Pass Bureau Association 46th Annual Conference, Nashville, 12th September 2013


DESCRIPTION

Fraud in the Airline Industry. Pass Bureau Association 46th Annual Conference, Nashville, 12th September 2013. Agenda: overview of IATA; different types of fraud; card data fraud is rampant and easy to commit; PCI DSS update; credit card fraud in the airline industry.

TRANSCRIPT

  • PBA - 12.09.2013 | Pass Bureau Association, 46th Annual Conference, Nashville, 12th September 2013: Fraud in the Airline Industry

  • Today's Agenda
    Overview of IATA
    Different types of fraud
    Card data fraud is rampant and easy to commit
    PCI DSS update
    Credit card fraud in the airline industry
    How to fight credit card fraud
    Conclusions
    Q & A

  • Overview of IATA

    Non-profit international trade body, created 68 years ago by a group of airlines in Havana, Cuba. IATA represents 240 airlines from 126 nations, comprising 84% of total air traffic globally. IATA's mission: to represent, lead and serve the airline industry.

  • Different types of fraud
    Credit card fraud
    Internet-based crime and e-commerce
    Fake travel agency websites
    Solicitation email scams
    Internal employee fraud
    Frequent Flyer abuse and brokering schemes
    Agency fare abuse
    Baggage fraud (?)


  • Frequent flyer fraud
    FFP members are not always honest:
    Double dipping on code-share flights
    Rerouting/cancellations (fraud?)
    Airline staff:
    Adding personal FFP numbers to PNRs
    Customer service staff awarding miles to friends
    Claiming miles for ID/AD tickets
    Accessing accounts

  • Frequent flyer fraud
    Travel agency staff:
    Selling mileage tickets
    Adding FFP numbers to bookings
    Double dipping on code-share flights
    May get access to FFP member account passwords
    Fraudsters' growth area!!
    Account take-over via phishing emails
    Buying miles with stolen cards
    E-shop/mail frauds

  • "Hackers steal air miles from frequent flyer accounts": Hackers managed to break into US Airways' frequent flyer accounts and steal the air miles ... US Airways spokesman Bill McGlashen told TravelMole that the carrier "noticed suspicious activity after customers reported that miles were deducted, and so we looked into what was happening, and notified state and federal officials." No credit card or social security numbers were compromised. McGlashen declined to reveal the exact number of accounts. (TravelMole, Friday 16th August 2013)


  • The Target of Choice or Target of Opportunity

    Our industry is dominated by a simple equation:

    The era of simple, random attacks has passed. Expect, and prepare for, determined and sophisticated attacks.

    If successfully attacked, customer trust and organisational reputation are at risk. PCI DSS has become the minimum that an organisation needs to do to secure its environment.

    Source: Visa Europe (public)

  • Prevailing Symptoms
    Compromises are becoming much more challenging, because the way cards are used and the way in which businesses offer services are becoming increasingly complex
    Vulnerabilities are everywhere: they are simple, easy to exploit, but often very easy to remediate (if the merchant knows that they are there)
    Most people could detect for themselves that they have been breached if they just looked at the logs
    Web development practices are very weak indeed

  • PCI makes good business sense! News round-up: Sony, LulzSec, Lush, Epsilon, RSA, Lockheed Martin, Dropbox, Travelodge, Heartland Payment Systems, WordPress, TJX. Data breaches have almost become a statistical certainty.

  • Data breaches have almost become a statistical certainty. List of businesses targeted by the global hacking ring that stole 160 million card numbers, 2005 to 2012: 7-Eleven Inc.; Carrefour S.A.; Dexia Bank Belgium; Discover Financial Services; Dow Jones Inc.; Euronet (payment processor); Global Payment Systems; Hannaford Brothers Co.; Heartland Payment Systems; Ingenicard US Inc.; J.C. Penney Co.; JetBlue Airways (employee data); a leading Abu Dhabi bank; Nasdaq. (Source: The Associated Press, 27.07.13)


  • The first things you need: a mask and Internet access, and you can start the hunt for credit cards.

  • Why one employee is your greatest security threat
    Size up the organization
    Compromise a user (using social media)
    Log in and begin initial exploration
    Solidify presence within the organization
    Impersonate a privileged user
    Steal confidential data
    Cover tracks and prepare for a return visit

  • How much for my card details?

  • Large organised attacks can potentially ruin merchants
    Over 4,000 cards used
    Over 500 delivery addresses
    Over 300,000 of fraud attempted within only 2 weeks

  • Building a website

  • Credit card fraud in the airline industry
    Global card fraud rose 14% in 2012 (Nilson Report, Aug. 2013)
    Acquirers, issuers and merchants lost $11.27 billion
    The US accounted for 47.3% of fraud losses but generated just 23.5% of transactions, due to slow EMV (Europay, MasterCard, Visa) migration
    Airline Internet fraud, as reported by card issuers: 0.54%
    CyberSource puts total airline fraud costs at 1.4% of online sales (staff, fees, prevention)
    Significant regional differences
    Cost of avoided fraud, lost sales, etc.: ???
    Estimated profitability of the airlines in 2012: 0.6%

  • News from Visa Europe
    Every three minutes a fraud occurs in our industry
    Increase 2012 over 2011: 24%
    Increase Jan. to May 2013 over 2012: 35%
    Airline fraud accounts for 11% of all fraud
    Airline fraud accounts for 13% of all CNP (Card Not Present) fraud
    82% of airline fraud is CNP
    29% of all airline fraud is undertaken on US-issued cards
    No complete figures are available, as people argue about what counts as fraud, and figures are hard to obtain

  • The total cost of credit card fraud
    Transactions charged back (not all fraud is charged back by the acquirer: 3D Secure protection, EMV liability shift)
    Chargeback handling cost (chargebacks successfully disputed, ADMs issued against a travel agent)
    Lost sales to fraud
    Rejecting, insulting and losing genuine customers; lost repeat sales
    Cost of fraud prevention/detection activities (3D Secure, EMV Chip & PIN, profiling systems, Perseuss, etc.)
    Surcharges and fines levied by the banks or the card schemes
    Etc.

  • PCI DSS makes good business practice
    First line of defense against fraud
    PCI compliance required since 2008
    PCI is about SECURITY
    PCI is part of RISK MANAGEMENT
    Protects your clients' data
    Protects the company's reputation
    Safe harbor principle
    Protects against fines, penalties, forensic investigations
    PCI is also plain common sense

  • PCI DSS - Six Goals, Twelve Requirements

    Goal 1: Build and Maintain a Secure Network

    Goal 2: Protect Cardholder Data

    Goal 3: Maintain a Vulnerability Management Program

    Goal 4: Implement Strong Access Control Measures

    Goal 5: Regularly Monitor and Test Networks

    Goal 6: Maintain an Information Security Policy


  • PCI DSS update
    Key drivers for the version 3.0 updates include:
    Lack of education and awareness
    Weak passwords and authentication challenges
    Third-party security challenges
    Slow self-detection in response to malware and other threats
    Inconsistency in assessments

  • How to fight credit card fraud
    Prevent card compromises: PCI DSS
    Fraud prevention, fraud detection
    Conduct all the basic checks: physical checks of the card, CVV, AVS
    Use all security features: EMV Chip & PIN, 3D Secure
    Systematic authorization of all transactions
    Training

  • Visible security features on the card
    EMV chip (contact and/or contactless)
    Scheme logo
    Pre-printed 4-digit BIN
    Magnetic stripe
    Signature panel (with the card scheme's specific printing)
    Signature
    CVV2 / CVC2 (helps determine whether the user has possession of the card for card-not-present transactions)
    Hologram (front or back)
    Some of these are used in the authorisation process

  • The systematic authorization request
    Is absolutely necessary
    The cardholder name is never verified: only the card number, expiration date, CVx2 and amount are sent!
    Only the issuer can verify the card number, expiry date and security code (CVx2)
    AVS (Address Verification System), if supported
    3D Secure transaction
    Authorization is NOT a payment guarantee: only a confirmation that the card number is in good standing at the time of the transaction

  • High risk sales patterns
    One-way trip
    Urgent departure for a long-haul destination
    Short book-to-fly timeframe (

  • Unusual customer information
    A repeat customer is a lesser risk: identify them so as not to include their tickets in the manual queue for verification
    Most sales are local: it is unusual for a customer to purchase an airline ticket outside his country of residence (particularly true for travel agent sales)
    Discrepancies in the coordinates: country of residence, telephone number country, domain name, IP geolocation
    Free e-mail services (no billing trail)

  • There is no windfall!
    Sales excessively high compared to the usual ticket order
    Huge orders placed by unknown intermediaries
    Spam e-mail searching for airline tickets
    Orders for a carrier or a route never sold before by the travel agent
    Orders placed from a country which is neither the country of departure nor of arrival

  • How to fight credit card fraud
    Dedicated, trained teams and:
    Databases (own positive or negative lists) and Perseuss
    Sharing of data that has been used in fraudulent transactions
    Rules engine: fully customisable, continual monitoring and analysis
    Fraud scoring systems, neural scoring
    Continuous proactive analysis (chargebacks, reports from acquiring banks, pattern detection)
    Continuous training
    Fraud prevention working groups
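The high-risk sales patterns, unusual customer information and "no windfall" indicators listed in the preceding slides, together with the rules engine and fraud scoring this slide calls for, as an added example that is not code from the IATA deck, from Perseuss or from any fraud profiler: a small rule-based scorer run over three constructed orders. The rule weights, the 24- and 48-hour thresholds, the 3x amount multiplier, the review/reject cut-offs, the free-mail domain list and the `Order` fields are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Added illustration of a rules engine for airline ticket orders. The rules
# mirror the deck's risk indicators, but every weight, threshold and field
# name below is an assumption, not a figure taken from the source.


@dataclass
class Order:
    order_id: str
    booked_at: datetime
    departs_at: datetime
    one_way: bool
    long_haul: bool
    amount: float
    residence_country: str    # country of residence from the billing data
    phone_country: str        # country implied by the telephone prefix
    ip_country: str           # IP geolocation of the booking session
    email_domain: str
    origin_country: str       # country of departure
    destination_country: str  # country of arrival
    merchant_country: str     # country in which the airline / agent sells
    repeat_customer: bool     # known good customer: keep out of the manual queue
    usual_amount: float       # merchant's typical ticket value for this route


# No billing trail behind these domains (assumed list).
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def hours_to_departure(o: Order) -> float:
    return (o.departs_at - o.booked_at).total_seconds() / 3600


# (rule name, predicate, weight). A negative weight lowers the risk score.
RULES = [
    ("one_way_trip", lambda o: o.one_way, 10),
    ("urgent_long_haul", lambda o: o.long_haul and hours_to_departure(o) < 48, 20),
    ("short_book_to_fly", lambda o: hours_to_departure(o) < 24, 15),
    # "most sales are local": buyer lives outside the selling country
    ("non_local_purchase", lambda o: o.residence_country != o.merchant_country, 15),
    # discrepancies in the coordinates: residence vs phone vs IP geolocation
    ("coordinate_mismatch",
     lambda o: len({o.residence_country, o.phone_country, o.ip_country}) > 1, 20),
    ("free_email", lambda o: o.email_domain.lower() in FREE_EMAIL_DOMAINS, 5),
    # "there is no windfall": order far above the usual ticket value
    ("excessive_amount", lambda o: o.amount > 3 * o.usual_amount, 15),
    # order placed from a country that is neither departure nor arrival
    ("third_country_order",
     lambda o: o.ip_country not in (o.origin_country, o.destination_country), 15),
    ("repeat_customer", lambda o: o.repeat_customer, -25),
]

REVIEW_THRESHOLD = 30   # send to the manual verification queue
REJECT_THRESHOLD = 60   # decline outright


def score_order(o: Order) -> tuple[int, list[str]]:
    """Return the total score and the names of the rules that fired."""
    score, hits = 0, []
    for name, predicate, weight in RULES:
        if predicate(o):
            score += weight
            hits.append(name)
    return score, hits


def decide(o: Order) -> str:
    score, _ = score_order(o)
    if score >= REJECT_THRESHOLD:
        return "reject"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "accept"


def sample_orders() -> dict[str, Order]:
    """Three constructed orders (not real bookings)."""
    return {
        "clean": Order("A1", datetime(2013, 9, 1, 10), datetime(2013, 9, 20, 8),
                       one_way=False, long_haul=False, amount=300.0,
                       residence_country="FR", phone_country="FR", ip_country="FR",
                       email_domain="orange.fr", origin_country="FR",
                       destination_country="FR", merchant_country="FR",
                       repeat_customer=True, usual_amount=350.0),
        "borderline": Order("B2", datetime(2013, 9, 5, 12), datetime(2013, 9, 12, 12),
                            one_way=True, long_haul=False, amount=500.0,
                            residence_country="DE", phone_country="DE", ip_country="DE",
                            email_domain="gmail.com", origin_country="DE",
                            destination_country="ES", merchant_country="AT",
                            repeat_customer=False, usual_amount=350.0),
        "suspect": Order("C3", datetime(2013, 9, 10, 22), datetime(2013, 9, 11, 9),
                         one_way=True, long_haul=True, amount=2400.0,
                         residence_country="US", phone_country="NG", ip_country="RO",
                         email_domain="gmail.com", origin_country="GB",
                         destination_country="NG", merchant_country="GB",
                         repeat_customer=False, usual_amount=400.0),
    }


if __name__ == "__main__":
    for label, order in sample_orders().items():
        score, hits = score_order(order)
        print(f"{label:10s} score={score:4d} decision={decide(order):7s} hits={hits}")
```

The point of the "repeat_customer" rule carrying a negative weight is the slide's own advice: a known customer is a lesser risk and should be kept out of the manual queue even when one of the weaker indicators (a free-mail address, a one-way ticket) fires. Tuning the weights against chargeback history is the "continuous proactive analysis" the slide mentions.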

  • What is IATA Perseuss?
    Database that allows exchange of customer information related to fraudulent ticket purchases
    Simple and standardized structure
    Truly global
    All relevant customer data can be shared, except the credit card number and the transaction amount


  • Perseuss today
    4 million+ PNRs uploaded
    80+ airlines participating
    20+ large OTAs participating
    API to major fraud profilers
    Average hit rate between 35 and 45 on bad email addresses
    Perseuss is a fraud fighter community: Fraudchasers.org, ffp-fraudbusters.org

  • Fraud chart: the top 10 of TA (43,91%, 48 airlines)
    1 LH
    2 CM
    3 KL
    4 BA
    5 LA
    6 LX
    7 MS
    8 AY
    9 TB
    10 MA

  • Fraud chart: the top 10 of CM (36,34%, 54 airlines)
    1 TA
    2 LH
    3 BA
    4 MS
    5 KL
    6 LX
    7 AK
    8 AY
    9 LO
    10 HV

  • IATA support to prevent fraud
    Develop/implement industry-wide initiatives
    Resolution 890 (Card Sales Rules for Travel Agents): all transactions must be authorized, with transmittal of the authorization code in the remittance file; CVV mismatch; liability shift in case of fraud
    Best Practices Guide, warnings on fraudulent emails
    PCI and Fraud Prevention Work Groups
    Training
    IATA Perseuss
    Lobbying with the card brands

  • Conclusions
    Fraud is here to stay
    Fraudsters are usually a step ahead
    Fraudsters have no airline preference: they attack the weakest link
    Fraud is eating our profit margins

  • Conclusions, therefore:
    Create awareness of pitfalls (phishing emails!)
    Be alert to unusual behavior
    Fighting fraud must be a priority
    Training
    Collaboration on fraud prevention/detection in the industry and with the card brands (acquirers, issuers)

  • European day of action targets airline fraudsters (The Hague, 28th June 2013)
    To clamp down on criminals using fraudulent credit cards to purchase airline tickets
    International operation with the help of Visa Europe: 38 airports in 16 European countries
    200 suspicious transactions were reported by participating airlines, resulting in 43 arrests
    Individuals linked to drug trafficking, illegal immigration, counterfeit documents
    Note: active participation of the FBI with the ARC/GDS Fraud Group

  • Questions & Answers. Contact: [email protected], tel. +41 79 691 71 35

  • New Payment Architectures: Encryption & Tokenisation (diagram; labels: Data encrypted; No ability to decrypt; Data decrypted; Data tokenised; Token not considered security sensitive; Segmenting device)
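The tokenisation half of that diagram, as an added example that is not code from the deck or from any vendor's product: a token vault that replaces the PAN with a random, Luhn-invalid stand-in, so the value the merchant stores is not security sensitive and only the vault (the "segmenting device") can map it back. The vault design, the token format (random leading digits, last four digits kept for display) and the well-known test PANs are assumptions. A production vault would live in its own assessed network segment and encrypt the stored PANs at rest; this in-memory version shows only the tokenisation logic.

```python
from __future__ import annotations
import secrets

# Added example of PAN tokenisation; the vault design, token format and
# sample PANs are assumptions for illustration, not taken from the deck.


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test that every real card number passes."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Display form: only the last four digits are shown."""
    return "*" * (len(value) - 4) + value[-4:]


class TokenVault:
    """Maps random tokens to PANs.

    Only this component (the 'segmenting device' on the slide) ever holds
    the PAN; the merchant's systems store and search on the token only.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        # Same PAN -> same token, so a merchant can still notice one card
        # behind many bookings (a fraud pattern) without ever seeing the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random digits from a CSPRNG; keep the last four for display.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn, so a leaked token can never be
            # mistaken for (or accidentally submitted as) a real card number.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only code inside the vault's segment should be able to reach this."""
        return self._pan_by_token[token]


def demo() -> dict:
    """Constructed walk-through with a well-known test PAN (not a live card)."""
    vault = TokenVault()
    pan = "4111111111111111"
    token = vault.tokenize(pan)
    return {
        "token": token,
        "masked": mask(token),
        "round_trip_ok": vault.detokenize(token) == pan,
        "token_is_pan_like": luhn_valid(token),
        "stable": vault.tokenize(pan) == token,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices matter for the "token not considered security sensitive" claim: the token carries no information derived from the PAN beyond the last four digits (a format-preserving scheme that also kept the six-digit BIN would leave only six unknown digits, which is why such tokens are treated with more caution), and the token is generated from a CSPRNG rather than by hashing or encrypting the PAN, so there is nothing to brute-force or decrypt outside the vault.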
