June 15, 2024

Internet-based transactions, card-less systems, and ticket acquisition from booths that enhance the transition from parking zone to the lift have emerged as essential customer support tools for mountain resorts. Nevertheless, the seamless convenience relished by visitors and the labor savings for resort managers gradually come with an unseen cost: heightened vulnerability to credit card frauds. These frauds include well-structured schemes that operate worldwide, focusing mostly on the outdoor leisure industry.

First-line defenders against these fraudulent actions are the safeguards at the online point of sale provided by the payment processor or additional third-party mechanisms such as Kount or Sift. Yet, when fraudulent dealings sneak past these defenses, operators would sometimes need to tackle the issue head-on.

DEALING WITH CHARGEBACKS

For Mountain Creek Resort based in New Jersey, the first hint of a problem was a surge in credit card chargebacks—a move introduced by a bank to revert charges. This alerted the resort boss, Evan Kovach, and his team that card owners were contesting charges for lift tickets alongside services like lessons and rentals at the mountain.

Following an investigation, Mountain Creek traced the fraud origin to the so-called “dark web,” where tricksters—usually using social media platforms—offer purchasers highly discounted lift tickets and other experiences.

“These malefactors have access to lists of stolen credit cards,” Kovach discloses. “When they ‘sell’ someone this experience, they merely utilize a stolen credit card to buy on behalf of the person attempting to gain the experience. They then receive payment through untraceable digital payments like cryptocurrency.”

The customer will then enjoy the service, such as a resort visit for one day, Kovach informs—sometimes up to more than $2,000 in worth, particularly if snowsports school, rentals, and other amenities are included.

“The fraudster would have already received a digital payment from the visitor, and unluckily, the resort will receive a fraud-related chargeback from their credit-card processor and never receive any of the $2,000 cost for services offered,” says Kovach. “Often, the visitor does not even realize that they were involved in a prohibited transaction; they merely thought they managed to get a fantastic discounted service.”

Significant losses. Ski Big Bear located in northeastern Pennsylvania was affected by chargebacks summing up to between $1,000 and $2,000 before realizing a similar scheme.

“We reported it to the state police, but that’s not a value amount that would necessitate a response,” says general manager Lori Phillips. “For resorts as small as ours, though, it’s a substantial loss. It remains uncertain what the future holds for this, but it’s challenging to discover until the deed is done. It’s indeed a matter of the number of hits you would take before this ceases being just a business cost and compels an investment in prevention.”

DETECTING “GIVEAWAYS”

Ski Santa Fe was amongst multiple New Mexico resorts targeted by credit card fraud last winter. Forewarned by other area resorts, operations boss Tommy Long and his team managed to block deceitful transactions by identifying “giveaways” employed by a certain group of fraudsters: entering identical (stolen) credit card number for numerous, unrelated purchases; using identical mailing addresses; entering guest names using all lower-case letters; and using a full first name but only an initial for the last name.

“We thought we were in the outdoor leisure industry, and instantly, we were in the fraud prevention business,” Long relates.

In New Hampshire’s Pats Peak, Director of Guest Services, Brigid Howell, noticed peculiar email addresses and personal details from individuals located far from the mountain, which raised suspicion.

“How many individuals from California would come here to ski?” she remembers questioning.

Once doubtful of the scam, Pats Peak’s staff made it a practice to review lists of online purchases for dubious transactions every day—a relatively effective, albeit labor-intensive, approach. Straight-talking Howell would then place herself at the ticket booths to intercept persons trying to retrieve passes using fraudulently obtained QR codes. Depending on the day, that meant facing up to 10 groups each morning.

“Most of them could not substantiate their purchase with an ID,” Howell discloses. “I’m quite proficient in reading people; some of them genuinely don’t know” they ended up being an unwitting part of a scam, she admits.

Back in New Mexico, a similar approach was adopted. “Some said, ‘We spotted a deal with your signage on it for 50 percent off lift tickets,’ but admitted that it was probably too good to be true,” marketing manager Reed Weimer from Red River Ski & Summer Area contributes. He also confronted would-be ticket redeemers at booths—and reported the actual names of deceitful purchasers to local law enforcement.

“Countless people engaging in this probably realize there’s some unethical activity happening but are ignorant of the level of crime involved,” Kovach suggests.

Guests of Ski Santa Fe who appeared to ski using the scam tickets were also confronted by resort staff. “We charged them the difference between a full-price ticket if they wanted to ski,” discloses Long.

When Mountain Creek staff caught an individual retrieving a fraudulent ticket from a booth, Kovach believed it an opportunity to intensify his fraud investigation. “We would treat them leniently in exchange for information,” he states, informing guests, “‘We are going to permit you to ski today and not involve the police if you provide us with the information we need.’” 

