In the spirit of Cyber Security Awareness Month, which is celebrated in October, we delve into a candid Q&A session with Ryan Hiney-Brasil, our Cyber Security Manager, to understand the countermeasures taken by the Cyber Security Team to fight one of the most prolific fraud attempts in the visa sector: appointment fraud, the practice of intermediaries reserving appointments and selling them to applicants for a profit. This year, their focus remains on enhancing security and ensuring privacy for visa customers.
One of the main and recurrent topics in cyber security in the visa sector is appointment fraud. Could you tell us what this fraud is and how it actually happens?
Appointment fraud is driven by scarcity in the market due to the limited appointments provided by government visa departments compared to the demand. Since the demand far exceeds supply, there is a constant race between Schengen visa applicants to book slots. Fraudsters add to the tension by booking all appointments available. They employ one of two tactics: automated or manual mechanisms. Automated scripts, or “online bots”, are programmed to pounce on appointment openings once they are public, while manual methods involve hiring people that refresh appointment pages incessantly and book appointments as soon as they are available. Once acquired, the fraudsters then sell these appointments for profit on the black market. Frustration often leads to desperation, making visa applicants vulnerable to these fraudulent tactics and preventing other applicants from finding slots.
What is TLScontact doing to counter appointment fraud?
TLScontact employs a multi-layered defence approach, from system level controls and fraud prevention technologies to improved internal business processes and user awareness. For example, we utilise Web Application Firewalls (WAFs) for all our websites dedicated to France worldwide to filter traffic based on factors like IP address and country. WAFs help protect web applications from attacks by filtering and monitoring traffic between a web application and the Internet. This helps in identifying suspicious activities originating from unexpected locations.
We also limit the number of user sessions or IP connections in a set amount of time and use automatic bot detection through behavioural analysis and validation via Google reCAPTCHA. All staff undergo annual training, as we believe the human firewall is the most important element in our strategy. Training includes awareness raising and information on how to spot a cyber threat and how to escalate the issue.
How do you ensure that the person booking an appointment online is the final customer who will come to your visa application centre and that appointments are not handed over to another person?
Our defence approach includes multiple checkpoints:
- OTP (One-Time Password) verification: in locations deemed high-risk, we implement OTP as an additional layer of security when booking an appointment online. We strategically deploy OTP where and when needed, ensuring a proactive and dynamic approach to fraud prevention.
- Online checks: we ensure that personal information, such as name and passport details, cannot be changed. These measures are crucial to maintain the integrity of the booking process, so fraudsters cannot book appointments and then sell them to an applicant by changing the name on the appointment.
- Visa application centre checks: our staff members at the welcome desk in all visa application centres check that the information provided matches the applicant’s passport and documents.
Also, as a funny rule of thumb, Mickey and Minnie Mouse, Donald Duck, and Goofy don’t usually need visas, so when we detect their names on an application, which happens more often than you’d think, it’s usually a fraud attempt, albeit quite comical.
Have you seen any concrete results?
Absolutely! We have taken down five websites impersonating TLScontact or participating in appointment fraud. Plus, 15% of traffic on our websites has been blocked because it’s been detected as automated bots or malicious traffic. Thanks to the measures that we have rolled out in certain sensitive locations, the time that an appointment remains open on our website before it is booked has increased from a matter of minutes to over 24 hours So overall, the opportunity for a regular user to book an appointment has improved, despite the scarcity.
Do these issues and measures apply to all our locations across the globe?
No, there are regional variations in data protection regulations that necessitate a shared responsibility between TLScontact and its government clients. By collaboratively designing fraud controls, we ensure that our processes align seamlessly with the legal frameworks of each location. This cooperative approach not only safeguards sensitive information but also fosters a mutual commitment to compliance, strengthening the foundation of our partnership.
Furthermore, tailoring fraud controls is also influenced by cultural nuances and economic contexts. We therefore create a robust system that not only prevents fraud but also respects and adapts to the unique considerations of each locale.
Could you tell us more about the appointment fraud task force?
The appointment fraud task force is a collaborative effort involving various stakeholders and includes country and regional managers, local teams, account managers, product managers, and our team members at the welcome desks in our centres. The task force aims to comprehensively tackle appointment fraud and ensure timely reporting. As the Cyber Security team, we need our frontliners and boots on the ground to be our eyes and ears and be on the lookout for any threat. We remain at their disposal for training, tips, concerns, and of course, if any threat emerges. We all work closely together to make sure there are no loopholes for fraudsters at any touchpoint of the process.
With all these rules and barriers, how do you balance security, ease of access for customers, and respect for their privacy?
Collaboration is key. We understand how security measures can impact the customer experience, so striking the right balance between control and convenience is a continuous effort that involves colleagues, business partners, and stakeholders. For example, we have regular discussions with our product teams to find a middle ground and make sure control doesn’t hinder convenience. The Data Privacy team makes sure that we respect all the rules and regulations related to data protection and privacy. The account managers and operations teams provide us with feedback from the government clients and applicants so we can continue to improve on both security and user-friendliness. Every component is important to make sure that the journey with TLScontact is as safe, yet as convenient, as possible.
With all of this in place, how are fraudsters still managing to operate?
The rule of “the path of least resistance”. As we seal security holes, these fraudsters remain persistent. The demand for appointments far outweighs the supply, driving them to find new ways to exploit vulnerabilities. However, we continue to adapt and strengthen our defences, aiming to be more proactive as threats evolve.
We just celebrated Cyber Security Awareness Month. What are some of the key objectives or goals of the Cyber Security Team this year?
Our main message has always been “see something, say something.” Cyber security is a shared responsibility. We encourage everyone in our organisation to escalate any suspicious activity and ensure it reaches the right people. One of our primary goals is to provide cyber security training for all our staff members, emphasising that security is not the sole responsibility of a single department.
In the complex world of online security and combating appointment fraud, TLScontact’s Cyber Security Team remains vigilant and adaptable. Their multi-layered approach, constant collaboration, and a shared responsibility mindset ensure that visa customers’ privacy and security are at the forefront, even in the face of persistent cyber threats. As the digital landscape evolves, so do their strategies to protect clients and visa applicants.