We're All Being Judged By a Secret 'Trustworthiness' Score (wsj.com)
schwit1 writes: Nearly everything we buy, how we buy, and where we're buying from is secretly fed into AI-powered verification services that help companies guard against credit-card and other forms of fraud, according to the Wall Street Journal.
More than 16,000 signals are analyzed by a service called Sift, which generates a "Sift score" ranging from 1 to 100. The score is used to flag devices, credit cards and accounts that a vendor may want to block based on a person or entity's overall "trustworthiness" score, according to a company spokeswoman.
From the Sift website: "Each time we get an event be it a page view or an API event we extract features related to those events and compute the Sift Score. These features are then weighed based on fraud we've seen both on your site and within our global network, and determine a user's Score. There are features that can negatively impact a Score as well as ones which have a positive impact."
The system is similar to a credit score except there's no way to find out your own Sift score.
Factors which contribute to one's Sift score (per the WSJ):
- Is the account new?
- Are there a lot of digits at the end of an email address?
- Is the transaction coming from an IP address that's unusual for your account?
- Is the transaction coming from a region where there are a lot of hackers, such as China, Russia or Eastern Europe?
- Is the transaction coming from an anonymization network?
- Is the transaction happening at an odd time of day?
- Has the credit card being used had chargebacks associated with it?
- Is the browser different from what you typically use?
- Is the device different from what you typically use?
- Is the cadence of the way you typed out your password typical for you? (tracked by some advanced systems)
A lot of the criteria is standard practice for people who seek to avoid data collection and fingerprinting, and has nothing to do with how trustworthy those individuals are.
... this looks like standard anti-fraud measures that banks and retail have been doing for years and years and years. It's not creating a profile of YOU, it's creating a profile of YOUR CARD so it can detect if it's been compromised.
IE - you definitely want this.
Nothing to see here.
The "Big Data" companies of the day have all become heavily regulated in what they can store, how they can store, how long they can store, and have transparency laws about providing consumers access to their own data reports and challenging information in them.
It's time for this to extend to all large-scale person-identification projects, and if the data brokers have to be torn apart to do so, so be it.
Failed opening an AWS account while in Thailand and using a (cheap) SIP provider for a US number, despite giving them everything they asked for (absurd requests). These systems get annoying and expensive for the people that don’t fit the “normal” profile.
And today Google locked me out of my business email for the correct password from an IP address that just checked my email successfully.
Screw this hosted cloud shit. I’m going back to a physical server I have physical control over. (Even if it might have to be in my mom’s basement.)
But this algorithm was developed by private industry, which means it's more accurate and reliable than any algorithm the government could produce!
I worked on a similar fraud prevention system over a decade ago for one of the first major UK ecommerce businesses.
An important point missed in the write up is that these systems are evaluating the transaction, not the person.
I had a whole year where I couldn't cash checks at bakers, because stupid system decided I don't exist just because I pay cash for most things like an honest man.
Once the majority of people realize that all their behavior is turned into these scores, and that these scores have increasing influence over their lives, you will start to see serious chilling effects.
Heck, we are already seeing those.
In the long run this could lead to social cooling, where society becomes more rigid, less able to change.
It used to be that critical thinkers judged stories and their summaries before they were posted to see if they were accurate.
Nowadays anything with clickbait gets posted since it drives ad revenue.
This is an anti-fraud system designed to help reduce online fraud. Think of this as a really sophisticated captcha that is designed to tell if you're human or a bot. If certain patterns are detected the transaction is much more likely to be fraudulent.
Scripted attacks follow patterns because they are designed by humans and humans follow patterns. Take the email address example. It's easy to batch a script that creates unique email addresses by incrementing each address by one digit.
Anti-fraud software looks for things like this and many other factors. It's an arms race between those who commit fraud and those who fight it. Fraud raises retailers' costs, which increases the amount you pay. Software like this is good for consumers as it helps keep prices down. This is really much ado about nothing.
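The incrementing-address pattern mentioned in the comment above can be detected on the defender's side by grouping sign-ups rather than judging single addresses. The following is an added example, not part of the original thread or of any vendor's product; the function names, the `min_run` threshold and the sample addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Lazy stem, then the trailing digits of the local part.
LOCAL_RE = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def split_address(addr):
    """Return (stem, domain, number), or None if there are no trailing digits."""
    local, _, domain = addr.lower().rpartition("@")
    m = LOCAL_RE.match(local)
    if not local or not m:
        return None
    return m.group("stem"), domain, int(m.group("num"))


def longest_run(numbers):
    """Length of the longest run of consecutive integers in numbers."""
    nums = set(numbers)
    best = 0
    for n in nums:
        if n - 1 not in nums:  # n is the start of a run
            length = 1
            while n + length in nums:
                length += 1
            best = max(best, length)
    return best


def find_batches(addresses, min_run=4):
    """Report (stem, domain) groups whose numeric suffixes contain at least
    min_run consecutive values. min_run is an assumed threshold."""
    groups = defaultdict(list)
    for addr in addresses:
        parts = split_address(addr)
        if parts:
            stem, domain, num = parts
            groups[(stem, domain)].append(num)
    flagged = {}
    for (stem, domain), nums in groups.items():
        run = longest_run(nums)
        if run >= min_run:
            flagged[f"{stem}N@{domain}"] = run
    return flagged


# Constructed sample sign-ups (example.* domains, not real accounts).
SIGNUPS = [
    "jsmith1987@example.org",        # digits, but a lone address: not flagged
    "promo.user101@example.com", "promo.user102@example.com",
    "promo.user103@example.com", "promo.user104@example.com",
    "alice@example.com",
    "promo.user105@example.com", "promo.user106@example.com",
    "kim.lee22@example.net",
    "jsmith1988@example.net",        # different domain, so no run with jsmith1987
]

if __name__ == "__main__":
    print(find_batches(SIGNUPS))
```

A person whose address happens to end in a birth year is not flagged here; only a run of consecutive suffixes on the same stem and domain is, which keeps the signal tied to scripted creation rather than to digits alone.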
It already exists. It's called GDPR. Despite what you think, it is global. This company is subject to GDPR.
However, as I have pointed out in other comments, this summary and article are highly inaccurate. These are standard anti-fraud measures banks have been doing for decades. What is analyzed is the transaction, not the individual.
If you didn't have these protections then online fraud and all credit card fraud (online and off) would go through the roof as would all of your banking fees.
Wonder how piracy will affect my score? Keep me from getting a job?
It's called a credit score, and it has existed for decades, millennials. Seriously: what did your parents teach you? Also, software has been in use for this task for decades and it is not 'AI'.
Mod me insightful, oh secret mods, because this post certainly is.
Some drink at the fountain of knowledge. Others just gargle.
Banks have used fraud-detection methods exactly like this for over a decade. The ones I dealt with used over a hundred factors including 'did you ask for a receipt', geographic location, and 'is this for amounts you regularly withdraw', etc.
With the adoption of EMV (chip cards), a lot of this effort is no longer as necessary and has been transferred to Card-Not-Present transactions, where fraud migrated when chip killed card-present fraud.
And of course the reason you can't get your score is that it's not YOUR score, it's the score of this particular transaction. Most of the parameters used to come up with a score change with every transaction.
Not only is this nothing new, but Sift is also fairly small in this arena. Companies like CA (now part of Broadcom), ThreatMetrix, iovation, LexisNexis and others do far more and have networks of billions of devices, identities, and transactions they use for analysis.
Interesting.
Does anybody know who's measuring this metric? Does Amazon do this? Also it seems if you use a password aggregator it could trigger this.
A credit score doesn't monitor your real time activity.
A credit score is based on past activity and ability to pay.
It doesn't have a bearing on whether or not a particular transaction is a risk, as much as it measures the customer's ability and likelihood to honor their debts. This doesn't really apply if the user's information is being appropriated by scammers.
The system is similar to a credit score except there's no way to find out your own Sift score
Interesting. So, how does a merchant determine your score?
What you mean to whine about is that there is presently no government-mandated way for you to determine your score for free.
But, if you subscribe to the service, or someone else that subscribes chooses to tell you, you can absolutely determine your score. It's just not public and free.
Maybe, if you're lucky, credit karma et al will provide this as part of their paid service. Maybe they will actually start providing some smidgin of value with their paid service. Nahh.
you all think it's crazy
My gut feeling is the same as yours - consumers should have the right to see information stored about them.
Understand, though, the score is not about you, in a way. It's 100% per-transaction - does this attempt to use your credentials seem risky. I've computed these scores. The system I designed may have been the very first one to use typing cadence in a broadly deployed system.
Here are three examples of a dozen data points, three location computations. Is this attempt coming from the same geographic area that the legitimate user is normally in? Is it humanly possible for them to have traveled from where they were last time to this location? (For example if you log in in Miami at 10:00 AM, then at noon someone in China claims to be you, that's suspect.) Is the attempt coming from a high-fraud area, such as Russia or China?
I can show you your typing cadence data; it will be meaningless to you. An attempted TRANSACTION is more trustworthy if the typing matches your normal typing. There's nothing about how trustworthy YOU are; it's whether the attempted transaction is suspect based on how well it matches whatever number of criteria.
If you've always used the latest Firefox from Linux and from Android (in Florida), then suddenly someone tries to use your card from an old version of IE on Windows 7 in Nigeria, that's suspect. Not because Linux is more trustworthy, but because it doesn't match how you, the legitimate user, normally do things.
Some systems even track types of things purchased - if you only ever use your card at Walmart and Chevron, with no purchases over $200, and never use it online, then a $1,500 TV purchase from BestBuy.com is out of the ordinary.
We combine all of the criteria to compute a score for the transaction. The BestBuy.com purchase may be approved if it's made from Firefox on Linux in Florida - perhaps only if you enter the CVV2 code (the four digits on the back of the card).
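The per-transaction scoring described in the comment above (travel feasibility, familiar device, purchase pattern, then a combined score that may trigger a CVV2 prompt) can be sketched as follows. This is an added example, not the commenter's system or any vendor's code: the weights, thresholds, speed ceiling, field names and sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumption: nobody outruns an airliner


@dataclass
class Event:
    when: datetime
    lat: float
    lon: float
    device: tuple   # (browser, os)
    merchant: str
    amount: float


def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    p1, p2 = radians(a.lat), radians(b.lat)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(b.lon - a.lon) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(prev, cur):
    """True if prev -> cur implies a speed above MAX_SPEED_KMH."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return km_between(prev, cur) > 50.0
    return km_between(prev, cur) / hours > MAX_SPEED_KMH


def score_transaction(history, cur):
    """Score one attempted transaction against the account's history.
    Returns (score 0-100, reasons); weights are illustrative, not calibrated."""
    last = max(history, key=lambda e: e.when)
    checks = [
        ("impossible_travel", 40, impossible_travel(last, cur)),
        ("unusual_location", 15, min(km_between(e, cur) for e in history) > 500),
        ("unfamiliar_device", 25, cur.device not in {e.device for e in history}),
        ("amount_outlier", 20, cur.amount > 3 * max(e.amount for e in history)),
        ("new_merchant", 10, cur.merchant not in {e.merchant for e in history}),
    ]
    reasons = [name for name, _, hit in checks if hit]
    return min(100, sum(w for _, w, hit in checks if hit)), reasons


def decide(score):
    """Map the score to an action; thresholds are assumptions."""
    if score >= 60:
        return "decline"
    return "step_up" if score >= 25 else "approve"  # step_up: e.g. ask for the CVV2


# Constructed sample data: an account normally used from Florida.
FIREFOX_LINUX, FIREFOX_ANDROID = ("Firefox", "Linux"), ("Firefox", "Android")
HISTORY = [
    Event(datetime(2019, 4, 1, 18, 0), 28.54, -81.38, FIREFOX_ANDROID, "walmart", 45.00),
    Event(datetime(2019, 4, 3, 9, 30), 25.76, -80.19, FIREFOX_LINUX, "chevron", 120.00),
    Event(datetime(2019, 4, 6, 10, 0), 25.76, -80.19, FIREFOX_LINUX, "walmart", 38.50),
]
TV_FROM_FLORIDA = Event(datetime(2019, 4, 6, 12, 0), 28.54, -81.38, FIREFOX_LINUX, "bestbuy.com", 1500.00)
TV_FROM_LAGOS = Event(datetime(2019, 4, 6, 12, 0), 6.52, 3.38, ("IE", "Windows 7"), "bestbuy.com", 1500.00)
```

With this data the same $1,500 purchase scores 30 (`step_up`) from the familiar Florida device and 100 (`decline`) from the unfamiliar device in Lagos two hours after a Miami event; the score belongs to the attempt, and the `reasons` list is what an analyst would review on a false positive.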
(I'm saying this as someone who has worked in computers since the mid 70's)
Perhaps if the industry (that's all of us) had done a better job of providing identification and authorization in a manner that was:
1) Effective so it could prevent fraud,
2) Usable in the real world to accelerate adoption, and
3) Optional, to support the legitimate need for anonymity.
then there would be less need for such privacy intrusions and it would be easier to either avoid, opt-out or legislate against their use.
what they're really looking at is how good a customer you are.
That sounds innocuous until it's not. As the data improves and as companies continue to consolidate and share data (possible because we've completely removed the brakes on mergers and anti-trust law today) the companies will start doing the same sorts of things China plans to do with its "Social Credit" system. We've already seen a bit of this where web sites track you and show higher prices if they think you'll pay it. Sprint also rather famously made a list of the customers who cost the most due to customer service calls and "fired" them.
Whether it's a mega corporation or a fascist government doesn't matter to me. I don't care if the jackboot on my throat is a public or private one, I don't want a jackboot on my throat. That said I'm not so naive as to think I can avoid powerful government institutions. The anarchist or libertarian route doesn't work, it just makes a power vacuum. If I don't form a government with my fellow citizens a mega corp will fill that void.
The time is now to either start enforcing anti-trust to prevent these kinds of power concentrations (while making sure voter suppression stops so we don't end up with the public option Jackboot). Either that or heavy regulation, especially for "natural" monopolies (think Google, or your cable company).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
this is basically a private version of that. Same effect but palpable to Americans since it's not the government doing it...
credit score by any other name. don't like it? don't participate. 40 years on, I still trade IPs for my .hosts
Why not all countries start using a unified social credit score, instead of credit scores, driver license scores, etc, like China???
But not in China, and seemingly (up to now anyway) focussed on retail purchases and not being a good citizen in order to restrict your freedoms. Thin end of the wedge.
Rejecting my transactions because I used a VPN sounds like what Live Nation does. It's a real pain in the ass. The vendor already had my address, because they will be sending me the tickets through the mail, so why would they need my IP address? Life is just turning into a big pain in the ass.
In the past 3 decades even long before "AI" and expert system there were such basic checks. I have been called 2 times to verify if it was me making the transaction (though I can't recall if it was the processor or the bank which called me).
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
The daily "hackers!" blameposting. Ran out of useful topics to write about again, EditorDavid? Scratch that, you lot couldn't find "news for nerds, stuff that matters" if it bit you in the arse, slapped you in the face, and told you to sit down and do your jobs right there and then.
In the US stuff like this is secret in China it's open (and a threat) ... but the title is more suggestive ...
I agree that there is nothing to see here
Rhetorical title.
Maybe you can't see your score, but is there a new industry created to improve your Sift score?
+1 Informative.
I have taken the headline's bait and been caught clicking, or perhaps more accurately, clucking.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
the CVV2 code (the four digits on the back of the card).
Found the one person who uses Mastercard.
In the real world it is a 3 digit code. 4 digits is only Mastercard or non-visa debit cards.
Yeah, no shit. Google is the worst about this. Fucking pricks. They're simply using this to pin down your identity and calling it security. I am a security engineer, and this is exactly why normal people will always, in the back of their minds, be skeptical when someone says something is "for your security." It is almost always a lie.
For whatever being a human being is worth these days.
The funny part is that I sort of agree with the idea, but not with the dimensionality or the secrecy. I even agree that many of the criteria they are considering should be considered, but I'm an advocate of MEPR (Multidimensional Earned Public Reputation) that is based on the personal data and actions that you choose to disclose and which should be subject to your own review. That includes allowing you to review how the values of each dimension are calculated, but going beyond that, you should be able to determine how the MEPR scores you use are calculated (for example by tilting the weights), you should be able to challenge bad data, you should have a right to audit any uses of your MEPR scores, and you should even have the option to withdraw your MEPR scores from public view (along with clear explanations of the ramifications).
Near as I can tell, the reputation of Sift should be about 2 points out of 100. I think that's more than a minor clash of principles.
I think this is the first time I've heard of Sift, but I am NOT at all surprised by any aspect of it. However I would be shocked if there were any way to opt out of being judged in this secret Star Chamber.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
I urge you [brunes69] to consider the Categorical Imperative, especially from the perspective of someone who thinks the number of his "trustworthiness" ought to be higher. Alternatively, I'd ask you to consider what happens when complex multidimensional concepts are reduced to singular values.
My longer thoughts are in my initial reaction to this story, but I'm reacting to your comment based on the heavy positive moderation that it received. However, I will add that as part of MEPR, I think the reputation of the evaluators should be taken into account, even on a per-dimension basis. Symmetry is important.
In solution terms, it would be nice if we were allowed to retain possession of our own personal data, or at least specify where it is being held and who is allowed to make permanent copies. Or at least give us a cut of the loot.
As things now stand, the only response is "Surrender, Dorothy!"
Your support for libtard ideas and the libtard Democrat party will be used against you and your families (wives, children, etc). Keep opposing our amazing president at your own risk. You have been warned.
In the real world it is a 3 digit code. 4 digits is only Mastercard or non-visa debit cards.
I think you're thinking of Amex. I have a couple Mastercard logo'd cards; they're 3-digit CVV2, just like the Visas.
Autopay it for you in case they cut you off from your account management, wherever you are. I've had a LOT of problems as an exclusive non-javascript tor user with exactly these kinds of issues. It would be fine if it actually protected us, but every site with these kinds of over the top measures has been hacked within a year of me signing up, leading to the need for a new more secure site for email or other services. Today the only thing that can be ensured is that they will have over the top metrics to fake your identity on any side, and an extensive trade in these sorts of passively gathered metrics.
It won't benefit you, just the criminals and corporations.
Headline: " ... Secret 'Trustworthiness' Score" ... From the Sift website: blah blah"
Body: "
Google searches, finds in moments (after filtering out the amino acid and flight test results...)
Secret Clickbait headline.
Started and tweaked in China...rolling out in the rest of the world for the "New world order".
Since they (companies/governments) steal a lot themselves, who will check them out for their trustworthiness ???
Who are these fuckers that think they are somehow better than anything else ???? Bunch of failed kindergarten teachers is what they are.
Criminals accusing everyone of the crimes they themselves commit. Sycophants.
"Nearly everything we buy, how we buy, and where we're buying from is secretly fed into AI-powered verification services that help companies guard against credit-card and other forms of fraud, according to the Wall Street Journal."
I'm not saying that it isn't "AI-powered", but I am getting a little annoyed at the dilution of the term 'AI' in every MSM tech article. It's getting ridiculous now.
by law you can see exactly what makes it and submit corrections to it that they must either honor or prove invalid. Also your credit score just says how likely you are to pay bills and how much money they can loan you until you can't pay it. If they've really got 16000 points of data they can do a hell of a lot more than that.
being chinese makes you a risk by default ... going through a chinese IP on your daddy's money's laptop makes your daddy's credit rating orange-lighted ?
A.I. ... the WAY to the future :p
Free speech was meant to be free for all... how can anyone grow up in a nanny state ?