Jeff Wixted has spent the better part of his career fighting online fraud by helping bring to life the solutions and strategies aimed at foiling a determined adversary that continues to become more determined by the day.
In 14 years at Accertify, he led a diverse set of teams to sell, build, implement and market their solutions to protect online enterprises from fraud and abuse. His expertise led him to a seat on the board of the Merchant Risk Council where he also served as treasurer. Wixted recently brought his deep fraud expertise to Signifyd, where he is among those accelerating Signifyd’s growth in travel and new verticals.
I recently sat down with Wixted to talk about the changing face of fraud in the airline industry and why he believes Signifyd is uniquely positioned to tackle it.
Q: When you think about online fraud and airlines, what’s unique about this particular time. Why should airlines be thinking more deeply today about the challenges of fraud and consumer abuse?
A: It probably won’t shock you if I say the pandemic brought about some important changes that affect how airlines need to think about fraud. The airline industry was generally in a mature steady-state mode from 2010 to 2019. Things were good. Business travel was great. If you and I were going to go somewhere over the weekend, we left on Friday, came back on Sunday. It was very predictable. And then COVID hit and everything we knew changed.
Airline passengers’ habits have transformed dramatically
Q: What in particular changed?
While rebounding, business travel has been inconsistent. You and I can fly out on a weekend trip on Wednesday and work a day or two, then enjoy the weekend and fly back on Monday. Traditional tried and true patterns have just gone out the window in the last few years. In addition, new travelers are entering the mix, frequent flyer programs are surging with American Airlines reporting last year that enrollment in its AAdvantage program was up 60% compared to pandemic days and United saying registration for its miles-earning credit card was up 30% year over year. Meanwhile, fliers are willing to splurge on extras like premium economy seating and other benefits.
That’s really wreaked havoc on the incumbent fraud protection providers that rely on static rules and bolted-on machine learning. It “works” for a period of time and then reverts back to the norm — chargeback rates go up, manual review increases and so the natural tendency is to add rules which only exacerbates the problem. As an airline, you’re in a bind. There has to be a better way. I think Signifyd is that.
Q: All that said, in some ways it’s kind of surprising that the airline industry has a fraud problem. I mean, when you buy a ticket, they know everything about you. Your name, address, email, known traveler number, maybe your passport number. How does fraud happen in the airline category?
A: The real answer is it occurs much as it does in other industries — there are account takeovers, card-not-present fraud and first-party abuse. The classic example is I get a hold of your payment card or account credentials (likely via a data breach). I go online. I book a ticket. The ticket is in my name. Obviously, I have to go through security and I have to show someone my ID, so that’s going to have to match up. And so yes, I would be the traveling passenger on the flight and you most kindly would pay for it.
Q: Does the fact that the purchaser and the passenger are different people and have no apparent connection make it easier to spot the fraud?
Passenger/purchaser isn’t necessarily a sign of airline ticket fraud
A: You can screen for that in fraud. I can look and see the person who paid for this ticket is not one of the traveling passengers. It doesn’t mean you’re bad. It happens.
My daughter is in college. I would buy her plane tickets to come back and forth. I’m not traveling but I have status with the airline, we have the same last name, every one of her flights departs or arrives into Chicago which is in close proximity to the billing zip code, she has a .edu email address where the university is in close proximity to the arrival and departure airport. And so on. All the data is there to make accurate, automated decisions; you just have to be able to make use of it.
Q: So airlines have some advantages over your basic retailer when it comes to fraud detection?
A: I mean, on the retail side, you and I could both buy the same T.V., but it’s a different SKU at every retailer and it’s really hard to profile on that SKU beyond a single merchant. In the airline industry, you can profile the airport. I can understand the risk and what’s happening at a particular airport or even a particular route in real time.
I may determine that Chicago to Las Vegas is a high-risk route. There tends to be a higher percentage of fraud on that than there is from, maybe Chicago to Kansas City or Dallas or an average day. You can also pair this with what’s happening in the world. For the Olympic Games perhaps everything in/out of Paris for two weeks in July and August may be at higher risk.
Machine learning sorts airline ticket fraud from legitimate purchases
Or, I live in Chicago. I would never drive three hours to Indianapolis and get on a flight. That doesn’t make any sense even if the fare was cheaper. But perhaps in Mexico this may be a more common pattern.
This is the beauty of machine learning where you can profile every one of these route combinations, combine it with a whole bunch of other data points and construct really powerful model features to discern both good and bad behavior.
Q: So then you can guess my next question: If the airlines have so much helpful data, how is it that airlines have a fraud problem?
A: Airlines have a fraud problem for many of the same reasons all retail categories have a fraud problem – extremely motivated adversaries. Fraud gets very sophisticated and detecting it can become very difficult, especially when it’s carried out by the rightful cardholder, when it’s first-party fraud. When I claim I didn’t buy that or I didn’t book that, that’s much harder to detect.
I’ll say it becomes equally more difficult if I’m able to get into your loyalty account, which you probably have for an airline that you travel with today. I get into that account and then I book a ticket or use your loyalty points through a marketplace to buy a gift card or laptop and then easily resell it. All thanks to your history and hard-earned loyalty.
Q: It does seem like account takeover is a natural for airlines with all the miles programs out there.
Airline accounts are attractive targets for account takeover
A: Not only that, but if you, the victim, were a frequent flier or if you had any type of loyalty or status, chances are the airlines are not going to hang me, the fraudster, up as a result of that despite maybe there being some red flags.
