The vacation rental industry is about people putting up their homes for rental, on online marketplaces like Homeaway and AirBnB. This opens up unique possibilities for fraud -- where the tenants could be fake, might damage the property or steal from the home. To avoid this, the technology platforms have to conduct "cyber-security" checks such as credit card verification, address verification and more advanced analytics such as velocity checks etc. As an expert in this field, I presented recently at the industry forum for women entrepreneurs.
4. Use fraud tools aka superpowers to fight fraud and build trust.
5. AVS AND CVV CHECKS
CVV in particular is a shared secret between the cardholder and the issuing bank. We ask the buyer to provide their credit card billing address and card verification value (CVV) and verify both with the issuing bank. Given that e-commerce merchants CANNOT store CVV (a PCI requirement), a fraudster will not have access to it even if they have the card number, expiration date and billing address information. (Fraudsters typically buy stolen cards on the dark web.)
MAINTAIN LISTS
Verified traveler, blocked traveler, watchlists (suspicious): Over 10% of all orders are from repeat travelers who have proved themselves to be legitimate cardholders, a.k.a. verified. Similarly, you can track email IDs, among other uniquely identifying attributes, from orders that resulted in a fraud chargeback to block them from gaming the system subsequently.
MACHINE LEARNING & BEHAVIORAL ANALYSIS
Statistical models that learn complex patterns in data.
Behavioral analysis: We know the typical behavior of a traveler making a $1000 booking. They look at a few options and spend, say, 15 minutes before they make a booking. We compare the behavior of the traveler with the “expected behavior” and do all this without introducing any friction to the process. This also spots bot activity.
DEVICE FINGERPRINTING
It is quite important to uniquely identify the device (browser) that the booker is making the transaction from. It is easy to buy multiple emails but much harder to use one device per order. Similarly, if we know where the device is located, we can determine its proximity to the cardholder’s billing address (generally their residential address).
VELOCITY CONTROL
Given that fraudsters are organized crime units, you want to watch out for “repeat bookings” from the same person, be it the same email or device, and effectively stop them from perpetuating fraud on your platform.
7. Did you know? Fraudsters are organized and very resourceful in converting stolen cards to cash.
Did you know? They buy stolen cards on the dark net that other fraudsters added from a data breach.
[Diagram: Fraudster, Real Cardholder, Vacation Rental website, Payment Processor/Gateway, Issuing Bank]
- Step 1: Fraudster steals card details.
- Step 2: Books an immediate stay on the vacation rental website; the booking is approved through the payment processor/gateway and the issuing bank.
- Step 3: Fraudster completes stay.
- Step 4: Real cardholder receives credit card statement and recognizes a purchase he didn’t make.
- Step 5: Calls bank with anxiety.
- Step 6: Credits the money back to the real cardholder and debits the merchant.
- Step 7: BUYER FRAUD. You, the vacation rental, lose money ($1000) every time you let a fraudster book your property. To make this worse, you also get dinged a chargeback fee and have to work hard to fight it.
13. Address Verification Service (AVS) / Card Verification Value (CVV)
[Diagram: Fraudster, Real Cardholder, VacationRental.com booking form (Name, Card #, Exp Date, Zip Code, CVV, Submit), Payment Processor/Gateway, Issuing Bank with Cardholder Profile, Dark Web]
- Step 1: Registers / creates an account.
- Step 2: Issue a credit card.
- Fraudster: obtains a stolen card (dark web); can’t provide CVV; AVS fails, CVV fails; booking declined.
- Real cardholder: provides correct CVV/zip; CVV pass; booking successful.
14. Known Good and Bad Buyers (Maintain Blocklist/Whitelist/Watchlist)
[Diagram: Fraudster, Real Cardholder, VacationRental.com booking form (Name, Card #, Exp Date, Zip Code, CVV, Submit), Payment Processor/Gateway, Issuing Bank with Cardholder Profile, Dark Web]
Did you know? More than 10% of the traffic is from repeat or known customers.
- Check if you know the buyer (use verified elements like email or phone).
- STRONG match on buyer, fuzzy match on card; run rules by checking against traveler lists.
- Traveler List: Green (Approve), Orange (Refer), Red (Decline).
- Fraudster: obtains a stolen card (dark web); booking declined.
- Real cardholder: booking successful.
15. Velocity Control (frequency of seeing a buyer)
TOOL #3
[Diagram: Fraudster, Real Cardholder, VacationRental.com booking form (Name, Card #, Exp Date, Zip Code, CVV, Submit), Payment Processor/Gateway, Issuing Bank with Cardholder Profile, Dark Web]
- Counters: IP Address, Email id, Card Number.
- Multiple bookings from the same card (Orange/Risky).
- Multiple bookings from different cards but same device (Orange/Risky).
- The above from a device proxying itself (Red/Decline).
- Fraudster: obtains stolen cards (dark web); Booking 1, Booking 2, Booking 3; bookings declined.
- Booking from a real cardholder: booking successful.
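The traveler-list and velocity rules from the two slides above, as an added sketch that is not part of the original deck. The 24-hour window, the class and parameter names, and the card token (a processor-issued token standing in for the card number) are assumptions.

```python
from collections import defaultdict

GREEN, ORANGE, RED = "approve", "refer", "decline"
WINDOW = 24 * 3600  # assumed look-back window, in seconds


class BookingScreen:
    """Traveler lists plus velocity counters keyed by card and device."""

    def __init__(self, blocklist=(), watchlist=()):
        self.blocklist = set(blocklist)   # emails tied to fraud chargebacks
        self.watchlist = set(watchlist)   # suspicious: refer for review
        self.card_times = defaultdict(list)    # card token -> booking times
        self.device_cards = defaultdict(list)  # device id -> (time, card token)

    def decide(self, ts, email, card_token, device_id, via_proxy=False):
        email = email.strip().lower()
        if email in self.blocklist:
            return RED
        # Count earlier bookings inside the window before recording this one.
        same_card = [t for t in self.card_times[card_token] if ts - t <= WINDOW]
        other_cards = {c for t, c in self.device_cards[device_id]
                       if ts - t <= WINDOW and c != card_token}
        self.card_times[card_token].append(ts)
        self.device_cards[device_id].append((ts, card_token))
        risky = bool(same_card) or bool(other_cards)
        if risky and via_proxy:
            return RED      # a velocity hit from a device proxying itself
        if risky or email in self.watchlist:
            return ORANGE   # same card again, or same device with new cards
        return GREEN


def run_sample():
    """Constructed bookings (time in seconds); every value is made up."""
    s = BookingScreen(blocklist={"cb@example.com"})
    return [
        s.decide(0, "ann@example.com", "tok_A", "dev_1"),
        s.decide(600, "x1@example.com", "tok_B", "dev_2"),
        s.decide(1200, "x2@example.com", "tok_C", "dev_2"),        # 2nd card, same device
        s.decide(1800, "x3@example.com", "tok_D", "dev_2", True),  # and now proxied
        s.decide(2400, "CB@example.com", "tok_E", "dev_3"),        # blocklisted email
        s.decide(90000, "ann@example.com", "tok_A", "dev_1"),      # outside the window
    ]


if __name__ == "__main__":
    print(run_sample())
```

Counters are read before the current booking is recorded, so a first booking never trips its own rule, and a repeat traveler who returns after the window has passed is approved again.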
16. Device Fingerprinting (IP, geolocation etc.)
TOOL #4
[Diagram: Fraudster (Location: RUSSIA), Real Cardholder (Location: CALIFORNIA), VacationRental.com booking form (Name, Card #, Exp Date, Zip Code, CVV, Submit), Payment Processor/Gateway, Issuing Bank with Cardholder Profile, Dark Web; the fraudster obtains a stolen card]
- Step 1: Detect the device uniquely using device fingerprinting.
- Step 2: Detect where the device is using IP and geolocation.
- Step 3: Detect the real device even if a proxy is used.
* RED FLAG
- Zip verified in California but device is in Russia
- CVV failed
- Multiple bookings
- Immediate stay
- E-mail can’t be correlated to CA either
17. Modern Tools – Machine Learning, Behavioral Analysis
TOOL #5
[Diagram: Fraudster, Real Cardholder, VacationRental.com booking form (Name, Card #, Exp Date, Zip Code, CVV, Submit), Payment Processor/Gateway, Issuing Bank with Cardholder Profile, Dark Web; the fraudster obtains a stolen card]
MACHINE LEARNING
- Statistical models can’t handle more than 2 dimensions well
- Pair machine learning with rules to define policies, such as avoiding business with sanctioned countries, and/or quick fixes
Machine Learning Behavioral Analysis - The behavior of a fraudster is different from that of a real cardholder. For instance, they use bots to fill in card information and spend much less time reviewing properties.