Article: What’s the Scam? Protecting Airlines from CNP Fraud
by Stephanie Taylor – Low-Fare & Regional Airlines Magazine
The internet age has brought with it many positives, but industry leaders agree that things are now changing so fast that it's difficult to keep up with the vulnerabilities new technology creates. From the theft of airline miles to identity fraud, many sectors within and outside air travel are collaborating to mitigate the financial and reputational risks to airlines.
"Fraud is such a complex and diversified issue; there's no silver bullet," admits Kristian Gjerding, CEO of CellPoint Mobile. This is certainly true when it comes to the airline industry, whose policies "make it advantageous for not only criminals but others too," expands VP marketing at Kount.
In the 'card not present' (CNP) world, when a customer claims an airline ticket has been bought fraudulently, the carrier is liable. Although this system creates problems regarding genuine fraudulent transactions, the industry also has to contend with 'friendly fraud'.
Keith Briscoe, Chief Marketing Officer of Ethoca, explains. "Some people get buyer's remorse and dispute the transaction. The bank is often hard-pressed to force the cardholder to admit they actually did buy the airline ticket, meaning a customer can use the chargeback process for personal gain," he says.
The chargeback process occurs when a merchant such as an airline processes a sale which is then flagged up as fraudulent by the cardholder with their bank. The bank is obliged to credit the cardholder with the disputed amount, then seeks a refund from the airline.
With friendly fraud or actual fraud, the problem, according to Kount's Bush, is that "the whole cycle of the chargeback process can often take the merchant six weeks to find out about, and at that point, there's nothing airlines can do to stop the seat going empty, the fraudster boarding the flight or someone reselling the ticket fraudulently - it's already happened."
Ethoca’s platform, Ethoca Alerts, is designed to prevent the chargeback process from happening. "We've worked directly with the card-issuing banks to get their data in real time, then we send it to the airline within hours instead of weeks," avers Briscoe. "Once the airline gets the issuer's data quickly, they can immediately cancel the ticket the fraudster purchased. Essentially, the airline actions the alert from the bank. Through our portal, they also have to let the issuer know what action they took on the alert.
"The card will also be cancelled by the bank so the fraudster can't commit any further fraud on the compromised card in question. The fraudster is prevented from either reselling the ticket or boarding the flight themselves. That enables the airline to resell the ticket to a legitimate customer," Briscoe continues.
"When the airline refunds the purchase to the cardholder, that resolves the dispute and eliminates any chargeback. That's a huge win for them because it's a vastly improved experience for the cardholder, who doesn't need to go through the inconvenience of the claims process."
Ethoca's system operates alongside fraud platforms like Kount, whose developers claim that giving airlines access to detailed information is key to increasing revenues, as well as mitigating fraud. Owing to the consequences of accepting fraudulent transactions, "agencies large and small are usually more conservative and would rather turn a transaction down than have a bad transaction", notes Bush.
"Stopping fraud's pretty easy. If you don't want any fraud, don't sell anything online," he continues. "We work with a large low-fare carrier in Australia which has seen lots of fraud coming out of Africa, after which it turned off those IP addresses and didn't accept transactions there. This airline was turning down as much as 25% of its transactions, and that's not a good revenue model for growth. Our tagline is 'boost sales, beat fraud'; our system gives airlines great information so they can accept the typical 3%-20% of their overall sales which may look a little shifty but are legitimate."
The information Kount provides covers hundreds of parameters, which are examined in real time while the buyer is online; the whole assessment happens within a few hundred milliseconds. "We can look at location, the type of device, whether we've seen the credit card or the persona making purchases before and whether we can connect them with fraud," Bush outlines.
This should be able to identify people who take advantage of the airline's dynamic pricing model by buying tickets early and reselling them for inflated prices, something which Matthew Finn, managing director of AUGMENTIQ, says happens in the rail and hospitality sectors too.
Gauging the type of device that people are buying with is becoming increasingly important, since mobile transactions are growing exponentially. A recent study by US-based iovation revealed that travel transactions completed on mobile devices rose by 14% during the summer months of 2015, and that mobile travel fraud increased by 18% across the same period. With this in mind, Bush says Kount's fourth annual Mobile Fraud Survey worryingly showed "over 40% of respondents cannot tell you what type of device people are making a transaction from", meaning retailers can't identify certain characteristics unique to mobile transactions.
CellPoint Mobile offers payment products, e-wallet products and booking products for an airline's direct channel. Gjerding explains, "We have some specific capabilities using the mobile channel to solve certain fraud issues. If a transaction appears to come from an environment such as a well-known location for fraud, we will initiate a multi-factor authentication process, which can be either obtrusive or unobtrusive."
