By Alex Salkever
Whenever someone uses a credit card to buy something, the processing company that authenticates the transaction awards it a score that rates the likelihood of fraud. It does this with the help of specialized software programs that look for patterns common to fraudulent transactions. For example, if the transaction occurs between 1 a.m. and 3 a.m., takes place online, and involves a credit-card with a mailing address on the West Coast, the bank would likely give it a high risk rating.
That rating goes off the charts if the transaction covers $5,000 of computer software or hardware and has a Los Angeles-area mailing address (sadly, L.A. is a hotbed for online fraud). The bank then can choose to reject that transaction based on the likelihood of fraud, or it can give the choice to the vendor. Over the past decade, these systems have also been refined for use by brokerage houses to monitor stock-trading activity and by banks to spot money laundering.
Now, airlines and the Federal Aviation Administration are taking a hard look at pattern-recognition systems as a way to fight terrorism. It's about time. Installing these systems could represent the first big step towards a more realistic way of managing risk in the transportation system. They could also alleviate long lines and unnecessary searches endured by innocent passengers, and create a more focused security effort that looks primarily at the riskiest cases.
To date, airlines have done some enhanced security screening on international flights. Most of their efforts involved checking for known terrorists, rather than looking for new assailants. But such screening is almost nonexistent on domestic flights. "In the U.S. today...there is no airline or carrier doing this type of screening. We need to be doing this on 100% of our domestic flights," says Ron Stewart, global managing partner for consultancy Accenture's travel and transportation industry group.
Pattern recognition could have flashed a red alert on September 11. A handful of men purchased last minute, one-way, first-class tickets and paid in cash. Their tickets were for flights on the same day, departing at nearly the same time. And those on the same plane asked to be seated in close proximity. In addition, all of them were traveling on unusual routes that hopped from city to city with no stopovers, and took a decidedly roundabout path to California via Canada and Portland, Me. Today, everyone knows the result of this ominous confluence. It's precisely the type of behavior that a pattern-recognition system can flag.
Although industry experts are reluctant to discuss precise details due to the sensitive nature of the systems, here are some obvious elements of how they would operate. A passenger buys a ticket and thereby enters his or her name in the system. That triggers the pattern-recognition software, which then brings up a record of past flights taken by this person and establishes a baseline for known behavior.
The system could then crosscheck with an FBI database of criminals and terrorist suspects. Ideally, the system would also check with the Immigration & Naturalization Service to examine past entrance and exit records for this individual, or if that person had committed a crime in the U.S. Those are the most basic screens, but ones that would not have caught most of the September 11 hijackers.
More effective are screens that examine behaviors exclusive of identification. The software will then run through a checklist of indicators. Was the ticket purchased with cash? Obviously, cash purchases in air travel are rare and could indicate a desire to evade the record that might come with a credit-card purchase. Was the ticket booked at the last minute? That could also indicate an effort to evade scrutiny. Was the ticket booked with a request that the passenger be seated next to someone else or a group of individuals? That could indicate groups acting in conjunction. Beyond these obvious criteria, airlines could screen for passengers that have entered the system at weak spots, such as countries or individual airports known for feeble security. Strange patterns of movements might also trip a wire.
Of course, such an itinerary could describe the peripatetic wanderings of a traveling salesperson. But that salesperson would likely have a history of undertaking exactly these types of trips and, therefore, would be considered a lower risk due to his or her past history.
All of these factors would then be combined to create a risk score for each passenger. That score wouldn't depend on race, religion, or creed, limiting the dangers of racial profiling. "Based on those risk numbers, you can screen the top-risk passengers, eliminate the majority of people who will be low-scoring from security screening, then question the top people as to their destination and intent," explains Joseph Sirosh, the executive director of advanced technology solutions at credit-card fraud-prevention company HNC Software.
Taken to its furthest extension, airlines could potentially spot coordinated attacks by noting groupings of high-risk travelers on different airlines moving at the similar times. Throw international cooperation into the mix, and partnering nations could gain important insights into unusual travel patterns.
"The student that claims to be going to Indiana to study farming but turns out to be bopping down to Cairo and losing his passport doesn't fit the [safety] profile. Then you start there, rather than saying all Arab students should be scrutinized," explains Stephen Flynn, a research fellow at the Council on Foreign Relations in New York.
For his part, Accenture's Stewart advocates taking the system even further -- flagging post office boxes as addresses, employment records, and whether a passenger has recently been wired money. Add rental cars and hotels to that mix, and the accuracy of a pattern-recognition system might improve dramatically.
Yes, all this raises the ire of privacy advocates and civil libertarians, who are already leery of congressional moves to augment the capabilities of law enforcement. Even the prospect of airlines linking their databases to create system-wide customer profiles, they claim, would start to violate privacy by creating explicit records of people's movements. That's a concern and something that deserves serious debate.
The alternative, for now, seems far more grim and authoritarian. To prevent terrorism in our open system, National Guard troops have been deployed everywhere, and each passenger is assumed to be a potential terrorist until they prove they are not. That's why folks are getting thrown off of planes for carrying books deemed subversive, even for packing a pair of tweezers.
IN THE WORKS.
As Flynn points out, creating more transparency in our system by tracking movements and people would enable us to maintain more open commerce flows, rather than shutting down the system whenever an event occurs. Says Flynn: "When you look at everything, you see nothing. It doesn't buy you a great deal of security and it undermines your economic vitality."
Already, a number of companies are moving to roll out these types of pattern-recognition systems. HNC Software has already teamed up with airline yield-management company PROS Revenue Management to develop a pattern-recognition product that airlines could mesh with their existing reservation systems.
Accenture is pushing a broad effort involving the airlines, the federal government, and local law enforcement agencies to better spot terrorists. That might be too much too soon. But at the very least, installing systems that screen for risk in our overtaxed air transportation system is a necessary and long-overdue first step.
Salkever covers computer security issues twice a month in his Security Net column, only on BW Online
Edited by Douglas Harbrecht