Ai Editorial: Threat of loyalty fraud looms large with data breaches and stolen credentials

First Published on 9th January, 2018

Ai Editorial: Merchants and fraud prevention specialists need to evaluate several areas such as data breaches, phishing, malware etc. to make it tough for fraudsters to gain access to a loyalty account, writes Ai’s Ritesh Gupta

 

Airlines need to prepare diligently for the threat of account takeover or ATO, especially considering their business falls in the “high ticket value, with a low margin” category.   

Why is ATO proving to be lucrative for fraudsters at this juncture?

There are multiple reasons behind this. First, this type of fraud can be more valuable than credit card fraud. Second, organizations don’t have stringent measures in place to fight against ATO. As the team at Sift Science points out, the time available to exploit the information before detection is typically longer. Third, this type of cheating isn’t easy to detect. Since the account already exists and is related to a genuine customer, the fraud is relatively tougher to spot and the fraudster has more time to operate before they are caught.

One breach - eventually key to many accounts

ATO in the loyalty space (featuring airlines, hotels etc.) is coming under scrutiny owing to data breaches, says Kevin Lee, Trust & Safety Architect, Sift Science, a speaker at the recently held Loyalty Fraud Workshop in Palm Springs, California.

Highlighting how one data breach can impact several verticals, Lee says, “Let’s say a customer has an account in both Uber and United Airlines. And if there is a data breach at Uber, and although United Airlines hasn’t faced any attack and are safe from that perspective, but if a user happens to use the same login credentials for both the companies, then the credentials are vulnerable for illegitimate use at other places. And about 55% of the people in the U.S. re-use passwords.” So in today’s password-driven economy, if users spend the majority of their time using 10-12 apps on their smartphones, it would be unreasonable to expect them to use different passwords for all the apps. “People tend to take a short-cut (when it comes to passwords) and won’t have unique passwords. So this makes them vulnerable to ATO.”

 

So have everyone’s credentials already been compromised?

As Google also pointed out in November, account takeover is sadly already a common challenge for users across the web. The company also acknowledged that password-stealing tactics pose a risk to all account-based online services. Key findings from a study (an analysis spanning one year to March last year, covering numerous black markets that traded 3rd party password breaches as well as 25,000 blackhat tools used for phishing and keylogging):

· The study found that 788,000 credentials were lifted via keyloggers, 12 million credentials were stolen via phishing, and 3.3 billion credentials were exposed by 3rd party breaches.

· Password-stealing tactics mean all account-based online services are under threat. According to Google, in the case of 3rd party data breaches, “12% of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7% were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25% of attacks yield a valid password”.

· Also, because a password alone is hardly enough to gain access to a Google account, more and more fraudsters try to gather the sensitive data that is requested when verifying an account holder’s identity. Google underlined that 82% of blackhat phishing tools and 74% of keyloggers tried to obtain a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.

According to Sift Science, fraudsters get access to stolen credentials from a number of sources:

· From data breaches, sold on the dark web

· Phishing with fake websites

· Malware, trojans, spyware

· Social engineering

· Hijacking a mobile device

Lee says, “My general assumption is that everyone’s credentials have already been compromised.” He added, “We have actually reached the point of no return.” It might not be a straightforward task to gain access to everyone’s account, but just like solving a puzzle or putting several pieces together, fraudsters can sneak through the defence. From one data breach they can get a vital piece of information about users. Another breach then shares more details about those users, and eventually all the details of one account are cracked. “So that’s how an entire identity of a user could be worked out,” said Lee.

Certainly organizations can look at preventing their “own” credentials from being stolen. Working in unison with the IT team, they can ensure that the information stored on servers, and the people accessing it, are secure. “Unfortunately your consumers have become your weak spot. If they reuse their credentials and passwords then it remains a big issue (for organizations).”

Be as strong as possible in authentication

Airlines need to look for more protections beyond just passwords. A claim to own an account needs to be handled carefully. This is where machine learning comes in, to understand user behavior. Advancements in computing and big data power, as well as the growing prominence of API-based machine learning solutions, mean that machine learning is emerging as a scalable method to grow without increasing risk. It identifies patterns in data that aren’t spotted by humans. So this can result in fewer false positives and false negatives.

Let’s say a user booked a flight and then, a month later, is redeeming miles from the same device. From a machine ID or device fingerprinting standpoint, that would be a good signal from the authentication perspective. Consistency in the timing of redeeming miles or points could be another indicator. Another area is behavior on the digital interface: the way redeeming is being done, the time taken to reach the checkout stage etc. Such actionable intelligence from all possible data inputs can help in curbing loyalty fraud. Machine learning evaluates massive volumes and varieties of data to deliver real-time decisions. “With enough data it can be observed that the average person – when they redeem gift cards or loyalty points, most likely that’s not their first time. People tend to take their loyalty program or points/ miles seriously. Even before the transaction takes place, with machine learning one can map the holistic behavior. So one keeps on checking a particular redemption option and when they have enough currency, they go for it. It might take them months to complete this. So these are all good indicators. On the other hand these are missing in account takeover (instances).”

So even though credentials have been stolen, it is imperative for organizations to bolster the authentication process. This way the risk of loyalty fraud can be minimized. So it comes down to authentication, and one of the tools is machine learning, sums up Lee.
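
An added example, not from the article or from Sift Science: a small rule-based scorer, standing in for the machine-learning model described above, that combines the signals the article names (known device, consistent redemption timing, prior interest in the redemption option, time to checkout) and asks for step-up authentication when they are missing. The field names, weights, threshold and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class History:  # what the programme already knows about the member
    devices: set = field(default_factory=set)             # device fingerprints seen on past bookings
    redemption_hours: list = field(default_factory=list)  # hour of day (0-23) of past redemptions
    option_views: dict = field(default_factory=dict)      # redemption option -> earlier page views
    checkout_secs: list = field(default_factory=list)     # seconds to reach checkout in past sessions

@dataclass
class Redemption:
    device: str
    hour: int
    option: str
    secs_to_checkout: float

# Illustrative weights and threshold (assumptions, not values from the article).
WEIGHTS = {"new_device": 40, "first_redemption": 15, "unusual_hour": 15,
           "option_never_viewed": 20, "rushed_checkout": 10}
STEP_UP_AT = 50

def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score(history, event):
    """Return (risk score, reasons, decision) for one redemption attempt."""
    reasons = []
    if event.device not in history.devices:
        reasons.append("new_device")
    if not history.redemption_hours:
        reasons.append("first_redemption")
    elif min(hour_gap(event.hour, h) for h in history.redemption_hours) > 3:
        reasons.append("unusual_hour")
    if history.option_views.get(event.option, 0) == 0:
        reasons.append("option_never_viewed")  # genuine members check an option for months first
    if history.checkout_secs and event.secs_to_checkout < 0.25 * median(history.checkout_secs):
        reasons.append("rushed_checkout")
    total = sum(WEIGHTS[r] for r in reasons)
    return total, reasons, ("step_up_auth" if total >= STEP_UP_AT else "allow")

# Constructed sample data: one member, their usual redemption, and a takeover-like one.
member = History({"fp-a1"}, [20, 21], {"LHR-upgrade": 6}, [300, 420, 360])
usual = Redemption("fp-a1", 21, "LHR-upgrade", 330)
takeover = Redemption("fp-zz", 4, "gift-card-500", 35)

if __name__ == "__main__":
    for name, ev in (("usual", usual), ("takeover", takeover)):
        print(name, score(member, ev))
```

The score only decides when to demand stronger authentication; a correct password from an unknown device is still treated as an unproven claim to the account.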

(We will take a detailed look at the role of machine learning in curbing loyalty fraud in the upcoming articles). 

 