"If it's unobtrusive, we just query the transaction and deliver the information we find to the airline's fraud team. If it appears we need to take obtrusive steps, we insert a secondary step in the payment flow where we require either one-time password (OTP) or secondary credit card verification," Gjerding continues. "We can shoot an OTP to customers via SMS, and on the return path of this SMS, we can query information about where the payment card belongs geographically with our integration into the telecommunications environment – 'Is the SMS coming from that country or coming from somewhere else?'"
However, Bush is wary of "adding friction to a transaction", highlighting problems with the 3D Secure model as an example. "3D Secure has its place, but it does put more steps in the payment process, and any time you do that, conversions drop. In the end, fraudsters can buy those IDs and passwords on the market too," he notes.
"We did a case study on a games development company which compared 3D Secure and Kount, and they actually found they were just as secure - if not more so - having Kount alone, and then they don't have the added expense of the 3D Secure model. Our solution happens in the background. It's invisible," Bush stresses.
What the SMS does do is automate the verification process, which is a big bonus. "The manual review process for fraud is expensive and time-consuming, and in the end most agencies still feel 50/50 and just turn the transaction down," Bush reports. "Using that manual process takes out all the scalability of the business being online, and takes away the ease of use and immediacy consumers are used to, which can damage the brand."
While it's still in its infancy, Gjerding predicts that blockchain could prevent fraud in the future. Associated with cryptocurrencies like bitcoin, the blockchain creates a public ledger of transactions in a linear order. A new block can be added to the chain only if it's verified in accordance with previous blocks, making it difficult to tamper with and impossible to edit.
"With blockchain, you have to be accurate from microsecond to microsecond in real time. If just one thing is incorrect, the block gets rejected and the whole hashing of the block restarts. This gives you an idea of the amount of people you have to convince that your reality - the fraud reality - is actual reality. That's practically impossible."
"Then comes 'how can we utilize that in a way that's meaningful for an airline merchant to identify and authenticate a passenger and their transaction?'" adds Gjerding. "What you can do is have distributed identities. I can go to one agency - it could be a government - and create and authorize a recognized entity. Once I have my passport issued within this environment using some kind of authentication application, I can approach a transaction and, because of the way the blockchain operates, enable people to validate that I am the person I say I am."
"In the next three to five years, it will dramatically and positively affect how airlines do things online," concludes Gjerding. "For me as a business traveler, I want my digital identity to be tied into my passport."
This raises another problem - payment fraud is undeniably tangled up with identity fraud. "The weak links are everywhere, and I find the easiest way to look at the aviation industry is to think about the passenger," comments AUGMENTIQ's Finn. "A passenger only becomes an airline customer at the start of the booking phase, but the passenger needed to get a passport and potentially a visa, so their journey starts a lot earlier. We need to look at the integrity of the processes at each of those steps. If a passenger gets a genuine passport issued to a fake identity, then everything else after that has fallen apart.
"If you then look at things like the airport security process, it's really good in terms of detection - checking if you're carrying a prohibited item - but there is no identity component to aviation security," Finn highlights. "As a consequence, airports have to treat every passenger with the equal amount of risk. The reality is that if they knew more about you - could see you travel out of London Gatwick every week - they can conduct a low-risk type of security for you."
No doubt this is why Gjerding wants his digital identity (payment methods included) tied to his passport. It's what Finn calls "single token travel", which is currently an industry buzzword. Finn argues, "The single token travel concept wraps disparate data together into one package, but we've got to be careful with single travel tokens that we don't create a bright, shiny link in an otherwise rusty chain." In other words, we need to create a metaphorical blockchain across the travel industry too.
That's why Finn has set up something called the Security Leadership Lab, which aims to "bring people from different parts of the industry - border security, baggage security, airline security, all of the different stakeholders at the senior level - into a room together to create that safe space where they can talk about lessons learned and experiences they've had without fear of it leaking out into the public domain, offering them a chance to take a more holistic perspective".
Perhaps the necessity of this broader view is what has driven Ethoca to develop its Order Rescue solution, which is the reverse of Ethoca Alerts. "The product helps airlines flag orders they think might be fraudulent, then we send the information to the banks and they call out to the cardholder to confirm whether it's a good transaction or whether it's fraud," Briscoe explains. "What our data shows is that in 42% of the cases where the merchant thought it was fraud, it was actually a good transaction."
Briscoe acknowledges that the next objective with the solution as it stands is the automation element and plans to introduce SMS verification before the product rolls out later this year.
With today's fraud prevention companies giving airlines and travel agencies the confidence to accept more good transactions, it seems like there's an array of technology worthy of investment.