Ai Editorial: Blacklists and fraud prevention - not an ideal match for sure

First Published on 27^th February, 2018

Ai Editorial: Blacklists rarely work because hackers will never use the same credit card information twice, while whitelists are inaccurate since whitelisted customers can be compromised anytime, writes Ai’s Ritesh Gupta

The introduction of new fraud prevention methods is keenly followed in the travel e-commerce sector. Cutting down on the vulnerability, be it for data breaches or friendly fraud or card not present fraud (CNP), is high on the agenda of travel merchants.

On the flip side, if the fraud prevent strategy ends up being too defensive, then predicament pertaining to blocking of genuine customers surfaces. One area that needs attention is the usage of blacklists.

The rejection of legitimate travel shoppers is indeed a big issue, especially considering the fragmented nature of shopping in this category which tends to culminate after heavy research spanning over multiple sessions in case of a typical holidaymaker. And from the customer experience or conversion perspective, if such rejection takes place on airline.com then it would mean losing out on the shopper after battling for the same with OTAs, meta-search engines etc.!

A case in point: a Singapore-based traveller, who is a tennis enthusiast, intends to visit San Francisco. He has finalized his trip and keen on shopping for tennis-related goods. He decides to get them delivered at a hotel in San Francisco he has chosen to stay. Why? Because he would save on shipping-related expenditure by choosing this option. So what might have been a crucial to-do-list of a holidaymaker’s much-awaited trip, it simply gets ruined due to inefficient fraud detection system. Specialists point out that such authentic buyers can suffer and their orders do get declined as certain shipping addresses can pose glitches for fraud review systems. As it turns out, a number of seemingly dissimilar orders all being shipped to a particular address can be considered to be an aberration. And if one bad or illegitimate order is shipped to one such property, then this address might end up being marked on a blacklist.

Dealing with the issue of blacklists

Initiatives related to spotting suspicious shopping and keeping them at bay by evaluating all the transaction details and adding them to a blacklist isn’t a new practice. This is generally done for cases where a merchant had to face a chargeback, and to block such shoppers again, they are blacklisted and prevented from placing another order in the future.

But such initiatives, where businesses are even automating blacklists i. e. to define rules and automatically block suspicious attempts, needs to be looked upon. It could be about declining a genuine transaction from the same email or IP address that had been marked in the blacklist previously. In such scenario, filters keep a tab on a transaction’s legitimacy by scrutinizing and inspecting a traveller’s IP address, location/ area, credit card number, e-mail id etc. So how this method is failing? In case, one email id is debarred, there is no guarantee that a fraudster can’t find a way around it. This is because a fraudster can amend it to a permutation that isn’t identifiable. For example, in case of Hotmail, users can add a period anywhere in the email address. The average blacklist isn’t able to spot riteshxyz@hotmaill.com, ritesh.xyz@hotemail.com and ritesh_xyz@gmail.com are all the same email address. It is quite common to create a similar-looking email address and circumvent the controls enforced by a system.

As the team at Riskified points out, blacklists can be useful in certain cases, for instance stopping spam email. But when it comes to CNP, it isn’t spam. The team asserts that an airline or any travel merchant using blacklists needs to probe and assess the overall false decline rate, the frequency of analyzing and updating their respective blacklists and to what their top-line revenue is getting impacted.

Counting on real-time machine learning

Blacklists rarely work because hackers will never use the same credit card information twice, while whitelists (skip the review process and are instantly approved – often result in high chargeback rates) are inaccurate since whitelisted customers can be compromised anytime. Whitelists can be an oversimplified solution to improving fraud review accuracy. Also, historical data (which blacklists are categorised as) lose relevance very quickly in the face of unknown cyber threats, since it is difficult for the machine to predict new fraud attacks without any prior information. According to CashShield, real-time machine learning can help against blanket blacklists and whitelists by focusing on the customer’s behaviour instead. It works with real-time live data collected on the merchant’s website, where the system trains itself with each incoming transactions to identify fraud patterns instead.

The team at Riskified underlines that a healthier way to combat fraud is to proactively spot fraudulent patterns using dynamic tagging and linking, and focus on sophisticated fraud detection models.

It is time travel merchants avoid taking steps that are in general reactive and probabilistic solutions. Rather there is a need to cut down on the probability of holding up transactions via a manual review or worse blocking them entirely. So rather than blacklisting, merchants can capitalize on intelligence, say unique data points that an email address provides. It could be name matching, IP address etc. In fact, email ids are part of essential details that are garnered for almost every transaction.

Hear from experts about e-commerce fraud at the upcoming “Getting Ahead in the Digital Age - 12th Airline & Travel Payment Summit”, to be held in Miami (24-26 April, 2018).

For more information, click here

Follow Ai on Twitter: @Ai_Connects_Us