Fraud in the Airline Industry
Pass Bureau Association 46th Annual Conference, Nashville, 12th September 2013 - PowerPoint PPT Presentation


Presentation Transcript

Fraud in the Airline Industry

Pass Bureau Association

46th Annual Conference

Nashville, 12th September 2013


Today’s Agenda

  • Overview of IATA

  • Different types of fraud

  • Card data fraud is rampant and easy to commit

  • PCI DSS update

  • Credit card fraud in the airline industry

  • How to fight credit card fraud

  • Conclusions

  • Q & A


Overview of IATA

  • Non-profit international trade body, created 68 years ago by a group of airlines in Havana, Cuba.

  • IATA represents 240 airlines from 126 nations, comprising 84% of total air traffic globally

  • IATA’s Mission: To represent, lead and serve the airline industry


Different types of fraud

  • Credit card fraud

  • Internet based crime and e-commerce

  • Fake Travel Agency websites

  • Solicitation emails scams

  • Internal employee fraud

  • Frequent Flyer abuse and brokering schemes

  • Agency fare abuse

  • Baggage fraud

  • ???


Frequent flyer fraud

  • FFP Members are not always honest

    • Double dipping – on code share flights

    • Rerouting/cancellations (fraud?)

  • Airline Staff

    • Adding personal FFPs to PNR’s

    • Customer service staff awarding miles to friends

    • Claiming miles for ID/AD tickets

    • Accessing a/c’s


Frequent flyer fraud (continued)

  • Travel Agency staff

    • Selling mileage tickets

    • Adding FFP numbers to bookings

    • Double dipping – on code share flights

    • May get access to FFP member accounts passwords

  • Fraudsters – growth area!!

    • Account take over – phishing emails

    • Buying miles with stolen cards

    • E-shop/mail frauds


Hackers steal air miles from frequent flyer accounts

Hackers managed to break into US Airways' frequent flyer accounts and steal the air miles … US Airways spokesman Bill McGlashen told TravelMole that the carrier "noticed suspicious activity after customers reported that miles were deducted, and so we looked into what was happening, and notified state and federal officials." No credit card or social security numbers were compromised … McGlashen declined to reveal the exact number of accounts … (Travel Mole, Friday 16th August 2013)


The Target of Choice or Target of Opportunity

  • Our industry is dominated by a simple equation:

  • The era of simple, random attacks has passed. Expect, and prepare for, determined and sophisticated attacks.

  • If successfully attacked, customer trust and organisational reputation are at risk.

    • PCI DSS has become the minimum that an organisation needs to do to secure their environment.

Visa Europe public


Prevailing Symptoms

  • Compromises are becoming much more challenging, because the way cards are used and the way in which businesses are offering services is becoming increasingly complex

  • Vulnerabilities are everywhere

    • They are simple

    • Easy to exploit

    • But often very easy to remediate (if the merchant knows that they are there)

  • Most people could detect themselves that they have been breached if they just looked at the logs

  • Web development practices are very weak indeed


PCI – makes good business sense!

News round up… Lulzsec, Wordpress, Travelodge, Sony, RSA, Epsilon, Heartland Payment Systems, Lush, Dropbox, TJX, Lockheed Martin

Data breaches have almost become a statistical certainty


List of businesses targeted by global hacking ring that stole 160 mio. card numbers 2005/12

  • 7-Eleven Inc.

  • Carrefour S.A.

  • Dexia Bank Belgium

  • Discover Financial Services

  • Dow Jones Inc.

  • Euronet (payment processor)

  • Global Payment Systems

  • Hannaford Brothers Co.

  • Heartland Payment Systems

  • Ingenicard US Inc.

  • J.C. Penney Co.

  • JetBlue Airways (employee data)

  • Leading Abu Dhabi Bank

  • Nasdaq

Source: The Associated Press – 27.07.13

Data breaches have almost become a statistical certainty


The first things you need…

A mask and Internet access, and you can start the hunt for credit cards


Why One Employee is your greatest security threat

  • Size up the organization

  • Compromise a user (using social media)

  • Login & begin initial exploration

  • Solidify presence within the organization

  • Impersonate a privileged user

  • Steal confidential data

  • Cover tracks & prepare for return visit


How much for my card details?


Large Organised Attacks Can Potentially Ruin Merchants

Over 4,000 cards used

Over 500 delivery addresses

Over £300,000 of fraud attempted within only 2 weeks


Building a website


Credit card fraud in the airline industry

  • Global Card Fraud Rises 14% in 2012 – Nilson Report Aug.2013

    • Acquirers, Issuers and merchants lost $11.27 billion

    • US accounted for 47.3% of fraud losses, but generates just 23.5% of transactions, due to slow EMV (Europay, MasterCard, Visa) migration

  • Airline Internet fraud, as reported by card issuers: 0.54%

    • CyberSource puts total Airline costs at 1.4% (staff, fees, prevention) for online sales

    • Significant regional differences

    • Cost of avoided fraud, lost sales, etc. ???

    • Estimated profitability of the airlines 2012: 0.6%


News from Visa Europe

  • Every three minutes a fraud occurs in our industry

  • Increase 2012 over 2011 – 24%

  • Increase Jan. – May 2013 over 2012 – 35%

  • Airline fraud accounts for 11% of all fraud

  • Airline fraud accounts for 13% of all CNP fraud (Card Not Present)

  • 82% of Airline fraud is CNP

  • 29% of all Airline fraud is undertaken on US issued cards

    • No complete figures are available, as people argue what is fraud, and figures are hard to obtain


The “total” cost of credit card fraud

  • Transactions charged back (not all fraud is charged back by the acquirer: 3D Secure protection, EMV liability shift)

  • Chargeback handling cost (chargeback successful disputed, ADMs issued against a Travel Agent)

  • Lost sales to fraud

  • Rejecting, insulting & losing genuine customers. Lost repeat sales

  • Cost of fraud prevention/detection activities (3D Secure, EMV Chip & PIN, Profiling systems, Perseuss, etc.)

  • Surcharges and fines levied by the banks or the Card Schemes

  • Etc.


PCI DSS makes good business practice

  • First line of defense against fraud

  • PCI compliance required since 2008

  • PCI is about SECURITY

  • PCI is part of RISK MANAGEMENT

  • Protects your clients data

  • Protects company’s reputation

  • ‘Safe Harbor’ Principle

    • Protects against fines, penalties, forensic investigations

  • PCI is also plain common sense


PCI DSS - Six Goals: Twelve Requirements

Goal 1: Build and Maintain a Secure Network

Goal 2: Protect Cardholder Data

Goal 3: Maintain a Vulnerability Management Program

Goal 4: Implement Strong Access Control Measures

Goal 5: Regularly Monitor and Test Networks

Goal 6: Maintain an Information Security Policy


PCI DSS update

Key drivers for version 3.0 updates include:

  • Lack of education and awareness

  • Weak passwords and authentication challenges

  • Third party security challenges

  • Slow self-detection in response to malware and other threats

  • Inconsistency in assessments


How to fight credit card fraud

  • Prevent card compromises – PCI DSS

  • Fraud prevention, fraud detection

    • Conduct all the basic checks

      • Physical checks of the card, CVV, AVS

    • Use all security features

      • EMV Chip & PIN, 3D Secure

    • Systematic authorization of all transactions

  • Training


Visible Security Features on the card

  • EMV Chip (Contact and/or Contactless)

  • Scheme Logo

  • pre-printed 4-digit BIN

  • Magnetic Stripe

  • Signature Panel (with the card scheme’s specific printing)

  • Signature

  • CVV 2 / CVC 2 (helps determine whether the user has possession of the card for card-not-present transactions)

  • Hologram (front or back)

… some of them will be used in the authorisation process


The systematic authorization request

  • Is absolutely necessary

  • Cardholder name is never verified – only card number, expiration date, CVX2 and amount is sent!

  • Only the issuer can verify

    • the card number, expiry date and security code (CVX2)

    • AVS (Address Verification System), if supported

    • 3D Secure transaction

  • Authorization is NOT a payment guarantee

    • Only a confirmation that card number is in good standing at the time of the transaction
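The exchange described on this slide, as an added example that is not from the presentation: a merchant-side request builder and a toy issuer. The request carries only the fields the slide names (card number, expiry date, CVX2, amount) plus an AVS postcode where the issuer supports it; the cardholder name is not in the message, so the issuer never checks it, and the AVS outcome comes back as a separate result that the merchant has to act on. The card on file, the postcode, the sample order, the date used as "today" and the approval-code format are all constructed for illustration.

```python
"""What an authorization request carries, and what only the issuer can check.

Added example (not from the presentation): a merchant-side request builder
and a toy issuer. The request carries just the fields named on the slide
(card number, expiry date, CVX2, amount) plus an AVS postcode where the
issuer supports it; the cardholder name is not in the message, so it is
never verified. The card on file, postcode, "today" date and approval-code
format are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CardOnFile:
    """What the issuer knows about one card."""
    pan: str
    expiry: str      # "MM/YY", valid through the end of that month
    cvx2: str
    postcode: str    # billing postcode, used for AVS


# Constructed test card (a well-known test number, not a live account).
ISSUER_RECORDS = {
    "4111111111111111": CardOnFile("4111111111111111", "12/15", "123", "SW1A 1AA"),
}


def build_authorization_request(order: dict) -> dict:
    """Keep only the fields the authorization message transmits. Everything
    else in the order (name, e-mail, itinerary) stays with the merchant."""
    request = {
        "pan": order["pan"],
        "expiry": order["expiry"],
        "cvx2": order["cvx2"],
        "amount": order["amount"],
    }
    if "avs_postcode" in order:     # AVS only where the issuer supports it
        request["avs_postcode"] = order["avs_postcode"]
    return request


def _expired(expiry: str, today: date) -> bool:
    month, year = (int(part) for part in expiry.split("/"))
    return (2000 + year, month) < (today.year, today.month)


def authorize(request: dict, today: date = date(2013, 9, 12)) -> dict:
    """Toy issuer decision. "approved" only means the card number is in good
    standing for this amount right now; it is not a payment guarantee and
    says nothing about who typed the details in."""
    card = ISSUER_RECORDS.get(request["pan"])
    if card is None:
        return {"result": "declined", "reason": "unknown card number"}
    if request["expiry"] != card.expiry or _expired(card.expiry, today):
        return {"result": "declined", "reason": "expiry date"}
    if request["cvx2"] != card.cvx2:
        return {"result": "declined", "reason": "security code"}
    # Deterministic six-character approval code for the demo.
    digest = hashlib.sha256(
        f"{request['pan']}:{request['amount']}:{today.isoformat()}".encode()
    ).hexdigest()
    response = {"result": "approved", "auth_code": digest[:6].upper()}
    if "avs_postcode" in request:
        # AVS comes back as a separate result; the merchant decides what to do with it.
        response["avs"] = "match" if request["avs_postcode"] == card.postcode else "no_match"
    return response


# Constructed order: the name does not belong to the card, yet it is never checked.
SAMPLE_ORDER = {
    "name": "Not The Cardholder",
    "email": "buyer@example.test",
    "pan": "4111111111111111",
    "expiry": "12/15",
    "cvx2": "123",
    "amount": 845.00,
    "avs_postcode": "SW1A 1AA",
}

if __name__ == "__main__":
    req = build_authorization_request(SAMPLE_ORDER)
    print(req)               # no "name" key in the message
    print(authorize(req))    # approved, AVS match
```

The point to take from running it: an order placed under a wrong name is approved as long as the card number, expiry and CVX2 are right, which is exactly why name checks, AVS results and 3D Secure have to be handled on the merchant side.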


High risk sales patterns

  • One-way trip

  • Urgent departure for long-haul destination

    • Short “book to fly” timeframe (<3 days)

  • Change in passenger name after the original booking

    • Third party sale: legitimate but more fraud prone

  • Multiple purchases by the same customer: there is no windfall!

  • Customer offers one card number after the other, when first authorization request is denied

  • High risk countries and routes

  • Splitting a ticket value on the same card: prohibited by the International Card Schemes

  • Inflight sales (no authorization of the transaction)


Unusual customer information

  • A repeat customer is a lesser risk

    • Identify them so as not to include their tickets in the manual queue for verification

  • Most sales are local: it is unusual for a customer to purchase an airline ticket outside his country of residence

    • Particularly true for Travel Agent sales

  • Discrepancies in the coordinates: country of residence, telephone number country, e-mail domain name, IP geolocation

  • Free e-mail services (no billing trail)


There is no windfall!

  • Sales excessively high compared to usual ticket order

  • Huge orders placed by unknown intermediaries

  • ‘Spam’ e-mail searching for airline tickets

  • Orders for a carrier or a route never sold before by the Travel Agent

  • Orders placed from a country which is not the country of departure or arrival


How to fight credit card fraud (continued)

Dedicated, trained teams and:

  • Database – own positive or negative and Perseuss

    • Sharing of data that has been used in fraudulent transactions

  • Rules Engine

    • Fully customisable, continual monitoring and analysis

    • Fraud Scoring Systems

    • Neural scoring

    • Continuous proactive analysis (chargebacks, reports from acquiring banks, pattern detection)

  • Continuous training

  • Fraud Prevention working groups
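The rules engine described here, as an added example that is not from the presentation or from IATA: it turns the indicators from the "High risk sales patterns", "Unusual customer information" and "There is no windfall" slides into a small scoring engine with a manual-review queue and a reject threshold, gives a known repeat customer the credit the slides suggest, and adds the data-minimisation step for sharing a confirmed case through a Perseuss-style negative database (no card number, no transaction amount). Every booking, weight, threshold, domain and e-mail address in it is constructed.

```python
"""Rule-based screening of ticket orders.

Added example, not from the IATA presentation: it turns the indicators from
the "High risk sales patterns", "Unusual customer information" and "There is
no windfall" slides into a small scoring rules engine, and adds the
data-minimisation rule for sharing a confirmed case through a Perseuss-style
negative database (no card number, no transaction amount). Every booking,
weight, threshold, domain and e-mail address below is constructed.
"""
from dataclasses import dataclass, asdict
from datetime import date
from typing import Callable


@dataclass
class Booking:
    pnr: str
    passenger_name: str
    booking_date: date
    departure_date: date
    one_way: bool
    long_haul: bool
    name_changed: bool        # passenger name changed after the original booking
    cards_tried: int          # distinct card numbers offered for this one order
    pax_count: int            # tickets in this order
    usual_pax: int            # typical order size for this customer or agent
    residence_country: str
    phone_country: str
    ip_country: str
    email: str
    repeat_customer: bool
    card_number: str          # never leaves the PCI DSS-scoped environment
    amount: float


def days_to_fly(b: Booking) -> int:
    return (b.departure_date - b.booking_date).days


# Constructed lists; a real deployment feeds these from the airline's own
# negative database and from Perseuss.
FREE_MAIL_DOMAINS = {"example-freemail.test"}
NEGATIVE_LIST = {"mule@example-freemail.test"}

# (rule name, weight, predicate); weights are illustrative only.
RULES: list[tuple[str, int, Callable[[Booking], bool]]] = [
    ("one_way", 2, lambda b: b.one_way),
    ("short_book_to_fly", 3, lambda b: days_to_fly(b) < 3),
    ("urgent_long_haul", 2, lambda b: b.long_haul and days_to_fly(b) < 3),
    ("name_change", 2, lambda b: b.name_changed),
    ("card_cycling", 4, lambda b: b.cards_tried > 1),
    ("no_windfall", 3, lambda b: b.pax_count > 3 * b.usual_pax),
    ("geo_mismatch", 3, lambda b: len({b.residence_country, b.phone_country, b.ip_country}) > 1),
    ("free_email", 1, lambda b: b.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS),
    ("negative_list_hit", 6, lambda b: b.email.lower() in NEGATIVE_LIST),
]
REPEAT_CUSTOMER_CREDIT = 3   # a known repeat customer is a lesser risk
MANUAL_REVIEW_AT = 5
REJECT_AT = 10


def score(b: Booking) -> tuple[int, list[str]]:
    """Total risk score and the names of the rules that fired."""
    hits = [(name, weight) for name, weight, pred in RULES if pred(b)]
    total = sum(weight for _, weight in hits)
    if b.repeat_customer:
        total -= REPEAT_CUSTOMER_CREDIT
    return max(total, 0), [name for name, _ in hits]


def decision(b: Booking) -> str:
    total, _ = score(b)
    if total >= REJECT_AT:
        return "reject"
    if total >= MANUAL_REVIEW_AT:
        return "manual_review"   # goes to the trained team's verification queue
    return "accept"


SHAREABLE_FIELDS = ("pnr", "passenger_name", "email", "phone_country",
                    "ip_country", "departure_date")


def share_record(b: Booking) -> dict:
    """Record for a confirmed fraud case to exchange with other carriers.
    Card number and amount are deliberately left out."""
    record = {k: (v.isoformat() if isinstance(v, date) else v)
              for k, v in asdict(b).items() if k in SHAREABLE_FIELDS}
    assert "card_number" not in record and "amount" not in record
    return record


# Constructed sample orders (not real bookings, names or cards).
CLEAN = Booking("ABC123", "Anna Keller", date(2013, 9, 12), date(2013, 10, 20), False, False,
                False, 1, 2, 2, "CH", "CH", "CH", "a.keller@example-corp.test", True,
                "4111111111111111", 640.0)
BORDERLINE = Booking("DEF456", "J. Mueller", date(2013, 9, 12), date(2013, 9, 14), False, False,
                     True, 1, 1, 1, "DE", "DE", "DE", "j.mueller@example-corp.test", False,
                     "4111111111111111", 210.0)
SUSPICIOUS = Booking("GHI789", "X. Mule", date(2013, 9, 12), date(2013, 9, 13), True, True,
                     False, 3, 2, 2, "NL", "NG", "US", "mule@example-freemail.test", False,
                     "4111111111111111", 2890.0)

if __name__ == "__main__":
    for b in (CLEAN, BORDERLINE, SUSPICIOUS):
        print(b.pnr, decision(b), score(b))
    print(share_record(SUSPICIOUS))
```

Each rule is independent and named, so the queue reviewer sees why an order landed in front of them; tuning the weights and thresholds against chargeback feedback is the "continuous proactive analysis" the slide lists.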


What is IATA Perseuss?

Data base that allows exchange of customer information related to fraudulent ticket purchase

Simple and standardized structure

Truly global

All relevant customer data can be shared, except credit card number and transaction amount


Perseuss today

  • 4 Mio.+ PNR uploaded

  • 80+ airlines participating

  • 20+ large OTAs participating

  • API to major fraud profilers

  • Average hit rate between 35 – 45 on “bad” email addresses

  • Perseuss is a fraud fighter community

    • Fraudchasers.org

    • ffp-fraudbusters.org


[Fraud chart] 43,91% – 48 airlines – Fraud chart of the top 10 of TA:

1 LH, 2 CM, 3 KL, 4 BA, 5 LA, 6 LX, 7 MS, 8 AY, 9 TB, 10 MA


[Fraud chart] 36,34% – 54 airlines – Fraud chart of the top 10 of CM:

1 TA, 2 LH, 3 BA, 4 MS, 5 KL, 6 LX, 7 AK, 8 AY, 9 LO, 10 HV


IATA support to prevent fraud

  • Develop/implement industry wide initiatives

    • Resolution 890 (Card Sales Rules for Travel Agents)

      • All transactions must be authorized and transmittal of authorization code in remittance file, CVV mismatch, liability shift in case of fraud

  • Best Practices Guide, warnings on fraudulent emails

  • PCI and Fraud Prevention Work Groups

  • Training

  • IATA Perseuss

  • Lobbying with Card Brands


Conclusions

  • Fraud is here to stay

  • Fraudsters are usually a step ahead

  • Fraudsters have no airline preference – they attack the weakest link

  • Fraud is “eating” our profit margins


Conclusions (continued)

Therefore:

  • Create awareness of pitfalls (phishing emails!)

  • Be alert – unusual behavior

  • Fighting fraud must be a priority

  • Training

  • Collaboration on fraud prevention/detection in the industry and with Card Brands (acquirers, issuers)


European day of action targets airline fraudsters, The Hague, 28th June 2013

  • To clamp down on criminals using fraudulent credit cards to purchase airline tickets

  • International operation with the help of Visa Europe:

    • 38 airports in 16 European countries

  • 200 suspicious transactions were reported by participating airlines, resulting in 43 arrests

  • Individuals linked to drug trafficking, illegal immigration, counterfeit documents

    Note: Active participation of FBI with ARC/GDS Fraud Group


Questions & Answers

maederp@iata.org

Tel: +41 79 691 71 35


New Payment Architectures: Encryption & Tokenisation

Encryption: Data Encrypted → Data Decrypted

Tokenisation: Data Tokenised → No ability to Decrypt; Token not considered security sensitive

