Protecting Loyalty Programs with a Holistic Fraud Strategy
Fraud and account takeover are growing problems in every industry, and many companies struggle to implement or specialize their security controls to protect their customers more effectively. This session will discuss how Southwest Airlines collaborated across technology silos and business teams to create a holistic fraud mitigation strategy and platform.
Full transcript
The complete talk, organized by section.
Howard Patty
Welcome everybody. I apologize for the delay, but it was not Southwest Airlines' fault — to clear the air there. So, yeah, I'm thrilled to be part of this conference and for the invitation to present here today. It's been one of my favorites since I first attended back in 2018.
I'll start with an audience poll. I think if you attended the Clear session, you did the airline travel poll, so I'm going to narrow that down a little bit. How many of you traveled on Southwest Airlines to get here? Now, how many of you are Southwest loyalty members with a Rapid Rewards account? That's a fair representation. Actually, more loyal members. For those of you who did not raise your hand, come see me after the presentation and I'll help you sign up for an account. It'll help with our OKRs for our value stream.
Co-presenter — Tami Eick
There are two people listed up here. I do want to recognize Tami, but you're stuck with me today. Tami, my business partner, couldn't attend. I still want to recognize her and her great partnership through this journey, and how she brought me and my team into her world of revenue protection. She's a seasoned fraud practitioner and an industry leader. She meets with people all across the industry, and she's actually dragged me to several of her fraud manager conferences with other airlines, which were very fun, where I learned all about the fraud problems that different airlines are facing — to bring that back home and help formulate the strategy that we've come up with.
About me
As for me, I've been in tech for about 17 years, going on 10 years of tech leadership. I'm currently responsible for the support teams behind our Chase co-brand credit card program and our identity and access management delivery team. We also have a UI platform team, our test automation platform, and what I call our edge services and security team, which I'm going to talk a little bit about today.
About Southwest Airlines Rapid Rewards
A little bit about the Southwest Airlines Rapid Rewards program. If you saw Lauren's keynote yesterday morning, I hope you did. If not, see the recording. She was fantastic.
I just want to call out a couple of things about our operation to help you understand the magnitude of our program. We had over 171 million passengers last year, and on average we're moving about half a million people a day now, and sometimes 25% more than that in the busy travel season. A significant portion of those people are loyalty members. And every single one of those people, their journey touches our digital platforms at some point, whether they're checking in, making a purchase, or following up on their loyalty account after the fact.
Going into the loyalty program — airlines, it's no secret, have been doing this ever since the first airline co-branded credit cards were introduced about 30 to 35 years ago. Southwest got there in 1996. Yes, we're an airline, but we're also a bank. If you dig into our income statement, you'll see that of our $26 billion of operating revenues, only about $23 to $24 billion of that is air travel revenue. That leaves quite a significant number that comes from our ancillaries — things like charters, in-flight drink sales — and then a significant portion from what we get out of our loyalty program.
What business problem were we trying to solve?
Now, the business problem. Fraud is a very broad and complex problem with many stakeholders across the business. And something that I've learned on my journey with Tami over the past year is that in many companies, there's not clear ownership of the problem. There's no centralized ownership, because there are many different types of fraud, which I'll get into here in the next slide. But basically, as bad actors have employed more sophisticated techniques, and our fraud landscape has evolved, something had to be done.
I just want to paint a picture of the size of this problem. Looking at industry insights: about 5% of all online transactions last year were associated with fraud — this came from a TransUnion report released earlier this year. And Fortune Business Insights — this report from 2018 predicted that the aggregate value of points accumulated in loyalty programs globally will reach close to $30 billion by 2030. As we saw during the pandemic, redemption of those points didn't happen, and people continued to accumulate. So we're well on our way to that prediction.
Now, fraud loss in the airline industry — there is an international consortium of which all major airlines are members. It's called the International Air Transport Association, IATA. They released a white paper back in 2020 where they stated that 1.2% of revenue from all airlines is fraud loss. That's a lot. And that also tracks to shrinkage rates that you may see in retail. But in the airline industry, where just a few days of disruption can cause hundreds of millions of dollars of loss, every little bit counts. So we need to do better.
Fraud in travel is not new, but it's constantly evolving
It's not a new problem. I'm not going to drain all of these headlines, but one thing I want to highlight: as loyalty programs have evolved and those points balances and miles have become monetized — you can convert those into cash equivalents, like gift cards, you can redeem them to get a Gucci purse or a PlayStation 5 — those things are very valuable merchandise. They're going to be turned around, and it's made our loyalty programs an even bigger target for fraudsters.
When you think about it: the mission of Southwest Airlines is connecting people to what's valuable in their lives through reliable, friendly, and low-cost air travel. Connecting people to what's valuable in their lives. So for me, I don't think of these fraud victims as customers or a stat or a number. They're our friends, they're our family, they're our loved ones. They're trying to go somewhere, whether it's on a once-in-a-lifetime family vacation or trying to get to the bedside of a dying family member. These are critical moments in people's lives. So it's more important than ever for us to protect our digital experience and make sure that we have a secure, reliable, and ultimately trustworthy experience for our customers.
The fake-travel-agent / loyalty-brokerage use case
I'll take you through a somewhat complex use case here — stick with me. This fake travel agent use case — in the industry, we call it loyalty brokerage, or account brokerage, or points brokerage. Hopefully you'll be able to see the broad spectrum of motives of bad actors. It could be something as simple as a travel agent adding an extra fee, violating our policies, booking on behalf of a customer — or something as extreme as somebody phishing to steal your identity.
I'll start with googling cheap flights to Hawaii. Something comes up for Southwest Airlines — sorry, Hawaiian Airlines — but it's a fake travel agency. That fake travel agent has a call center located somewhere overseas. I call them up and they're selling me on a really good deal. As customers in the travel industry, we're conditioned to freely divulge our personal information. I will give my date of birth, my passport number — what else do you want to know? My social? Maybe not. But I'll give you all this information.
Then they'll create a fake account on your behalf. They will collect your payment information. So now they're in control of your credit card, and they have all of the little bits and pieces that they need in order to authorize that transaction. They may charge your card directly and not actually use your card for that transaction. With Southwest Airlines, they would maybe use a card they stole from another customer.
Then, moving along, they're maintaining control of your account. By maintaining control of the account, they could harvest your points, your travel funds, drop your itinerary, cancel it altogether — and then you're a customer stuck at the airport without ever knowing you were flying, and you were never notified that it was cancelled. There are other customer service issues that happen there, because now your contact information is obfuscated from the airline. So if there's some operational issue, we can't text you and say, "Your flight's going to be early."
Then that rolls up to the brokerage piece. They have all this information and they could package it up and sell it on the dark web, because that would be a very valuable package — a credit card with highly-validated contact information. Or they're leveraging those stolen assets to defraud more customers.
Beyond direct revenue loss
So the complexity of this problem goes really deep. Constructing a business case on trying to solve this problem is really hard. As a technologist, someone who's passionate about cybersecurity, fraud is a concern — but it's really a business problem. Fraud at our company is basis points on revenue. But the big question is: how much of that risk is acceptable to the business?
You've got to consider more than just the direct revenue loss. You have the interaction with the call center agent — there's a cost to that, and there may be multiple interactions, and there are interactions at the airport if there are issues. There are the fraud analysts, if there's escalation to recover those assets and make that customer whole again. And even if that customer understands that they were defrauded and it's no fault of Southwest Airlines, they're still going to associate that bad experience with your brand.
And then you have regulatory penalties. British Airways, for example, was fined £20 million in October 2020 by the European Union under GDPR for a security breach — a government agency fining the company for not having a certain control in place. So it's more important than ever that we do that. Regulation is coming to the US. In a highly-regulated industry, we have all kinds of security directives coming in from various regulatory agencies that we're having to learn how to comply with. Once those become formal regulations — if they're not already — there may be fines associated with that.
From "managing fraud" to "mitigating fraud" — the customer-journey Sankey
This is Tami's slide, so I'll do my best. Going back some years, our fraud landscape focused solely on payments. This made sense, because that's where fraud hits your pocketbook. And while Tami's payments fraud team is very good at managing this type of fraud — they've been doing it for well over a decade — they were only managing that fraud. It's kind of like looking through a keyhole. That evolving fraud landscape that I just illustrated is now a burning platform for us to do more.
Where is fraud mitigation needed? How do we evolve from just managing that fraud to mitigating that fraud before it occurs? First, we had to classify the types of fraud and understand the behavior patterns.
Looking at this Sankey chart, you can see there are many stages in the customer journey — in our funnel — where we can apply friction and apply controls to mitigate against the type of behavior you might expect from a fraudster. We still have a couple of problems here. One: these different areas of our website are managed by different teams, or maybe different product managers in the business, who are responsible for KPIs, goals, and results in those different pieces of our flow. No one is really looking at it from a holistic fraud point of view. It's not really a problem for, say, the search people or the general ingress into the website. But this presented an opportunity for us to evolve what our Edge Services team was doing.
What value did we create? The Fraud Funnel — defense in depth, applied to fraud
What do we do about it? Our wins, as we worked with Tami over the years, made a tangible impact on our fraud costs, and ultimately justified this Digital Operations & Security Team (what I call our Edge Services team) growing into a cloud security team. They're equipped with the deep context of our platform — how our APIs work, the use cases, the relationships — all that social circuitry you need in order to accomplish something across a broad spectrum of teams.
This diagram, which I call our Fraud Funnel, basically represents how we've taken the defense-in-depth concepts and arranged them around fraud. Let me walk you through some of these layers.
Distribution & Edge Logic — load balancing, for example. We have general controls — that ingress layer — and we have our WAF. But then we can take the context of our application — say, look at our API documentation — and only allow supported methods in the requests coming through, to protect those resources farther down at origins. You'd be surprised how many websites allow traffic to flow all the way through — malformed traffic, unsupported requests — and only respond back with an error. That's a waste of resources.
We implemented specialized rate controls focused on the behavior patterns of our customers. The out-of-the-box rate controls aren't necessarily applicable to our industry. Say you're in Denver Airport and there are thousands of people getting ready to go on a flight, and there's a weather event, and all of a sudden everyone's trying to hit your website. We don't want our rate controls to start blocking people if they're on the Denver Wi-Fi. So we need to adjust those rate controls.
We implemented bespoke bot defense policies. We partnered with our API gateway team to manage and tighten up our authorization scopes. We implemented a new event risk scoring tool — that Sankey chart represents the events we're monitoring the risk on. Using those scores, we informed our Identity and Access Management solution for adaptive auth, to trigger challenge flows (MFA/2FA), for example. Then you have observability — and we're also responsible for PCI compliance input for the digital organization. You also have purchase auth and payment-card-industry controls, and post-authorization fraud management controls. All of those things working in concert together, in partnership with the business, have actually made a significant impact on the amount of fraud that is coming out at the bottom.
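A small illustration of how the risk-scoring and adaptive-auth layers described above fit together, written as an added example in Python (not Southwest's code or tooling): each journey event gets a base risk for the action, signals add to it, a per-IP distinct-account velocity signal is derived from the event stream while known shared egress such as an airport Wi-Fi NAT is exempted from volume-only penalties, and the score decides allow, MFA challenge, or block. Weights, thresholds, event names and IP addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
# Hypothetical signal weights; in practice these are tuned from observed fraud cases.
SIGNAL_WEIGHTS = {
    "new_device": 20,
    "contact_changed_recently": 25,   # brokerage pattern: hide the account from its owner
    "many_accounts_from_ip": 25,      # fake-account creation or a brokerage call center
}
# Higher-value actions carry base risk, so the same signals step up sooner on them.
EVENT_BASE_RISK = {"login": 0, "search": 0, "purchase": 10, "update_contact": 20,
                   "redeem_points_gift_card": 30, "transfer_flight_credit": 30}
CHALLENGE_AT, BLOCK_AT = 40, 70      # assumed thresholds
ACCOUNTS_PER_IP_LIMIT = 2            # assumed per-IP distinct-account velocity limit
# Constructed address standing in for known shared egress (an airport Wi-Fi NAT): volume
# alone must not penalize it, as the Denver example in the talk describes.
SHARED_EGRESS = {"198.51.100.10"}

@dataclass
class JourneyEvent:
    member_id: str
    event: str
    ip: str
    signals: set = field(default_factory=set)

def add_velocity_signals(events):
    # Derive "many_accounts_from_ip" from the event stream rather than trusting a flag.
    members_by_ip = defaultdict(set)
    for ev in events:
        members_by_ip[ev.ip].add(ev.member_id)
    for ev in events:
        if ev.ip not in SHARED_EGRESS and len(members_by_ip[ev.ip]) > ACCOUNTS_PER_IP_LIMIT:
            ev.signals.add("many_accounts_from_ip")
    return events

def score_event(ev):
    base = EVENT_BASE_RISK.get(ev.event, 10)   # unknown event kinds get a small default
    return base + sum(SIGNAL_WEIGHTS.get(s, 0) for s in ev.signals)

def decide(ev):
    # Map the score to the adaptive-auth action handed to the IAM layer.
    s = score_event(ev)
    if s >= BLOCK_AT:
        return "block", s
    if s >= CHALLENGE_AT:
        return "challenge", s   # IAM triggers an MFA/2FA challenge flow
    return "allow", s
# Constructed sample journey: legitimate members behind airport Wi-Fi, and one account
# being worked by a brokerage operation (new device, contact change, points harvesting).
SAMPLE_EVENTS = add_velocity_signals([
    JourneyEvent("m1", "login", "198.51.100.10"),
    JourneyEvent("m2", "login", "198.51.100.10"),
    JourneyEvent("m3", "purchase", "198.51.100.10", {"new_device"}),
    JourneyEvent("v1", "login", "203.0.113.7", {"new_device"}),
    JourneyEvent("v1", "update_contact", "203.0.113.7", {"new_device"}),
    JourneyEvent("v1", "redeem_points_gift_card", "203.0.113.7",
                 {"new_device", "contact_changed_recently"}),
    JourneyEvent("v2", "login", "203.0.113.7"),
    JourneyEvent("v3", "login", "203.0.113.7"),
])

def decisions(events=SAMPLE_EVENTS):
    return [(ev.member_id, ev.event, *decide(ev)) for ev in events]
```

Note that the same "new_device" signal yields allow on a purchase from the shared Wi-Fi address but a challenge on the brokerage IP, because the velocity signal is only derived where the source is not known shared egress.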
The team — embedded skill sets
A little bit about the team and how we put this together. We assembled an embedded team with skill sets typically spread out in other parts of the organization. We have site reliability engineers for observability — digging into different platforms, bringing data together, reducing toil. We have cloud engineers who know how things are implemented. We have a special cybersecurity engineer who is an expert in our bot defense platform. And we also partnered with our cybersecurity organization to embed a special cybersecurity resource in our team. This is the first time that was done at our company — embedding people into the organization.
I think there was a really good talk yesterday from Disney where they were talking about embedded SREs. This is a great practice — to get embedded cybersecurity professionals — because then they're not just looking at risk and managing risk, providing generalized controls and directives. They're now boots on the ground in your team, understanding your applications, knowing your issues, and partnering with you to better evolve your platform.
What did we deliver?
What value did we create? There are a lot of numbers I can't share, because they're privileged of course. But a couple of things I can share.
Tami and I did a presentation at the Merchant Risk Council back in March. It's the largest merchant conference in the world. We got to know a lot of different merchants and their problems. Loyalty fraud was actually a big theme of that conference.
One thing that we did share: flight credit redemptions were reduced by 27% year-over-year in the last holiday period. That's a big amount of fraud reduced.
We've also improved credit card authorization rates. Tools like your rate limiting or bot defense may capture those scripted credit-card stuffing attacks. But when you have somebody that has a spreadsheet they bought off the dark web or downloaded somewhere, and they're copy-pasting credit card numbers, that's manual — that's going to slip through. That's where that risk scoring was able to detect and mitigate those payment attempts, credential stuffing, and bot attacks.
We actually identified a loyalty and data broker in India. His office was responsible for about 40% of the fraud we were seeing in the loyalty space when it comes to the brokerage of flight-credit transfers and points brokerage. We blocked millions of fake accounts.
The business team now has more data at their fingertips, more tools available, to help with fraud recovery, helping fraud analysts do their job better.
We also doubled our web traffic capacity. Let me explain this a little bit. Going back to 2017-2018, when bot management tools first started to come to market and gain attention and become more of a standard thing, we discovered that over half of our traffic was unwanted automation — whether probing or, for the majority of it, scraping our airfares off our website. By implementing that control, we've reduced that traffic by more than half — conserving those resources and allowing our business to grow without incurring additional infrastructure costs.
Lastly, it's not just about reducing fraud or avoiding cost or optimizing those controls. We've actually improved conversion rates and loyalty engagement by introducing those adaptive-auth capabilities that normally reduce friction in the customer journey. That has netted a lot of additional money. I can't say, but it's a big number.
What I need help with — let's chat
What do I need help with? I want to hear your stories. Are you involved with fraud? Is fraud in your orbit? Are you in a cybersecurity team and people are coming asking you about fraud? Or on the digital team coming to ask you about fraud and you don't know what to do about it? Or maybe you're farther along in the journey and you've done something really cool — come tell me. I want to learn. That's been part of my journey the past year — meeting with different airlines and companies and merchants to understand how they're fighting fraud and how they're organizing around fraud in their organizations.
I also want to hear about how you are connecting those improvements in your cybersecurity organization — those incremental improvements — to tangible business value. When you think about it, that "what keeps you up at night" business case only takes you so far. Now we're protecting and recovering millions in revenue, and that's profitability — or, as I like to characterize it, the number of salaries that we can cover, because our margins are so low.
And in closing, I want to thank you for spending your time with me this afternoon. I know you had many choices, and I hope you learned something valuable. Let's chat. Thank you.