Did you pack yourself?

In my last year's summer post about travel deals I talked a bit about fraud in the “last minute” type of travel. But when you take a step back you discover quite a lot of fraud in the general airline sector, and it’s always interesting to think of what sort of cash-out options exist in the airline and hospitality categories.

The number of fraudsters who just use a stolen credit card to buy an airline ticket on their own name is quite limited, and their career as professional cyber thugs is probably short lived. I talked to fraud departments in several European airlines, and they have good war stories on not-too-bright cybercriminals being taken off flights and read their rights. Fraudsters that are a bit more clever order such tickets a day or two before travel, pick up the ticket in an automated kiosk, use a name which is slightly misspelled so a direct check won’t match against their own name, and provide fake address information. This minimizes the chances of getting caught, and it’s not like law enforcement services will go after every petty criminal scamming the airlines.

But more sophisticated undercurrents exist beneath the surface of airline fraud. Human trafficking is a major source of online fraud; being an illegitimate operation often calls for illegitimate payment methods when it comes to booking travel, which is essential in this criminal trade. The same issue is true for fraudsters organizing mule operations; in the summer of 2010, a lot of Eastern European mules were recruited and flown over the states. In Operation Trident, US law enforcement arrested dozens of these money mules; they all entered the US under Visa students. The thing is, if you organize something of this magnitude, you don’t want to pay the travel costs. You use a compromised card and by tickets for your mules.

And there are some other activities that often do not use real cards: talking last week to a company specializing in tracing terrorist groups online, they confirmed that a lot of fraud is triggered by such actors. In fact, many politically motivated forums give advice of never using one’s own credit card when booking a flight to, lets say, a sabotage boot camp in Afghanistan. Seems like solid advice to me.

But the majority of fraud comes from more routine financial fraud motivation.

Some airlines now offer gift cards, and they can be subject of fraud. Fraudsters can also use compromised credit cards to buy tickets on other people’s name, selling them in auction websites. Trojans capture frequent flier website credentials, and this information is also fed into the same cash-out machine, which is why account takeover fraud is on the rise. Hotels and hospitality services are also a favorite venue of fraud, and they have less checks when compared to the airlines.

A 2009 Cybersource report on preventing airline fraud listed Verified by Visa and MasterCard SecureCode as the most effective validation tool airlines use against fraud. (60% quoted it as one of the top 3 tools, as opposed to 49% citing CVV checks and 37% mentioning address verification checks). These payer authentication schemes are also quite popular: 61% of surveyed airlines said they use them, second only to CVV checks (96%) and internal black lists (71%). In the UK it’s companies like British Airways, BMI and Easyjet; in the US, Continental, Delta and JetBlue and Travelocity are among the airline websites supporting 3D Secure.

Looking at some RSA data from Verified by Visa and MasterCard SecureCode (see chart below), some trends emerge. In the UK, about 0.75% of travel deals (75 basis points) and 0.4% of airline ticket sales are fraudulent (based on Q1 2010 data); luckily the eCommerce authentication scheme, coupled with risk-based authentication applied to it, catches almost all of that fraud.

In the US the numbers are higher: about 1.2% of online airline sales (120 basis points) are fraudulent. That’s attempted fraud; again, eCommerce authentication and monitoring catches most of it in real time even before the card is sent to authorization, so US merchants supporting 3D Secure enjoy a lower level of undetected fraud, as well as no actual fraud losses given the famous liability shift from merchants to issuers when the transaction goes through the 3D Secure scheme. Interestingly, the Cybersource report puts the loss average at 1.1%; while you can’t directly compared the two metrics, this does indicates a lot of attempted fraud that translates into actual fraud losses. It means a lot of US merchants in the travel space can still benefit from adopting 3D Secure or other dedicated eCommerce protection tools.

Another interesting point is the average good vs. bad transaction. In the UK, average online purchase at airline website is 350 pounds, and average at travel deals website is 300 pounds. The average fraud purchase is far higher: 1100 and 1350 respectively. Fraudsters prefer booking last minute business or first class tickets for obvious reasons. In the US, genuine spend in airline websites is $600, while fraud spend is $1200 on average. Ticket price alone cannot, of course, be an incriminating factor in determining the risk of fraud; airlines specialize in fitting supply to demand by offering just the right fee, and rejecting high-amount orders is going to be rejecting a lot of profitable business. 

To summarize, although airline fraud might be riskier than any other type of fraud, and the items less ‘sellable’, it is still a booming business with unique challenges. Fraudsters are certainly not in a holding pattern when it comes to picking up on this eCommerce vertical.