PBA - 12.09.2013
Pass Bureau Association 46th Annual Conference
Nashville, 12th September 2013
Fraud in the Airline Industry

Today’s Agenda

Overview of IATA
Different types of fraud
Card data fraud is rampant and easy to commit
PCI DSS update
Credit card fraud in the airline industry
How to fight credit card fraud
Conclusions
Q & A

Overview of IATA

Non-profit international trade body, created 68 years ago by a group of airlines in Havana, Cuba.

IATA represents 240 airlines from 126 nations, comprising 84% of total air traffic globally

IATA’s Mission: To represent, lead and serve the airline industry

Different types of fraud

Credit card fraud
Internet based crime and e-commerce
Fake Travel Agency websites
Solicitation email scams
Internal employee fraud
Frequent Flyer abuse and brokering schemes
Agency fare abuse
Baggage fraud
???


Frequent flyer fraud

FFP Members are not always honest
Double dipping – on code share flights
Rerouting/cancellations (fraud?)

Airline Staff
Adding personal FFPs to PNRs
Customer service staff awarding miles to friends
Claiming miles for ID/AD tickets
Accessing accounts

Frequent flyer fraud

Travel Agency staff
Selling mileage tickets
Adding FFP numbers to bookings
Double dipping – on code share flights
May get access to FFP member account passwords

Fraudsters – growth area!!
Account take over – phishing emails
Buying miles with stolen cards
E-shop/mail frauds

Hackers steal air miles from frequent flyer accounts

Hackers managed to break into US Airways' frequent flyer accounts and steal the air miles … US Airways spokesman Bill McGlashen told TravelMole that the carrier "noticed suspicious activity after customers reported that miles were deducted, and so we looked into what was happening, and notified state and federal officials." No credit card or social security numbers were compromised … McGlashen declined to reveal the exact number of accounts …

Travel Mole – Friday 16th August 2013

The evolution of bank card fraud (Visa Europe public)

Period | Fraudster | Necessary resources | Type of cards targeted | Leading fraud types | Target
1980 | Individuals | Opportunism | T&E cards | Lost/stolen, Intercepted | Consumers
1990 | Teams | Rudimentary knowledge | Premium credit cards | Domestic counterfeiting/skimming | Small retailers
2000 | Local crime rings | Technical knowhow | Mass market credit cards | Identity theft, Phishing, Rudimentary data compromise | Larger retailers
Today | International crime rings | Audacity, Technical expertise, Insider information, Global connections | All types of credit cards, Debit cards, Prepaid cards | Cross-border data compromise, CNP fraud, ATM fraud | Banks, Processors

The Target of choice or Target of Opportunity (Visa Europe public)

Our industry is dominated by a simple equation: (equation shown graphically on the slide)

The era of simple, random attacks has passed. Expect, and prepare for, determined and sophisticated attacks.

If successfully attacked, customer trust and organisational reputation are at risk. PCI DSS has become the minimum that an organisation needs to do to secure their environment.

Prevailing Symptoms (Visa Europe public)

Compromises are becoming much more challenging, because the way cards are used and the way in which businesses are offering services is becoming increasingly complex.

Vulnerabilities are everywhere
They are simple
Easy to exploit
But often very easy to remediate (if the merchant knows that they are there)
Most people could detect themselves that they have been breached if they just looked at the logs
Web development practices are very weak indeed

PCI – makes good business sense!

News round up…
Sony
Lulzsec
Lush
Epsilon
RSA
Lockheed Martin
Dropbox
Travelodge
Heartland Payment Systems
Wordpress
TJX

Data breaches have almost become a statistical certainty

List of businesses targeted by global hacking ring that stole 160 mio. card numbers 2005/12

7-Eleven Inc.
Carrefour S.A.
Dexia Bank Belgium
Discover Financial Services
Dow Jones Inc.
Euronet (payment processor)
Global Payment Systems
Hannaford Brothers Co.
Heartland Payment Systems
Ingenicard US Inc.
J.C. Penney Co.
JetBlue Airways (employee data)
Leading Abu Dhabi Bank
Nasdaq

Source: The Associated Press – 27.07.13

Data breaches have almost become a statistical certainty


The first things you need….

A mask and Internet access, and you can start the hunt for credit cards

Why One Employee is your greatest security threat

1. Size up the organization
2. Compromise a user (using social media)
3. Login & begin initial exploration
4. Solidify presence within the organization
5. Impersonate a privileged user
6. Steal confidential data
7. Cover tracks & prepare for return visit

How much for my card details?

Large Organised Attacks Can Potentially Ruin Merchants

Over 4,000 cards used
Over 500 delivery addresses
Over £300,000 of fraud attempted within only 2 weeks

Building a website

Credit card fraud in the airline industry

Global Card Fraud Rises 14% in 2012 – Nilson Report Aug. 2013
Acquirers, Issuers and merchants lost $11.27 billion
US accounted for 47.3% of fraud losses, but generates just 23.5% of transactions, due to slow EMV (Europay, MasterCard, Visa) migration
Airline Internet fraud, as reported by card issuers: 0.54%
CyberSource puts total Airline costs at 1.4% (staff, fees, prevention) for online sales
Significant regional differences
Cost of avoided fraud, lost sales, etc. ???
Estimated profitability of the airlines 2012: 0.6%

News from Visa Europe

Every three minutes a fraud occurs in our industry
Increase 2012 over 2011 – 24%
Increase Jan. – May 2013 over 2012 – 35%
Airline fraud accounts for 11% of all fraud
Airline fraud accounts for 13% of all CNP (Card Not Present) fraud
82% of Airline fraud is CNP
29% of all Airline fraud is undertaken on US issued cards

No complete figures are available, as people argue what is fraud, and figures are hard to obtain

The “total” cost of credit card fraud

Transactions charged back (not all fraud is charged back by the acquirer: 3D Secure protection, EMV liability shift)
Chargeback handling cost (chargeback successfully disputed, ADMs issued against a Travel Agent)
Lost sales to fraud
Rejecting, insulting & losing genuine customers; lost repeat sales
Cost of fraud prevention/detection activities (3D Secure, EMV Chip & PIN, profiling systems, Perseuss, etc.)
Surcharges and fines levied by the banks or the Card Schemes
Etc.

PCI DSS makes good business practice

First line of defense against fraud
PCI compliance required since 2008
PCI is about SECURITY
PCI is part of RISK MANAGEMENT
Protects your clients’ data
Protects company’s reputation
‘Safe Harbor’ Principle
Protects against fines, penalties, forensic investigations
PCI is also plain common sense

PCI DSS - Six Goals: Twelve Requirements

Goal 1: Build and Maintain a Secure Network
Goal 2: Protect Cardholder Data
Goal 3: Maintain a Vulnerability Management Program
Goal 4: Implement Strong Access Control Measures
Goal 5: Regularly Monitor and Test Networks
Goal 6: Maintain an Information Security Policy

PCI DSS update

Key drivers for version 3.0 updates include:
Lack of education and awareness
Weak passwords and authentication challenges
Third party security challenges
Slow self-detection in response to malware and other threats
Inconsistency in assessments

How to fight credit card fraud

Prevent card compromises – PCI DSS
Fraud prevention, fraud detection
Conduct all the basic checks: physical checks of the card, CVV, AVS
Use all security features: EMV Chip & PIN, 3D Secure
Systematic authorization of all transactions
Training

Visible Security Features on the card

EMV Chip (Contact and/or Contactless)
Scheme Logo
Pre-printed 4-digit BIN
Magnetic Stripe
Signature Panel (with the card scheme’s specific printing)
Signature
CVV 2 / CVC 2 (helps determine whether the user has possession of the card for card-not-present transactions)
Hologram (front or back)

…. some of them will be used in the authorisation process

The systematic authorization request

Is absolutely necessary
Cardholder name is never verified – only card number, expiration date, CVX2 and amount are sent!
Only the issuer can verify: the card number, expiry date and security code (CVX2); AVS (Address Verification System), if supported; 3D Secure transaction
Authorization is NOT a payment guarantee – only a confirmation that the card number is in good standing at the time of the transaction

High risk sales patterns

One-way trip
Urgent departure for long-haul destination
Short “book to fly” timeframe (<3 days)
Change in passenger name after the original booking
Third party sale: legitimate but more fraud prone
Multiple purchases by the same customer: there is no windfall!
Customer offers one card number after the other, when the first authorization request is denied
High risk countries and routes
Splitting a ticket value on the same card: prohibited by the International Card Schemes
Inflight sales (no authorization of the transaction)

Unusual customer information

A repeat customer is a lesser risk: identify them so as not to include their tickets in the manual queue for verification
Most sales are local: it is unusual for a customer to purchase an airline ticket outside his country of residence; particularly true for Travel Agent sales
Discrepancies in the coordinates: country of residence, telephone number country, domain name, IP geolocation
Free e-mail services (no billing trail)

There is no windfall!

Sales excessively high compared to the usual ticket order
Huge orders placed by unknown intermediaries
‘Spam’ e-mail searching for airline tickets
Orders for a carrier or a route never sold before by the Travel Agent
Orders placed from a country which is not the country of departure or arrival

How to fight credit card fraud

Dedicated, trained teams and:
Database – own positive or negative, and Perseuss
Sharing of data that has been used in fraudulent transactions
Rules Engine – fully customisable, continual monitoring and analysis
Fraud Scoring Systems – neural scoring
Continuous proactive analysis (chargebacks, reports from acquiring banks, pattern detection)
Continuous training
Fraud Prevention working groups

What is IATA Perseuss?

Database that allows exchange of customer information related to fraudulent ticket purchases
Simple and standardized structure
Truly global
All relevant customer data can be shared, except credit card number and transaction amount
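The high-risk sales patterns, unusual customer information and "no windfall" indicators on the preceding slides, together with the rules-engine, negative-database and Perseuss sharing slides, can be turned into a small screening routine. The following is an added example written for this page, not IATA, Perseuss or any airline's code: the Booking fields, rule weights, decision thresholds, the NEGATIVE_EMAILS and FREE_MAIL_DOMAINS sets and the two sample bookings are all constructed assumptions. The share_record() function shows the one property the Perseuss slide states explicitly: the card number and the transaction amount never leave the airline.

```python
"""Rule-based screening of a ticket booking, built from the high-risk
patterns listed on the slides.  Added example; field names, weights,
thresholds and all sample data are assumptions, not an industry standard."""

from dataclasses import dataclass
from datetime import date

# Constructed lists standing in for an own negative database or a
# Perseuss-style shared list of e-mail addresses seen in fraudulent sales.
NEGATIVE_EMAILS = {"cheapflights4u@example.net"}
FREE_MAIL_DOMAINS = {"example-freemail.com", "example-webmail.org"}


@dataclass
class Booking:
    email: str
    residence_country: str      # customer's stated country of residence
    phone_country: str          # country of the telephone number given
    ip_country: str             # IP geolocation of the booking session
    departure_country: str
    arrival_country: str
    booking_date: date
    departure_date: date
    one_way: bool = False
    name_changed: bool = False  # passenger name changed after booking
    cards_tried: int = 1        # card numbers offered during one purchase
    split_on_same_card: bool = False
    repeat_customer: bool = False
    pan: str = ""               # card number: kept out of share_record()
    amount: float = 0.0         # transaction amount: also kept out


def risk_flags(b: Booking) -> dict:
    """Return the triggered rules with their (assumed) weights."""
    flags = {}
    if b.email.lower() in NEGATIVE_EMAILS:
        flags["negative_list_email"] = 60
    if b.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        flags["free_email_no_billing_trail"] = 10      # no billing trail
    if (b.departure_date - b.booking_date).days < 3:
        flags["short_book_to_fly"] = 20                # "book to fly" < 3 days
    if b.one_way:
        flags["one_way_trip"] = 10
    if b.name_changed:
        flags["name_change_after_booking"] = 25
    if b.cards_tried > 1:
        flags["multiple_cards_after_decline"] = 30     # one card after the other
    if b.split_on_same_card:
        flags["split_ticket_same_card"] = 20           # prohibited by the schemes
    if len({b.residence_country, b.phone_country, b.ip_country}) > 1:
        flags["coordinate_discrepancy"] = 20           # residence/phone/IP differ
    if b.residence_country not in (b.departure_country, b.arrival_country):
        flags["order_outside_route_countries"] = 15    # most sales are local
    return flags


def risk_score(b: Booking) -> int:
    score = sum(risk_flags(b).values())
    if b.repeat_customer:
        score -= 30   # a known repeat customer is a lesser risk
    return max(score, 0)


def decision(b: Booking) -> str:
    """'accept', 'review' (manual verification queue) or 'reject'."""
    s = risk_score(b)
    if s >= 70:
        return "reject"
    if s >= 30:
        return "review"
    return "accept"


def share_record(b: Booking, outcome: str) -> dict:
    """Record for a shared negative database: the relevant customer data,
    but never the card number or the transaction amount."""
    return {
        "email": b.email,
        "residence_country": b.residence_country,
        "phone_country": b.phone_country,
        "ip_country": b.ip_country,
        "route": f"{b.departure_country}-{b.arrival_country}",
        "outcome": outcome,
        "flags": sorted(risk_flags(b)),
    }


# Constructed sample bookings (not real transactions).
SUSPECT = Booking(email="newuser77@example-webmail.org", residence_country="GB",
                  phone_country="NG", ip_country="US", departure_country="FR",
                  arrival_country="BR", booking_date=date(2013, 9, 10),
                  departure_date=date(2013, 9, 11), one_way=True, cards_tried=3,
                  pan="4111111111111111", amount=1850.0)
REGULAR = Booking(email="j.smith@example.com", residence_country="DE",
                  phone_country="DE", ip_country="DE", departure_country="DE",
                  arrival_country="ES", booking_date=date(2013, 9, 1),
                  departure_date=date(2013, 10, 15), repeat_customer=True)

if __name__ == "__main__":
    for b in (SUSPECT, REGULAR):
        print(decision(b), risk_score(b), sorted(risk_flags(b)))
```

The weights are deliberately additive and visible so that an analyst can see which slide indicator fired; a neural scoring system, as mentioned on the slide, would replace the hand-set weights but keep the same inputs.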


Perseuss today

4 Mio.+ PNRs uploaded
80+ airlines participating
20+ large OTAs participating
API to major fraud profilers
Average hit rate between 35 – 45 on “bad” email addresses
Perseuss is a fraud fighter community: Fraudchasers.org, ffp-fraudbusters.org

Fraud chart: 43,91%, 48 airlines – The top 10 of TA

1 LH
2 CM
3 KL
4 BA
5 LA
6 LX
7 MS
8 AY
9 TB
10 MA

Fraud chart: 36,34%, 54 airlines – The top 10 of CM

1 TA
2 LH
3 BA
4 MS
5 KL
6 LX
7 AK
8 AY
9 LO
10 HV

IATA support to prevent fraud

Develop/implement industry wide initiatives
Resolution 890 (Card Sales Rules for Travel Agents): all transactions must be authorized and the authorization code transmitted in the remittance file; CVV mismatch; liability shift in case of fraud
Best Practices Guide, warnings on fraudulent emails
PCI and Fraud Prevention Work Groups
Training
IATA Perseuss
Lobbying with Card Brands

Conclusions

Fraud is here to stay
Fraudsters are usually a step ahead
Fraudsters have no airline preference – they attack the weakest link
Fraud is “eating” our profit margins

Conclusions

Therefore:
Create awareness of pitfalls (phishing emails!)
Be alert – unusual behavior
Fighting fraud must be a priority
Training
Collaboration on fraud prevention/detection in the industry and with Card Brands (acquirers, issuers)

European day of action targets airline fraudsters
The Hague, 28th June 2013

To clamp down on criminals using fraudulent credit cards to purchase airline tickets
International operation with the help of Visa Europe: 38 airports in 16 European countries
200 suspicious transactions were reported by participating airlines, resulting in 43 arrests
Individuals linked to drug trafficking, illegal immigration, counterfeit documents
Note: Active participation of FBI with ARC/GDS Fraud Group

Questions & Answers

[email protected]
Tel: +41 79 691 71 35

New Payment Architectures: Encryption & Tokenisation (Visa Europe public)

(Architecture diagram on the slide; only its labels survive.)
Diagram components, in slide order: Encrypting Registers, Segmenting Device, PCI Compliant Zone, Internal or Public Network, Point of Decryption, PCI Compliant Zone, Segmenting Device, Encrypting PEDs
Data-state labels: Data Encrypted, No ability to Decrypt, Data Decrypted, Data Tokenised, Token not considered security sensitive
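The tokenisation half of the architecture above (the card number is decrypted only inside the PCI compliant zone, replaced by a token, and the token is not considered security sensitive) is shown below as an added example written for this page, not Visa Europe or IATA code. The TokenVault class, the record layout and the Luhn validation step are assumptions; the encryption of data in transit from the registers and PEDs is not modelled here.

```python
"""Tokenisation of a card number (PAN): the PAN is replaced by a random token
that carries no card data, so systems outside the PCI compliant zone hold only
the token and a masked display form.  Added example; the vault design is an
assumption, not a description of any product."""

import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, run before a PAN is accepted for vaulting."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Token -> PAN map; in the architecture it lives only inside the
    PCI compliant zone, at the point of decryption."""

    def __init__(self) -> None:
        self._store: dict = {}

    def tokenise(self, pan: str) -> str:
        if not re.fullmatch(r"\d{12,19}", pan) or not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(12)   # random, unrelated to the PAN
        self._store[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the component that actually submits the payment should call this."""
        return self._store[token]


def masked(pan: str) -> str:
    """Display form allowed outside the zone: only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def booking_record(vault: TokenVault, pan: str) -> dict:
    """What a reservation system outside the PCI zone is allowed to keep."""
    return {"card_token": vault.tokenise(pan), "card_display": masked(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    record = booking_record(vault, "4111111111111111")   # well-known test PAN
    print(record, vault.detokenise(record["card_token"]))
```

Because the token is drawn from a random generator rather than derived from the PAN, a copy of the reservation database yields nothing usable without the vault, which is what lets the slide call the token "not considered security sensitive".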