Q: It sounds like loyalty accounts are the golden ticket for fraudsters.
A: It’s one the airlines continue to get beat on — this notion of account takeovers and fraudsters piggybacking on others’ loyalty rather than spending months or years trying to build up a profile of myself. It’s much easier for me to take over your account and do something malicious. In most cases, it’s the customer who finds out first and that creates a trust and reputation problem for the airlines.
Q: So, going back to first-party fraud. I’m kind of baffled. I know it’s difficult to detect, but again with airlines, at least after the fact, I mean, they should know whether that person was on that flight. So how would someone even get away with saying, “I didn’t book that flight.” The airline knows you were on it — right there in Row 7, Seat A.
A: Yes, you’re right. The airline does have a flight manifest. In the case of first-party fraud it’s a “service” issue and not, “I didn’t make or recognize this purchase.” This can occur with ancillary purchases which account for a greater share of airlines’ revenue. Maybe you were on the flight and you bought a drink or WiFi or maybe you checked your bag or you had to pay for a seat. Those come through on your statement as separate charges from your ticket. And so, you may say, “Well, I’m not paying for that. I’ll just dispute it.”
Airline chargebacks are varied, but also winnable for merchants
And for the airline to fight these smaller purchases, there is effort involved and a cost. That’s where Signifyd can come in and automate a lot of these procedures and disputes that come in at a low value. And we can win them.
Q: My first thought was, $8 for a drink, $3 for headphones, who’s going to commit first-party fraud to get that back? But then, you check a bag and it’s $50. Plus the $8 drink and $3 headphones and maybe you had to pay $25 for your seat because the free seats were all taken.
A: Yes. It tends to be stressful generally. Sometimes, you’re charged for these ancillary things when you’re at the gate. You try to board the plane and they tell you your bag is too big. You’ve got to check it and that fee at the gate is probably higher than doing it in advance. And you say, “I’m just disputing this. I’m not paying for this.” That falls into the abuse category and again these are winnable disputes for the merchant.
Q: Or WiFi. Think how many times you’ve paid for WiFi and, well, you get WiFI, but not very useful WiFi. It’s slow. It hangs up.
A: Right. Or in-flight entertainment. Maybe the in-flight entertainment system didn’t work. I didn’t pay for that separately. It was part of my ticket, but I feel like I got taken. They promised me this nice amenity and it didn’t work. They did fly me from point A to point B, but my experience getting there wasn’t great.
Airline fraud protection practices are due for an upgrade
Q: So you’ve been working on online fraud and fraud in the airline industry for some time now. Why Signifyd? How did you decide that Signifyd was where you wanted to continue the battle?
A: I’ve been fortunate to be in this space long enough to understand the mechanisms behind it. And frankly, the incumbent fraud solutions generally tackle this problem in two ways. The first with manual review. So if I wasn’t sure of a decision that I was going to make on this booking, I put it into a queue and let an analyst go through and review it. Ultimately that analyst will make a yes or no decision and while it may reduce false positives, it’s an expensive proposition.
And secondly, behind the scenes, what tends to happen is all these rules get created. So for example, I found a fraud pattern. I’m going to create a new scoring rule that says if I ever see something related to this booking, maybe it’s a phone or email or device, assign it a whole bunch of points that lead to a future decline. Or, enough points to put it in a queue and let an analyst review it.
And you do that millions of times over a year, across a decade and you get this proliferation of thousands of rules that are just unmaintainable. It’s almost impossible to unwind them or take one out. In most cases the only way out is to start over and reimplement but the incumbent fraud provider is unlikely to commit resources to do this because it results in no incremental revenue for the fraud provider.
Change can be difficult with bulky, legacy systems
And so what happens is you just continue to add and add and add, and put more and more and more into the queue and ultimately you overwhelm the analysts. They never get to review all of these bookings and the plane takes off and then hours later you figure out, “Oh no, that was fraud.” I had it in the queue and I was all set to stop the fraud, but I didn’t have enough resources to get to it in time. Or, the inverse happens. The analyst bulk approves all the bookings in the queue to get through and release them only to incur fraud and higher chargeback rates.
These are two big problems that airlines face today with their incumbent provider — heavy reliance on manual review and a ton of stale scoring rules. Over time they’ve added machine learning into their rules engine but all you’ve really done is add more heartburn. What tends to happen are two teams wrestling with each other for control. The team creating rules is empowered but blind to what the team managing the machine learning model is doing and vice versa. Consequently, the machine learning model and the rules double count (overweight) a condition or act as a counterbalance and net out (underweight) a condition. Both teams are frustrated and pointing the finger at each other. In the end, it is the merchant who suffers.
Q: And so you see Signifyd as the answer to the outdated approach the airlines and their fraud prevention partners are taking?
A: To me, what differentiates and makes Signifyd truly wonderful in this space is the ability to flip that around and say, “We’re going to apply machine learning first and we’re going to stand behind it and guarantee the decision. We may incorporate some rules, your policies. Each airline has policies as to who can do what and why. We’ll incorporate all of those, but we’re going to make automated decisions. We’re going to stand behind those decisions and we’re going to use machine learning to continue to understand the patterns and trends and all the things that are happening daily, weekly, monthly in this business without having to have all these static rules that put something into a queue and require a lot of labor to review it and maintain them.”