How Does Machine Learning Prevent OTA Fraud?

Online travel agencies, more commonly referred to as OTAs, are online booking platforms used to compare prices and book flights, hotels or holiday packages. Well-known OTAs include Expedia, Booking.com and TripAdvisor. While we have seen a significant increase in the use of OTAs for booking travel arrangements in recent years, we have also seen a similar rise in OTA fraud. Total fraud loss to OTAs was predicted to grow by 19% to $25 billion by the year 2020.

What is OTA fraud?

OTA fraud occurs when fraudulent transactions are made, either using stolen credit card details, stolen loyalty points or air miles, or cancellations of legitimate transactions following completion of a trip resulting in chargebacks to the company.

A fraud attack typically begins with fraudsters obtaining either consumers’ credit card numbers and personally identifiable information, a travel agent’s booking system login, or both. The methods vary, from phishing for a travel agent’s login credentials, to a sophisticated bad actor acquiring account information on the dark web.

Why are online travel agencies targeted?

High-value accounts – for example accounts with saved credit card details, or a large number of acquired loyalty points – as well as the high resale value of flights, hotels and other travel bookings are the main contributing factors for OTA fraud.

Four common types of OTA fraud

Credit card fraud

One of the most common types of OTA fraud is credit card fraud, where a booking is purchased using stolen credit card details. Although it is not always clear how fraudsters obtain these credit card details, there is often a high chance that they have been purchased on an underground marketplace on the dark web. While the purchase of credit card details and other stolen information on underground marketplaces is becoming increasingly popular, Netacea found that only 1% of businesses are aware of the underground market where stolen accounts and credentials are being sold.

Bookings made with stolen credit card details are often made less than 24 to 48 hours before the scheduled departure time. This gives the OTA and the fraud victim a limited timeframe to detect the fraud and report it. Research has shown that bookings made on the same day as the departure are 4.3 times more likely to be fraudulent.

Friendly fraud

Friendly fraud is similar to the above, however, instead of a purchase being made with stolen credit card details, a legitimate credit card purchase is labeled by the customer as fraudulent following a trip – resulting in chargebacks. Like with credit card fraud, this is often seen when bookings are made last minute, usually within a 24-to-48-hour timeframe before departure.

Often, even after the cancellation of these bookings, the loyalty points or reward scheme bonuses are still credited to their accounts. Fraudsters are then able to resell these loyalty points or use them for heavily discounted future travel purchases

Phishing

Phishing scams are often used to gain access to either employee or customer accounts. Phishing occurs when people are duped into providing their account credentials or other personal details after receiving an email, text message, or sometimes even a phone call from a fraudster.

Often victims are asked to follow a link that takes them to a webpage disguised to look like the OTA’s website or employee portal, where they are then asked to input their credentials before continuing. This gives fraudsters automatic access to their accounts and account assets, such as loyalty points, employee and customer information, or stored credit card details.

Password fraud

Considering the threat of phishing, as well as the additional threat of adversaries being able to purchase credentials in bulk from underground marketplaces – password security is significantly vulnerable to online travel fraud. Both the risk of attackers gaining access to employee accounts and subsequent insider information, and the threat of a customer accounts becoming compromised, are equally concerning for travel companies.

Credential stuffing and account takeover

When attackers gain access to a multitude of credentials through the above methods, they are then able to perform credential stuffing and gain access to customer accounts. Credential stuffing is a common account takeover technique used to gain brute force access to an account by continually, automatically injecting usernames and passwords into website login forms until they get a match. Between July 2018 and June 2020 there were 63 billion credential stuffing attacks targeted at the retail, travel and hospitality industries.

Loyalty point fraud

Many OTAs and other businesses within the travel industry now have a loyalty point or rewards scheme. For example, Expedia has a scheme called Expedia Rewards; earn points with each booking and you can later redeem them for future rewards. Once an attacker gains access to a customer account they can:

• Cash out the loyalty points to use the rewards for themselves or sell them on for a profit.
• Sell the customers credentials and details of loyalty points on the dark web.
• Change the account details to their own and use the loyalty points for heavily discounted flights, hotels, or other holiday packages.

As well as losing the original value of the loyalty points, OTAs will often have to reimburse affected customers with the loyalty point credits stolen in the attack. Additionally, there is risk of dealing with repercussions due to brand damage and loss of customer trust.

How can machine learning protect travel companies from OTA fraud?

Using a machine learning platform OTAs can collect behavioral data on the visitors that access their website and analyze this data to detect patterns of behavior. The machine learning platform differentiates between genuine customer behavior, bot behavior (both ‘good’ bot behavior, such as google bots, as well as more malicious bots, e.g. credential stuffing or card cracking bots), and fraudulent behavior patterns. This allows OTAs to assess the risk of a user and a transaction before it becomes a chargeback.

Machine learning can be used not only to stop attacks on OTAs, but also to predict when an attack is about to occur and prevent it from happening based on the behavioral data of website visitors.

Netacea’s Intent Analytics® engine uses advanced machine learning techniques to detect fraud attempts by spotting patterns of behavior that appear suspicious.