For airlines, few other platforms can match the importance their respective websites play in nurturing customer relationships for infrequent travellers and road warriors alike. But as online payment and loyalty programme management technologies evolve, so too do an underworld of fraudsters, who relish in breaching seemingly foolproof security barriers, which can create significant revenue losses for airlines and wreak havoc on unassuming passengers.
A widely circulated report examining online fraud developed by CyberSource in conjunction with Airline Information, a loyalty and merchandising research firm, estimated that in 2010 global airlines lost roughly USD 1.4 billion in revenue from fraudsters successfully exploiting weakness in online sales channels. Yet that number alone does not capture the total costs incurred by airlines as they bolster their fraud-fighting efforts through investments in additional staffing and prevention technologies.
At the same time combating fraud creates a new set of difficulties for carriers as they work to ensure relationships with legitimate customers remain strong while they ferret out the ‘bad guys’.
Fraud groups are essentially active 24/7, remarks TAM senior manager Eloi Assis. “We’re talking about organised crime here, not some guy in a basement, but entrepreneurs.”
TAM has its own anecdotes that reflect the perseverance of fraudsters. Assis recounts a story about an individual who attempted to use 400 different types of credits cards from more than 100 IP addresses. If those attempts were successful, the costs to TAM could have been about USD 1 million.
Airline Information managing partner Michael Smith cites an example of a fraudster attempting to use a stolen credit card to book a flight on Martinair, Air France and KLM, which are all members of the Air France-KLM group. “Fraudsters keep prodding until they find a hole,” he says.
“Fraud saps revenues,” concludes a 2012 WorldPay report examining online booking and payment in the airline business. The report estimated that 1.5 per cent of eCommerce revenues are being drained by fraudsters, while a third, or 29 per cent, of the 51 airlines surveyed by the document’s authors indicated they had seen fraudulent bookings increase during the last 12 months. The majority – 37 per cent – say fraud levels have remained stable rather than decreasing.
FRAUD IS LOCAL
Assis of TAM says most of the fraud attacks on the carrier’s systems are from within Brazil, but the penetration is designed to look as if it originated elsewhere.
CyberSource in association with Airline Information surveyed 142 participants from global airlines between 17 November 2010 and 31 January 2011, and based on those findings determined that fraudulent booking rates among those carriers averaged 0.65 per cent, but varied widely by region and years of experience. Airlines in Latin and Central America had more than twice the fraudulent booking rate at 1.4 per cent while airlines with less than three years of online sales experience reported a rate of 1.6 per cent.
Carriers less seasoned in online sales generally also have a higher rejection rate of online bookings due to suspicion of fraud, according to the report. The authors determined that the overall average rejection rate among survey participants was 3.3 per cent while airlines with less than three years experience of online selling recorded an average rejection rate of 6.8 per cent. The 3.9 per cent rejection rate of full-fare carriers was higher than the 1.4 per cent averaged by their low-fare colleagues.
The lower rejection rates reported by low-cost carriers could stem from the fact that those airlines have one-third the loss rates of full-fare carriers. CyberSource and Airline Information in their analysis noted that fraud screening at low-fare carriers might be less complex, “as low-cost carriers typically sell point-to-point fares (versus multi-leg trips) and may not have frequent-flyer programmes or multiple cabin classes to consider”.
LOYALTY UNDER ATTACK
A new, ripe target for airline fraudsters is frequent-flyer programmes as the use of miles as cash becomes more prevalent (see Non-Air Rewards feature, pg 70). In one instance, says Smith, a fraudster used 110,000 points from the account of a Qantas loyalty programme member to acquire a flat screen television.
While loyalty programme fraud is presently not a huge issue, says Smith, “it is one that is certainly growing” as some individuals are discovering loopholes in the various programmes. He points to a new partnership between United and online payment service PayPal that will allow MileagePlus members to use miles to pay for products from merchants offering PayPal as a form of payment. Suddenly, that tie-up could create a whole new opportunity for fraud, he warns.
A 2011 study of online fraud conducted by network security firm RSA correlates Smith’s conclusions. While the analysis states that frequent-flyer fraud is not yet commonplace, securing access to consumers’ loyalty and reward programme accounts to cash-out available points is growing in popularity. RSA has witnessed multiple phishing attacks recently targeting airline customers with the goal of obtaining their login credentials in order to monetise their reward points.
Work by airlines to combat online fraud is a constant endeavour as fraudsters rarely take a breather in their efforts to penetrate and exploit the online booking process. Unfortunately, as online bookings continue to grow exponentially, so do the efforts and persistence by fraudsters in their attempts to game the system.
