Date: 19 Mar 2019
Summary: Simple experiences that mean convenience and control for shoppers are welcome. But they also mean a bigger threat as far as fraudulent transactions and account takeover are concerned.
ChinaTravelNews, Ritesh Gupta – Travellers are reaping the benefit of new digital processes. Whether checking into a hotel or paying for a transaction, such experiences are increasingly seamless and frictionless. But the same digital processes that give customers control and convenience are also a threat, be it through data breaches or fraudulent transactions.
“Simple customer experiences can complicate fraud prevention,” acknowledges Tao Wei, Director, CyberSource Global Services.
Wei referred to a couple of facets where a hotel guest is promised a simple experience while the threat of being attacked by a fraudster or hacker is going up:
Seamless check-out experience
As companies allow travelers to create accounts and use them for seamless experiences, those accounts are proving to be a fertile avenue for fraudsters. In account takeover fraud, a hacker or fraudster takes over an online account and makes illegitimate use of the stolen valid credentials. When the accounts are stolen from a hotel's or an airline's site, this is known as merchant account fraud.
“Fraudsters are shifting focus to target account creation and account takeover,” mentioned Wei.
Account takeover typically happens when a data breach occurs, exposing user credentials which are then sold on the dark web. Fraudsters gain access to these credentials, and use the stolen data to log on to the user’s account. From there, monetization activities such as transferring of funds, utilizing of loyalty rewards, and withdrawing of credits, may be performed.
Citing an example, Wei mentioned that when a traveler downloads a hotel app and books a trip through it, the challenge lies in controlling fraud at account creation and in storing sensitive debit/credit card data. These accounts hold personal information such as log-in credentials and bank or credit card account numbers, and they also drive account-on-file payments (transactions performed using stored payment credentials). On the day of check-in, if the user is using a mobile key, it is imperative to securely enable mobile check-in and the room key.
Another aspect is the fraudulent use of loyalty points that can result from such account takeover, said Wei. The value of points and miles is attractive for fraudsters, and they also take advantage of the fact that consumers possibly don't check their hotel loyalty account or frequent flyer account the way they keep track of their bank accounts. Such accounts are alluring because of their value: a traveler might use loyalty currency to fully or partially fund a trip, shop for a travel ancillary or any other product from an online product catalog offered by the travel merchant, or even go for a financial rebate, which could be cash and/or credit against a bill.
Multi-device/multi-channel engagement
Commerce channels are converging to deliver a seamless customer experience. But all of this also complicates accurate customer validation and anomalous behavior modeling, pointed out Wei. It needs to be highlighted that mobile commerce, or shopping from a mobile device, can't be treated in the same manner as e-commerce.
Travel e-commerce companies need to dig deep and understand the implications of the mobile channel when it comes to fraud. CyberSource underlines the significance of evaluating behavior. For instance, the freedom of movement with mobile devices can't be compared with that associated with a PC or even a laptop, which makes IP geo-location less useful. Also, a fraud management rule that treats multiple devices logging into one account as suspicious behavior would lower the acceptance rate. Today companies need to gather information about the mobile device being used: operating system, browser configuration, wireless setting etc. All of this contributes to countering fraud.
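The difference between counting devices and evaluating device attributes can be shown on a handful of login events. The following is an added example, not code from CyberSource or from the original article; the event fields, action names, the two-of-three matching threshold and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed events: (account, device_id, os, browser_lang, network, action).
EVENTS = [
    ("alice", "d1", "iOS", "zh-CN", "wifi", "login"),
    ("alice", "d2", "iOS", "zh-CN", "cellular", "login"),          # same traveller, second device
    ("alice", "d2", "iOS", "zh-CN", "cellular", "redeem_points"),
    ("bob", "d3", "Android", "en-GB", "wifi", "login"),
    ("bob", "d4", "Windows", "fr-FR", "wifi", "login"),            # profile unlike bob's device
    ("bob", "d4", "Windows", "fr-FR", "wifi", "redeem_points"),
    ("carol", "d5", "Android", "zh-CN", "wifi", "login"),
    ("carol", "d5", "Android", "zh-CN", "wifi", "redeem_points"),
]
SENSITIVE = {"redeem_points", "change_password"}  # hypothetical action names


def naive_flags(events):
    """Flag every event once an account has been seen on more than one device."""
    devices, flagged = defaultdict(set), []
    for i, (acct, dev, *_attrs, _action) in enumerate(events):
        devices[acct].add(dev)
        if len(devices[acct]) > 1:
            flagged.append(i)
    return flagged


def attribute_flags(events, min_match=2):
    """Flag only sensitive actions from a device whose attributes match no known profile."""
    known, flagged = defaultdict(list), []
    for i, (acct, _dev, *attrs, action) in enumerate(events):
        profile = tuple(attrs)
        if not known[acct]:
            known[acct].append(profile)  # assumption: first device seen is the enrolment device
            continue
        familiar = any(
            sum(a == b for a, b in zip(profile, k)) >= min_match for k in known[acct]
        )
        if familiar and profile not in known[acct]:
            known[acct].append(profile)
        elif not familiar and action in SENSITIVE:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print("naive rule flags:", naive_flags(EVENTS))
    print("attribute-aware flags:", attribute_flags(EVENTS))
```

On these events the device-count rule flags the traveller who simply switched to a second device on a cellular network, while the attribute-aware rule flags only the points redemption from the device whose profile matches nothing seen on that account.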
Being better prepared
A senior hotel executive in China referred to feeble internal procedures that result in data breaches involving an employee or an insider. “The IT staff can easily access and steal information from a customer database of a hotel company. The front staff also can make illegitimate use of a guest’s credit card. There is key information stored at various places in a company and the problem arises when they (the staff) end up accessing a database they aren’t supposed to. So it is better to set up permission-based access, based on the roles/ department and not allowing permanent access.” He added that it is important to train and educate employees about data handling and breach notification, and that every individual has a responsibility to ensure their role doesn’t contribute to the leakage of data.
Alex Wang, CEO, Bolin Hotel Group, also acknowledged occasional thefts of credit cards by front office workers at hotels, but felt that payments are largely secure and that online payments can be trusted.
From an airline’s perspective, Xuewu Wang, Head of Data Labs at China Eastern Airlines, shared that data security, like passenger safety, is very important to airlines. “We have adopted many data security systems, data usage specifications, and network monitoring to prevent data leakage and ensure the security of data,” he said.
From a shopper’s perspective, specialists like CyberSource point out that shielding customers from payment fraud shouldn’t come at the cost of denying genuine customers their transactions. One has to be cautious about introducing more rules within a fraud system or implementing two-factor or multifactor authentication.
Overall, the onus is on merchants themselves to be in a better position to control such threats.
6 initiatives that can help in curbing fraud are:
1. CyberSource stresses the significance of a holistic approach to keeping a vigil on fraud, from account monitoring (right from who is creating the account to account login to updates being made) to transaction screening (be it for card-not-present fraud or miles/points redemption).
2. As new payment methods emerge, travel merchants have to prepare for new methods of fraud. For example, the use of app cloners and machine learning techniques to create synthetic device identities (fake identities created by using some authentic information) is a trend that is troubling merchants. Using app cloners, hackers/miscreants can pose as numerous users to dupe systems, since various transactions or logins will be perceived as coming from unique devices.
3. Sharper fraud prevention approach: A rules-based engine helps you automatically screen and sort orders based on your business rules. While a merchant has to make judicious use of rules in a fraud system, they also need to incorporate supervised machine learning, or conventional machine learning (relying on historical data to prepare an astute algorithm), while unsupervised machine learning allows the system to learn on the fly from real-time data. As much as machine learning’s role is on the rise, setting realistic expectations is also important. Focusing only on historical data would mean that unknown fraud attempts would pass, too. In this context, the role of unsupervised machine learning is coming to the fore. It spots patterns and correlations in the new data collected, and in doing so classifies authentic travel shoppers as much as it discovers fraudsters. With such an approach, hotels or airlines also need to find ways to cut down on human verification of the legitimacy of a transaction and make the process more automated.
4. Creating awareness among consumers: It is time travel companies create awareness around the monetary value of loyalty points, keeping different passwords for various accounts (so if one account is compromised, the others aren’t affected) and also updating passwords on a regular basis.
5. Collect data and act: Distinctive merchant data (for instance, behavioral biometrics, which is about how a user moves the mouse on a PC or swipes the screen), along with industry data, can help fraud specialists to strengthen real-time pattern recognition technology. Such an initiative can help in anomaly detection and support a proactive approach towards fraud prevention.
6. Identity verification: New methods to authenticate an identity have emerged in the last few years. These include document authentication (name, address etc.), software that checks a user’s voice, typing style, etc. for authentication, and digital footprint verification (for instance, correlating the profile with social accounts on Facebook, LinkedIn etc.).