Mumbai: Online travel is one of the sweet spots of the Internet business here, as it is in most parts of the world, and this makes the space vulnerable to fraud.
While details on the extent of these frauds isn’t known, a recent report by MarkMonitor, a San Francisco-based firm that works in the area of brand protection, thought instances of brandjacking—the act of hijacking brands through cybersquatting, phishing, false brand associations, pay per click scams or domain kiting—in the online travel space significant enough to separately study it in the Spring 2008 MarkMonitor Brandjacking Index, a quarterly report put out by the firm.
Brandjacking is also gaining mileage in India. Amitabh Pandey, president and head of e-business with Thomas Cook (India) Ltd, one of the leading travel services companies with an online travel portal, and the man behind Indian Railways’ online ticketing initiative (he used to work for Indian Railways) said India’s online space is increasingly becoming unsafe as in other countries. “Online frauds are there ever since the Internet started and credit cards were introduced. Obviously, the travel space is getting more affected by frauds as online ticketing outpaces other transactions,” Pandey said.
The online travel business in India has increased manifold in the recent past
Many of the instances of online fraud concerning travel sites have to do with stolen credit cards. In recent months, there have been reports of stolen credit cards being used to book online tickets of Kingfisher Airlines, Jet Airways and Simply Deccan.
Neelu Singh, chief operating officer of Ezeego1.com, an online travel portal promoted by Cox and Kings Ltd, said the size of the online travel market is about $2 billion and expected to grow to $6 billion by 2010. Prospects for business and scams are hence huge, especially since India raced past other countries in Internet usage (33%) last year, and with the Internet population in the country expected to cross 100 million by the end of 2008.
Still, brandjacking of travel sites here remains unsophisticated—for now.
Ashwin Damera, founder and chief executive officer of Mumbai-based travel portal Travelguru.com, said phishing is common in sectors such as banks, but not among travel sites here. “Apart from phishing, one of the other common frauds is skimming, which is the theft of credit card information used in an otherwise legitimate transaction. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim’s credit card out of their immediate view. The skimmer will typically use a small keypad to unobstrusively transcribe the three or four digit card security code which is not present on the magnetic strip,” Damera added.
The Brandjacking Index Spring 2008 report looked at two different segments of the global travel industry: the consumer-facing elements of online hotel and air travel bookings and the B2B or business-to-business elements of purchasing spare aircraft parts. Both witnessed a spate of fraudulent incidents.
The US sees a brisk online trade in airline ticket vouchers with deep discounts of 80%. While most airlines have a policy that these vouchers are non-transferable, the trade still flourishes. MarkMonitor teams tested this theory and purchased several and, as expected, the voucher numbers could not be validated by the airline when they tried to use them to pay for a flight.
Online scammers are also combining various frauds and “blended abuses” have emerged as a new way to trap victims. MarkMonitor cites how a website’s pay-per-click travel ads can lead to malware that gets installed on a user’s machine. The malware helps collect usernames and bank account information.
Pandey of Thomas Cook admitted that fraudulent practices will have a significant impact on the online travel space here. “There could be fraudsters launching a website similar to an established website of a travel portal with slight spelling changes. If a customer makes a small spelling error, naturally he will be diverted to that fraud site,” he said.
Pandey, however, added that there is no “rocket science” involved in ensuring the safety and security of online commerce.
Damera of Travelguru.com said his website used to advise his customers to scratch out the last three digits (CCV, credit card verification, or card code verification number) printed on signature panel of a credit or the debit card, after noting it down in a safe place. “As when the card is used for any transaction in a shop or restaurant, it is swiped and the machine reads data from the magnetic strip. CCV is needed only when an online transaction is done,” Damera added.
An executive at a travel firm claimed that the main issue here is the absence of “collaboration”. This person said that his agency had pointed out a clear instance of credit card fraud to the bank that issued the card and asked it to block the card. The bank, this person added, refused to do so until it heard from the card holder. “There should be collaboration among banks, travel agents and other security agencies to make the online travel space clean,” he said.
What is brandjacking?
Phishing: It is the act of fraudulently obtaining information by pretending to be a trustworthy site. It is typically carried out by mail where a link is provided. This link takes the user to a site that resembles that of his bank or payment gateway or credit card company. The user enters account information that is used by the phisher to carry out an actual transaction on the actual site of the bank or credit card company.
Cybersquatting: The act of “squatting” on a URL that is actually a trademark or a brand name that belongs to someone else.
False brand associations: An online-claimed association with a large and well-known brand that lulls the user into a feeling of safety and encourages him to share personal financial information.
Pay-per-click scam: Also called click fraud, this is essentially where a person or a code imitates a person.
Domain kiting: Or domain tasting, this is the practice of firms or individuals using the five-day cushion they have at the beginning of a domain registration to test its saleability. In this period, the company or individual sees which domain is most lucrative. These are typically misspellings, domains that were previously used but have since expired (these are still indexed by search engines). Domains can be returned within a five-day period for a full refund.
Read the entire report at www.markmonitor.com