It is virtually impossible to create completely fail-safe mechanisms for fraud prevention in an absolute sense, concludes Assis of TAM. The moment one door closes, fraudsters are already looking for another leak in the system, he states.
A fairly common and effective tool used by airlines is device fingerprinting, which, simply explained, is an ability to collect and identify hardware and software settings of machines used for online purchases.
CyberSource in its analysis states that device fingerprinting was the one of the leading fraud detection methods airlines planned to implement during 2011, as one in five carriers surveyed, or 20 per cent, planned to adopt that specific tool during the year. Assis explains that fingerprinting “allows us to detect the same guy all over the place”.
There are also many developments underway in software detection technology, explains Smith, including methods of detecting if credit card numbers used in bookings are being cut and pasted, and systems that can measure typing speeds during the booking process.
SHARE AND SHARE ALIKE
One of the most important defences airlines can adopt against online fraud is data management and information sharing. Telchar Fraud Consultancy CEO Jan-Jaap Kramer says the European airline industry sensed the problem with fraud earlier than other global regions. The typical fraudster is acting as a travel agency, is not the passenger himself, and does not have a preferred
carrier. With the implementation of codeshares it became even more important to share information about fraudsters in order to preserve revenue sharing that serves as a key pillar of those agreements. Kramer says collaboration among carriers to combat fraud is definitely growing as airlines seek to gather and share best practices.
Assis, meanwhile, also believes it is important for airlines to keep collecting as much data as possible as they continue build their online fraud arsenals. He also stresses that it is vital to increase the sophistication of algorithms used to apply a set of values to the data collected to ensure the information is being used accurately.
The authors of the CyberSource report determined that no single tool can detect and prevent fraud, “but the more data you have to analyse, the better able you are to detect fraud faster and more accurately”. They recommend using an arsenal of tools to create a layered defence. Other widely used fraud prevention and screening mechanisms include ‘MasterCard SecureCode’ and ‘Verified by Visa’. Additional obvious red flags to airlines for potential fraudulent bookings include one-way flights, cardholders making reservations who are not actually travelling and bookings made less than 12 hours until departure.
In its findings, CyberSource reported that during 2010, for every fraudulent website booking, airlines on average rejected an additional 5.1 bookings due to suspicion of fraud. The overall 3.3 per cent rejection rate reported among those carriers was an increase of a 2.8 per cent rate reported in a previous survey.
THE GOOD EGGS
A significant challenge accompanies the rise in rejection rates – the risk of alienating legitimate, paying customers. Unfortunately, no easy solution exists to striking the right balance between robust fraud prevention and ensuring genuine customers are not being mistakenly shut out of the normal booking process.
“It is a constant dilemma,” remarks Smith. He explains that carriers are always seeking to strike the right balance in just how sensitive to make their various fraud settings. The ways airlines apply those detection rules are becoming just as important as the fraud detection arsenals being built. If the settings become too sensitive obviously the risk of fraud decreases but the potential of lost sales increases. Referencing a conclusion offered by a colleague at TAM’s merger partner LAN, Assis states, “If you want no risk you need to be prepared for no sales.”
But customer awareness and tolerance of the security checks necessary to ensure legitimate booking and payment might be higher than some airlines realise. In addition to surveying airlines, WorldPay in its report engaged 4,500 consumers that had purchased an airline ticket within the last 12 months. “Many of the customers we surveyed say that they are ready and willing to sacrifice a faster, ‘easier’ payment process in order to safeguard their payment details and identity,” the report concluded.
Roughly 71 per cent of those customers noted they would prefer slower and more rigorous checks on their payment information to keep it safe, while only 29 per cent stated a preference to compromise risk for a faster purchasing process. However, among frequent flyers that number rises to 46 per cent as those passengers purchase and book air travel on a much more regular basis. But overall, 84 per cent of the consumer panel stated website security was either extremely or very important to their overall online experience.
Even as consumer awareness is high of the security necessary to safeguard their important information, their tolerance does appear to have limits. WorldPay through its calculations found that about 63 per cent of air travel shoppers say they are comfortable with the number of security questions posed when purchasing airline tickets, while 22 per cent say the questioning is excessive. “Clearly, balance is key, and an airline’s ability to communicate the necessity of security to a customer is more important than over,” WorldPay states.
Assis remains realistically optimistic about strides being made in fraud prevention as he believes “Latin America is quickly catching up”. However, with a wide array of distribution channels that include the Internet, mobile offerings and call centres, fraudsters have a huge base to attack.
He concludes that it remains challenging to catch up with the nimbleness exhibited by fraudsters, “What we’re trying to do is to be as less behind as possible”.