Ai Editorial: Miles, account takeover, credit card…threat of fraud gets severe

First published on 13th January, 2016

Ai Editorial: Account takeovers and frequent loyalty program miles fraud, in addition to credit card fraud, are now demanding stringent measures for fraud prevention, writes Ai’s Ritesh Gupta


Every piece of customer data and information is under scrutiny. One can put a price tag on stolen account info (Uber, Facebook etc.) and on air miles. Today fraud prevention isn’t just about credit cards.

According to Sift Science, account info can yield more money “on the dark web than simple credit card details”. The team indicates that the threat of account takeovers (ATO) needs to be negated.

In fact, findings from the soon-to-be-published Sift Science 2017 Fraud-Fighting Trends report reveal that 48% of respondents observed a rise in ATO last year.

Travel e-commerce – an attractive proposition

Travel e-commerce is a common target for cybercriminals because most of its offerings are big-ticket purchases. The same reasoning applies beyond digital goods: it also holds for luxury goods providers (also big-ticket purchases) and for products that have a high resale value on the black market. In addition, since travel e-commerce entities offer digital goods, they need instant approval and delivery to satisfy customers, which also opens the gates to more fraud. Furthermore, the volatility of item prices (which change every minute based on consumer demand) means that merchants cannot afford to deploy manual reviews. Most OTA players simply accept suspicious transactions and absorb the chargeback losses, rather than decline transactions and risk tarnishing their brand and losing out to heavy competition.

Too much information up for grabs

Before we delve deep into what the threat looks like today: if one were to assess the vulnerability level of travel booking systems, where do they stand today, and has anything changed?

“Not much hacking is required, as there’s less vulnerability here!” This recent remark from experts Karsten Nohl and Nemanja Nikodijevic aptly sums up the brittle nature of “global distribution systems” operated by the travel industry today.

According to details shared at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany in late December (video available here), the industry suffers owing to brittle authentication and web services. The authenticator printed on boarding passes and luggage tags is up for grabs rather easily. “Any person able to find or take a photo of the pass or tag can access the traveller’s information – including e-mail address and phone number – through the GDS’s or airline’s website,” stated Security Research Labs. The company goes on to add: “…many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers’ last names, their bookings codes can be found over the Internet with little effort.”

Also, many people can access information when a booking is generated, for instance staff at the agency, travel providers and the GDS involved in any part of the PNR. Fraudsters can travel for free, create havoc with one’s frequent flyer account, use payment info etc.

Security Research Labs suggests there is a need for “brute-force protection in the form of Captchas and retry limits per IP address” to start off, and bookings need to be protected with appropriate authentication, at the very least with a changeable password.
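The retry limit Security Research Labs calls for, sketched as an added example (not code from the original article, nor from any GDS or airline): failed booking lookups are counted per IP address and, as an assumption that goes beyond the article, per last name as well, so that guesses spread over many addresses still reach the limit. The class and function names, the thresholds and the booking records are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample bookings keyed by (last name, booking code).
BOOKINGS = {("SMITH", "X7K2QP"): "TXL-LHR", ("JONES", "M4T9ZD"): "BER-CDG"}

class LookupLimiter:
    """Sliding-window limit on failed booking lookups (names are hypothetical)."""

    def __init__(self, max_failures=5, window_s=600):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _keys(self, ip, last_name):
        # Per-IP is the limit the article names; per-name is an added assumption
        # that catches guessing spread over many addresses.
        return (("ip", ip), ("name", last_name.strip().upper()))

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()  # drop failures older than the window
        return len(q)

    def allowed(self, ip, last_name, now):
        return all(self._recent(k, now) < self.max_failures
                   for k in self._keys(ip, last_name))

    def record_failure(self, ip, last_name, now):
        for k in self._keys(ip, last_name):
            self._failures[k].append(now)


def lookup(limiter, ip, last_name, code, now):
    """Return 'ok', 'not_found', or 'challenge' (serve a Captcha, no lookup)."""
    if not limiter.allowed(ip, last_name, now):
        return "challenge"  # the booking system is not queried at all
    if (last_name.strip().upper(), code.strip().upper()) in BOOKINGS:
        return "ok"
    limiter.record_failure(ip, last_name, now)
    return "not_found"


if __name__ == "__main__":
    lim = LookupLimiter()
    for t in range(7):  # seven wrong guesses from one address
        print(t, lookup(lim, "203.0.113.5", "Smith", f"AAAAA{t}", now=t))
```

Once the limit is reached even a correct code gets the challenge, so a guesser learns nothing further until a Captcha is solved or the window expires.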

The point here is how much is being given away to a fraudster.

New areas of concern

There are two relatively new areas of concern for travel e-commerce entities, according to Justin Lie, Group CEO, CashShield:

· Account takeovers: for example, when a user account on one airline’s system is breached, hackers will use the exact credentials to take over the same user’s accounts on other airlines’ systems, as users seldom differentiate their login credentials.

· Frequent loyalty program miles fraud: similarly, a hacker can take over a user account and, if it has loyalty miles, sell the account credentials on the black market to fraudsters, who redeem the miles for tickets.

“As such, it is advisable for travel e-commerce entities to apply big data and real time machine learning not only on securing payments, but also for securing accounts and monitoring loyalty miles claims,” said Lie.

Tackling issues

Lie says companies should take control of their payment data, which should not be restricted by default. This data can be combined with big data (such as the data fields collected on their websites), so that they can derive a strong data strategy not only for fraud prevention, but also to get a better understanding of the profiles of the users who browse their websites.

Also, fraud is becoming increasingly complicated and sophisticated very rapidly.

“This is especially so as credit card companies push for the adoption of the EMV chip, making it more difficult for card present fraud, thus forcing fraudsters to go online. Instead of implementing a fraud prevention strategy that requires long gaps in training machines with data sets, travel companies should shift towards real time machine learning (or real time automated) fraud systems to get ahead of the fraudsters,” said Lie.

Companies should also move fast to be ahead of the curve and protect themselves against account takeovers and loyalty fraud as well. 80% of all cyber attacks have a financial motive, and it is expected that more fraud syndicates will shift to online fraud, since it is so lucrative.

