Brute forcing and ignorance in travel fraud

The latest travel fraud story to hit the UK front pages ticks the boxes required to strike fear into the heart of Middle England – Russian cybercriminals are hacking travel loyalty schemes and living a life of luxury at the expense of hardworking Brits by selling these points on the dark web.

The source is a blog posted by Flashpoint, a New York-based business risk intelligence specialist.

The gist of the post is that cybercriminals – euphemistically described as “actors” – are accessing loyalty and rewards accounts by guessing passwords – a technique known as “brute forcing”. Once in, the actors are then using the points to buy flights, rent cars and book hotel rooms. This inventory is then sold on the dark web to travellers who end up getting a holiday at a substantial discount.

While the headline on the front page of UK broadsheet The Times talks about Russians, Flashpoint references English and Spanish-speaking actors as well.

It is not clear from the post how this specific type of fraudulent activity actually transpires in practice. When the actor books the hotel using stolen points, in whose name is that booking made and how does that booking transfer into the name of the person turning up at the hotel?

However, Flashpoint says that it has been monitoring this activity on dark web forums and claims that one actor had 3,601 customers between March 2015 and December 2016, so someone somewhere has found a way to make it work.

What is clear from the post is how this type of fraud can be prevented, or the threat reduced – “practicing stringent password hygiene.”

If the actors were unable to access the account in the first place, we wouldn’t be asking how they were able to buy and resell travel products and how the buyers of the de facto stolen goods were able to take a trip.

The post concludes:

“The difficulty of guessing a password increases exponentially along with its character length and complexity.”

“Fraud” is a complicated, emotive and expensive subject which covers a multitude of sins. IATA said that in 2016 payment fraud cost the airline industry $1.2 billion.

There are many fraud prevention businesses and initiatives active in travel, but a sad part of the fraud landscape is that criminals are criminals and when one door is slammed shut in their face they find another one. The levels of sophistication around credit card fraud prevention – AI, machine learning, big data – has, some say, pushed the criminals to softer targets – such as accessing loyalty schemes.

The good news is that digital identity verification providers are starting to make their presence felt in travel, integrating biometrics and image verification into the payment flow. Biometric tech is progressing and it is possible that the “user name and password” means of accessing an account will become the exception rather than the rule over time.

Until then, maybe the broadsheets should be angling fraud stories around “don’t use ‘password’ as your password” rather than blaming Russian cybercriminals.

Related coverage from tnooz:

The tension between fraud prevention and user experience in the travel industry (Nov17)
How defeated web scrapers with Distil Networks (Oct17)
As mcommerce grows in travel, so does the need to understand mobile fraud (Oct16)
Airlines face new and unexpected security threat – loyalty fraud (Nov12)

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *