Fraud in the Airline Industry


1 Fraud in the Airline Industry
Pass Bureau Association 46th Annual Conference Nashville, 12th September 2013 PBA 1

2 Today’s Agenda
- Overview of IATA
- Different types of fraud
- Card data fraud is rampant and easy to commit
- PCI DSS update
- Credit card fraud in the airline industry
- How to fight credit card fraud
- Conclusions
- Q & A

3 Overview of IATA
- Non-profit international trade body, created 68 years ago by a group of airlines in Havana, Cuba.
- IATA represents 240 airlines from 126 nations, comprising 84% of total air traffic globally
- IATA’s Mission: To represent, lead and serve the airline industry

4 Different types of fraud
- Credit card fraud
- Internet based crime and e-commerce
- Fake Travel Agency websites
- Solicitation email scams
- Internal employee fraud
- Frequent Flyer abuse and brokering schemes
- Agency fare abuse
- Baggage fraud
- ???





9 Frequent flyer fraud
FFP Members are not always honest
- Double dipping – on code share flights
- Rerouting/cancellations (fraud?)
Airline Staff
- Adding personal FFPs to PNR’s
- Customer service staff awarding miles to friends
- Claiming miles for ID/AD tickets
- Accessing a/c’s

10 Frequent flyer fraud
Travel Agency staff
- Selling mileage tickets
- Adding FFP numbers to bookings
- Double dipping – on code share flights
- May get access to FFP member accounts passwords
Fraudsters – growth area!!
- Account take over – phishing emails
- Buying miles with stolen cards
- E-shop/mail frauds

11 Hackers steal air miles from frequent flyer accounts
Hackers managed to break into US Airways' frequent flyer accounts and steal the air miles ……... US Airways spokesman Bill McGlashen told TravelMole that the carrier "noticed suspicious activity after customers reported that miles were deducted, and so we looked into what was happening, and notified state and federal officials." No credit card or social security numbers were compromised ……., McGlashen declined to reveal the exact number of accounts ………
Travel Mole - Friday 16th August 2013

12 PBA Card Payment Policies and Fraud Prevention

13 The Target of choice or Target of Opportunity
Visa Europe public
- Our industry is dominated by a simple equation: [graphic, not captured in this transcript]
- The era of simple, random attacks has passed. Expect, and prepare for, determined and sophisticated attacks.
- If successfully attacked, customer trust and organisational reputation are at risk.
- PCI DSS has become the minimum that an organisation needs to do to secure their environment.

14 Prevailing Symptoms
Visa Europe public
- Compromises are becoming much more challenging, because the way cards are used and the way in which businesses are offering services is becoming increasingly complex
- Vulnerabilities are everywhere
  - They are simple
  - Easy to exploit
  - But often very easy to remediate (if the merchant knows that they are there)
- Most people could detect themselves that they have been breached if they just looked at the logs
- Web development practices are very weak indeed

15 PCI – makes good business sense!
News round up…
Sony, Lulzsec, Wordpress, Travelodge, RSA, Epsilon, Heartland Payment Systems, Lush, Dropbox, TJX, Lockheed Martin
Data breaches have almost become a statistical certainty

16 List of businesses targeted by global hacking ring that stole 160 mio. card numbers 2005/12
- 7-Eleven Inc.
- Carrefour S.A.
- Dexia Bank Belgium
- Discover Financial Services
- Dow Jones Inc.
- Euronet (payment processor)
- Global Payment Systems
- Hannaford Brothers Co.
- Heartland Payment Systems
- Ingenicard US Inc.
- J.C. Penney Co.
- JetBlue Airways (employee data)
- Leading Abu Dhabi Bank
- Nasdaq
Source: The Associated Press
Data breaches have almost become a statistical certainty



20 The first things you need…. A mask and Internet access
and you can start the hunt for credit cards

21 Why One Employee is your greatest security threat
- Size up the organization
- Compromise a user (using social media)
- Login & begin initial exploration
- Solidify presence within the organization
- Impersonate a privileged user
- Steal confidential data
- Cover tracks & prepare for return visit

22 How much for my card details?

23 Large Organised Attacks Can Potentially Ruin Merchants
- Over 4,000 cards used
- Over 500 delivery addresses
- Over £300,000 of fraud attempted within only 2 weeks

24 Building a website

25 Building a website

26 Credit card fraud in the airline industry
- Global Card Fraud Rises 14% in 2012 – Nilson Report Aug. 2013
- Acquirers, Issuers and merchants lost $11.27 billion
- US accounted for 47.3% fraud losses, but generate just 23.5 % transactions, due to slow EMV (Europay, MasterCard, Visa) migration
- Airline Internet fraud, as reported by card issuers: 0.54%
- CyberSource puts total Airline costs at 1.4% (staff, fees, prevention) for online sales
- Significant regional differences
- Cost of avoided fraud, lost sales, etc. ???
- Estimated profitability of the airlines 2012: 0.6%

27 News from Visa Europe
- Every three minutes a fraud occurs in our industry
- Increase 2012 over 2011 – 24%
- Increase Jan. – May 2013 over 2012 – 35%
- Airline fraud accounts for 11% of all fraud
- Airline fraud accounts for 13% of all CNP fraud (Card Not Present)
  - 82% of Airline fraud is CNP
  - 29% of all Airline fraud is undertaken on US issued cards
- No complete figures are available, as people argue what is fraud, and figures are hard to obtain

28 The “total” cost of credit card fraud
- Transactions charged back (not all fraud is charged back by the acquirer (3D Secure protection, EMV liability shift))
- Chargeback handling cost (chargeback successfully disputed, ADMs issued against a Travel Agent)
- Lost sales to fraud
- Rejecting, insulting & losing genuine customers. Lost repeat sales
- Cost of fraud prevention/detection activities (3D Secure, EMV Chip & PIN, Profiling systems, Perseuss, etc.)
- Surcharges and fines levied by the banks or the Card Schemes
- Etc.

29 PCI DSS makes good business practice
- First line of defense against fraud
- PCI compliance required since 2008
- PCI is about SECURITY
- PCI is part of RISK MANAGEMENT
- Protects your clients' data
- Protects company’s reputation
- ‘Safe Harbor’ Principle
- Protects against fines, penalties, forensic investigations
- PCI is also plain common sense

30 PCI DSS - Six Goals: Twelve Requirements
- Goal 1: Build and Maintain a Secure Network
- Goal 2: Protect Cardholder Data
- Goal 3: Maintain a Vulnerability Management Program
- Goal 4: Implement Strong Access Control Measures
- Goal 5: Regularly Monitor and Test Networks
- Goal 6: Maintain an Information Security Policy

31 PCI DSS update
Key drivers for version 3.0 updates include:
- Lack of education and awareness
- Weak passwords and authentication challenges
- Third party security challenges
- Slow self-detection in response to malware and other threats
- Inconsistency in assessments

32 How to fight credit card fraud
- Prevent card compromises – PCI DSS
- Fraud prevention, fraud detection
- Conduct all the basic checks
  - Physical checks of the card, CVV, AVS
- Use all security features
  - EMV Chip & PIN, 3D Secure
- Systematic authorization of all transactions
- Training

33 Visible Security Features on the card
- EMV Chip (Contact and/or Contactless)
- Scheme Logo
- Pre-printed 4-digit BIN
- Magnetic Stripe
- Signature Panel (with the card scheme’s specific printing)
- Signature
- CVV 2 / CVC 2 (helps determine whether the user has possession of the card for card-not-present transactions)
- Hologram (front or back)
…. some of them will be used in the authorisation process

34 The systematic authorization request
- Is absolutely necessary
- Cardholder name is never verified – only card number, expiration date, CVX2 and amount is sent!
- Only the issuer can verify the card number, expiry date and security code (CVX2)
  - AVS (Address Verification System), if supported
  - 3D Secure transaction
- Authorization is NOT a payment guarantee
  - Only a confirmation that card number is in good standing at the time of the transaction

35 High risk sales patterns
- One-way trip
- Urgent departure for long-haul destination
- Short “book to fly” timeframe (<3 days)
- Change in passenger name after the original booking
- Third party sale: legitimate but more fraud prone
- Multiple purchases by the same customer: there is no windfall!
- Customer offers one card number after the other, when first authorization request is denied
- High risk countries and routes
- Splitting a ticket value on the same card: prohibited by the International Card Schemes
- Inflight sales (no authorization of the transaction)

36 Unusual customer information
- A repeat customer is a lesser risk
  - Identify them so as not to include their tickets in the manual queue for verification
- Most sales are local: it is unusual for a customer to purchase an airline ticket outside his country of residence
  - Particularly true for Travel Agent sales
- Discrepancies in the coordinates: country of residence, telephone number country, domain name, IP geolocation
- Free services (no billing trail)

37 There is no windfall!
- Sales excessively high compared to usual ticket order
- Huge orders placed by unknown intermediaries
- ‘Spam’ searching for airline tickets
- Orders for a carrier or a route never sold before by the Travel Agent
- Orders placed from a country which is not the country of departure or arrival
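
The patterns listed on slides 35 to 37, written as a rule check that decides whether a booking goes to the manual verification queue. This is an added example, not part of the original presentation; the field names, the constructed country codes (XA, XB, ...) and the review threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Booking:  # constructed fields; not a real PNR or Perseuss schema
    booked: date
    departs: date
    one_way: bool
    long_haul: bool
    name_changed: bool
    declined_cards: int      # cards refused before one was authorized
    charges_on_card: int     # >1 means the ticket value was split on one card
    residence_country: str
    ip_country: str
    route_countries: tuple
    repeat_customer: bool = False

def lead_days(b):
    return (b.departs - b.booked).days

SPLIT = "ticket value split on the same card"
# (label, predicate) pairs taken from the slide bullets
RULES = [
    ("one-way trip", lambda b: b.one_way),
    ("book-to-fly under 3 days", lambda b: lead_days(b) < 3),
    ("urgent long-haul departure", lambda b: b.long_haul and lead_days(b) < 3),
    ("passenger name changed after booking", lambda b: b.name_changed),
    ("another card offered after a decline", lambda b: b.declined_cards >= 1),
    (SPLIT, lambda b: b.charges_on_card > 1),
    ("residence and IP country differ", lambda b: b.residence_country != b.ip_country),
    ("order from a country not on the route", lambda b: b.ip_country not in b.route_countries),
]
REVIEW_THRESHOLD = 3  # assumed cut-off; tune against your own chargeback data

def matched_patterns(b):
    return [label for label, test in RULES if test(b)]

def needs_manual_review(b):
    hits = matched_patterns(b)
    if SPLIT in hits:
        return True   # prohibited by the card schemes, so always reviewed (assumption)
    if b.repeat_customer:
        return False  # repeat customers are kept out of the manual queue (slide 36)
    return len(hits) >= REVIEW_THRESHOLD

# Constructed sample bookings
risky = Booking(date(2013, 9, 10), date(2013, 9, 11), True, True, True, 2, 1,
                "XA", "XB", ("XC", "XD"))
normal = Booking(date(2013, 8, 1), date(2013, 9, 12), False, False, False, 0, 1,
                 "XA", "XA", ("XA", "XC"))
```
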

38 How to fight credit card fraud
Dedicated, trained teams and:
- Database – own positive or negative and Perseuss
  - Sharing of data that has been used in fraudulent transactions
- Rules Engine
  - Fully customisable, continual monitoring and analysis
- Fraud Scoring Systems
  - Neural scoring
- Continuous proactive analysis (chargebacks, reports from acquiring banks, pattern detection)
- Continuous training
- Fraud Prevention working groups

39 What is IATA Perseuss?
- Database that allows exchange of customer information related to fraudulent ticket purchase
- Simple and standardized structure
- Truly global
- All relevant customer data can be shared, except credit card number and transaction amount


41 Perseuss today
- 4 Mio. + PNR uploaded
- 80 + airlines participating
- 20 + large OTA’s participating
- API to major fraud profilers
- Average hit rate between 35 – 45 on “bad” addresses
- Perseuss is a fraud fighter community

42 Fraud chart (43,91%, 48 airlines)
The top 10 of TA: 1 LH, 2 CM, 3 KL, 4 BA, 5 LA, 6 LX, 7 MS, 8 AY, 9 TB, 10 MA

43 Fraud chart (36,34%, 54 airlines)
The top 10 of CM: 1 TA, 2 LH, 3 BA, 4 MS, 5 KL, 6 LX, 7 AK, 8 AY, 9 LO, 10 HV

44 IATA support to prevent fraud
- Develop/implement industry wide initiatives
- Resolution 890 (Card Sales Rules for Travel Agents)
  - All transactions must be authorized and transmittal of authorization code in remittance file, CVV mismatch, liability shift in case of fraud
- Best Practices Guide, warnings on fraudulent emails
- PCI and Fraud Prevention Work Groups
- Training
- IATA Perseuss
- Lobbying with Card Brands

45 Conclusions
- Fraud is here to stay
- Fraudsters are usually a step ahead
- Fraudsters have no airline preference – they attack the weakest link
- Fraud is “eating” our profit margins

46 Conclusions
Therefore:
- Create awareness of pitfalls (phishing emails!)
- Be alert – unusual behavior
- Fighting fraud must be a priority
- Training
- Collaboration on fraud prevention/detection in the industry and with Card Brands (acquirers, issuers)

47 European day of action targets airline fraudsters
The Hague, 28th June 2013
- To clamp down on criminals using fraudulent credit cards to purchase airline tickets
- International operation with the help of Visa Europe: 38 airports in 16 European countries
- 200 suspicious transactions were reported by participating airlines, resulting in 43 arrests
- Individuals linked to drug trafficking, illegal immigration, counterfeit documents
- Note: Active participation of FBI with ARC/GDS Fraud Group

48 Questions & Answers
Tel: +41 79 691 71 35

49 New Payment Architectures: Encryption & Tokenisation
Visa Europe public
- Data Encrypted
- Data Decrypted
- Data Tokenised
- No ability to Decrypt
- Token not considered security sensitive
