One-time Passwords – How Inconvenient!

As I immerse myself more into social media (are you following me on Twitter?), I’ve noticed a lot of coverage on the increase in password security breaches and high-profile hackings. Just last month, the daily deals site LivingSocial disclosed that it had suffered a massive cyber attack, requiring 50 million customers to reset their passwords. This is one of the biggest password breaches to date, surpassed only by Sony’s PlayStation network being compromised in 2011, when nearly 100 million accounts were exposed. Obviously, the chatter on this subject certainly seems warranted.

As financial institutions, online services, and social media platforms scramble to more effectively fend off fraud, the opinions on what works, what won’t work, and what might work are filling up cyberspace faster than you can type 140 characters. It seems the solution-du-jour is the implementation of one-time passwords (OTPs). Google, Twitter, Dropbox, and other popular services support the use of one-time passwords, touting them as an extra layer of protection and making it harder for hackers to break in. My opinion? One-time passwords are very intrusive to the end-user. Entering your login credentials, initiating the OTP process, waiting to receive a message from the company (via text message, email, or voice mail) containing a random code, and then entering that code as yet another security input is flat-out inconvenient. And despite these extra security measures, there’s still a chance that the company is hacked, forcing you to come up with a new and ever more complicated password – which we all hate. In fact, according to the 2012 Online Registration and Password study, more than a third of people would rather fold laundry and scrub toilets than come up with new passwords.

Trade-offs exist within all fraud management systems and one-time passwords have their place, but using one-time passwords as the de facto standard is not that place. We all want better security. That’s the entire value proposition behind what we do here at Finsphere, but we believe that risk-based authentication offers a viable, non-intrusive means to provide improved security. If keeping your data safe means you have to go through a series of steps that are intrusive and inconvenient, in my opinion, that’s not a feasible deal to strike.

The almost daily announcement of cyber-hacking has been driven, in part, by the Obama administration’s focus on issues surrounding cybersecurity. The focus has undoubtedly influenced media coverage on cybersecurity threats, meaning news coverage of data breaches has become more abundant. Likewise, data loss disclosure laws now require companies in nearly all 50 states to notify consumers when identity security has been compromised. Accordingly, businesses need to take more aggressive action to protect their customers’ sensitive data. However, one-time passwords should be a fall-back position or incorporated as a part of a less intrusive solution, rather than used for every log-in attempt. Otherwise their use may result in backlash from customers, or worse, losing them altogether.

Tell us what you think about one-time passwords. Have you been in a situation where you were asked to use one? What was your experience like? We welcome your comments, like-minded or otherwise, and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

Five Words Nobody Likes to Hear: “Your Credit Card Was Declined”

As the CEO of a technology company that develops identity authentication solutions for a variety of industries, including banks and credit card providers, you might think I wouldn’t hear those dreaded five words very often. Well, think again. Like millions of other consumers, having your card declined when the transaction is either legit or you are certain you have sufficient funds, can (and does) happen to all of us.

When a waiter, sales clerk, or even an anonymous screen message comes back with “Your credit card was declined”, most people experience a plurality of visceral responses, ranging from embarrassment to anger, and even panic. So why does it happen?

Good Credit – Bad Call?

Having a card declined when the cardholder is legitimately attempting to make a purchase or when there are ample funds to cover the purchase is known in the banking industry as a false positive. A lot of things happen between the time you swipe your credit card and when you get an approval or a denial. Very simply, the process works like this:

  1. A merchant passes the transaction information (including amount and your credit card information) through the credit card network to the bank or credit card company that issued the card (the card issuer).
  2. Next, the card issuer’s fraud management system evaluates the transaction to determine the probability that the transaction is fraudulent. This evaluation typically starts with generating a fraud risk score between 1 and 999. The higher the score, the higher the probability of fraud.
  3. The transaction information, along with the fraud risk score, is then fed into a decision rule engine, which ultimately determines whether the transaction should be authorized or declined.

The fraud risk score and decision rules are based on an analysis of your normal behavior, prior behavior of all individuals who carry the same credit card, and known fraud patterns. Deviation from your normal card usage behavior will often trigger a decline. This evaluation process is essentially the same for debit cards as well.

False positives not only cause significant inconvenience and embarrassment for you, they are also responsible for millions of dollars in lost revenue for financial institutions. Depending on the card issuer, false positive ratios – the number of high-risk transactions the system flags as suspicious, compared to the number of transactions that are actually fraudulent – can be as high as 40:1. This means that up to 97% of card transactions flagged as high-risk (initiating a card decline, account block, or intrusive customer contact) are actually legitimate. That is an astounding percentage. This is true in both card present (when you are physically making a purchase with your card in hand) and card not present (when making a purchase online or over the telephone) transactions.

I Am Not A Crook!

I commented in a recent post that credit card issuers are faced daily with new and increasingly sophisticated types of attacks, so in their pursuit to keep our information secure and protect us from fraud, we are often subject to feeling as if we are the criminal.

In a recent study conducted by Penn Schoen Berland, feedback revealed that cardholders would be prepared to increase use of their cards, both domestically and abroad, if they felt more confident that their card would not be declined. The impact on customer satisfaction from having transactions declined and cards blocked, especially when traveling abroad, is considerable. While I wasn’t one of the study participants, I can definitely agree with their perspective.

Because financial institutions are scrambling to more effectively fend off fraud, the many layers of security customers are being asked to navigate are seen as a nuisance. We call our bank before taking a business trip or vacation in hopes our card won’t be declined while trying to pay for a rental car or theater ticket, etc. We are asked to set up alerts so that text messages can be sent to our mobile phones if the bank suspects fraud. And don’t get me started on the elaborate (and not necessarily fool-proof) passwords being demanded of us these days.

How to Reduce False Positives

So what can you do to lessen your chances of hearing those five dreaded words? Here are some tips that may help:

  • Communicate With Your Card Company

Predictive models used to identify fraud are usually based on identifying charges that don’t fit a previous pattern. So, if you’re taking a vacation abroad, or even travelling just outside your own state, let your bank know in advance. It may not always save you from a card decline, but it is still a good idea.

  • Competition is Good – So Carry Several Cards

You’ve probably experienced the (frustrating) situation where your card is declined, but when you present a different card for the same transaction, it’s approved. Because it’s challenging to know which charge may get flagged as a potentially fraudulent transaction, having other cards from competing issuers may help. Think of it as a back-up generator or spare tire.

  • Get a Prepaid Card

If you want a greater likelihood that you won’t get stuck without a way to pay for goods or services, especially if you’re going to be far from home, having a prepaid card on hand is a reliable strategy. They are often sold at airports, so if you’re heading out of town, you could pick one up before take-off.

  • Be Patient

Technology like Finsphere’s that incorporates mobile proximity and location-based fraud analytics has been proven to significantly reduce false positives for both card present and card not present transactions. As adoption of this kind of identity authentication solution grows, your day should get a lot brighter.

Being in the business of identity and financial security, I’ve heard numerous personal stories about being declined. And we know that everyone has a story. So, if you’re so inclined, we invite you to share yours and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

April Fools’ Day Shouldn’t be Celebrated (Year-round…)

April Fools’ Day used to be a day generally known for light-hearted pranks played on a family member, co-worker, or friend. This year, even the White House got in on the fun when viewers brought up the White House website, expecting to see the Commander in Chief, and instead seeing YouTube sensation “Kid President” climbing up to the podium. Other online pranks from Google, Twitter, and YouTube all put clever, new twists on the age-old day devoted to the art of duping.

Most of the day’s ruses were fairly easy to spot – and harmless – but sadly, hoaxes or ploys that wreak real-life havoc are increasingly more commonplace. In my last post, we looked at the film “Identity Thief”, an over-the-top farce about a mild-mannered businessman who has his identity stolen by a seemingly harmless woman. But we’re all getting smarter about these types of ploys, right? I mean, who on earth would respond to an email asking for your bank account number because you just won $10 million in the Nigerian lottery?

From ‘Cyber Warriors’ to ‘Doxxing’

Even though personal vigilance and awareness is on the rise, headlines about security breaches and identity theft dominate the daily news cycle. North Korean “cyber warriors” recently managed to cripple 32,000 computers and servers at three major South Korean TV networks and three major banks. The week before, we heard about high-profile victims of “doxxing”, a process the FBI describes as “obtaining or deducing information about a person based on a limited set of initial information.” Celebrities such as Jay-Z, Beyonce, Kim Kardashian, and even Michelle Obama had highly sensitive information such as social security numbers, mortgage amounts, credit card info, car loans, and banking information posted on the internet.

However, it was a recent segment on NBC’s Dateline about online privacy that really got me thinking. Mat Honan, a senior writer for the tech-bible, Wired.com, appeared on the show and revealed how he had his “digital life erased” in a matter of minutes. If someone as knowledgeable about digital security as Honan (who admitted some of his passwords were up to 19 characters long and contained letters, numbers, and even symbols) could be hacked – then where did that leave the average consumer?

There’s 1 Every 3 Seconds

I’m aware that most of us look to financial institutions to keep our information secure and protect us from fraud, however, recent statistics like those found in the Javelin 2013 Identity Fraud Report reveal that identity fraud incidents increased by one million more consumers over the past year. That’s one incident of identity fraud every three seconds. Where were consumers getting hit the hardest? Where Mr. Honan was: in new account fraud (NAF) and account takeover fraud (ATF).

So while financial institutions and private firms continue to invest in identity fraud solutions to provide deeper levels of protection, there are steps we can take to limit our exposure.

Nobody’s Fool

If we take a lesson from Mat Honan, relying solely on your card issuer, email provider, or online merchant to protect your information is a fool’s game. So whether you are an avid social media enthusiast, online shopper, or none of the above – here are some basic steps anyone can take right now to lessen your chances of having an extended April Fools’ Day:

  • Do Not Respond Directly to Requests for Personal or Account Info

Audiences gasped when the character in “Identity Thief” freely offered his full name, date of birth, and account numbers to a scam-artist posing as a bank fraud department employee. While this may have seemed like an obvious gaffe, you would be surprised how frequently this still occurs. As rudimentary as this advice may be, it bears repeating:  Do not respond directly to requests for personal information or account information online, over the phone, in an email, or through your mobile device.

  • Don’t Post Information to Security Questions That Can Be Found Easily Online

Now this seems pretty basic, but you would be surprised how many people use their pet’s name, high school they attended, or other information commonly found listed on their Facebook, Twitter, or other social media profiles as security question answers. Choose something that is not readily known, or as Mat Honan suggests, a bogus answer altogether. Just don’t forget what it is!

  • Take Data Breach Notifications Seriously

If you receive a notification that your data has been breached, don’t file it in a drawer – take action. And if your Social Security number was compromised, guess what? You are 5 times more likely to be the victim of fraud than the average consumer. Consider subscribing to a credit monitoring service or other fraud protection application.

So while most of us enjoy a good-natured prank every now and again, proactively taking steps to lessen the chances of being taken for a fool the other 364 days of the year is something we can all do a better job of. If you have a tip you would like to share with us, or even your own not-so-hysterical personal tale of identity theft, let us know.

Until then, we hope you’ll follow the conversation and share your views here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

What We Can Learn From “Identity Thief” (and Why the Film Isn’t Pure Fiction)

This week, like millions of other moviegoers across the country, I went to see the Melissa McCarthy-Jason Bateman comedy, “Identity Thief”. The movie has raked in over $75 million and has been a surprise leader at the box office. I went to the movie expecting it to be an over-the-top farce with very little relevancy to the real-world problem of identity theft. After all, could an apparently intelligent guy (Bateman) living a relatively unremarkable existence really get his life upended by an amoral grifter (McCarthy) so easily?

Sadly, the answer is “yes” and I’m certain that more than one person reading this blog has a personal story about how it has happened to them or someone they know. The statistics on identity theft grab headlines and make great movie scripts (remember Catch Me If You Can?).

In the film, Bateman’s character receives a phone call from someone claiming to be in the “fraud division” of his bank, alerting him that his account had been compromised. When asked for his social security number, address, birth date, and other personal details, he happily gives them over. In typical Hollywood fashion, wackiness and mayhem ensue.

What Would YOU do?

In a day-to-day world where we routinely use social media and mobile devices, the amount of information we’re sharing, according to Javelin’s 2012 Identity Fraud Report, is having an increasing impact on fraud. Think about it…if you are freely disclosing your pet’s name, where you went to high school, your birth date, even your telephone number – these are all key pieces of personal information that a company would use to verify your identity.

I cringed during the scene when Bateman’s character so freely gave up his personal information to a complete stranger, and (admittedly) felt a bit smug, knowing that as a professional in the world of security and fraud detection technology I would never be so foolish. Well…

The Test

Javelin maintains a website that provides information and resources regarding identity fraud, Idsafetynet.com. The site offers a myriad of resources and information on the subject of identity fraud, as well as a quiz consisting of 18 questions designed to help you assess whether your own daily habits are keeping you safe from or contributing to possible identity theft. Questions range from whether you receive your mail in an unlocked mailbox to how you might respond if you receive a data breach notification. My own results were an eye-opener. While I had an above average score, my answers revealed that there was much more I could do to better protect myself against potential identity fraud.

Safety Tips to Protect Your Identity

There are abundant resources to learn more about keeping your private information secure. Javelin recommends that consumers follow a three-step approach to reduce their risk of identity fraud, based on prevention, detection, and resolution. Read their tips here: IDsafety – tips

Another credible resource for information and safety tips comes from the non-profit organization, Identity Theft Resource Center. Here you can find out just about anything regarding identity theft protection and prevention, including how best to protect yourself during tax time, information if you are currently active duty military, and even a test to help keep teens safe online.

While your bank and many companies (including Finsphere) are on the front lines developing solutions to improve upon security, privacy, and data protection – it’s apparent that, as consumers, we need to remain vigilant in our own efforts to prevent fraud from happening in the first place.

Yes, the average cost of movie tickets is at an all-time high, but personally, I feel it’s a small price to pay if a film can spur awareness and action on such an important issue, even amongst a few.

So go ahead, take the test and let us know if anything surprised you about your own results. Until then, we hope you’ll follow the conversation and share your views here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

Lessons from the Super Bowl: How the Power Outage Makes a Case for the Importance of Analytics in Improving Fraud Risk Security

Okay, so this may seem like a preposterous stretch, but while watching the Super Bowl (along with 164 million other viewers) come to a grinding halt for over 30 minutes – I couldn’t help but think that the power outage presented an optimum teaching moment too good to pass up for the focus of my next blog post.

Over the last several weeks, we have looked at geo-location data that comes from wireless devices and how Finsphere harnesses that data to more accurately assess credit/debit card fraud risk. In fact, we founded the company on the initial concept that the proximity of a cardholder’s mobile device to the transaction location could be a major game-changer in the way financial institutions authenticate your identity when making in-store purchases, getting cash from an ATM, or buying something online. However, as Finsphere evolved, so did our core understanding that the use of mobile and transaction geo-location data, if used on its own, can be misleading and wasn’t enough to contribute to an accurate risk score calculation. There had to be a fail-safe plan. And that’s where the “Blackout Bowl” comes in.

Michelle Goes to New Orleans

You may recall Michelle, our (fictitious) consumer from previous posts that we followed through several scenarios – from frenzied holiday shopping to vacationing in Cancun – to better demonstrate how mobile or transaction geo-location data can be misleading and why we believe there should be a defensive design strategy (analytics and location-based data) to bolster the performance of a risk based authentication solution.

More Than Just a Game – More Than Just a Lunch Tab

When the Super Bowl was unexpectedly halted for 34 minutes in the Superdome, the power outage left fans, advertisers, the network, and both teams – quite literally – in the dark. Not utter, complete darkness, but enough to alter the experience for all involved. No game. No colorful commentary. No way to buy a beer. This could have been a disaster of colossal proportions. Why? Because although there were still lights on in 50% of the arena, they weren’t sufficient to run the event, full-scale. The result could have been tens of millions of dollars lost, ruined confidence in the ability of the city of New Orleans to successfully host such an event, and a myriad of issues for everyone involved.

A similar experience can occur each time you attempt to use your credit/debit card. Enter Michelle, who is having a great time in New Orleans, hosting important prospective clients and trying to buy everyone lunch before heading out to the game. But behind the scenes, when Michelle’s card is processed for payment, the mobile location data relayed to her card issuer is either missing or inadequate. So guess what? Without analytics, it could be “game over” and Michelle’s attempt to impress her colleagues could end up being one big, embarrassing debacle. Much like a reliable back-up generator, analytics are needed to “bolster the power” of geo-location data when authenticating a credit/debit card transaction. Relying on comparisons between the mobile device and transaction location is a good additional authentication factor, but not always adequate; which is why Finsphere sought out data scientists who are recognized experts in the field of financial fraud analytics and built a neural network analytics engine (LASER), which augments geo-location data with predictive analytics. With LASER (Location-Based Analytic Statistically Engineered Response) the way users’ activities, transactions, and events are authenticated is substantially improved upon by correlating vast amounts of data from multiple sources to generate a fraud risk score that represents the probability that an account has been compromised. In other words, this score estimates whether an entity engaged in a particular transaction or activity is, in fact, authorized to do so. LASER’s hybrid solution taps into this rich supply of mobile geo-location data that can be used as a dynamic identity authentication instrument and pairs it with over 200 additional account and transaction data variables to verify the identity of the card user. Lunch (and moving on to the game) is a success!

Power of Analytics

As inconvenient, distressing, and expensive as the power outage was to the Super Bowl on Sunday, the same is true for credit card issuers faced daily with new and increasingly sophisticated types of attacks that traditional fraud management strategies are not designed to address. The reduction of false positives for card-present transactions, as well as increased fraud detection and increased value detection rates for both card-present and card-not-present transactions, is of huge significance to a financial institution. Along with the millions of dollars these transactions cost a bank every year, minimizing the impact and inconvenience to customers can mean the difference between keeping them satisfied or having them “change the channel”, so to speak.

Beyond this, securing other automated activities or transactions is a challenge that will only get more intense as the technology systems supporting all of our day-to-day lives grow ever more sophisticated in order to protect our information, our identities, and assets. Whether you are engaged in a credit/debit card transaction in person or online, entering a secure facility like an elementary school, or accessing or receiving a medical or government service, you are authenticated by the entity providing the service to ensure and protect your identity. At Finsphere, we are proving that analytics and the use of sophisticated platforms such as LASER are already making an impact on incumbent fraud management systems and paving the way for the future.

So whether your team won or lost on Sunday, the lack of a backup system to get the stadium lights back on could have made the difference in sticking with the game or changing channels to watch the Puppy Bowl. The same critical need to augment geo-location-based variables with the power of predictive analytics to improve upon security, privacy, and data protection is equally essential. It could mean the difference between winning and losing in the game of customer satisfaction, confidence, and loyalty.

In future posts, we’ll examine real-world applications of applying analytics to fraud and identity management and what it means to you as the user. And if you have your own Super Bowl story to share (credit card declined while trying to buy beignets at Café Du Monde?) let us know. Until then, we hope you’ll follow the conversation and share your views here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

Where’s My Card?

It’s 10am at Wal-Mart. Does your credit card company really know where you (and your card) are?

Location, location, location. It used to primarily apply to the desirable qualities of a home for sale or the best place to start up a new business. With the proliferation of smartphones, tablets, and other devices – geo-location data is being used to measure everything from consumer shopping behavior to who went to bed early on New Year’s Eve.

In my last post we looked at how mobile geo-location data might be used to assess fraud risk, and why, when it is used on its own, anomalies exist that can adversely affect the reliability of the results. To accurately assess credit/debit card fraud risk in a proximity comparison with a mobile device, you have to know not just the geo-location of the mobile device, but also where the financial transaction is taking place. In this post, we’ll look at the other half of the equation – anomalies affecting the financial transaction and discuss why the geo-location of the credit/debit card transaction isn’t always sufficient.

Finsphere uses proximity of a cardholder’s mobile device to the transaction location as one of multiple authentication factors for providing risk scores for credit and debit card transactions. However, sometimes the geo-location of the transaction isn’t accurate enough to be used in the risk score calculation. So why isn’t it enough? Credit and debit card transactions are processed through merchant and card association payment networks that are extremely secure and reliable. But there are situations where the location of the financial transaction is not reliable or is not known, making the use of mobile geo-location inaccurate or impossible for developing a risk score. Let’s discuss some of these situations.

Remember our (fictitious) holiday shopper, Michelle, from my last post? Well, she’s back from Cancun but (like many of us) she’s still on a mission – shopping for post-holiday deals, hoping to find all the things she really wanted from Santa but didn’t get. Let’s follow Michelle again, but this time we’ll explore how financial geo-location data (the actual location where the buying transaction is taking place), when used on its own, isn’t enough to contribute to an accurate risk score calculation.

There are two main scenarios where the financial transaction geo-location results may not be valid or sufficiently relied upon for authentication:

Situation 1) Michelle leaves home and stops at the nearest gas station, which is part of a well-recognized, national brand fuel chain and uses her credit card to fill up her gas tank. This type of transaction is called a “card-present” transaction. The transaction is processed through the fuel chain’s payment system, but the location of her local gas station isn’t passed to the card issuer for use during the authorization process; rather the location of the fuel chain’s centralized regional or national payment processing center is sent as the merchant location to the card issuer. In this situation, the merchant location does not represent where the actual transaction is taking place.

Situation 2) Michelle stops for a latté, pulls out her iPad (one of the gifts she actually wanted!), and uses the cafe’s Wi-Fi to hop online and look for a blouse she couldn’t find at the store. Quickly finding it, Michelle uses her credit card to purchase the shirt online. This type of online transaction is called a “card-not-present” transaction. In this particular scenario, the merchant does not pass the location of the iPad (the IP address) over the payment processing network to Michelle’s credit card issuer for use in authorizing the transaction. Thus, the transaction location is not known.

What’s the takeaway? The two common scenarios outlined above where the credit/debit card transaction location data was either misleading or wasn’t available would lead to inaccurately assessing the fraud risk of these financial transactions.

So, in the event I’ve failed to adequately communicate where I stand on the use of geo-location data alone as an additional factor to assess fraud risk – let me definitively do so from this point on. Geo-location is not enough…you need more, you need data analytics. For the past several years, Finsphere has diligently worked to develop and refine a platform based on precision analytics neural network models to accommodate the anomalies we’ve highlighted here and substantially improve upon the way users’ transactions and login events are authenticated.

In my next post, we’ll dive into the topic of analytics and how it bridges the gaps to improve fraud risk scoring. Until then, we hope you’ll follow the conversation and share your views here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

“Ho! Ho! Ho!” How Did Your Credit Card Treat You Over the Holidays?

Since my last post, most of you are likely recovering from the frenzied holiday shopping season. Along with bloated spending, did the actual experience of using your debit or credit card leave you feeling a little less merry?

My last post dealt with the topic that, while geo-location of a mobile device could be a highly credible data source for authenticating an activity (such as a financial transaction) with the mobile device acting as a “proxy” for an individual, geo-location, alone, is not enough. Finsphere uses the proximity of a mobile device to a financial transaction as one authentication factor for providing risk scores for credit and debit card transactions, but this simple location proximity comparison is insufficient to assess fraud risk in all cases.

So why isn’t it enough? It’s true that mobile phone service is provided through a wireless network that is extremely secure and reliable. Further, your mobile phone number is unique and can only be in one location on the worldwide wireless network at any given time. If your mobile number is known and permissions have been granted, your phone number can be reliably located most anywhere in the world. But there are still situations where mobile location is not reliable or is not known, making the use of proximity comparison, alone, imperfect. Let’s discuss some of these situations.

Michelle, a fictitious person, is on a mission – she is shopping in the post-holiday madness to nab some of the best deals in town. She’s done her homework, so Michelle is using her credit card – a lot (sound familiar…?). Here are a few scenarios where mobile phone geo-location, while accurate, may not be valid for the purposes of assessing fraud risk and cannot be relied upon for authentication. The result may be exactly what turns her holiday shopping into a “Bah! Humbug!” experience:

Situation 1) Michelle leaves her mobile phone at home. Her mobile phone can be found but it’s nowhere near where she is shopping. Thus, the mobile location does not represent where the cardholder is while making legitimate transactions.

Situation 2) In-between stores, Michelle’s phone battery dies. The mobile location where her phone was last reported no longer represents where Michelle is now attempting to make a purchase.

Situation 3) Michelle finds a bargain basement sale, quite literally in the basement of a building. Michelle snaps up some great bargains but there is no mobile network available in the basement of the building. The mobile network would report her last known location, which does not represent where Michelle is presently.

Situation 4) That’s it! Michelle has had enough of the crowds and decides to catch the next flight to Cancun. Michelle’s plane lands in paradise and the first thing she does, of course, is turn on her mobile phone! It may be blue skies and sandy beaches for Michelle, but for her mobile phone it means one thing: roaming on a different mobile network. The mobile phone works fine but the mobile network may only provide the country where Michelle’s phone is located. This may be fine in some situations but not for detecting compromised financial transactions within the same foreign country.

These are just some of the common situations where mobile phone geo-location data may not be available, may be misleading, or may be invalid for helping successfully assess the fraud risk of Michelle’s financial transactions.
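The four situations above can be made concrete with a small proximity check that reports when the phone's location cannot be trusted instead of forcing a near/far answer. This is an added example, not Finsphere's code; the names, thresholds, and coordinates are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass
class PhoneFix:
    lat: float
    lon: float
    age_s: float        # seconds since the network last reported this position
    accuracy_km: float  # uncertainty radius (country-sized when roaming)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def proximity_signal(fix: Optional[PhoneFix], txn_lat, txn_lon,
                     max_age_s=900, max_accuracy_km=5.0, near_km=2.0):
    """Classify the phone-vs-transaction comparison; thresholds are assumed values."""
    if fix is None:
        return "unavailable"          # no location at all
    if fix.age_s > max_age_s:
        return "stale"                # last known position, not the current one
    if fix.accuracy_km > max_accuracy_km:
        return "too_coarse"           # e.g. only the country is known
    d = haversine_km(fix.lat, fix.lon, txn_lat, txn_lon)
    return "near" if d <= near_km + fix.accuracy_km else "far"

def michelle_scenarios():
    """Constructed coordinates: home, a mall about 17 km away, and a resort."""
    home, mall, resort = (47.61, -122.33), (47.46, -122.26), (21.16, -86.85)
    return {
        "phone_with_her": proximity_signal(PhoneFix(47.461, -122.261, 60, 0.3), *mall),
        "1_left_at_home": proximity_signal(PhoneFix(*home, 60, 0.3), *mall),
        "2_battery_died": proximity_signal(PhoneFix(*mall, 5400, 0.3), *mall),
        "3_basement":     proximity_signal(PhoneFix(*home, 7200, 0.3), *mall),
        "4_roaming":      proximity_signal(PhoneFix(*resort, 60, 1000.0), *resort),
    }

if __name__ == "__main__":
    for name, signal in michelle_scenarios().items():
        print(f"{name}: {signal}")
```

Situation 1 comes back as "far" even though the purchase is legitimate, and situations 2 to 4 yield no usable comparison at all, which is why the proximity result can only be one input to a risk score and not a verdict.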

As outlined in my last post, and ideally further clarified using the above-mentioned hypothetical (but reality-based) scenarios, our view at Finsphere remains – geo-location, alone, is not enough. In my next post, I’ll be discussing the validity of using the geo-location of the credit/debit card transaction. Confused? Don’t be. As the conversation continues, we’ll dive into the missing link: analytic models and how they accommodate anomalies in geo-location data to improve fraud risk scoring and help protect each of us.

Until then, let me know how your holiday fared at the checkout counter (or the hotel gift shop in Cancun) and join the conversation.

Mike Buhrmann,

CEO, Finsphere

Geo-Location…It’s Not Enough!

The mobile phone has become an extension of most people’s lives. It is usually on or near every one of us, most of the day and night. In fact, the majority of us actually sleep with our mobile phones next to our beds! Now, more than ever, if you know where the mobile phone is, you likely know where the person is. Finsphere was founded in 2007 on this very premise – if a mobile phone is generally found on or near its owner roughly 24 hours a day, then that mobile device could act as a “proxy” for that individual – and could be a highly credible source for authenticating an activity, such as a financial transaction.

Banks today use a variety of scoring tools and fraud risk models to determine the likelihood that a credit or debit card transaction is valid or not valid (i.e. likely fraud). If the bank gets it right, they prevent fraud and issues with their customer. If they get it wrong, they likely deny a legitimate transaction, which means the customer has to find other means to pay or spend considerable time on the phone convincing the bank’s customer service that they really are the person making the transaction!

The premise we set out to evaluate was whether geo-location of a mobile device could enhance the authentication process. After establishing Finsphere, we quickly developed an extensive portfolio of pending and approved patents and began trials with some of the world’s leading financial institutions to validate the model in a variety of situations including:

  • Card-present transactions – when a person and their credit or debit card are both present, like at an ATM or during an in-store purchase
  • Card-not-present transactions – when the person and card are both remote from the merchant, like when making a transaction online from a desktop or mobile device

Based on our ongoing bank trials, we determined that mobile phone geo-location worked very well as an added factor in reducing denials of legitimate transactions, but did not work well for fraud detection or card-not-present situations, by itself. In these cases, geo-location had to be combined with other financial and mobile factors to make it a stronger predictor for fraud. After years of evaluation, we did just that. We built an analytics engine that combines geo-location data with over 200 identified disparate factors. The results thus far? A significant decrease in legitimate transaction declines and fraud in card-present and card-not-present study groups.

Geo-location, alone, clearly is not enough. But geo-location, when used in an analytics engine that incorporates a multitude of other factors, significantly improves fraud model scoring. For the consumer, this means banks getting it right more often in the future.

I’ll be taking a deeper dive into this topic in future posts. I look forward to your feedback and hope you’ll join the conversation.

Mike Buhrmann,

CEO, Finsphere

Opening Comments

My name is Mike Buhrmann and I’m proud to be the co-founder and CEO of Finsphere. I’ve been in the wireless industry for many years and have seen it grow from only a few hundred in-car cell phones to over 5 billion mobile phones that fit into the palm of your hand. The mobile phone has gone from a simple communications device, allowing two people to talk while they were moving around, to something that now allows us to send messages, connect to the internet, take photographs, and do some pretty cool things with the use of hundreds of thousands of different apps.

The mobile phone has become so personal and important to us that you hardly ever leave home without it. In fact, because the mobile phone is so personal, you carry it with you all the time and everywhere you go, creating a unique one-to-one relationship. If you think about it – wherever you are, your phone is. And wherever your phone is, you are. This unique relationship makes it possible to use your mobile phone as a proxy for your identity.

Finsphere was founded in 2007 on the vision that your mobile phone can be that proxy for you – a proxy for your identity. The value of this proxy is that it can actually protect and safeguard you when you’re surfing the internet or doing something in the digital world. Your mobile phone can provide identity protection and assurance anytime you need an event to be authenticated, validated, or verified. A good example of this would be when you’re traveling and using your credit card. Many people have had their credit or debit cards declined when traveling because the card issuer is unsure that it’s really you. With our service, this need never happen again!

Future blogs will present you with some great insights and thought-provoking ideas on how your mobile phone can help protect and secure your identity. I hope you join the conversation.

Mike Buhrmann,

CEO, Finsphere