
Airline Loyalty Fraud: Lessons from Banking Security

Hugh Steed

Solutions Engineer

What Airline Loyalty Schemes Can Learn From Banks

Fraudsters love banks…

It’s no surprise that banks remain the number one target for fraudsters: they obviously hold money to steal, but, just as importantly, they give criminals the means to move that money around and get it out.

Since the advent of digital and mobile banking, an elaborate cat-and-mouse game has evolved in which banks continue to invest in sophisticated anti-fraud solutions, and the fraudsters develop ever more ingenious ways to try to circumvent them.

While the criminals will never stop targeting banks, they are turning their attention to less well-defended targets that contain monetary equivalents and where their established tools and processes can be more effective – airline loyalty schemes.

… but airline loyalty schemes are an increasingly attractive alternative. 

Airline loyalty schemes are a longstanding part of the flying economy and an effective way to retain and reward frequent flyers. Once the preserve of full-service airlines, loyalty schemes are now being launched by traditional low-cost carriers such as Southwest.

Many airlines have broadened their offering to include earning via credit cards and spend in other retail channels. Points can now be redeemed not just for travel but on a wide variety of goods and can be transferred to partner schemes and extracted there.

With that diversity comes increased targeting from criminals: loyalty fraud is believed to cost the industry between $1 billion and $2 billion annually. Ghost brokering is a particular concern; it combines a variety of methods to enable airline inventory to be fraudulently acquired and sold to unsuspecting customers.

Let’s look at the most common attack vectors and how airlines can learn from banks in defeating them.

Multi Account Creation

To successfully execute loyalty fraud, criminals need control of customer accounts to receive and launder stolen points. Unlike banks, where strict Know Your Customer (KYC) processes need to be followed, an airline loyalty account can be opened with just an email address or phone number.

Even so, banks still experience high-volume account creation attacks, which often employ bots or similar scripted tooling to create large numbers of fake accounts. Criminals frequently use ‘phone farms’: hundreds of individual devices acting in concert to sign up via airline apps or websites.

Banks defeat this by forensically analyzing the configuration and behavior of the devices behind the account opening request. Even though steps are taken to obscure the device profile, the right fraud solution can spot patterns such as a lack of device movement, consistent light exposure and a device that is continually on charge. Even the number of apps installed on a device can be a giveaway, as can unnatural typing, touch or mouse behaviour. Signals such as VPN use, suspicious network profiles and direct API access can uncover bot activity, even low-and-slow attacks.

Account Takeover

Fraudsters will target high-value accounts to extract their points balance or transfer it to a compromised account. Good account security is the starting point here: banks enforce multifactor authentication, whereas it is often optional for loyalty schemes, which prioritize customer experience.

Banks have become skilled at detecting suspicious login behaviour, looking for the same or a similar device targeting multiple accounts. Credential stuffing attacks, where usernames and passwords from previous data breaches are tested, can be detected with high-resolution and persistent device fingerprinting. Suspicious logins can be challenged, and potentially compromised accounts flagged for review or blocked from high-risk activity like transfer or redemption. Conversely, customers returning with a known trusted device can be given a ‘white glove’ journey with minimal disruption.

A key defense against ATO is to watch what a device does immediately after login: while a legitimate user may just want to confirm account activity, a criminal will move immediately to changing contact details and redeeming or transferring points. Therefore, it is important for the airline’s fraud system to have visibility across the customer journey to separate malicious intent from an anomalous event.
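As an added illustration (not code from this post or from Darwinium), here is the kind of check the two paragraphs above describe, run over a constructed event log: one device fingerprint logging into many accounts inside a short window, and a login followed almost immediately by a contact-detail change and a points transfer. The event fields, action names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime as dt, timedelta

# Constructed sample event log (not real data): (time, device_id, account_id, action).
# dev-A hits four accounts in seconds; dev-B changes contact details then transfers points
# straight after login; dev-C only reviews its account activity.
EVENTS = [
    (dt(2024, 1, 1, 10, 0, 0), "dev-A", "acct-1", "login"),
    (dt(2024, 1, 1, 10, 0, 5), "dev-A", "acct-2", "login"),
    (dt(2024, 1, 1, 10, 0, 9), "dev-A", "acct-3", "login"),
    (dt(2024, 1, 1, 10, 0, 14), "dev-A", "acct-4", "login"),
    (dt(2024, 1, 1, 11, 0, 0), "dev-B", "acct-7", "login"),
    (dt(2024, 1, 1, 11, 0, 40), "dev-B", "acct-7", "change_contact"),
    (dt(2024, 1, 1, 11, 1, 30), "dev-B", "acct-7", "transfer_points"),
    (dt(2024, 1, 1, 12, 0, 0), "dev-C", "acct-8", "login"),
    (dt(2024, 1, 1, 12, 3, 0), "dev-C", "acct-8", "view_activity"),
]
HIGH_RISK = {"transfer_points", "redeem_points"}  # assumed action names

def credential_stuffing_devices(events, max_accounts=3, window=timedelta(minutes=10)):
    """Devices whose logins reach more than max_accounts distinct accounts inside one window
    (thresholds are illustrative assumptions, not figures from the post)."""
    logins = defaultdict(list)
    for t, dev, acct, act in events:
        if act == "login":
            logins[dev].append((t, acct))
    flagged = set()
    for dev, items in logins.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            if len({a for t, a in items[i:] if t - t0 <= window}) > max_accounts:
                flagged.add(dev)
                break
    return flagged

def post_login_takeover_sessions(events, window=timedelta(minutes=5)):
    """(device, account) pairs where a contact change and a transfer/redemption both
    follow a login within `window`: the takeover sequence the post describes."""
    sessions = defaultdict(list)
    for t, dev, acct, act in events:
        sessions[(dev, acct)].append((t, act))
    flagged = []
    for key, acts in sessions.items():
        acts.sort()
        for login_time in (t for t, a in acts if a == "login"):
            after = {a for t, a in acts if login_time < t <= login_time + window}
            if "change_contact" in after and after & HIGH_RISK:
                flagged.append(key)
                break
    return flagged
```

In a real deployment the device id would be the persistent fingerprint the post mentions, and a flagged session would be challenged or blocked from transfer and redemption rather than merely listed.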

Scams

As banks’ digital defences have improved, criminals have become increasingly reliant on scams, where the end user is socially engineered into performing the money transfer on behalf of the fraudster, bypassing all the usual security controls.

The victim will receive a call purporting to be from the bank or will be sent an alarming text or email flagging an immediate security risk. The scammer will use a persuasive script to convince the victim to give them control of the device to ‘fix the problem’. In reality, they are draining the account value. 

To prevent this attack, banks employ sophisticated real-time detection of the device being in a call, screen sharing or using remote access technology (RAT). Combined with unusual account behavior such as excessive points transfer, these events can be detected and shut down.

Think like a bank and keep the fraudsters out

While fraudsters have a proven suite of attack methods, the banking and anti-fraud industry has seen them all before and has developed effective defences that combine real-time network, device and behavioral biometrics intelligence, looking across the whole customer journey, to defeat both individual and highly scaled attacks.
