We're All Being Judged By a Secret 'Trustworthiness' Score (wsj.com)
schwit1 writes: Nearly everything we buy, how we buy, and where we're buying from is secretly fed into AI-powered verification services that help companies guard against credit-card and other forms of fraud, according to the Wall Street Journal.
More than 16,000 signals are analyzed by a service called Sift, which generates a "Sift score" ranging from 1 to 100. The score is used to flag devices, credit cards and accounts that a vendor may want to block based on a person or entity's overall "trustworthiness" score, according to a company spokeswoman.
From the Sift website: "Each time we get an event, be it a page view or an API event, we extract features related to those events and compute the Sift Score. These features are then weighed based on fraud we've seen both on your site and within our global network, and determine a user's Score. There are features that can negatively impact a Score as well as ones which have a positive impact."
The system is similar to a credit score except there's no way to find out your own Sift score.
Factors which contribute to one's Sift score (per the WSJ):
- Is the account new?
- Are there a lot of digits at the end of an email address?
- Is the transaction coming from an IP address that's unusual for your account?
- Is the transaction coming from a region where there are a lot of hackers, such as China, Russia or Eastern Europe?
- Is the transaction coming from an anonymization network?
- Is the transaction happening at an odd time of day?
- Has the credit card being used had chargebacks associated with it?
- Is the browser different from what you typically use?
- Is the device different from what you typically use?
- Is the cadence of the way you typed out your password typical for you? (tracked by some advanced systems)
Of course it's data about you. Many of the signals are using your personal data, in order to determine if the transactor is really you.
This is why you need strong laws like GDPR, which give you an absolute right to view and correct and have that data deleted. In response most companies in Europe have set up special portals where you can get an automated response to most requests, e.g. you can obtain your credit report for free whenever you want.
I worked on a similar fraud prevention system over a decade ago for one of the first major UK ecommerce businesses.
An important point missed in the write-up is that these systems are evaluating the transaction, not the person.
I had a whole year where I couldn't cash checks at bakers, because a stupid system decided I don't exist just because I pay cash for most things like an honest man.
False.
GDPR does not give you access to this data in Europe because it is not personally identifying information.
Once again, these are standard anti-fraud measures banks have been doing for decades. The fact the OP just discovered how banking works doesn't make it some vast invasion of privacy.
This is an anti-fraud system designed to help reduce online fraud. Think of this as a really sophisticated captcha that is designed to tell if you're human or a bot. If certain patterns are detected the transaction is much more likely to be fraudulent.
Scripted attacks follow patterns because they are designed by humans and humans follow patterns. Take the email address example. It's easy to batch a script that creates unique email addresses by incrementing each address by one digit.
Anti-fraud software looks for things like this and many other factors. It's an arms race between those who commit fraud and those who fight it. Fraud raises retailers' costs, which increases the amount you pay. Software like this is good for consumers as it helps keep prices down. This is really much ado about nothing.
Banks have used fraud-detection methods exactly like this for over a decade. The ones I dealt with used over a hundred factors including 'did you ask for a receipt', geographic location, and 'is this for amounts you regularly withdraw', etc.
With the adoption of EMV (chip cards), a lot of this effort is no longer as necessary and has been transferred to Card-Not-Present transactions, where fraud migrated when chip killed card-present fraud.
And of course the reason you can't get your score is that it's not YOUR score, it's the score of this particular transaction. Most of the parameters used to come up with a score change with every transaction.
My gut feeling is the same as yours - consumers should have the right to see information stored about them.
Understand, though, the score is not about you, in any way. It's 100% per-transaction - does this attempt to use your credentials seem risky. I've computed these scores. The system I designed may have been the very first one to use typing cadence in a broadly deployed system.
Here are three examples of a dozen data points, three location computations. Is this attempt coming from the same geographic area that the legitimate user is normally in? Is it humanly possible for them to have traveled from where they were last time to this location? (For example, if you log in from Miami at 10:00 AM, then at noon someone in China claims to be you, that's suspect.) Is the attempt coming from a high-fraud area, such as Russia or China?
I can show you your typing cadence data; it will be meaningless to you. An attempted TRANSACTION is more trustworthy if the typing matches your normal typing. There's nothing about how trustworthy YOU are; it's whether the attempted transaction is suspect based on how well it matches whatever number of criteria.
If you've always used the latest Firefox from Linux and from Android (in Florida), then suddenly someone tries to use your card from an old version of IE on Windows 7 in Nigeria, that's suspect. Not because Linux is more trustworthy, but because it doesn't match how you, the legitimate user, normally do things.
Some systems even track types of things purchased - if you only ever use your card at Walmart and Chevron, with no purchases over $200, and never use it online, then a $1,500 TV purchase from BestBuy.com is out of the ordinary.
We combine all of the criteria to compute a score for the transaction. The BestBuy.com purchase may be approved if it's made from Firefox on Linux in Florida - perhaps only if you enter the CVV2 code (the four digits on the back of the card).
This is the part people are missing; this is a score of the trustworthiness of the transaction, not the trustworthiness of the person.
The trustworthiness of the person is already tracked more closely by the banking industry in your Credit Score. The only thing that makes this a story is the word "trustworthiness" and the existence of China's new social credit system, which also features a word that translates to "trustworthiness." That's it, that's the whole thing.
When I had bogus charges on my CC a few years back, they looked at these same records and determined that it was most likely that I was a victim of fraud, and they removed the charges. I've never had a transaction denied. And I use all the ad blockers, JS blockers, etc. etc. That said, I do not make my traffic appear to come from a different legal jurisdiction; I want to do my banking here, where I am, where I am protected by local laws.
Using a CC is a little bit creepy, but not because of fraud protection; because of transaction history generally.
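As an added illustration, not Sift's code nor the system any commenter above built, here is a small per-transaction scorer in Python that implements the signals described in the thread: impossible travel between the last good login and this attempt (the Miami-then-China case), an unfamiliar browser, an out-of-pattern amount, and the trailing-digits email check from the summary. Coordinates, signal weights and the 900 km/h travel cutoff are constructed assumptions, and the combined score is a property of the attempt, not of the person.

```python
import math
import re
from dataclasses import dataclass

@dataclass
class Profile:
    browsers: set          # browser/OS strings the legitimate user has used
    max_amount: float      # largest amount ever spent on this card
    last_seen: tuple       # (lat, lon, hour) of the last good login, UTC

@dataclass
class Attempt:
    email: str
    loc: tuple             # (lat, lon) geolocated from the source IP
    hour: float            # UTC time as hours since epoch (floats keep it simple)
    browser: str
    amount: float

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def impossible_travel(profile, attempt, max_kmh=900):
    """True if the user could not have moved from last_seen to here in time."""
    lat, lon, then = profile.last_seen
    dist = haversine_km((lat, lon), attempt.loc)
    hours = attempt.hour - then
    if hours <= 0:                      # out-of-order or simultaneous events
        return dist > 0
    return dist / hours > max_kmh       # faster than an airliner: not the user

def risk_signals(profile, attempt):
    """Signals that fired, with weights assumed here (not Sift's real weights)."""
    fired = {}
    if impossible_travel(profile, attempt):
        fired["impossible_travel"] = 40
    if attempt.browser not in profile.browsers:
        fired["new_browser"] = 15
    if attempt.amount > profile.max_amount:
        fired["unusual_amount"] = 20
    if re.search(r"\d{4,}@", attempt.email):   # bob12345@... looks scripted
        fired["numeric_email"] = 10
    return fired

def risk_score(profile, attempt):
    """Per-transaction score 0..100; higher means the attempt looks less like the user."""
    return min(100, sum(risk_signals(profile, attempt).values()))
```

A real deployment would learn the weights from labelled chargebacks rather than hard-code them, and would treat a high score as a reason to step up verification (the CVV2 prompt mentioned above), not as a judgement of the cardholder.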