The 40 million credit and debit cards affected by Target’s security breach has finally put the dangers of online shopping in the spotlight or, rather, it has highlighted the weakness of real time and accurate verification. Last week’s breach might seem like a problem for US shoppers, but in fact non-US credit card details stolen from Target are now fetching a premium on the black market. It is a global problem.
December was an especially bad month for privacy breaches with Snapchat and Skype among those affected. To that list we should add less obvious privacy invasions like Facebook’s use of personal messaging for advertising purpose, now the subject of legal action. The theft of millions of credit card details from Target, though, exposed the weaknesses of online commerce more than any other.
In the aftermath of the Target breach I spoke, by email, with Pat Phelan, CEO of Trustev, one of Forbes’ Hottest Global Start-Ups , and a leading provider of social data services for online commerce protection.
Credit card identity issues are big in mobile. In fact they are a major consequence of mobile. Mobile shoppers have created a new time-led expectation of how online commerce should work. It has to be instantaneous, but entering authentication data is both difficult and an unwanted time constraint.
Phelan points out that the real losers in any large sale credit card breach are the merchants who sell the goods (I wrote about the inertia that causes, here). Credit card users will get their money back. The merchants won’t. Until now the banks have been slow to act. That is now changing.
Meanwhile Lexis Nexis, who estimated that merchants were losing over $100 billion a year by 2010, now estimates that for every loss of $100 to direct fraud, merchants lose $279 of business from customers who avoid their sites. LexisNexis estimate that between 10 and 14 million US customers are now victims of fraud each year.
But Trustev’s most active inquiries since the Target breach have come from the mobile industry, in part because of the authentication problem but also because stolen or fraudulently acquired mobile phones sell on for very close to their original asking price. Trustev draws on roughly 80 sources of data for its verification service, including accessing your social media data – with your permission.
What else does Trustev offer?
“We sit pre-checkout and have a number of algorithmic based tools that would allow us to look at a vast number of parameters beside social: 1. Device ID- what device is the user using? 2. Are they behind a proxy or VPN? If so crack it and look at the originating IP to get a location. 3. Browser Identity, generally fraudsters will hide something here, we detect it when they move pages. 4. Digital footprint. This allows us to track the movement on site. Fraudsters move totally different to any other users on a web page and this really helps us, we establish a footprint for proper users on the site and fraudsters move around the site totally different to normal users. 5. Finally we confirm that mobile number entered in checkout cart is a genuinely active phone and its location Using all the data above, we are stopping fraudsters before they even get to checkoutwe check out 80 parameters and do all this in real time.”
In the banking world, currently, banks are obliged to take the extra time to know their customers. This “Know Your Customer” requirement is also becoming an industry standard outside banking because ultimately the banks must deal with the fraudulent transaction. There’s no question over time they will force more know-your-customer requirements on to merchants.
Here on Forbes Adam Tanner has already proposed wider use of masked credit card numbers, or one-off numbers, as a way of solving the security problem.
But in reality anything that slows down transaction times tends to slow down commerce. And while masked numbers might be better from a security standpoint it is questionable whether they pass the ultimate test of knowing who is buying from your site.
What Trustev is developing is a data-rich source of “Know Your Customer” through social media and behavioral patterns. There are other options for merchants, such as Jumio’s Netverify, a product that uses a computer’s camera to scan essential documentation like driver license or passport. There’s a way to go for social and behavioral data as a verification tool but the Irish firm is ahead of the posse. It would not only have saved Target customers some pain but also the merchants who had no part in the breach.