In WestJet’s case none of the disclosed data contained credit card or banking information, but the issue is still serious. Rewards accounts not only hold a customer’s name, address and telephone number; they are frequently linked to partial credit and debit card details as well. That is enough for cybercriminals to piece together an “identity” and go on a crime spree.
Are passengers aware or don’t care?
Airlines need stronger means of safeguarding members’ privacy. Even as airlines such as WestJet work with the government, law enforcement agencies and the technology industry to combat the growth of hacking and other cybercrime, it is important that members are told why protecting their passwords matters.
According to digital security specialist Gemalto, customers “often have thousands of points saved but many never think their frequent flyer points are at risk of being stolen”. The team goes on to add, “…they never think anyone would want access to their points.”
Significance of being aware
There are security challenges an organization must manage, but members, too, need to know the small steps that keep them in control of their own accounts. Given the number of cases involving compromised usernames and passwords, program members can be enlisted to act before the situation gets out of control and both the brand and its customers end up on the receiving end.
Just as on-board flight safety briefings are imperative (we all sit through them even though they feel like a mundane exercise to frequent travellers) and airlines find creative ways to deliver the message, airlines need to raise awareness about password protection from time to time. For instance, how does malware get installed on a PC? It could be via a fake website or a phishing scam (an email that looks as if it comes from the airline’s FFP). So why not raise awareness about that? After all, it benefits loyal members, too.
Carriers should prompt members to update their current ID and password, provide guidelines for making them stronger, and explain how to keep devices free of malware and viruses.
Among the other areas:
· Airlines can encourage members to check their accounts or status regularly. Is there a redemption they cannot explain or did not make? Are miles or loyalty currency being used without the member’s knowledge? Given the fast-growing market for stolen reward points and miles, and the ability of hackers and fraudsters to steal them, this calls for more proactive action.
· Do members of a frequent flyer program treat their loyalty accounts the way they treat credit card details? This type of fraud is similar to card-not-present fraud. An account can be hijacked by exploiting a weak password, stealing an identity and so on. So it must be highlighted that if fraudsters gain access to an account they can seize points or miles and rob loyal members by using the redemption options (the other threat is a data breach). As Michael Smith, Managing Partner, Airline Information and Co-Founder of the Loyalty Fraud Prevention Association (LFPA), says, passengers (or customers at large) should be wary about which Wi-Fi they connect to, and as FFP members they must be cautious about sharing their name and account number. “With those two bits of information, fraudsters just need to guess your password and they are in to your account,” he says. Smith adds that a flyer shouldn’t share or post a picture of a boarding pass, as it carries vital information.
So organizations need to inform travellers about the simple mistakes that can unknowingly wreak havoc on loyalty or FFP accounts.
Being more vigilant and proactive
As for airlines, the responsibility is bigger than ever, since the use of bots and the proliferation of stolen data on the dark web are flourishing.
They have to rely on a set of assessment tools such as device identification, geo-location, device intelligence and user-behaviour profiling.
As Gemalto suggested recently, operators of FFPs or loyalty programs should check whether a loyalty account has been accessed from a device that is not recognized or registered, whether an unidentified device has modified personal or account details, whether points or miles are suddenly being used at a much higher rate than before, whether multiple tickets have been purchased in names differing from the account holder’s, and so on.
Also, one of the common causes of security breaches is poor security practice by employees.
As highlighted in one of our recent articles, Botnet attacks on loyalty programs, how to negate them?, airlines need to identify the ways in which account information can be accessed, in all probability via a blend of phishing scams, identity theft and the cracking of weak passwords. Overall, the fraud prevention initiative, through behaviour analytics, device identification and the tightening of data and IT infrastructure, needs to protect loyal members.
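The signals Gemalto lists can be turned into a simple review rule that runs over a member’s session. The block below is an added example written for this article; it is not WestJet’s, Gemalto’s or any vendor’s code. The member and event records, the weights, the thresholds and the two sample sessions are all assumptions constructed for the illustration.

```python
"""Rule-based review of loyalty-account activity.

Added example; not WestJet's, Gemalto's or any vendor's code. It assumes a
simplified member record and event stream with the fields shown below, and
checks the four signals named in the text: a login from an unregistered
device, a profile change from an unknown device, a redemption far above the
member's own history, and tickets issued in names other than the holder's.
The weights and thresholds are assumptions to be tuned on real cases.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Set


@dataclass
class Member:
    account_id: str
    holder_name: str
    registered_devices: Set[str]
    redemption_history: List[int] = field(default_factory=list)  # miles per past redemption


@dataclass
class Event:
    kind: str                      # "login", "profile_change", "redemption" or "ticket"
    device_id: str
    miles: int = 0                 # redemptions only
    passenger_names: List[str] = field(default_factory=list)  # tickets only


WEIGHTS = {                        # assumed weight per signal
    "unregistered_device": 25,
    "profile_change_unknown_device": 35,
    "redemption_spike": 30,
    "tickets_for_third_parties": 30,
}
SPIKE_FACTOR = 3                   # redemption > 3x the member's average counts as a spike
MIN_THIRD_PARTY_NAMES = 2          # two or more non-holder passengers on one order
REVIEW_THRESHOLD = 50              # at or above this score, hold the transaction for review


def score_session(member: Member, events: List[Event]) -> Dict[str, object]:
    """Score one session's events against the member's own baseline."""
    reasons: Set[str] = set()
    baseline = mean(member.redemption_history) if member.redemption_history else 0
    for ev in events:
        unknown_device = ev.device_id not in member.registered_devices
        if ev.kind == "login" and unknown_device:
            reasons.add("unregistered_device")
        elif ev.kind == "profile_change" and unknown_device:
            reasons.add("profile_change_unknown_device")
        elif ev.kind == "redemption" and baseline and ev.miles > SPIKE_FACTOR * baseline:
            reasons.add("redemption_spike")
        elif ev.kind == "ticket":
            others = [n for n in ev.passenger_names
                      if n.strip().lower() != member.holder_name.strip().lower()]
            if len(others) >= MIN_THIRD_PARTY_NAMES:
                reasons.add("tickets_for_third_parties")
    score = min(100, sum(WEIGHTS[r] for r in reasons))
    return {
        "score": score,
        "reasons": sorted(reasons),
        "action": "review" if score >= REVIEW_THRESHOLD else "allow",
    }


# Constructed sample data (not real members or traffic).
SAMPLE_MEMBER = Member(
    account_id="FF123456",
    holder_name="Jane Doe",
    registered_devices={"dev-A"},
    redemption_history=[5000, 8000, 7000],
)

# A takeover: an unknown device logs in, changes the profile (typically the
# e-mail address, so alerts go to the fraudster), drains miles and books for strangers.
TAKEOVER_SESSION = [
    Event("login", "dev-X"),
    Event("profile_change", "dev-X"),
    Event("redemption", "dev-X", miles=40000),
    Event("ticket", "dev-X", passenger_names=["Alice Wong", "Bob Lee"]),
]

# The legitimate holder on her registered device, redeeming in line with her history.
NORMAL_SESSION = [
    Event("login", "dev-A"),
    Event("redemption", "dev-A", miles=9000),
    Event("ticket", "dev-A", passenger_names=["Jane Doe"]),
]


if __name__ == "__main__":
    print(score_session(SAMPLE_MEMBER, TAKEOVER_SESSION))
    print(score_session(SAMPLE_MEMBER, NORMAL_SESSION))
```

The takeover session trips all four signals and is held for review; the normal session scores zero. The baseline is the member’s own history rather than a program-wide number, which is what makes a “much higher than previously” check meaningful for both light and heavy redeemers.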
Follow Ai on Twitter: @Ai_Connects_Us
First Published on 27th July, 2017
Ai Editorial: Many foreign companies, including travel technology entities, are looking at WeChat to serve Chinese travellers. There are four key areas they need to consider: business licence, developer account set-up and verification, payments, and data privacy regulations, writes Ai’s Ritesh Gupta
“By integrating with WeChat, a technology company is just one step away from gaining access to a massive chunk of users in China.”
This remark from Maximilian Waldmann, CEO of Berlin-based conichi, aptly summarizes how important it is for airlines, hotels and other companies to capitalize on Tencent’s WeChat platform to serve its users. According to the company’s first-quarter results, WeChat had 938 million monthly active users.
Before delving into the effort needed to integrate with WeChat, it must be underlined that WeChat isn’t just about messaging. In addition to the person-to-person communication layer, there is a social layer, a media layer and a connectivity layer (a rich set of APIs that connects people to organizations, hardware to software, and so on).
As it turns out, travel companies are diligently finding ways to make the most of the connectivity layer and become part of this ecosystem. The user interface has emerged as a vital tool for service and support, whether human-powered, bot-powered or a combination of the two. conichi, for instance, works with hotels to use either the hotel’s own app or WeChat to greet guests on arrival, and also focuses on hyper-local marketing and GPS geo-fencing. This seems a pragmatic move, since any message or visual that adds value to a guest’s or passenger’s journey, or even lets them complete a transaction, makes for a meaningful interaction with a traveller. And given WeChat’s popularity, the platform can’t be ignored.
There are interesting developments on the anvil as far as WeChat is concerned.
Barcelona-based Inaki Uriz, co-founder and CEO of Caravelo, says that if an airline believes it can serve Chinese travellers just by translating its content or offering a chatbot on Facebook rather than on WeChat, the effort won’t be very fruitful. Uriz, whose team is building a WeChat chatbot for a European airline, says it is important to move from being Chinese-compatible to being Chinese-friendly. “So this (developing a chatbot for WeChat) would mean analyzing what’s so popular about the interface, the use of buttons, the functionality of the entire platform, it is about being an integral part of the customer’s lifestyle etc. Mere translation won’t work,” said Uriz.
But integrating with WeChat is challenging, or at least demands preparation on several fronts.
According to Beijing-based Chinese entrepreneur George Cao, Co-founder and CEO of Dragon Trail Interactive, there are four areas to focus on:
1. Business licence: “There are a few restrictions on the platform. They are primarily related to meeting the requirements stipulated by the government. Any organization that intends to introduce any offering on WeChat, or even something as simple as opening an account on WeChat, must possess a local licence. You can’t do it as a foreign company. So there are two ways to do the same – register a subsidiary in China and use that business licence to do business with Tencent. Or work with a local company, and use their credentials,” says Cao. This can be time-consuming for any entity trying to leverage digital platforms, including WeChat, in China.
2. Integration/ Verification: After creating an account, or in order to integrate, an organization needs to register as a developer. When it develops a “Mini Program” (an initiative to deepen the services on offer in low-frequency use cases, connect more offline services to online users and offer a way to sample the functionality of apps) or uses the WeChat API, it has to go through a verification process (cross-checking of the licence). So in addition to setting up an account for publishing content and building dynamic services that run within WeChat, how challenging is it for hardware developers to let their devices send and receive information between their products and the user’s WeChat mobile app? How can a travel app let WeChat users share its content with friends via chats and their Moments feed, as well as add that content to their “Favorites”?
“Working on a conversational interface or message-based user interface isn’t challenging, it’s already happening here. These preferred platforms (where users are spending their time and are being offered functionalities such as search, voice messaging etc.) can help in engaging with a potential travel buyer and rather than sending them to a website and eventually them abandoning their purchase, companies can facilitate bookings here,” said Cao. “Like the Facebook Messenger API, WeChat APIs can be worked upon for an offering. Companies can build HTML5-based user interfaces that are embedded within WeChat. All these are possible and technically not a huge endeavour if one passes through the regulatory requirements.”
Cao also recommends that brands look at multiple layers of WeChat. “So, for instance, during a conversation with users, companies can send a link to complete a booking. Or one can leverage the content publishing platform – send users information that is already prepared, related to products, or aid the decision-making of users. If you just focus on messaging via chat, and not push contextual content that matches the intent of the users, then you are missing out on opportunities,” asserted Cao.
3. Payments: As for WeChat Pay, the options include scanning a one-time transaction code displayed on the user’s phone, displaying a QR code that users scan with WeChat to complete payment, and letting users pay via WeChat Pay within a mobile app, the last option being available only in Mainland China. As for cross-border settlement, users can pay in Chinese yuan but have the transaction settled in a foreign currency when remitted to the vendor. “Receiving payments from China is more flexible now for foreign companies, as long as there is a local bank in a market or that country that can work with Tencent (money transfer being worked out). So Chinese customers pay in their currency, and the beneficiary can receive payment in a specific country in local currency. In case a developer is keen on building payment functionality and intends to get the money transferred outside of China then again a local licence is needed to do that,” explained Cao.
4. Data-related restrictions: Not specific to WeChat or Tencent, there is one legal issue every foreign company has to deal with, and it must be wary of the repercussions it can face for not following the law. As widely reported, the country’s new Cybersecurity Law, which took effect last month, is a major initiative in data privacy regulation. It has also been noted that the authorities haven’t provided enough information about how the wide-reaching law will be implemented, and that failure to comply can result in penalties of US$150,000 and other sanctions. The law has been drafted to shield “personal information” and individual privacy.
The law defines personal information as information, recorded electronically or otherwise, that can be used, alone or together with other information, to determine the identity of a natural person, including but not limited to the name, date of birth, ID card number, personal biometric information, address and phone number of that natural person. Foreign organizations also need to understand what terms such as “network operators” and “critical information infrastructure” mean.
“All customer data or information a non-Chinese travel company collects needs to stay in China – if you are collecting customer contact information, payment-related details etc.,” shared a source. Of course, for travellers leaving China, their name, address and other requisite information is forwarded to various airports so that they can be checked in. So what sort of restriction is being referred to?
As highlighted by CNBC, illegal collection, disclosure and receipt of a citizen’s personal information now constitutes a criminal offense.
“Practically how it (collection and transfer of data) is being done, whether the law is being followed or not as of now – it is tough to say and probably not. It is a complicated issue, lots of brands are struggling right now with what it means.” There is no case as of now, and there are ways to work around this.
Now take the case of a traveller interacting with a foreign brand via WeChat. This traveller shares trip-related information with an airline, and while interacting with the chatbot mentions ground transportation or car rental in China, which the airline intends to use to offer an ancillary product. Can the airline act on data generated in China and match it with historical purchase behaviour stored outside China? And how should it collect and act on data gathered from touchpoints both within and outside China? “So the airline could use an identifier of the data stored in China, and use some sort of a key to match with data stored in the central database…to access Chinese customer data, you can access storage in China, it’s possible. The key is to where the law in China stands when it comes to accessing and usage of customer data,” pointed out the source, referring to the current complexity. “It could become an issue if you don’t take the government’s stance seriously.”
Questions have been raised about what it means for foreign companies, and whether China is facilitating free trade and an open global Internet with its new data privacy initiative. For its part, the government has already stated that the new law safeguards national cyberspace sovereignty and security.
Hear from Matt Brennan, WeChat Expert, China Channel at the upcoming Airline & Travel Payments Summit (ATPS) Asia-Pacific 2017 conference, to be held in Bali, Indonesia.
First Published on 21st July, 2017
Ai Editorial: Airlines need to guard themselves against data server breaches, malware or phishing programs in order to protect a loyal traveller’s login credentials and account, writes Ai’s Ritesh Gupta
Fraudsters attacking loyalty programs isn’t new, but the threat is stronger than ever.
The use of sophisticated bots is one reason why airlines and travel merchants need to be wary today. Bots are small applications that execute automated tasks. Once malware has infected a machine, that machine can be conscripted into a botnet, which is a serious concern. Bots are now at the forefront of online fraud at large, and they can be deployed to test login credentials and take over user accounts. Digital shoppers share their personal details and expect not to have to enter them again when they transact or shop with their favourite loyalty currency, so all of this needs to be guarded. Botnets are relied upon to step up the efficacy of malicious attacks, most commonly account takeover and distributed denial-of-service attacks.
Overall, travel merchants need to guard against data server breaches, malware and phishing in order to protect a loyal traveller’s login credentials.
Bots and loyalty fraud
The situation is precarious as fraudsters and hackers are equipped to use artificial intelligence to reach the sensitive data that bots use to serve customers, including for transactions. In such attacks, once members’ personal information has been obtained illicitly, a botnet is unleashed to complete illegitimate transactions, for instance air tickets. Miles are accrued and the fraudster further capitalizes on the loyalty currency for more illegal transactions. Redemption focuses mainly on digital gift cards, tickets and expensive merchandise that is easy to resell. Cybercriminals are adept at understanding how gift card numbers are structured, and botnets are part of their plans to target gift cards: when a card is compromised, they steal its stored value. As the team at Chargebacks911 points out, the real peril of loyalty program fraud is that the damage is already done by the time airlines realize there has been a breach. If the breach is spotted too late, airlines can’t resell the tickets. There is also the applicable chargeback fee. And what happens to loyalty currency that has already been redeemed from the affected account? Such attacks bring too many complications.
Experts point out that the availability of compromised credentials on the dark web in large numbers is a major indicator that authentication mechanisms tend to be poor, or at least that there is no room for archaic authentication systems. One of the main weapons of cybercriminals and fraudsters is identifying vulnerabilities. So airlines need to identify the ways in which account information can be accessed, in all probability via a blend of phishing scams, identity theft and the cracking of weak passwords. This unauthorized account takeover results in misuse of the loyalty currency.
So what kind of attacks are these, and is the current fraud prevention set-up enough to combat botnet attacks, whose signs may include abnormal traffic patterns? Fraudsters craft these attacks to look like authentic traffic. One of the major issues is coming to grips with low-volume, low-frequency attacks. Web application firewalls struggle because that layer was designed to avert attacks against web services, not against customer identities. Web application firewalls count on IP reputation services and IP address velocity filters to identify bots. That arrangement is futile when botnets rotate IP addresses and have access to previously leaked user credentials.
To control this, merchants first need to detect any contextual deviation from the way a user normally uses their device, or any signal of deviation in other dynamic data points such as behaviour, location and network; identify whether devices or connections have been compromised by malware; and spot unusual traffic patterns.
According to digital identity specialist ThreatMetrix, behavioural profiling and analytics continuously record all the actions pertaining to a device, account or persona. This paves the way for identifying low-volume, low-frequency attacks, even when they are distributed.
A rule that checks for an IP address associated with numerous email accounts indicates whether traffic is botnet-related or not.
Beyond web application firewalls and deviation from usage patterns based on other dynamic data points, travel e-commerce players also need to count on real-time shared intelligence accumulated across industries and markets, botnet proxy detection (the new generation of private botnet proxies does not appear on public proxy lists), and vigilance over application integrity and malware detection to monitor all devices connecting to digital assets.
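The two checks described above, the per-IP rule that counts email accounts behind one address and the per-account profiling that catches distributed low-volume attempts, can be illustrated on login logs. The block below is an added example, not ThreatMetrix’s or any vendor’s code; the log format, the thresholds and the log lines are constructed for the illustration.

```python
"""Spotting credential stuffing in login logs.

Added example; not ThreatMetrix's or any vendor's code. It assumes a
minimal log format (timestamp, source IP, username, result), shown in the
constructed sample below, and applies two checks from the text:
  1. the IP-velocity rule, counting distinct usernames per source IP, and
  2. a distributed "low and slow" check, counting distinct IPs that fail
     against one account, which catches botnets that rotate IP addresses so
     that no single IP ever trips rule 1.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log lines (not real traffic).
# Format: "<ISO timestamp> <src_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2017-07-20T10:00:01Z 203.0.113.7 alice@example.com FAIL
2017-07-20T10:00:02Z 203.0.113.7 bob@example.com FAIL
2017-07-20T10:00:03Z 203.0.113.7 carol@example.com FAIL
2017-07-20T10:00:04Z 203.0.113.7 dave@example.com FAIL
2017-07-20T10:00:05Z 203.0.113.7 erin@example.com OK
2017-07-20T10:05:00Z 198.51.100.1 victim@example.com FAIL
2017-07-20T10:25:00Z 198.51.100.2 victim@example.com FAIL
2017-07-20T10:45:00Z 198.51.100.3 victim@example.com FAIL
2017-07-20T11:05:00Z 198.51.100.4 victim@example.com FAIL
2017-07-20T11:25:00Z 198.51.100.5 victim@example.com OK
2017-07-20T12:00:00Z 192.0.2.10 frank@example.com OK
2017-07-20T12:30:00Z 192.0.2.10 frank@example.com OK
"""

# Assumed thresholds; tune them against your own baseline traffic.
MAX_USERS_PER_IP = 3   # more distinct usernames than this from one IP is suspicious
MAX_IPS_PER_USER = 3   # failures from more distinct IPs than this against one account


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the assumed four-column format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        records.append({"ts": ts, "ip": ip, "user": user, "result": result})
    return records


def users_per_ip(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        seen[r["ip"]].add(r["user"])
    return seen


def failing_ips_per_user(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["result"] == "FAIL":
            seen[r["user"]].add(r["ip"])
    return seen


def detect(text: str) -> Dict[str, List[str]]:
    records = parse_log(text)
    noisy_ips = sorted(ip for ip, users in users_per_ip(records).items()
                       if len(users) > MAX_USERS_PER_IP)
    targeted = sorted(user for user, ips in failing_ips_per_user(records).items()
                      if len(ips) > MAX_IPS_PER_USER)
    # Successful logins inside either pattern are the guesses that worked,
    # i.e. the accounts the fraudster will now redeem from.
    compromised = sorted({r["user"] for r in records
                          if r["result"] == "OK"
                          and (r["ip"] in noisy_ips or r["user"] in targeted)})
    return {"noisy_ips": noisy_ips,
            "targeted_accounts": targeted,
            "likely_compromised": compromised}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

In the sample, the victim account receives one failed attempt per source address, twenty minutes apart, so a per-IP velocity filter never fires; only the per-account view across addresses catches it, which is the point made above about botnets that rotate IP addresses. The “OK” rows inside either pattern are the accounts to lock and notify before miles are redeemed.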
Whether for processing transaction data or managing users’ profiles and accounts, data security is a critical part of any loyalty program. It is imperative for airlines to shield their loyal members right from account creation through account management and accrual of miles to redemption of points, without hampering the experience at any touchpoint. The fraud prevention initiative, via behaviour analytics, device identification and the tightening of data and IT infrastructure, needs to protect loyal members even if the fraudster knows their password. If I can access my loyalty program account easily, can a fraudster be denied the chance to do so? Loyalty fraud security needs to evolve to match today’s threats.
First Published on 12th July, 2017
Ai Editorial: A variety of tools and techniques are being used to combat fraud in the mobile channel, but is it enough? Ai’s Ritesh Gupta explores
Mobile commerce demands planning on several counts and one of them is dealing with the malice of fraud.
As much as mobile apps and now even chatbots are ready to facilitate transactions without a hiccup, the risk of fraud can’t be taken lightly or handled just the way web-based transactions are managed. And it is imperative for airlines, OTAs and others to ensure that mobile users’ need for speed, and their overall experience, isn’t disturbed while putting the brakes on fraud.
Mobile fraud is challenging for merchants because mobile transactions yield less information than web transactions. Merchants need to explore several questions. Is low use of 3D Secure still a major issue? How much of a concern are malicious apps? If existing fraud rules aren’t fully suited to the mobile channel, how does that affect the risk associated with a transaction? Is the risk of blocking genuine customers higher on mobile? Is it true that mobile incurs relatively higher costs, such as greater chargeback rates and longer manual reviews? All of these issues need to be dealt with without degrading the user experience.
According to Kount’s Mobile Payments & Fraud: 2017 Report, merchants “earning more than $500 million annually were much more likely to say being able to detect mobile devices was ‘Very Important’ relative to merchants with annual revenue of less than $5 million, at 61 versus 35%”. This year, the tools, techniques and services merchants used most to prevent fraud in the mobile channel were card security codes or CVV checks (58%), fraud scoring (48%), a complete fraud platform (47%), AVS (46%), device ID (38%) and velocity checks (35%).
Dealing with risk
Here we assess what’s being recommended to lower the risk of m-commerce fraud:
1. Be informed about mobile behaviour: It is vital to spot anomalous behaviour in order to combat fraud. But declining genuine orders can also be a problem if mobile usage behaviour isn’t taken into account. For instance, it is important to consider logins from multiple devices and the mobility of the device itself: since mobile users transact on the move, how should rules based on IP geo-location be planned? Another aspect of usage is the time of use. According to CyberSource, rules generally identify specific times of day as riskier than others. So a rule may expect an order placed from a local IP address to arrive in a certain time slot. But what if an order comes via a mobile device at a completely different time? Such dissimilar patterns of use need to be scrutinized.
Travel companies also need to take hardware and operating systems into account. Some shoppers, for instance, still use lower-end devices.
2. Count on data: Data analysis is integral to any fraud detection initiative. With new technologies, supplementary fields or information are required to complete a pertinent analysis; otherwise fraud exposure may go up. User data gathered during various interactions can improve fraud prevention: fraudsters, for instance, rely on older versions of an app to exploit gaps in its security. More specifically, behaviour is also an indicator: swiping or typing? Filling in information steadily or erratically?
Another aspect is customizing and acting on e-commerce data specific to an airline’s digital assets. Since each airline’s e-commerce website is unique, the data strategy deployed must be different and customized. It is important to work with airlines and help them use all the data available on their website. What is being done for airlines’ mobile sites or apps?
Overall, with more ways to pay such as mobile or NFC, expect new forms of fraud to appear. It is crucial for the industry to move closer to active monitoring, using big-data user and entity analytics to evaluate the shopper behaviour behind each payment that comes through. Since most fraud results from a coordinated attempt by one script, automated to maximize the number of hits in the least time possible, it leaves behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payment become popular and mainstream, active surveillance (rather than static defence) will be more relevant and effective in dealing with fraudsters.
As for machine learning, an airline shouldn’t look only at predictive analytics, which predicts future fraud from historical data. Pattern recognition also needs to be incorporated, so that even without prior historical data the machine can detect patterns across different transactions and determine whether a transaction exhibited bot or human behaviour. Combined with pattern recognition, the system draws patterns (for both positive and negative behaviour) to map the DNA profile of the user.
As for the efficacy of machine learning, it is stressed that the data must be accurate and the rules must be set properly for it to work.
3. Verification method: It is vital to assess what sort of consumer verification method, say one supported by the card networks, to use when assessing transactions originating from mobile devices. A mechanism is needed to authenticate the user. With which methods would users not have to type in all their cardholder information for each purchase? If the authentication method is too stringent, it can cause abandonment; but with poor security comes the threat that unauthorized users might make purchases. So on iOS, how safe are Touch ID or the device passcode as a device authentication option? What is the role of more conventional means such as a PIN or signature for in-store transactions, or 3D Secure for transactions within apps? Who is liable for the fraud? For instance, if a biometric fingerprint is used to authorize a transaction, is the attached fingerprint compelling evidence in the merchant’s favour in the event of friendly fraud? There needs to be a balance between streamlining the process and encouraging customers to buy without first thinking a purchase through, which can lead to buyer’s remorse and so to returns or even chargebacks later.
Also, going by my personal experience, two-factor authentication (2FA) can be time-consuming. Yes, it is a security feature that adds a second level of authentication to access a particular account. But if one gets stuck, it results in disappointment. For instance, as I updated my account details for a subscription-based anti-virus service, the request for a code via SMS didn’t work as it called for another mobile number, whereas the option of downloading an app is always cumbersome as I can never remember my iOS App Store password!
Also, as highlighted by Chargebacks911, biometric authorization isn’t a solution on its own for an anti-fraud initiative, but there are few pieces of evidence more compelling than a fingerprint or facial scan to suggest that a cardholder did authorize a transaction.
It is recommended that e-commerce organizations need to rely on dynamic threat data to evaluate device health, location of the consumer and irregularities that may indicate fraud—in real time.
With dynamic, digital identity based authentication, airlines can better shield their shoppers’ logins and transactions.
As for the traditional approach of 3D Secure, a major issue has been mobile transactions. Among the latest developments, 3D Secure 2.0 is being described as a potential boost for digital commerce, with quick, secure authentication driven by robust fraud-related intelligence. It strengthens the quality of real-time predictive risk scoring for both merchants and issuers. The new specification supports app-based authentication and integrates with digital wallets, too. Early adoption of the new specification is scheduled to begin in the second half of this year.
4. Rules: Importantly, specialists point out that the uniqueness of the mobile channel, whether in the way shoppers use their devices or in the associated data, calls for different fraud rules, especially with the goal of curtailing the automatic review or declining of genuine mobile payments.
Rules for mobile must rely on the data that can be collected and on the behavioural patterns and fraud trends deemed relevant. Organizations are advised to collect information about device type and operating system, as well as mobile chargeback, rejection and review rates.
Airlines have been testing the efficacy of rules against specific transaction types without having to wait for those transaction types or periods to recur.
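Item 2 above asks whether a form is filled in steadily or erratically, and the paragraph on scripted attacks notes that one automated script, run to maximize hits, leaves a repeatable pattern. The following is an added example of one way to use that timing signal; it is not CyberSource’s, Kount’s or any vendor’s method. It assumes the app reports the time at which each payment-form field was completed; the field set, the thresholds and the sample sessions are constructed.

```python
"""Telling scripted form fills from human ones by their timing signature.

Added example; not CyberSource's, Kount's or any vendor's method. It assumes
the client (app or mobile web page) reports the timestamps, in milliseconds,
at which each field of the payment form was completed. A script replaying one
template fills fields at near-constant intervals, whereas a human's intervals
vary, so the coefficient of variation (standard deviation / mean) of the gaps
separates the two. Thresholds and sample sessions are constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List

# Assumed thresholds; calibrate them on your own genuine mobile sessions.
MIN_CV_HUMAN = 0.25       # below this, the gaps are suspiciously regular
MIN_MEAN_GAP_MS = 300     # assumption: humans rarely complete a field in under 0.3 s
BUCKET_MS = 50            # gap resolution used when comparing sessions to each other


def intervals(timestamps_ms: List[int]) -> List[int]:
    """Gaps between consecutive field-completion timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def timing_signature(timestamps_ms: List[int]) -> Dict[str, float]:
    gaps = intervals(timestamps_ms)
    if len(gaps) < 2:
        return {"mean_gap_ms": 0.0, "cv": 0.0}   # too little data to judge
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else 0.0
    return {"mean_gap_ms": m, "cv": cv}


def classify_fill(timestamps_ms: List[int]) -> str:
    """'bot-like', 'human-like' or 'insufficient' for one form-fill session."""
    if len(timestamps_ms) < 3:
        return "insufficient"
    sig = timing_signature(timestamps_ms)
    if sig["mean_gap_ms"] < MIN_MEAN_GAP_MS or sig["cv"] < MIN_CV_HUMAN:
        return "bot-like"
    return "human-like"


def find_shared_template(sessions: Dict[str, List[int]]) -> List[str]:
    """Session IDs whose gap sequences match (to BUCKET_MS resolution).

    Identical rhythms across sessions point to one script driving them all,
    even when each session arrives from a different IP or device.
    """
    buckets: Dict[tuple, List[str]] = {}
    for sid, ts in sessions.items():
        key = tuple(g // BUCKET_MS for g in intervals(ts))
        buckets.setdefault(key, []).append(sid)
    return sorted(sid for group in buckets.values() if len(group) > 1 for sid in group)


# Constructed sample sessions: completion times for name, card number,
# expiry, CVV and postcode.
HUMAN_SESSION = [0, 2100, 9400, 11800, 13900]
BOT_SESSION_A = [0, 120, 240, 360, 480]
BOT_SESSION_B = [0, 125, 245, 365, 490]   # same script, different device


if __name__ == "__main__":
    for name, ts in [("human", HUMAN_SESSION), ("bot_a", BOT_SESSION_A), ("bot_b", BOT_SESSION_B)]:
        print(name, classify_fill(ts), timing_signature(ts))
    print(find_shared_template({"human": HUMAN_SESSION, "bot_a": BOT_SESSION_A, "bot_b": BOT_SESSION_B}))
```

A script that adds random jitter to each field will pass the regularity check, which is why the cross-session template comparison is there, and why this signal should feed a score alongside device ID and velocity checks rather than decide on its own; a hard decline on timing alone is exactly the kind of rule that blocks genuine mobile customers.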
Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year.
Dates: 29 – 31 August, 2017.
First Published on 7th July, 2017
Not everything on the “dark web” is illegal, but it is a marketplace where nefarious transactions in stolen personal data, for further unlawful acts, take place. So how does one remain anonymous there, explores Ai’s Ritesh Gupta
Questions about the safety of our digital assets and related IDs, whether for a banking app, an email account, a frequent flyer program or accounts such as Facebook, Twitter and LinkedIn, concern us from time to time. It isn’t easy to remember passwords for every account, and when you end up using the same password for all of them, edginess sets in. What if this all-important password gets stolen?
As consumers, we seek simple logins and frictionless shopping. Should we be more patient? In reality, consumers don’t wait. Answering “security questions”, or authenticating by logging into another account and clicking a link, isn’t much appreciated. This puts tremendous pressure on the entire digital commerce fraternity.
But the fact is, the danger of being hacked or becoming a victim is seemingly growing.
Critical data such as login IDs and passwords harvested by hackers are traded on the dark web. Such credentials are then exploited by cybercriminals for account hijacking and online shopping.
Dark web – what is it?
When one reads about what can happen on the “dark web”, it becomes clear that this part of the Internet can’t be reached with the normal tools. The dark web is described as a collection of sites that can’t be indexed by traditional search engines and can’t be opened using traditional browsers.
It doesn’t come as a surprise when one reads or hears about trading on the dark web, be it of your PayPal account, email ID, credit card information etc.; everything has a value.
But a statistic like an identity getting stolen in two seconds is menacing. It is also pointed out that it is tough to keep track of the flow of money on the dark web.
It is said that, owing to encryption, users can visit dark web websites anonymously. These sites exist within the so-called deep web. Content in the deep web is not automatically or fully concealed or anonymous, but it cannot be indexed the way the surface web can. The dark web is the part of the deep web that is intentionally constrained and closed off unless one has the precise tools to get in.
So how to get in?
I stumbled upon a post by Brett Johnson, who started AnglerPhish Security three years or so ago, sharing information as “a former cybercriminal to combat the very crimes he once committed”. He referred to the functioning of the dark web and emphasised the significance of remaining safe while accessing it.
Johnson shared that accessing the dark web requires particular software, and the most common is TOR, which is used for online privacy. Johnson asserts that “criminals love the TOR network” and that, if “properly used, it provides near bulletproof anonymity”. According to torproject.org, it can’t solve all anonymity problems and focuses only on protecting the transport of data. “You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use Tor Browser while browsing the web to withhold some information about your computer’s configuration,” states torproject.org. “Also, to protect your anonymity, be smart. Don’t provide your name or other revealing information in web forms.”
Anyone who is out there to fight cybercrime needs to be wary when accessing such a marketplace. There are details about what needs to be done before using the TOR browser. According to dailydot.com, one should shut every open Internet program and use a VPN to connect to a location considerably far from where one resides. Doing this would mean that the current ISP won’t make out the use of TOR, and the TOR entry node won’t be able to learn the true IP address. One needs to access .onion sites on the TOR network in order to reach a marketplace.
What about catching culprits?
Not many cases are reported, but last month the German police reportedly arrested the alleged administrator of one such marketplace, from where a gun was purchased and used in last year’s shooting in Munich.
But the dark web isn’t disappearing. It has triggered various incidents of fraud; the list features point-of-sale attacks, and it has also been behind other malicious developments, say malware. Payments to sellers can be made via bitcoin so that details of the transaction don’t get disclosed.
According to a study by Equifax released earlier this year, websites that deal in file sharing on the dark web account for a 29% share and leaked data for 28%. Travel e-commerce companies are already looking at ways to curb the theft of air miles, loyalty points etc., which are traded in addition to other illegal items.
Companies need to be wary of what can result in data theft and security lapses.
Airlines and travel e-commerce organizations need to be vigilant and aware of where their sensitive information is stored. There is a need for stronger access or password controls (for instance, no passwords for mobile apps, but rather a local authentication mechanism such as a fingerprint, PIN or face/voice recognition, plus a password complemented by a second factor), and for availing of options such as public key cryptography to create secure authentication credentials. Companies including Facebook highlight that using security keys for two-factor authentication provides phishing protection, since there is no code to enter and the hardware itself supplies the cryptographic proof on the machine; interoperability, i.e. the same key works for any supported online account; and fast login.
First Published on 22nd June, 2017
Ai Editorial: It is imperative for the industry to assess how to manage co-brands in a challenging environment of regulated interchange and the evolution of card-free mobile payments, writes Madeleine Anderson.
I recently had the pleasure of moderating a panel populated by some esteemed co-brand credit card industry experts at the Ai Co-brand Conference in Atlanta.
Over recent years, interchange fees have become an increasingly controversial issue in the US, as a result of regulatory changes and antitrust investigations. The Durbin Amendment to the Dodd-Frank Wall Street Reform and Consumer Protection Act was implemented in 2011, capping debit card interchange fees for larger banks at 22 cents + 0.05%. Credit card interchange is not covered by this ruling.
Credit card interchange fees in the United States currently average approximately 2% of the transaction value, which is amongst the highest in the world. By contrast, in the European Union, fees are capped at 0.3% of the transaction value for credit cards and at 0.2% for debit cards. (This cap does not apply to corporate cards.)
Our initial discussion was around whether the panel anticipated any changes to regulated interchange within the credit card industry in the foreseeable future. The response from the panel (and the audience) was a resounding no. During his campaign, President Trump frequently stated that he has plans for regulatory financial reforms, including dismantling the Dodd-Frank Act. The general consensus therefore was that the Trump administration is unlikely to introduce reforms around credit card interchange fees.
It would be remiss of us to focus purely on plastic. We are gradually approaching the day when tapping your mobile phone or smartwatch on a retail terminal will replace the need to remove your credit card from your wallet. Whilst the threat to interchange is unlikely to come from regulation initially, it is highly likely that disruption will come from other sources:
1. Large merchants’ ability to negotiate fees
According to CMS Payment Intelligence, merchants have saved more than $8 billion annually as a result of the Durbin Amendment (excluding the effects of subsequent network fee increases and processor absorption of savings). In addition, the legislation has provided merchants with a framework with which to reduce credit card interchange fees.
Merchant groups claim that interchange fees are much higher than necessary. Whilst technology and overall efficiency improvements have been made, this has not led to a reduction of interchange fees. Issuing banks have responded by suggesting that reduced interchange fees would result in increased costs for cardholders, and a potential loss of rewards on cards already issued. In the co-brand world, interchange fees are frequently used to fund rewards.
Whilst significantly lower interchange fees have been implemented in other countries, such as Australia, savings enjoyed by merchants have not been passed through to consumers. In Europe, this has resulted in rewards programmes closing down, or benefits being reduced.
2. Mobile wallets
The 5th Annual MasterCard Digital Payments Study found that digital wallets were mentioned in 75% of tracked conversations had by social media users regarding new payment methods. Whilst awareness is high, mobile payment usage remains relatively low at present (about 1% of total retail sales in the US in 2016).
Barriers to usage include consumers' continued loyalty to traditional payment methods and patchy acceptance among merchants. Consumers would like to both store their loyalty cards on their wallet and use their phone to make payments. As loyalty programmes are integrated and more consumers rely on their mobile wallets for other features like in-app payments, adoption and usage are likely to grow. Android Pay, Apple Pay and Samsung Pay support loyalty card integration in their mobile wallets, but many major retailers appear to be resistant to loyalty and/or payments integration, to boost adoption of their own wallets.
3. Emerging technologies
The study also highlighted that consumers are thinking about what comes after mobile wallets. Amongst emerging technologies, the use of wearables for payments attracted the highest amount of interest on social media, followed by the Internet of Things (IoT) and smart assistants (digital assistants such as Amazon’s Alexa, and chatbots such as those on Facebook Messenger).
The panel believed that co-brand objectives are unlikely to change fundamentally, in light of any reduction in interchange fees. What is likely to change is the blend of revenue streams, how customer benefits are funded, the introduction of new revenue streams and cost reductions.
Consumers have generally ended up worse off in other markets. Costs have tended to shift from retailers to customers instead of card partners choosing to innovate.
So, what might we expect to see in the future? Amongst other things:
· Changes to financial models for co-brands
· Revenue streams from new sources/partners
· New/alternative payment methods replacing plastic, with revenue flows coming from monetizing data
· Increased focus on cost reduction – funding, servicing, bad debt and fraud costs
· Security developments to overcome end-user adoption of emerging technologies, including biometric authentication and tokenization
Be complacent at your peril!
First Published on 19th June, 2017
Ai Editorial: Protection of payment card data is becoming a vital issue as businesses across various sectors, including travel, are facing such attacks, writes Ai’s Ritesh Gupta
How safe are you when you make payment at the airport? Is the credit card payment in a common-use environment at airports sturdy enough to avoid a breach as of today? Are airlines being guarded against the dreadful point-of-sale-based malware?
These are critical questions that airlines and other stakeholders in the travel sector need to delve into. The pace with which credit card-related data breaches are taking place and what is being done to curb the same is one intriguing race to watch out for in the world of payments, security and fraud. Hackers, fraudsters etc. need to be stopped and the damage needs to be minimized, as the malice of data breaches is everywhere, across various sectors.
In a recent post on its blog, cyber security specialist Foregenix, referring to the risk associated with credit card details, mentioned that the average time it takes to discover such an attack or violation is around six months. Considering the impact of fines, such as Visa imposing a payment of up to €18 per customer card lost, waging a battle against breaches can be an arduous task.
Breaches all around
A major mishap is related to point-of-sale based malware.
It has resulted in the largest number of credit card-related breaches. In the last few weeks alone, there have been several reports of credit card-related breaches: US-based retailer Buckle has been in the news for being the victim of a security incident in which a criminal entity accessed some guest credit card information following purchases at some of its retail stores. The company’s store payment data systems were infected with a form of malicious code. The company acknowledged that certain credit card numbers might have been compromised. In late May, Chipotle Mexican Grill identified the operation of malware designed to access payment card data from cards used on point-of-sale devices at certain restaurants. According to the company, the malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the POS device.
Earlier this year, InterContinental Hotels Group also acknowledged a case of malware searching for track data (which sometimes includes the cardholder name in addition to the card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server.
These cases can drag on for years and result in hefty fines. Recently, Target agreed a settlement worth $18.5 million related to its data breach in 2013.
Travel companies have to ensure that the cardholder data remains encrypted at all times and at every “hop” across the electronic transaction.
According to specialists, such code is generally installed via an attack on remote administration tools. Once the malware is active, hackers or fraudsters can remotely harvest details from each card swiped at that cash register. The stolen data is then sold on to those who can encode it.
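As an added illustration of what such malware scrapes (example code written for this article, not from Foregenix, SITA or any company named above), the scanner below is the defender's counterpart: it searches a memory or log buffer for magnetic-stripe track 1 and track 2 records, Luhn-checks the PAN to drop look-alike digit runs, and reports only a masked PAN. The sample buffer is constructed; its final ciphertext blob stands in for point-to-point-encrypted data, which produces no hit because the track structure is gone.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 1 (ISO 7813): '%' start sentinel, 'B' format code, PAN, '^', cardholder name,
# '^', YYMM expiry, service code and discretionary data, '?' end sentinel.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})[^?]{0,50}\?")
# Track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d{0,20}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check: filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 so the finding itself is not new card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    track: int
    offset: int
    masked_pan: str
    expiry: str  # YYMM


def scan_for_track_data(buf: bytes) -> List[Finding]:
    """Return Luhn-validated track 1/2 hits found in a byte buffer, ordered by offset."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(Finding(1, m.start(), mask_pan(pan), m.group(3).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(Finding(2, m.start(), mask_pan(pan), m.group(2).decode()))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample buffer (not a real capture): application noise, one track 1 record,
# one track 2 record, one Luhn-invalid decoy, and a P2PE-style ciphertext blob that
# should produce no hit because the encrypted data no longer has the track structure.
SAMPLE_BUFFER = (
    b"POS-APP v2.1 heartbeat ok\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00txn=00042\x00"
    b";5500000000000004=25121011234567890?"
    b";4111111111111112=2512101?"                # fails Luhn, not reported
    b"\x00enc=7f3a9c10e2bd44a6c0ff1e2d3c4b5a69"  # encrypted at point of acceptance
)

if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE_BUFFER):
        print(f"track {f.track} at offset {f.offset}: PAN {f.masked_pan}, expiry {f.expiry}")
```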
Airlines, airports and associated stakeholders are moving forward, facilitating commerce as well as putting measures in place.
A major highlight is use of point-to-point encryption to protect customer data.
This technology is designed to ensure that account data can’t be read by unauthorised or suspicious parties. The payment card data is encrypted at the point of acceptance and is said to remain safe even if stolen, until it reaches its intended destination. Also, it can streamline compliance with PCI DSS requirements for airlines and airports by cutting down the applicable requirements during a PCI security assessment.
Overall, encryption technology for chip, magnetic stripe and contactless card payment transactions is thoroughly tested to curtail the possibility of any breach.
All of this becomes important as airlines tend to accept payments at airports via a shared IT infrastructure.
There is also a need to look into developments such as the General Data Protection Regulation.
As for airlines, security based on the latest industry standards and technology is only one aspect of the whole initiative that needs to be taken. For instance, making it convenient for customers to buy any ancillary offering is a revenue-generation opportunity. This has remained a challenge for airlines since check-in desks are shared and cannot adjust to the particular payment needs of multiple airlines and ground handlers. If we look at the infrastructure at the airport, airlines can end up accepting payments at common-use check-in desks, kiosks and bag-drop areas for baggage fees, upgrades and other ancillary charges. Plus, airlines also seek better control over the process, which generally involves multiple stakeholders in completing one transaction.
The industry is moving in the right direction going by two of the latest developments in the last month.
Recently, SITA came up with an offering featuring point-to-point encryption technology, with EMV- and PCI-compliant chip card payment terminals, applications and processes. With this solution, as SITA says, several merchants can share the same terminal. PCI compliance certification requires an end-to-end security review by each airline of its own full payment process.
Lufthansa Group, in conjunction with Amadeus and Ingenico, worked on a new option to allow passengers to pay for ancillary services with chip-cards (credit/debit cards), compatible digital wallets etc. at the check-in counter. According to Amadeus, “airlines and ground handlers can now reach any passenger with an EMV chip card or an EMV-compliant mobile wallet in any airport worldwide, regardless of the check-in infrastructure”.
Other than being compatible with security standards, the new offering, Amadeus Airport Pay, that Lufthansa is using also gives the group control over its payment infrastructure.
These are all positive developments that would ensure passengers can transact in a much safer environment, plus they are also being given the flexibility of buying a travel-related offering within the airport environment.
First Published on 6th June, 2017
Ai Editorial: Completing a transaction via wearable devices or relying on biometric authentication for shopping is exciting. But airlines need to dig deeper to assess potential issues, writes Ai’s Ritesh Gupta
New technology, emerging ways to transact, biometric data for authentication…all of this is exciting indeed.
Say you are at the airport: your wearable device guides you to your gate, a transaction can be done via an app or a platform featuring chatbots, and in a way you are about to embrace a 100% self-service passenger journey. This simplifies travel; a traveller is more in control than ever.
But it isn’t a straightforward process for airlines, as new technology or even payment methods need to be incorporated into their existing infrastructure.
Here is what airlines need to consider to avoid potential issues related to poor customer experience and chargebacks:
One mistake and a chargeback is a possibility: The adoption of wearable devices or the use of biometric technology like fingerprint scanning and facial recognition can’t be ignored. Speed and convenience are definitely major plus points. These developments have already shown signs of becoming the norm. Companies like Mastercard are counting on biometrics like fingerprints or facial recognition to verify a cardholder’s identity, simplifying online shopping. The digital check identifies users by unique individual characteristics, like a fingerprint or face. Of course, when there is no need to remember a password, the chances of a conversion go up as the digital checkout experience is sped up. According to Juniper Research, the number of OEM-Pay contactless users, including Apple Pay, Samsung Pay, and Android Pay, will exceed 100 million for the first time during the first six months of this year, before crossing 150 million by the end of 2017.
So keeping pace with such developments is a must for any travel e-commerce brand. But it shouldn’t be forgotten that the chargeback process is old-fashioned. It is vital to assess how to keep pace with disruption in payments. If there is claim for a chargeback and airlines attempt to dispute the same, then what will issuers accept as convincing proof needs to be ascertained.
According to Monica Eaton-Cardone, co-founder and COO of Chargebacks911, and the CIO of its parent company, Global Risk Technologies, referring to wearable payments, networks will not have considered the different types of data that will be associated with these technologies and, therefore, will not recognize valuable information as valid forms of evidence.
In a way, card network regulations are stuck in the past, and haven’t made any significant progress.
“It will be years until the data associated with these wearable devices will be recognized by the card networks, leaving merchants liable for billions in losses from undisputable, illegitimate chargebacks,” Monica mentioned. Even in the case of biometrics, she underlines that it can be established that a cardholder “almost definitely authorized a transaction, but if the card network won’t accept biometric data as proof, that information is of no use”. She points out that biometric approval is part of a coherent antifraud plan, not an answer on its own.
Even Visa last year acknowledged that one of the challenges for biometrics is scenarios in which it is the only form of authentication.
“Biometrics could result in a false positive or false negative because, unlike a PIN which is entered either correctly or incorrectly, biometrics are not a binary measurement but are based on the probability of a match. Biometrics work best when linked to other factors, such as the device, geolocation technologies or with an additional authentication method,” stated Visa.
Monica is certain that in the absence of a flexible infrastructure that can facilitate options such as wearable payments, the problem of chargebacks will only swell.
Also, payments via chatbots (say on Facebook Messenger) can be integrated in a simple way. Brands need to make the most of such interactions, considering the popularity of messaging apps.
But the team at Chargebacks911 also cautions against poor execution of chatbots, in case they aren’t proficiently managed then there can be user frustration and more chargebacks.
Being aware of new avenues for fraud: A major hurdle with emerging technologies lies in evaluating how they will be implemented and what the response will be.
Visa does recommend that new forms of authentication must reach a balance between speed and security.
Specialists recommend that making judicious use of “friction” during the booking flow or checkout isn’t a bad option.
Friction can prompt careful consideration of the booking process. If a shopper doesn’t take that fraction of a second to be in control of the situation, it can result in a purchase they weren’t completely sure of, or they may even complete a transaction without thinking it through properly.
Do remember that unauthorized transactions by family members are one of the primary causes of chargebacks.
As for being realistic about 3DS 2.0, Chargebacks911 cautions that this new development is an effective tool for targeting criminal fraud, but it has little impact on friendly fraud, which is ultimately responsible for most chargebacks.
Airlines, as merchants, can't do away with the need to go for multiple layers of technology such as tokenization, biometrics etc. to protect each and every transaction.
Yes, as much as digital payments strategy is going to revolve around choice, there is also a need to ensure the same meets not only a shopper’s preferences, but also ends up meeting issuer and merchant’s needs, too.
First Published on 18th May, 2017
Ai Editorial: Awareness among loyalty program members, avoiding data breach and fraudulent loyalty transactions, and being a part of a strong merchant community can bring down the risk of loyalty fraud, writes Ai’s Ritesh Gupta
Airlines need to assiduously take initiatives on several fronts in order to safeguard their loyalty programs. The threat of loyalty fraud can’t be ignored as a fraudulent activity via use of miles would denote a write-off on the balance sheet. This eventually affects margins. So airlines must assess their defence against loyalty fraud.
It is time airlines comprehend how loyalty fraud can involve customers, employees, travel agents and partners, and what can result in data breaches, malware etc., and accordingly train relevant teams and find ways to forge reliability and security across the organization. Recent research by Ai revealed that 72% of airline loyalty programs have an issue with fraud. Additionally, 30% of airline programs reported that the problem was growing rapidly year-on-year. Surprisingly, however, 10% of airline loyalty programs didn’t know if they had a fraud problem, or didn’t know that it was possible for loyalty fraud to occur.
In one of Ai’s conferences, it was highlighted that airlines can be attacked from unexpected quarters.
For instance, the case of “registered users fraud”. It was highlighted that it is a common scenario that a registered user is considered to be a “loyal” or “positive” user. But it is time to revisit such a notion. Why? As one of the speakers stated, “Because a registered user after an account takeover, and without identifying it, could be the most dangerous account in an airline’s user base. The fraudster could use this account to steal any personal details and book via methods with lower friction and probably less fraud analysis. How many of you are checking your registered users?”
There are 3 areas where airlines can focus on to combat loyalty fraud:
1. Creating awareness among loyalty program members: Members need to know how to protect their loyalty accounts. This is even more critical today as the loyalty earning and burning lifecycle has opened new avenues for fraud. Of utmost importance is the realization that loyalty programs are being hacked, and what can be done to avoid this. Do members of a frequent flyer program treat their loyalty accounts the way they treat credit card information? This type of fraud is similar to card-not-present fraud. An account can be hacked by capitalizing on weak passwords, identity theft etc. So it must be highlighted that if a fraudster gains access to an account, they can seize points/miles and rob loyal members by availing of redemption options (the other threat is a data breach). As Michael Smith, Managing Partner, Airline Information and Co-Founder, Loyalty Fraud Prevention Association (LFPA), says, passengers (or customers at large) should be wary about which Wi-Fi they are connecting to, and as FFP members they must be cautious about sharing their name and account number. “With those two bits of information, fraudsters just need to guess your password and they are in to your account,” he says. Smith asserts that a flyer shouldn’t share or post a picture of a boarding pass, as it features vital information.
Managing passwords isn’t easy, considering how many accounts all of us manage. But having one simple password for all log-ins can result in the worst nightmare: more than one account getting hacked. When a user account on one airline’s system is breached, hackers will use the exact same credentials to take over the same user’s account on other airlines’ systems, as users seldom differentiate their login credentials.
So airlines need to inform passengers about seemingly simple mistakes that can unknowingly create havoc with FFP accounts.
2. Taking internal measures to avoid data breaches and fraudulent loyalty transactions: As an industry, airlines have made rapid progress in dealing with card-not-present transactions. There is no reason why the same can’t be replicated for loyalty fraud, as the pointers are quite similar. Airlines have to sharpen their real-time decision making, customized to their current risk engine and workflow. A lot of organizations are adding multiple layers (of course, not at the expense of the shopping experience); for instance, how can intelligence behind customers’ email addresses yield better results? Accertify, in a blog post, underlined that the email address is “highly under-utilized” by many companies as a vital tool in an overall risk assessment strategy. Referring to the limitations of a device ID or a phone number for global companies, Accertify highlighted that every time an email address is used it leaves a trail of sorts, and this is strong enough to evaluate the level of risk associated with a transaction. As a specialist, Emailage points out that email addresses follow the same convention globally: user name, “@” sign and domain. This makes the email address a perfect data point for robust risk assessment. The ways in which fraudsters use email addresses fall into patterns that are identifiable based on velocity and structure.
In addition to data from 3rd party sources, the fraud specialists within an airline must be supported to speed up the pace and precision of fraud detection – reduction in manual reviews, how to screen for loyalty fraud, access to real-time custom reports etc. Overall, organizations must gear up for login behavior, account changes and evaluation of purchase behavior. CyberSource recommends tracking of user account creation and login behavior, as well as screening for fraud at purchase and redemption of points.
3. Being a part of a strong merchant community: Airlines, as seen in the case of payments fraud, have been part of a strong merchant community that jointly wages a battle against fraudsters. New organizations and tools are coming up. The Loyalty Fraud Prevention Association, set up last year, is focused on using the experience gained in fighting credit card fraud to deal with loyalty fraud. Also, Perseuss, as the merchant community’s answer to the problem of fraud, has developed Theseuss. This new platform gathers loyalty fraud intelligence and features an active and collaborative community of loyalty fraud experts using the system. Theseuss would enable the exchange of fraud intelligence and evidence to allow the identification of loyalty fraud patterns. One of the highlights is the use of machine learning algorithms to discover potentially fraudulent loyalty transactions.
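As an added illustration of the login-behaviour tracking recommended under point 2 (example code written for this article, not a CyberSource, Accertify or Emailage product), the velocity rule below flags an IP that cycles through many accounts in a short window, which is how credentials reused from another breach look at an airline's login endpoint, and lists any account that succeeded from that IP so it can be stepped up before a redemption. The log lines and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample login events (not real data), one per line:
# "<ISO timestamp> <client IP> <FFP account> <FAIL|OK>"
SAMPLE_LOG = """\
2017-05-18T10:00:01 203.0.113.7 ffp1001 FAIL
2017-05-18T10:00:03 203.0.113.7 ffp1002 FAIL
2017-05-18T10:00:04 203.0.113.7 ffp1003 FAIL
2017-05-18T10:00:06 203.0.113.7 ffp1004 FAIL
2017-05-18T10:00:08 203.0.113.7 ffp1005 OK
2017-05-18T10:00:09 203.0.113.7 ffp1006 FAIL
2017-05-18T10:01:00 198.51.100.20 ffp2001 FAIL
2017-05-18T10:01:10 198.51.100.20 ffp2001 FAIL
2017-05-18T10:01:25 198.51.100.20 ffp2001 OK
2017-05-18T11:30:00 203.0.113.7 ffp3001 FAIL
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    account: str
    ok: bool


def parse_log(text: str) -> List[LoginEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def detect_credential_stuffing(
    events: List[LoginEvent],
    window: timedelta = timedelta(minutes=5),
    min_accounts: int = 5,
    min_fail_ratio: float = 0.8,
) -> Tuple[Set[str], Set[str]]:
    """Sliding-window velocity rule.

    An IP is flagged when, within `window`, it attempts at least `min_accounts`
    distinct accounts and at least `min_fail_ratio` of those attempts fail: a
    member retyping their own password never spans many accounts, whereas
    replayed credentials from another breach do. Any account that logged in
    successfully from a flagged IP inside that window is returned as a likely
    takeover, to be stepped up or reviewed before any redemption. The
    thresholds are assumed values for illustration, not industry figures.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    flagged_ips: Set[str] = set()
    suspect_accounts: Set[str] = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            # advance the window start so that evs[start:end+1] fits in `window`
            while ev.ts - evs[start].ts > window:
                start += 1
            in_window = evs[start:end + 1]
            accounts = {e.account for e in in_window}
            fails = sum(1 for e in in_window if not e.ok)
            if len(accounts) >= min_accounts and fails / len(in_window) >= min_fail_ratio:
                flagged_ips.add(ip)
                suspect_accounts.update(e.account for e in in_window if e.ok)
    return flagged_ips, suspect_accounts


if __name__ == "__main__":
    ips, accounts = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    print("flagged IPs:", sorted(ips))
    print("accounts to step up / review:", sorted(accounts))
```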
Your credit card or loyalty account was compromised, Facebook might be the reason, says newly formed Loyalty Fraud Prevention Association.
Compromised credit card accounts, and now more than ever compromised loyalty program accounts, are an ever-growing problem for consumers. Fraudsters hack, breach or otherwise steal accounts and then often sell them online. This may be done in plain sight via Facebook. The Loyalty Fraud Prevention Association (LFPA) calls on Facebook to police this issue to protect consumers. This problem, among others related to loyalty fraud, will be discussed at the LFPA Conference in Atlanta on May 24th and 25th.
Peter Maeder, Secretary of the Loyalty Fraud Prevention Association says:
“Any quick search for pages in Facebook for stolen credit cards will yield many pages and users selling stolen account data. These fraudsters are now finding loyalty program accounts to be an easier target. Our members, which include some of the largest travel companies in the world, have reported this issue to Facebook, but have had little or no success removing the pages.”
The result is that loyalty programs and their members are becoming the victims of fraud costing tens of millions of dollars annually. To address the growing phenomenon, the Loyalty Fraud Prevention Association (LFPA) will be gathering executives from loyalty programs throughout North America and the world in Atlanta on May 24th and 25th, 2017. In addition to acting as an industry to stop Facebook and other social media sites from spurring fraud, issues to be discussed at this conference will include: employee-driven loyalty fraud; bot attacks on loyalty programs; stopping fraud on the dark web; and the latest IT solutions that combat loyalty fraud.
More information about the conference can be found at www.LoyaltyFraudAssociation.org
About the Loyalty Fraud Prevention Association (LFPA)
The Loyalty Fraud Prevention Association was founded in 2016. Its mission is to support the loyalty industry in its fight to reduce and eliminate fraud. Members consist of airlines, hotels, IT providers, financial services companies and others who operate loyalty programs from around the world.
For more information, visit www.LoyaltyFraudAssociation.org or find us on Linkedin.
LFPA / Press