Ai Editorial: Managing account takeover fraud – a must in era of personalisation

First published on 24th February, 2017

Ai Editorial: Airlines need to move fast to be ahead of the curve and protect themselves against account takeovers, writes Ai’s Ritesh Gupta


The benchmark for completing a digital transaction – the moment when you are about to pay - is one click or swipe.   

Of course, in order to deliver one-click checkout experience, travel e-commerce players have to garner personal information, store chosen payment method and keep it secure. This transaction-related information is a vital component of overall account personalisation that businesses are keenly looking at today.

But it also needs to be noted that account takeover is the latest fraud tactic troubling merchants, and airlines, as merchants, can be victims too.

Account takeover fraud happens when a fraudster or hacker misuses a user’s personal details stored with a merchant in order to take control of an existing account. Fraudsters rely on stolen credentials and phishing schemes to get into legitimate user accounts, and they can also harvest credentials through malware and spyware on the customer’s device or through SQL injection attacks against the merchant’s own systems. Any of this can have a detrimental impact on trust and loyalty among valued customers.

Being wary of fraud as account personalisation picks up

As we highlighted in one of our recent articles, account personalisation is on the rise. One area where progress is being made is speedy bookings and swift flight check-ins on airline-owned platforms. Ryanair took an exemplary initiative last year, one related to account personalisation: it enabled passengers to set up a personal profile in which they share their travel preferences and save passport details and the like. Users can also store their payment information.

So if, on one hand, such initiatives are bound to make trip planning, booking and even servicing simpler and more efficient, then on the other hand one needs to be wary of the situation where the data tied to a user’s account gets stolen.

Data breaches are dreadful, and this trend can end up as a massive threat for airlines.

It is becoming common for cyber criminals to breach one site and then reuse the list of email addresses and passwords they have obtained on many other sites (a practice known as credential stuffing). So here is what would happen: when a user account on one airline’s system is breached, hackers will try exactly the same credentials against the same user’s account on other airlines’ systems, because users seldom use different passwords for different sites.
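The reuse pattern described above has a recognisable signature in a merchant’s login logs: a credential-stuffing source tries many different accounts in a short time with a low success rate, whereas a real customer retries one account. The following is an added example, not code from the article or from any airline; the log line format, the sample lines and the thresholds are constructed assumptions for illustration.

```python
"""Spot credential-stuffing sources in web login logs (illustrative, added example).

A stuffing attack replays leaked email/password pairs, so one source IP attempts
many *distinct* accounts with a low success rate. The accounts that do succeed
from such a source are the likely takeovers and should be challenged or locked.
Log format, sample data and thresholds below are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> ip=<addr> user=<email> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one human retrying a forgotten password from
# 198.51.100.4, and one stuffing bot walking a leaked list from 203.0.113.7.
SAMPLE_LOG = """\
2017-02-20T10:00:01Z ip=198.51.100.4 user=bob@example.com result=fail
2017-02-20T10:00:09Z ip=198.51.100.4 user=bob@example.com result=fail
2017-02-20T10:00:20Z ip=198.51.100.4 user=bob@example.com result=ok
2017-02-20T10:01:00Z ip=203.0.113.7 user=alice@example.com result=fail
2017-02-20T10:01:01Z ip=203.0.113.7 user=carol@example.com result=fail
2017-02-20T10:01:02Z ip=203.0.113.7 user=dave@example.com result=ok
2017-02-20T10:01:03Z ip=203.0.113.7 user=erin@example.com result=fail
2017-02-20T10:01:04Z ip=203.0.113.7 user=frank@example.com result=fail
2017-02-20T10:01:05Z ip=203.0.113.7 user=grace@example.com result=ok
"""


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {source_ip: sorted accounts that logged in OK from a suspicious IP}.

    An IP is suspicious when, within some sliding time window, it attempts at
    least `min_users` distinct accounts and its success rate is at most
    `max_success_rate`. A single customer retrying one account never trips this.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    hits = defaultdict(set)
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            distinct_users = {e["user"] for e in win}
            successes = [e["user"] for e in win if e["result"] == "ok"]
            if len(distinct_users) >= min_users and len(successes) / len(win) <= max_success_rate:
                hits[ip].update(successes)  # accounts that succeeded are the likely takeovers
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"stuffing source {ip}: probable takeovers {accounts}")
```

On the sample log the bot’s address is reported with the two accounts that accepted a leaked password, while the legitimate retries from the other address are not flagged. In production the same aggregation would run over a streaming window rather than a static list, and the flagged accounts would be routed to a step-up challenge or a forced password reset.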

Similarly, a hacker can take over a user account and, if it holds loyalty miles, sell the account credentials on the black market to fraudsters who redeem the miles for tickets.

Identifying suspicious behavior

Account takeover security comes into action at an early stage, by keeping a vigil on new account creation and on the way those accounts are subsequently used. This helps in assessing risk with a reasonable level of accuracy. The aim is prevention: a fraudulent activity, say a transaction, is stopped before it takes place. Here a flexible rules engine flags dubious activity based on the user’s behaviour and device attributes. As CyberSource states, an organisation can then choose to accept, reject, or challenge the user to authenticate themselves before the event can occur. The same signals also help to spot valuable returning customers.

A user’s device and Internet connection information can prove handy in managing such fraud. Device-based customer authentication adds a layer of defence against account takeover, and it matters when assessing whether the real account owner is the one accessing the account. One way to do it is to evaluate a cookie associated with the stored payment method: if that cookie is missing when the stored payment method is used, the person can be asked to re-enter the card number or provide the card verification code. Likewise, if a fraudster tries to evade recognition by masking their IP address or spoofing geolocation, one can determine the real IP address of the connection and compare it with the stated location to detect risky activity.
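The two preceding paragraphs describe a rules engine that scores device and behaviour signals (a missing payment-method cookie, an observed IP that disagrees with the stated location, a brand-new account, an unfamiliar device) and turns the score into an accept, challenge or reject decision. The following is an added example of that shape, not CyberSource’s or any vendor’s code; the signal names, weights and thresholds are assumptions chosen for illustration.

```python
"""Accept / challenge / reject rules engine for a risky account event (added example).

Not a vendor's implementation. Each rule is a predicate over the event plus a
weight; the total score is mapped to a decision. Weights and thresholds are
assumptions for illustration and would be tuned against real fraud outcomes.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    account_age_days: int
    device_known: bool            # device fingerprint seen before on this account
    payment_cookie_present: bool  # cookie bound to the stored payment method is present
    observed_country: str         # derived from the connection's real source IP
    stated_country: str           # what the client claims (geolocation/form data, spoofable)
    amount: float                 # value of the order or redemption
    returning_customer: bool      # long history of successful, undisputed orders


@dataclass
class Decision:
    action: str                   # "accept" | "challenge" | "reject"
    score: int
    reasons: list = field(default_factory=list)


# (reason, predicate, weight). Assumed weights: the two strongest signals
# together are enough to force a challenge; three or more tip into reject.
RULES = [
    ("payment cookie missing for stored card", lambda e: not e.payment_cookie_present, 40),
    ("stated location differs from observed IP", lambda e: e.observed_country != e.stated_country, 35),
    ("unknown device", lambda e: not e.device_known, 20),
    ("account younger than one day", lambda e: e.account_age_days < 1, 25),
    ("high-value order", lambda e: e.amount >= 1000, 15),
]


def decide(event, challenge_at=40, reject_at=80):
    """Score the event against RULES and map the score to an action.

    "challenge" is where the merchant asks the user to re-enter the card number,
    supply the verification code, or complete another step-up authentication;
    "reject" blocks the event outright; "accept" lets it proceed.
    """
    score, reasons = 0, []
    for name, predicate, weight in RULES:
        if predicate(event):
            score += weight
            reasons.append(name)
    # A recognised returning customer on a familiar device offsets minor signals,
    # which is how the engine also spots valuable repeat customers.
    if event.returning_customer and event.device_known:
        score -= 30
        reasons.append("returning customer on known device")
    if score >= reject_at:
        return Decision("reject", score, reasons)
    if score >= challenge_at:
        return Decision("challenge", score, reasons)
    return Decision("accept", score, reasons)


if __name__ == "__main__":
    # Constructed cases: a trusted regular, a cookie-less stored-card use, and a
    # textbook takeover (new device, country mismatch, missing cookie, big order).
    for ev in (
        Event(800, True, True, "GB", "GB", 200.0, True),
        Event(800, True, False, "GB", "GB", 200.0, False),
        Event(800, False, False, "RU", "GB", 1200.0, False),
    ):
        d = decide(ev)
        print(d.action, d.score, d.reasons)
```

Note that the offset for returning customers only applies when the device is also recognised: a loyal customer whose credentials are replayed from an unfamiliar device with the payment cookie absent still lands in the challenge band, which is exactly the takeover case the article is worried about.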

Recently, when I forgot my Apple ID password, I was asked to share the ID, filled in a code twice, and then could retrieve the password via my registered email or by answering the questions I had registered earlier. Eventually I was guided on how to work out a strong password. But is it enough for account protection? The best answer is to make sure there is enough human expertise within the organisation, and to keep an eye on any new, more stringent security measure. Behavioural analysis is one area that is becoming increasingly sophisticated: swipes, taps, cursor movements and the like are analysed for navigation flow, time spent and so on to understand how a user behaves. It is also being suggested that behavioural biometrics, which spots patterns in human activity, should be looked at for continuous authentication, going beyond the two-factor authentication (2FA) method. So as airlines analyse more and more data (for example device authentication, device ID, device fingerprinting), fraudsters will struggle to fully pass themselves off as genuine. These measures are a must, as hackers and fraudsters are automating their attempts to get around existing security measures.


Are you bold enough to survive in the brave new world? Assess your preparedness at the 11th Airline & Travel Payments Summit (ATPS).

Date: 03 May 2017 - 05 May 2017   

Location: Berlin, Germany 



Follow Ai on Twitter: @Ai_Connects_Us