Fraud – still a constantly evolving problem, how? - AiConnects.us

Ai Editorial

Account takeover fraud isn’t new. Its impact goes beyond the “attack being in motion”. Travel merchants must understand how “peeking” is paving the way for unseen damage, writes Ai’s Ritesh Gupta.

11th October, 2021

Curbing fraud, be it for stopping illegitimate transactions or unauthorized access to a customer account, is posing new challenges to travel merchants.

Anomaly detection, a concept anti-fraud specialists often refer to for spotting something fishy, is becoming tougher.

Why? 

Travel merchants have to stop fraudsters and scammers from going ahead with their illegitimate activities while ensuring that authentic users are separated from bad actors. For instance, they must not deny a booking to a last-minute booker at a time when travellers are constantly checking what’s required to undertake a trip. Striking that balance is making travel merchants dig deep.

“(It is a) constantly evolving problem (of fraudsters accessing accounts like a normal user would do and good users showing signs of being bad actors but they actually aren’t),” pointed out Sift’s Jane Lee, during a recent online session hosted by Ai Events.

Data breaches are a major issue that has been impacting the travel industry. Online users reusing the same password for some or all of their online accounts (as high as 65%) is a huge problem, paving the way for a rise in account takeovers (ATOs). Jane also referred to a spike in credential stuffing attacks at this juncture.

According to Karisse Hendrick, Founder, CEO, Chargelytics Consulting, the way fraudsters operate has evolved. In the case of ATO attempts, she referred to the issue of credential stuffing, botnet attacks (a malicious activity attempted by a hacker or cybercriminal using a botnet) and emulator-based attacks. It’s much easier for almost anyone to commit online fraud using an emulator.

Complex behaviour   

The whole uncertainty around travel-related restrictions has only meant that a legitimate travel shopper is holding on to their plans. Imagine a loyal shopper intending to use unused miles for a last-minute booking. A merchant needs to handle such situations with care. It is vital to assess risk by using users’ background information and contextual data. The industry should continuously look at frictionless experiences, say not asking for a password when deemed apt, and silent authentication.

Talking of fraudsters, they are indulging in what is being described as “peeking”, which is essentially about fraudsters looking into an account, but only to check it. So to a merchant, when something like peeking is happening, the attack apparently isn’t “in motion”. But it is equally damaging for a merchant, as fraudsters are exploiting that knowledge to do scalable damage. This generally happens in a dull phase, i.e. between a data breach and fraud that has come out in the open.
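A risk team can look for peeking in its own session data. The sketch below is an added example, not code from the article or from any vendor it quotes. It assumes a chronological event log and hypothetical action names, and it flags sessions in which an account is opened from an unfamiliar device, sensitive pages are viewed and nothing is transacted:

```python
from collections import defaultdict

# Constructed sample events in time order (not real logs):
# (account, session, device, action)
EVENTS = [
    ("alice", "s1", "dev-A", "login"),
    ("alice", "s1", "dev-A", "book"),
    ("alice", "s2", "dev-Z", "login"),
    ("alice", "s2", "dev-Z", "view_miles_balance"),
    ("alice", "s2", "dev-Z", "view_saved_cards"),
    ("bob", "s3", "dev-B", "login"),
    ("bob", "s3", "dev-B", "view_profile"),
    ("bob", "s4", "dev-B", "login"),
    ("bob", "s4", "dev-B", "view_miles_balance"),
    ("carol", "s5", "dev-C", "login"),
    ("carol", "s5", "dev-C", "redeem_miles"),
    ("carol", "s6", "dev-Y", "login"),
    ("carol", "s6", "dev-Y", "view_saved_cards"),
    ("carol", "s6", "dev-Y", "book"),
]
# Hypothetical action names (assumptions); map them to your own page or API events.
SENSITIVE_VIEWS = {"view_miles_balance", "view_saved_cards", "view_profile"}
TRANSACTIONS = {"book", "redeem_miles"}

def find_peeking_sessions(events):
    """Return (account, session) pairs: unfamiliar device, looked, did not transact."""
    sessions = {}  # dicts keep insertion order, so sessions stay in time order
    for account, session, device, action in events:
        info = sessions.setdefault(session, {"account": account, "device": device, "actions": set()})
        info["actions"].add(action)
    known = defaultdict(set)  # account -> devices seen in earlier, unflagged sessions
    flagged = []
    for session, info in sessions.items():
        account, device, actions = info["account"], info["device"], info["actions"]
        # No history means no baseline, so a first-ever session is not flagged.
        unfamiliar = bool(known[account]) and device not in known[account]
        looked = bool(actions & SENSITIVE_VIEWS)
        transacted = bool(actions & TRANSACTIONS)
        if unfamiliar and looked and not transacted:
            flagged.append((account, session))  # device is NOT added to the baseline
        else:
            # Sessions that transact are left to payment-fraud controls.
            known[account].add(device)
    return flagged

def accounts_for_step_up(events):
    """Accounts whose next login should get extra verification."""
    return sorted({account for account, _ in find_peeking_sessions(events)})

if __name__ == "__main__":
    print(find_peeking_sessions(EVENTS), accounts_for_step_up(EVENTS))
```

In the sample, only the second `alice` session is flagged: the device is new to the account and the visitor looked at the miles balance and saved cards without booking.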

How to remain ahead in the race? What to do on an ongoing basis?

Jane pointed out that the fraud economy is a sophisticated network of cybercriminals who are collaborating with one another. In this context, merchants, including ones from the travel sector, must look to participate in forums, private set-ups, etc., and look to be open about what is happening (what sort of scams) to curb fraud.

“Assume all accounts or credentials have been breached,” said Jane, adding that merchants must look at ways to be proactive. “Strategically verify risky logins and activity via dynamic friction,” she said.

ATO is not just about making money in an illegitimate marketplace. Merchants should also look into how stolen credentials pave the way for card testing and are used to check users’ credentials across other high-value accounts. Fraudsters rely on credential stuffing and bot attacks as a means to infiltrate associated accounts, according to Sift.

Risk teams must avoid looking at ATO as a “downstream problem” and acting only when payment abuse, unauthorized transactions etc. take place, according to Sift’s Kevin Lee.
