$500 Billion Problem Seeking for a Solution.

Let me start with an innocent question:

Is it expected that someone buys Airline Ticket for somebody else?

Yes, it is standard practice for someone to buy an airline ticket for somebody else. People often purchase airline tickets as gifts for family members, friends, or colleagues traveling for various reasons, such as vacations, business trips, family gatherings, or special occasions.

Why are, then, such purchases being rejected online?

Airline ticket purchases being rejected online when buying for someone else could be due to various reasons. While online transactions have become more secure, there are still instances where legitimate purchases might get flagged as potentially fraudulent.

The online purchase process includes submitting personal info and payment card details with Card Not Present (CNP), followed by SCA - Secure Customer Authentication.

Card Not Present (CNP) Fraud:

This is one of the most common forms of e-commerce fraud, where fraudsters use stolen credit or debit card information to make unauthorized online purchases. Since the physical card is absent, verifying the transaction's legitimacy can be challenging.

What are the vulnerabilities in CNP authentication?

Card Not Present (CNP) authentication refers to verifying a cardholder's identity during an online or remote transaction where the physical card is not present. While CNP authentication methods have improved over time to enhance security, there are still vulnerabilities that fraudsters can exploit. Some of these vulnerabilities include:

Stolen Card Data: Fraudsters can obtain stolen credit card information through data breaches, phishing attacks, or other means. This stolen data can then be used to make unauthorized CNP transactions.

Weak Passwords: If a customer's account on an e-commerce website has a weak or easily guessable password, it becomes vulnerable to account takeover. Fraudsters can use various techniques to access these accounts and make fraudulent purchases.

Phishing and Social Engineering: Fraudsters can use phishing emails or fake websites to trick customers into disclosing their card information or other sensitive details. By impersonating legitimate entities, attackers manipulate users into willingly providing their information.

Man-in-the-Middle Attacks: Cybercriminals can intercept communications between customers and e-commerce websites to gain access to sensitive information, such as credit card details and authentication codes.

Transaction Interception: Fraudsters can intercept transaction requests and modify the payment details, redirecting the funds to their accounts instead of the intended merchant.

Synthetic Identity Fraud: Fraudsters create fictitious identities by combining real and fake information. They may use these synthetic identities to apply for credit cards and make CNP transactions.

Account Takeover: Fraudsters can make unauthorized CNP transactions using saved payment methods if a customer's account is compromised.

Insider Threats: Employees of e-commerce businesses with access to customer information or payment systems may misuse their privileges to carry out fraudulent CNP transactions.

Non-Secure Websites: Customers may unwittingly enter their card information on non-secure websites without proper encryption and security, making their data vulnerable to interception.

What is the most common method for SCA?

The most common method for Strong Customer Authentication (SCA) is using multi-factor authentication (MFA), which requires customers to provide two or more verification forms before a transaction is authorized. SCA is a requirement under the European Union's Payment Services Directive 2 (PSD2) regulations and is designed to enhance the security of online payments and reduce fraud.

The specific methods used for SCA can vary depending on the payment service provider, the e-commerce platform, and the user's device. Here are some standard techniques used for each factor:

• Something You Know: This often involves entering a password or PIN or answering a security question during checkout.

• Something You Have: This can involve using a one-time password (OTP) sent to the customer's mobile phone or email address. It can also include using hardware tokens or mobile apps that generate time-based OTPs.

• Something You Are: Biometric authentication methods, such as fingerprint or facial recognition, can be used on devices with the necessary hardware capabilities.

In CNP transactions, fraudsters often employ various tactics to exploit vulnerabilities in the system. While SCA adds an extra layer of security by requiring multi-factor authentication, determined fraudsters may still attempt to find ways to manipulate or deceive the authentication process.

Examples of potential spoofing or fraud-related incidents involving SCA could include:

Social Engineering: Fraudsters could attempt to manipulate or trick the cardholder into providing the authentication factors, thereby bypassing the intended security measures.

Stolen Credentials: If a fraudster gains access to a cardholder's authentication credentials (such as passwords or one-time codes), they could use those credentials to complete fraudulent transactions even with SCA in place.

Phishing Attacks: Fraudsters might use phishing emails or websites to trick cardholders into revealing their authentication information, allowing them to bypass SCA.

SIM Swapping: In mobile-based authentication cases, fraudsters could attempt to execute a SIM swap to gain control of the victim's phone number and receive authentication codes.

Malware or Trojans: Fraudsters may use malicious software to intercept or capture authentication codes, allowing them to complete fraudulent transactions.

Since Card Information can be stolen and SCA can be spoofed, we need additional tools, such as fraud filters.

How does a fraud filter for an e-commerce site works?

Fraud filters for e-commerce sites are sophisticated systems designed to detect and prevent fraudulent transactions automatically. These filters use a combination of rules, algorithms, machine learning, and data analysis to assess the risk associated with each transaction and determine whether it should be approved, declined, or flagged for further review. Here's how they generally work:

Data Collection and Profiling: The system collects a wide range of data related to the transaction, customer behaviour, device information, location, purchase history, and more. This data helps create a profile of normal and suspicious behaviour.

Rules-Based Filters: Initially, the system applies predefined rules to incoming transactions. These rules are based on known patterns of fraudulent activity. For example, if a transaction involves a high-value item being shipped to a different country than the billing address, it might trigger a rule and flag the transaction.

Behavioural Analysis: The system compares the current transaction to the customer's historical behaviour. It looks for anomalies, such as substantial orders, the rapid succession of purchases, or a significant change in purchasing behaviour.

