Who Are You?
Banks are using mobile technology to build better profiles of credit card customers that will be harder to fake—or shake off.
I often travel to different countries chasing stories. It’s hard for me, let alone my credit card issuers, to predict where I’ll be at any given time. This summer, for example, I moved from Madrid, Spain, to Oaxaca, Mexico, and in November I made quick trips to both California and Nicaragua. Confused by my unpredictable spending patterns, my credit card companies often block my legitimate transactions.
In this mobile, data-driven era, there must be some better way. After all, California friends may have heard about my trip ahead of time via Facebook, and my U.S. mobile operator might have noticed my new location when I plugged its SIM card into my phone at the border. But still, “your bank is the last to know,” says Loc Nguyen, chief marketing officer of Feedzai, a mobile payments firm in San Mateo, California. Sure enough, when I tried to buy a bunch of hiking gear on arrival in California, my card froze and I had to call the issuer to verify my identity.
Banks and merchants want to know who is wielding a given credit card because they, not the cardholder, are on the hook for fraudulent transactions. And such fraud is rising, according to the 2014 Lexis Nexis annual fraud study. Worldwide, fraudulent card transactions have reached around $11 billion a year, and the U.S. may account for about half of that. Europe’s share was 1.33 billion euros ($1.7 billion), according to a European Central Bank report.
New technologies try to address this problem by merging a broader range of financial data, mobile-phone data, and even social-networking data to better establish the likelihood it’s actually you behind the transactions racking up on your cards or mobile device. Nguyen says that Feedzai’s system can improve fraud detection rates from 47 percent to almost 80 percent. Chirag Bakshi, founder and CEO of Zumigo, a company in San Jose, California, that provides location-based mobile services, says his company’s data algorithms reduce fraud losses by at least 50 percent.
“When fraudsters steal your identity, what they can’t do is steal your behavior,” Nguyen says. That, in fact, has long been the principle behind credit card fraud alerts. But a conventional credit card company is relying on information from your past to guess whether each attempted transaction is genuine. Today’s new technologies tap into your mobile phone and its more up-to-date information to see if your current behavior matches your purchase.
“[We can use] a SIM card as a proxy for a person,” says Rodger Desai, CEO of Payfone, which works with banks, mobile operators, and fraud detection companies to assess the legitimacy of a given payment. Payfone builds a profile of a user and tracks more than 400 types of data to create what it calls a persistent identity. Change phone company? Noted. Someone steal your phone or clone it? The company will catch that, too. Even if you’ve canceled your cellular data plan, it has ways of flagging the activity of someone who then tries to use the phone’s Wi-Fi connection.
Zumigo adds location information gleaned from partnerships with mobile network operators. It checks the name and address attached to the mobile device in a given transaction against Equifax’s credit records to confirm the buyer’s identity. Feedzai’s software combines that kind of information with current and historical location data to draw inferences such as whether it would be possible to travel from the site of an already approved purchase at, say, the airport to a shop in town in the amount of time between the transactions. The use of this method, Nguyen says, is what allows Feedzai to detect 80 percent of fraudulent transactions, rather than the 47 percent achieved by conventional methods, without adding more of the sort of false alarms to which I am growing accustomed.
Some companies are trying to build deeper identity profiles for mobile payments based on social-network data. It’s a tempting target. If I ask my friends for advice on rain jackets and I’m a member of a mountaineering club, it would lower the odds I might trigger a fraud alert at a shop selling outdoor gear. But that kind of information requires permission from users, and experts say it can be a source of false signals as well as reliable information.
Mobile-data-based identity systems have their limits. After my November trip to Southern California, I flew to Nicaragua. At the airport, I called my card providers to alert them to my travel. But in Managua, I paid cash for a local SIM card at the bus station, to avoid the roaming charges from my home mobile operator. It required no registration forms, and I hopped on the bus to read the news and handle e-mail. Without trying, I might have outpaced the futuristic systems designed by Feedzai, Zumigo, and Payfone. Could I have then booked a hotel for the night on my phone with the new SIM card while riding the bus? Probably not.
Keep up with the latest in security at EmTech MIT.
Discover where tech, business, and culture converge.
September 11-14, 2018
MIT Media Lab