NB: This is a guest article by Justin Levitte, senior director for channel management and sales at 41st Parameter.
While fraud within the travel industry is not a new phenomenon, the expansion of loyalty programs has created new vulnerabilities for airlines and new opportunities for fraudsters to exploit.
Airline fraud has traditionally involved purchasing tickets with stolen credit cards or other fraudulent payment formats.
Fraudsters will often purchase tickets under names slightly misspelled to avoid any flags from prior suspected activity, provide false address information and usually purchase tickets close to flight time.
Luckily, payment authentication solutions and internal fraud detection systems within the credit card companies and financial institutions offer an additional line of defense for airlines.
Background
When it comes to loyalty and frequent flyer programs, the most common way fraudsters attack is by gaining access to legitimate customers’ accounts through hacking weak login credentials, phishing campaigns or even by compromising a less-than-trustworthy internal employee.
Once they have access to an account, there are a number of ways that fraudsters take advantage of loyal customers’ earned airline miles.
The most direct method is to use pilfered miles to purchase tickets. Once purchased, these tickets can either be used by the fraudsters themselves, or sold to a third-party through sites such as Craigslist in the US or eBay almost everywhere else.
Once they've traded the tickets for cash, the fraudster is in the clear. Either the unsuspecting purchaser or the carrier will bear the loss.
As loyalty programs have expanded, groups such as Star Alliance have arisen to aggregate loyalty programs across carriers, giving fraudsters even larger pots to steal from. This is a large problem – but ticket fraud is only part of the story.
The proliferation of new options that allow travellers to use miles to buy products that are unrelated to travel, such as gift cards, retail goods – and in some cases even convert loyalty points to cash – has added a new wrinkle to this type of fraud.
With these new ways of converting miles to sellable goods or cash, fraudsters can even more quickly turn stolen miles into profit. The complexity of these programs has made them both increasingly appealing to fraudsters and more difficult for carriers to monitor and protect.
This problem is not going away either.
There are now reports that the fraudster community has been observed leveraging loyalty points and airline miles to purchase malware kits from each other on the underground market.
As fraudsters increasingly associate loyalty points with real value, the problem will continue to grow and the airlines’ most valuable customers will be targeted.
Unfortunately, loyalty fraud can be very difficult to combat.
Fixes
A relatively simple solution is for airlines to impose more Draconian requirements for ticket purchases – such as requiring that the name on the ticket match the name of the account owner – but unfortunately that will negatively impact a carrier’s loyal customers the most.
Airlines can restrict capabilities such as flexible ticket transfer options, again negatively impacting their most valued customers.
That’s the dilemma – by clamping down on loyalty fraud, airlines can be forced to punish their best customers because they are the targets. A better approach is to treat loyalty accounts like the bank accounts they essentially have become.
Airlines should encourage members to employ strong passwords that are not repeated from other accounts.
Customer service communications should also remind members that the airline will never ask for their password and that they should be wary of any unsolicited emails requesting account information.
Airlines should employ back-end security measures such as device recognition and account monitoring to detect and stop fraudulent transactions before purchases are confirmed or tickets redeemed.
In the same way that banks determine whether to present additional security identification questions when a customer logs into an account, airlines might consider doing the same.
By combining account monitoring with device recognition and analytics, airlines can audit account activity and determine if a transaction is being requested by the actual account holder. Airlines can analyze details beyond just the user ID and IP address to reveal potential red flags:
- Accessing a loyalty account from an unrecognized device
- Changing or even viewing account details from an unrecognized device
- Observing when one device is accessing multiple accounts during a period of time
- A sudden influx of miles to an account with a previously consistent history (for example, fraudsters using stolen credit cards to buy miles as a money laundering technique)
- Use of mileage at much higher rate than in the past
- Multiple tickets purchased with names differing from the account holder’s
While many travel professionals recognize that this is a growing problem, it is critical that airlines start to truly understand the size of this problem and provide full visibility across the organization.
Accounts for loyal travellers need to be treated as the valuable and vulnerable assets that they are. While financial institutions have employed sophisticated security measures for some time, the changing nature of loyalty programs now requires the same of the travel industry.
Loyalty rewards have expanded beyond travel amenities and airfare – they are now a new form of currency, and it’s time to grant them the same protection.
NB: This is a guest article by Justin Levitte, senior director for channel management and sales at 41st Parameter.
NB2: Security image via Shutterstock.