With the risks posed by credit card and identity fraud constantly on the rise, credit card companies are always looking for innovative ways to strengthen security.
And with figures from the US Department of Justice showing that the median amount stolen per card in 2012 was $399 against a backdrop of $5.55 billion of such fraud worldwide, the huge costs certainly serve as an incentive.
As the recent Target breach has shown, even the mere hint of compromised cards can lead to significant financial losses too – the Consumer Bankers’ Association says that re-issuing at-risk cards has already cost in excess of $172 million.
Such incidents may have prompted MasterCard’s announcement on Tuesday in which it said it has partnered with Syniverse, a mobile technology company, in order to minimise unauthorised purchases made with stolen plastic.
The two companies are currently running an opt-in pilot scheme which allows users to make a credit card transaction only when they have their mobile device switched on and to hand in a specific location.
The service providers then cross-check the locations of both the credit card and the mobile device at the time a transaction is made. If they match, bingo. Otherwise, if the card is in Toronto, for example, and the smartphone is in London, the transaction will be denied.
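The cross-check described above, written out as an added example (not MasterCard's or Syniverse's code). The distance tolerance, freshness window, reason codes and sample coordinates are assumptions, since the article gives none; a missing or stale phone location is denied because the scheme only permits a transaction when the phone is switched on.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed policy values; the article states no tolerances.
MAX_DISTANCE_KM = 50.0               # allowance for cell-mast granularity
MAX_FIX_AGE = timedelta(minutes=15)  # older network fixes count as "phone off"

@dataclass
class Fix:
    lat: float
    lon: float
    seen_at: datetime  # when the terminal or the phone network reported this position

def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def authorise(terminal: Fix, phone: Optional[Fix]) -> Tuple[bool, str]:
    """Return (approved, reason) for a card-present transaction."""
    if phone is None:
        return False, "no_phone_location"    # phone off or unreachable: fail closed
    if terminal.seen_at - phone.seen_at > MAX_FIX_AGE:
        return False, "stale_phone_location"  # last network sighting is too old
    if haversine_km(terminal, phone) > MAX_DISTANCE_KM:
        return False, "location_mismatch"     # e.g. card in Toronto, phone in London
    return True, "location_match"

# Constructed sample data (not from the article): a terminal in Toronto.
NOW = datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc)
TORONTO_TERMINAL = Fix(43.6532, -79.3832, NOW)
PHONE_NEARBY = Fix(43.7001, -79.4163, NOW - timedelta(minutes=2))
PHONE_LONDON = Fix(51.5074, -0.1278, NOW - timedelta(minutes=2))
PHONE_STALE = Fix(43.7001, -79.4163, NOW - timedelta(hours=6))

if __name__ == "__main__":
    for label, phone in [("nearby", PHONE_NEARBY), ("london", PHONE_LONDON),
                         ("stale", PHONE_STALE), ("absent", None)]:
        print(label, authorise(TORONTO_TERMINAL, phone))
```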
Joe DiFonzo, chief technology officer of Syniverse, told the Guardian:
As soon as a mobile phone connects to the phone network we can see a user's location within milliseconds, just by which mobile phone mast they connect to and it is unspoofable, as we get the data directly from the back end of the network.
The technology should benefit both MasterCard and its customers by making it harder for criminals to use stolen or cloned credit cards.
MasterCard says it’ll offer prepaid data packages at popular destinations so customers aren’t put off from using the service by roaming data charges.
Although this is, first and foremost, an anti-fraud technology, MasterCard and Syniverse are clearly excited about the chance to make money from knowing where you are:
Mobile network operators and brands can also benefit from the collaboration between MasterCard and Syniverse. In the future, they could implement targeted offers, which will be made more relevant by knowing the location of a mobile device, for example in close proximity to a retail store. A research report for Syniverse from economists at SEEC uncovered a market value of as much as $44 billion for operators providing services to brands based on opted-in mobile subscribers’ information...
Although the report mentioned in their press release refers to opted-in mobile subscribers, it’s not clear what MasterCard and Syniverse have in mind for their own customers.
We hope that they will resist the urge to share their customers’ location data by default.
“We hope that they will resist the urge to share their customers’ location data by default.”
Indeed. But hope is cheap. When you consider this technology in the context of Mr. Snowden’s revelations, it doesn’t take an especially paranoid world-view to recognize the potential for Big-Brotheresque dystopia.
Large scale collective applications of technology are beneficial when those who use them are accountable for the way they use them. In general, the market tends to ensure such accountability. You can fire an incompetent service provider.
It’s the intrusion of non-accountable (authoritarian) influence that creates the potential for pernicious abuse. The centralized protection that government is supposed to provide fails when the protector becomes the predator. You can’t fire Big Brother.
The solution is not to further centralize the protective technologies (in this case, credit card fraud prevention). It seems to me that individualized multi-factor authentication would avoid the downside potential for abuse inherent in collectivized geolocation schemes like the one MasterCard is testing.
I think the chances of them not selling on the data are as remote as them reducing the card interest rate to 0.1%.
It sounds plausible for the physical card, but how about virtual purchases? How do they plan on tracing the purchase over IP to the location of the mobile phone?
Each merchant has a merchant id/code. That id/code is different for their brick-and-mortar store vs. their website. If the card goes up for auth you could automatically approve it based on merchant id.
From the processor side, it is obvious to the merchant bank and the credit issuer not only where the physical device is but what kind of processing is being done. This is good, as it provides fine grained security control, and this concept would restrict the impact of card loss. However, online purchases would still not be protected in this situation — which isn’t that big a deal, as online purchasing already has other security protections in place. For that matter, they could do fuzzy matching between the geolocation of your IP address and your phone — but that would be done on a different layer than what is being proposed here.
Good idea in theory, but … what about when I went abroad and accidentally left my phone at home? Bad enough, but not being able to use my credit card would have been really painful.
All this idea does is require your phone to be stolen along with your credit card!
25 years ago I proposed encrypting a photo of the card holder onto the card with the merchant terminals decoding it and displaying it to the merchant, so they could see if the purchaser looked like they should. This would stop a lot of fraud – partly by providing a barrier to passing off – you would need to know what the owner of the card looked like.
Or the U.S.A. could introduce the chip-and-pin system like used in Europe to reduce the amount of fraud!
What happens when you're in an area with no cell phone service?
I just laughed when I read the headline. There are so many times I am without my cellphone and I end up walking into a corner store to buy something – such as when I go running, when I just have to walk to the drugstore at the corner of my block, and in so many instances when I know I won’t be out for long. Well, I guess I’ll just have to stop using Mastercard altogether.
Just when security experts tell us to turn Geolocation OFF, MC now thinks it is a usable security ‘feature’ !?
I frequently buy books on-line from a store in London. Obviously my phone is not there and this “security feature” would prevent their purchase. In fact, now that I think of it, I buy lots of things from places I am not! Goodbye MasterCard.
My card company do not know whether I have a mobile phone and they have no need of that information. Likewise they have no need to know where I am when I make a purchase nor even when I don’t make a purchase. I never allow location settings to reveal anything, not even on my PC. Far too dangerous and far too much like ‘Big Brother is watching!’
Never had any of these problems when we all used good exchangeable currency in the form of bank notes and coins.
Last Friday my card company phoned me on my mobile because my card had been cloned and the fraudster had tried to change the phone contact details as well as run up £5k worth of transactions on the card. Without the card company knowing my mobile number I would be unaware of the fraud until next statement date – a month more fraud as the current statement had just arrived and I had just started to query only one small unrecognised transaction. This transaction had probably been made as a test that wouldn’t raise suspicion compared to the other later transactions which would have been recognised once they appeared on a statement.
This solution might work for those that carry a smart phone with them all the time but I’m certainly not one of them. I’m not the kind of guy (and there are many more like me) who keeps his phone with him all the time to stay in constant contact. I consider my phone a useful tool but not something to carry with me all the time. On the other hand, I could be at a store and at the drop of a hat see something I want to purchase, so out comes my card. I’m sure the store owner won’t like it if I can’t make a purchase just because I don’t have a phone with me.
Great site. Lots of useful info here. I’m sending it to some buddies and also sharing in delicious.
And obviously, thank you for your sweat!
Okay, this security extra works only for those who have a mobile phone always at hand. But for those there would be an easy way to do this without revealing the location:
Send an SMS to the mobile which indicates the details of the upcoming purchase (store name, item, price etc.). Only if user confirms by a reply SMS, then the purchase is considered legitimate.
And incidentally this two factor identification would work also for online purchases.
The presence of such a straightforward solution – nothing brand-new here – and the choice not to use it is a clear hint as to what the real purpose is here: definitely not customer security. The excitement factor is the bucket allegedly filled with $44 billion.
Is the proposed location check really secure? I have some doubts. Do the location data really come “directly from the back end of the network”? No way for the crooks to plant some fake location data? Another opportunity for security by hope.
You could be on to something with that idea, although even easier would be for the card issuer to send a one-time password by SMS. Only if the correct PIN AND one-time password are entered at point of sale does the transaction get authorised. That would be easy for them to implement and would not rely on them tracking your location via mobile phone signal.
The location check is secure. It is a fundamental part of the operation of the mobile network, and as MasterCard are in partnership with the phone company, they will have access sorted out.
The police can (and do!) use this data as evidence someone (or at least their phone) was in a certain area.
However, there are many, many other issues that mean I won’t be getting involved in any way!
Not sure if anyone knows, but you can spoof your geolocation on smartphones. I believe that while this sounds like a logical solution, it will only provide peace of mind rather than a real solution, as the criminals will still find a way, while the good people remain good. Might need to look at this as a possible risk. It will boil down to whether they are using IP address to determine geolocation or using the phone’s actual location.