The 40 million credit and debit cards affected by Target's security breach has finally put the dangers of online shopping in the spotlight or, rather, it has highlighted the weakness of real time and accurate verification. There is an answer and social media is an important part of it.
December was an especially bad month for privacy breaches with Snapchat and Skype among those affected. To that list we should add less obvious privacy invasions like Facebook's use of personal messaging for advertising purpose, now the subject of legal action. The theft of millions of credit card details from Target, though, exposed the weaknesses of online commerce more than any other.
The breach might seem like a problem for US shoppers, but in fact non-US credit card details stolen from Target are now fetching a premium on the black market. It is a global problem.
I spoke about the Target breach, by email, with Pat Phelan, CEO of Trustev, one of Forbes' Hottest Global Start-Ups , and a leading provider of social data, behavior profiling and transaction verification for online commerce protection.
Trustev's most active inquiries since the Target breach have come from the mobile industry, in part because of the authentication problem but also because stolen or fraudulently acquired mobile phones sell for very close to their original asking price.
Credit card identity issues are big in mobile. In fact they are a major consequence of mobile. Mobile shoppers have created a new time-led expectation of how online commerce should work. It has to be instantaneous, but entering authentication data is both difficult and an unwanted time constraint.
The problem was recognized as long ago as the early dot.com boom when Finnish mobile carriers first set up Circles of Trust, or common authentication services.
In general mobile carriers have failed to come up with an answer. But why haven't the banks acted sooner? Phelan points out that the real losers in any large sale credit card breach are the merchants who sell the goods (I wrote about the inertia that causes, here). Credit card users will get their money back. The merchants, not the banks, will take the hit.
The banks have been slow to act but that is now changing because of global "know your customer" requirements imposed by regulators on the banking industry.
Meanwhile Lexis Nexis, who estimated that merchants were losing over $100 billion a year by 2010, now estimates that for every loss of $100 to direct fraud, merchants lose $279 of business from customers who avoid their sites. LexisNexis estimate that between 10 and 14 million US customers are victims of fraud each year.
Trustev's solution draws on roughly 80 sources for its verification service, including accessing social media data - with the shopper's permission.
What else does it offer?
"We sit pre-checkout and have a number of algorithmic based tools that allow us to look at a vast number of parameters beside social:
1. Device ID- what device is the user using?2. Are they behind a proxy or VPN? If so crack it and look at the originating IP to get a location.3. Browser Identity, generally fraudsters will hide something here, we detect it when they move pages.4. Digital footprint. This allows us to track the movement on site. Fraudsters move totally differently to any other users on a web page and this really helps us; we establish a footprint for proper users on the site.5. Finally we confirm that mobile number entered in a checkout cart is a genuinely active phone, and its location.Using all the data above, we are stopping fraudsters before they even get to checkout. We check 80 parameters and do all this in real time."
While banks are now obliged to take the extra time to know their customers, this "Know Your Customer" requirement is also becoming an industry standard outside banking because ultimately the banks must deal with the fraudulent transaction, even if they don't suffer from it. There's no question over time they will force more know-your-customer requirements on to merchants.
Here on Forbes Adam Tanner has already proposed wider use of masked credit card numbers, or one-off numbers, as a way of solving the security problem.
But in reality anything that slows down transaction times tends to slow down commerce. And while masked numbers might be better from a security standpoint it is questionable whether they pass the ultimate test of knowing who is buying from your site.
"We sit ahead of the card transaction and make a decision about the human in the transaction rather than the card," says Phelan.
What Trustev is developing is a data-rich source of "Know Your Customer" through social media and behavioral patterns. There are other options for merchants, such as Jumio's Netverify, a product that uses a computer's camera to scan essential documentation like driver license or passport. There's a way to go for social and behavioral data as a verification tool but the Irish firm is ahead of the posse. It would not only have saved Target customers some pain but also the merchants who had no part in the breach.
Follow me on Twitter @haydn1701 or join me on Facebook. I am here on Google