ADDITIONAL LIABILITY FOR RESORTS

Kovach points out that any pastime or activity-oriented enterprise, like ski resorts, confronts some augmented exposure to fraud due to the link between the consumer (who becomes a guest) and access to the pastime/activity.

“It is unlike a traditional online procurement where a buyer requests something that gets transported to a physical address,” he emphasizes. “As an outcome of this nuance, it’s crucial that the guest-facing purchasing platform that a resort uses is directly connected to both credit-card processing and access control. If these three functions do not coordinate in real-time, it becomes reasonably manageable for lawbreakers to exploit resorts.”

Unquestionably, credit card fraud has been around ever since the introduction of credit cards. Snowsport areas are no strangers to scams involving lift tickets. For instance, managers such as Howell still devote time during their workdays to intercept guests using fraudulently duplicated tickets and passes, alleging to have misplaced theirs so they could hand it over or sell it to another person after doing some initial morning runs.

One ski area in upstate New York was targeted by a ransomware assault precisely scheduled for the week preceding the bustling 2023 Presidents’ Week phase. Cybercriminals locked the ski area out of its servers and threatened to divulge all its data to the public unless their $4 million ransom demand was satisfied. Ultimately, the ski area, whose executives spoke anonymously to SAM, refused to pay, endured the holiday period using paper tickets and other conventional methods, and channeled insurance funds, alongside extra resources, into rebuilding its network.

Upgrading a computer system for enhanced network safety.

A PERSISTENT GLOBAL ISSUE

While ski resorts have increasingly fallen victim to tech-savvy criminals, the problem isn’t exclusive to them. The global credit card fraud industry, as estimated by Juniper Research, generated around $46 billion in 2022. These cybercriminals utilize a blend of purloined credit card data and identity theft to exploit the understated vulnerabilities in the digital payment system.

Maria-Kristina Hayden, CEO and founder of cybersecurity firm OUTFOXM, admits, “It’s hard to see how resorts could avoid this. Sadly, retailers and businesses all over the world have to manage purchases made with purloined credit cards.”

“Inevitably, the primary source of the fraud stems from how credit cards are processed and accepted on American websites,” states Daniel Wakounig, Axess’s Chief Technology Officer. Axess supplies various tech solutions for ski resorts, such as self-service kiosks.

The key to curbing credit card fraud, according to Wakounig, lies within front-end prevention, not at the kiosk. This could involve a two-factor authentication verifying the buyer’s identity, by either requesting a secure code in addition to the credit card information or by asking for a secure ID. The secure code would then be sent via a second channel declared during the credit card contract – usually a mobile device or an app where the legitimate owner is signed in.

“The use of two-factor authorization, while common today outside of the U.S., is rare within the states,” he notes. “[With] two-factor authentication at the point of purchase, a purloined card becomes ineffective for purchasing tickets whatsoever.”  

POTENTIAL ALTERNATIVES

While credit card fraud might be an inherent risk with automated sales and purchases, there are strategies resorts can implement to safeguard themselves. 

Confirming identification – Staff could verify the identity of the ticket collector at either the window or kiosk, to ensure it matches the buyer’s details submitted online. However, this method tends to only be utilized when potential fraud has been flagged. Although effective, it can also hinder the redemption process.

One possible deterrent could be incorporating a pop-up message on kiosks, cautioning users that they may have to present the card used to buy their lift tickets. However, without automatic verification, this is largely an empty threat, Howell suggests.

Credit card verification – Using the kiosks for identity verification, such as requesting a swipe of the credit card used to buy the tickets and services, could also be effective.

“We consistently scrutinize our processes at our devices to avert any possible fraud,” says Wakounig. “Checking the credit card at the pickup is a possible approach – however, as credit cards can’t simply be scanned, a dedicated hardware provided by the payment service providers is needed. This would mean a credit card terminal for each pickup device.”

Wakounig admits that this option isn’t currently supported, but it could conceivably be developed as an option for ski resorts to implement. “[That] decision rests with the ski resorts.” 

Similarly, verifying identity by scanning driver’s licenses would necessitate another reader. “Regrettably, these solutions can severely inhibit the pickup process for all guests by slowing it down,” he adds.

AI Technology – A potentially efficient tool for identity verification at the pickup point is AI-enabled facial detection technology. Wakounig reveals that this technology will be introduced to Axess kiosks in 2024 or 2025, “replacing our current monitoring tool for ticket misuse,” he states. 

SELF-PROTECTION METHODS

Resort operators can take proactive steps towards safeguarding themselves from credit card fraud. This includes broadening their understanding of how these scams operate, closely monitoring online activity that could indicate susceptibility to attacks, meticulously reviewing transactions to unearth potential fraud, and utilizing this information to guide future efforts in preventing fraud. All these measures could potentially result in considerable financial savings for your resort in the long term.