Stop Account Takeover to Prevent Loyalty Fraud
Originally published on HospitalityTech.com
As pandemic-related travel restrictions are lifted, many consumers may open their loyalty program accounts for the first time in nearly a year, only to find them drained of points, miles, and bonuses. While travel rewards might seem like an unusual target for fraudsters, these loyalty points, flyer miles and other rewards are a treasure trove for account takeover attacks, as they can often be used as cash equivalents to sell to other fraudsters or to purchase gift cards. This type of fraud is often referred to as loyalty fraud, and it is more common than most people think.
According to the Loyalty Security Association, 72% of rewards program managers surveyed have experienced issues with fraud. Loyalty program accounts can be easy targets for account takeover fraud, as they are often woefully under-protected and under-supervised compared to traditional financial accounts (1 in 3 program members check their balance only once every few months, and 1 in 10 never do).
So, what can hotels, travel managers and airlines do to stop fraudsters? The first step is to strengthen defenses against the techniques most frequently used to defraud travel and hospitality organizations’ reward programs.
Bolster Account Takeover Security in the Call Center
One of the most common ways fraudsters infiltrate travel and hospitality companies is through the call center. Fraudsters take advantage of the helpful nature of call center agents and manipulate them through social engineering — convincing them to give out sensitive account information, which they then use to illicitly access customer accounts.
To prevent these account takeovers, organizations should certainly train their call center staff to better spot this type of fraud, but they also need to improve authentication processes in their call centers. A well-designed interactive voice response (IVR) system with intelligent multifactor authentication can help combat fraudsters looking to score an easy payday.
In implementing such a system, call center managers need to carefully consider the mix of authentication factors and should avoid relying solely or primarily on traditional forms of authentication — such as knowledge-based authentication, where agents ask customers a series of security questions — as these are easily overcome by fraudsters who may have access to stolen customer data.
Pre-answer caller authentication, a service that inspects the integrity of the call path within the network as well as the identity of the caller before their call is answered, combined with voice biometrics (analyzing a caller’s voice), can better secure the call center against agent vulnerabilities while also reducing wait times and improving the overall customer experience. This approach can flag suspicious calls for greater scrutiny by the fraud team — thus preventing fraudsters from reaching the IVR framework or call center agent in the first place.
Include Additional Account Takeover Protections for Digital Transactions
E-commerce is one of the most important channels for travel and hospitality transactions, but online interactions also present challenges in authenticating users. By their very nature, these digital interactions are anonymous — you can’t check someone’s ID or see their face when they perform a transaction.
Considering the vast quantities of personal information readily available to fraudsters through data breaches, social media channels and more, security questions and passwords are no longer reliable ways to verify someone’s identity. Additional digital identity markers are needed, such as location, IP address and data inherent to the device being used.
There are many fraud prevention solutions available that can help travel and hospitality organizations stop criminals from using stolen or fabricated information to access customer accounts. The key to accurately authenticating identities and maintaining account security is to look beyond the legitimacy of each piece of information provided and instead adopt a 360-degree view of identity that draws connections between a customer’s online and offline identity, their devices, and the behaviors seen across the network. An effective authentication solution should examine how long the customer data and behaviors have been connected and how thoroughly they interact with each other. This will give organizations a better understanding of the individual on the other end of each interaction.
Take Care of Those One-Time Passcodes
One-time passcodes (OTP) — unique verification codes sent to a customer’s device via text — have long been considered an effective method of authenticating identity. However, fraudsters have developed many complex scams to defeat this measure, including SIM swapping (where fraudsters divert the routing of the passcode by convincing a customer’s phone carrier to switch that individual’s phone number to the fraudster’s SIM card) and man-in-the-middle attacks (in which the fraudster calls the customer posing as someone from the business and asks the customer to read the passcode out during the conversation). These sophisticated fraud schemes are difficult for travel and hospitality organizations to combat on their own.
If an organization’s call center uses text passcodes or callbacks to verify customer identity, phone ownership must also be established, because calls and texts can easily be intercepted by fraudsters. The call center cannot rely solely on confirmed message or call delivery; the authentication solution must examine information specific to the device and carrier to determine whether it is truly the customer’s phone and whether it poses a fraud risk. The authentication process should, for example, address the following questions: Have there been recent changes to the phone’s SIM card? Has the customer’s phone number been reassigned? Is a phone number being redirected, forwarding calls to another number? Does recent phone activity suggest that the customer is the current victim of a man-in-the-middle attack?
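The four questions above can be turned into a pre-send gate for passcodes. The following is an added illustration, not code from the original article or any vendor product; the carrier signal fields, the seven-day SIM window and the sample values are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed carrier-intelligence signals for one phone number. The field
# names are assumptions for this example; real providers expose different schemas.
@dataclass
class PhoneSignals:
    sim_changed_at: Optional[datetime]        # last SIM change seen at the carrier
    number_reassigned_at: Optional[datetime]  # number handed to a new subscriber
    call_forwarding_active: bool              # calls being redirected to another line
    call_in_progress: bool                    # line busy at the moment of the request

def assess_otp_channel(sig: PhoneSignals, phone_enrolled_at: datetime,
                       now: datetime, sim_window: timedelta = timedelta(days=7)):
    """Decide whether an SMS/voice passcode to this number can be trusted; each
    check answers one of the questions the article lists for the OTP channel."""
    reasons = []
    # SIM swap: a SIM change shortly before an OTP request is the classic tell.
    if sig.sim_changed_at and now - sig.sim_changed_at <= sim_window:
        reasons.append("sim_changed_recently")
    # Reassignment: if the carrier gave the number away after the customer
    # enrolled it, the passcode would reach a stranger, not the customer.
    if sig.number_reassigned_at and sig.number_reassigned_at > phone_enrolled_at:
        reasons.append("number_reassigned_since_enrollment")
    # Forwarding: a voice callback or voice OTP would land on another line.
    if sig.call_forwarding_active:
        reasons.append("call_forwarding_active")
    # Live call: the customer may be on the line with someone asking for the code.
    if sig.call_in_progress:
        reasons.append("call_in_progress")

    if not reasons:
        decision = "send_otp"
    elif reasons == ["call_in_progress"]:
        decision = "hold_otp"   # wait for the call to end, then re-check
    else:
        decision = "step_up"    # use a non-phone factor and flag for fraud review
    return {"decision": decision, "reasons": reasons}

# Constructed sample: number enrolled a year ago, SIM changed two days ago.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
ENROLLED = NOW - timedelta(days=365)
SAMPLE = PhoneSignals(sim_changed_at=NOW - timedelta(days=2),
                      number_reassigned_at=None,
                      call_forwarding_active=False, call_in_progress=False)

if __name__ == "__main__":
    print(assess_otp_channel(SAMPLE, ENROLLED, NOW))  # step_up, sim_changed_recently
```

The gate runs before the code is sent, so a confirmed delivery receipt never has to be trusted on its own.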
A Holistic View of Identity
As fraudsters continue to develop more complex schemes and new ways to overcome traditional fraud-fighting and authentication methods, travel and hospitality organizations need to implement better tools for verifying customer identity and determining risk.
Loyalty programs may currently be low-hanging fruit for fraudsters, but they don’t need to be. The same types of technologies that are proving effective in protecting traditional financial accounts — intelligent authentication solutions that adopt a holistic view of identity across online, offline and device-based data and behaviors over time — can help travel and hospitality organizations fight fraud and protect their customers’ accounts. Customers will quickly come to expect no less.