Device Fingerprinting: Each device has a unique digital fingerprint based on attributes like IP address, browser type, and operating system. Fraud filters analyse this information to detect instances where a single device is used for multiple suspicious transactions.

Geolocation Analysis: By examining the geographic location of the customer, the billing address, and the shipping address, fraud filters can detect potential mismatches that may indicate fraudulent activity.

Machine Learning and AI: More advanced fraud filters utilize machine learning algorithms that learn from historical data to identify new and evolving fraud patterns. These systems can adapt and improve over time as they encounter new types of fraud.

Velocity Checks: Fraud filters monitor the frequency of transactions to prevent rapid, high-volume purchases that could indicate fraudulent behaviour.

Manual Review: Transactions that trigger specific rules or exhibit suspicious behaviour are flagged for manual review by fraud analysts. These analysts can decide whether to approve, decline, or further investigate the transaction.

Third-Party Data: Some fraud filters integrate with external data sources, such as blacklists of known fraudsters or compromised credit card details.

Feedback Loop: The system continually learns from its decisions and user feedback. If a flagged transaction turns out to be legitimate, this information can help refine the filter's rules and algorithms.

The decision mechanism

The fraud analysis is a pattern matching where the decision of Approve/Decline Transaction is threshold based. Keeping False Negative (Failed to Decline) low, as requested by Regulators, will imply that False Positives (Decline) will be significant:

What are the reasons for false declines in e-commerce transactions?

False declines, also known as "false positives," occur in e-commerce transactions when legitimate orders are incorrectly flagged and declined as potentially fraudulent by fraud detection systems or payment processors. While these systems play a crucial role in preventing actual fraud, they can sometimes result in rejecting legitimate transactions. Several reasons can contribute to false declines in e-commerce transactions:

1. Unusual Purchase Behaviour: If a customer makes a purchase that deviates from their typical behaviour (e.g., a high-value purchase or buying from a new location), it might trigger a false decline due to the perceived abnormality.

2. Multiple IP Addresses or Devices: A customer accessing an e-commerce site from different IP addresses or devices within a short time frame might raise suspicion and lead to a false decline.

3. High-Risk Geographical Locations: Certain countries or regions may have a higher prevalence of fraudulent activities, causing legitimate transactions from those areas to be wrongly declined.

4. Use of VPNs or Proxies: Customers using virtual private networks (VPNs) or proxy servers may appear as though they are in a different location, potentially triggering a false decline.

5. Fast or Rushed Purchases: Rapid checkout or multiple purchases within a short period can trigger false declines as they may resemble automated or fraudulent behavior.

6. Inconsistent Shipping and Billing Information: Mismatches between billing and shipping addresses or inconsistent personal details can raise suspicion and lead to a false decline.

7. Expired Card or Payment Issues: Sometimes, a legitimate card might be declined due to reasons unrelated to fraud, such as an expired card, insufficient funds, or a technical glitch.

8. New Customer Accounts: First-time customers with no purchase history may be subjected to more scrutiny, leading to false declines.

9. Mismatched Device Information: If the device used for the transaction is associated with previous fraud, it might lead to a false decline for subsequent transactions, even if they are legitimate.

10. Unfamiliar Merchants: Customers purchasing from unfamiliar or new merchants might face false declines as these transactions are perceived as higher risk.

11. Holiday or Sale Periods: During high-traffic periods like holidays or sales, fraud detection systems might become more conservative, leading to increased false declines.

12. Outdated Risk Models: A fraud detection system using outdated risk models or algorithms might result in false declines.

Going to the very first question: the mismatch between the payer payment card Identity and beneficiary of Airline ticket Identity may flag the fraud filter resulting in the purchase decline.

The distributed system and fraud prevention.

The card data is stored everywhere, the Card Issuer performs the SCA, and the E-Commerce site performs Fraud Analysis. This architecture is of a distributed system, which is not particularly focused on fraud prevention.

The money speaks for itself.

Studies show that $331 billion were lost to false declines in 2018, and they estimate that this will cost merchants $443 billion in 2021. Meanwhile, credit card fraud cost merchants $40 billion in 2018, which means that eCommerce merchants are losing eight times more to false declines. One reason for this gap/difference is that higher-value orders tend to raise more red flags, meaning the value of declined orders tends to be 1.6 times higher than the average approved purchase.

To keep false negatives pretty low (~0.01%) – the false positives become significant. A survey published by the Merchant Risk Council found that the average online store has a 2.6% rate of false declines because of suspected fraud. This survey means that 2.6% of the transactions blocked by the average e-commerce shop's overzealous threat detection tools were, in actual reality, legitimate shoppers trying to make legitimate purchases – and being stopped.

Another essential point is that the more expensive the attempted purchase, the more likely the transaction is to be declined. So, for purchases over USD 100, the false decline rate jumps to 3.1% – and so on for even more expensive buys.

So, the sites lose ~3% of the potential revenue. Is it much? This 3% is close to the net profit margin of the e-commerce sites. So, recovering it will be a huge boost!

TRIO vs. CNP e-commerce:

TRIO uses a different approach for E-Commerce Payments. In TRIO -every crypto transfer for payment transaction between Identified Buyer and Identified Seller is audited online to verify its authenticity.

In this regard, binding the payer's credentials for real-time identification and transaction authentication should be a great advantage. Thus, we may be able to skip over fraud filters and recover the lost revenue due to false declines.