Slashdot Mirror

← Back to Stories (view on slashdot.org)

We're All Being Judged By a Secret 'Trustworthiness' Score (wsj.com)

Posted by EditorDavid on from the I-am-not-a-number dept.

schwit1 writes: Nearly everything we buy, how we buy, and where we're buying from is secretly fed into AI-powered verification services that help companies guard against credit-card and other forms of fraud, according to the Wall Street Journal.

More than 16,000 signals are analyzed by a service called Sift, which generates a "Sift score" ranging from 1 to 100. The score is used to flag devices, credit cards and accounts that a vendor may want to block based on a person or entity's overall "trustworthiness" score, according to a company spokeswoman.

From the Sift website: "Each time we get an event be it a page view or an API event we extract features related to those events and compute the Sift Score. These features are then weighed based on fraud we've seen both on your site and within our global network, and determine a user's Score. There are features that can negatively impact a Score as well as ones which have a positive impact."

The system is similar to a credit score except there's no way to find out your own Sift score.

Factors which contribute to one's Sift score (per the WSJ):
  • Is the account new?
  • Are there are a lot of digits at the end of an email address?
  • Is the transaction coming from an IP address that's unusual for your account?
  • Is the transaction coming from a region where there are a lot of hackers, such as China, Russia or Eastern Europe?
  • Is the transaction coming from an anonymization network?
  • Is the transaction happening at an odd time of day?
  • Has the credit card being used had chargebacks associated with it?
  • Is the browser different from what you typically use?
  • Is the device different from what you typically use?
  • Is the cadence of the way you typed out your password typical for you? (tracked by some advanced systems)

24 of 135 comments (clear)

  1. Ummm.... by brunes69 · · Score: 4, Insightful

    ... this looks like standard anti-fraud measures that banks and retail have been doing for years and years and years. It's not creating a profile of YOU, its creating a profile of YOUR CARD so it can detect if it's been compromised.

    IE - you definitely want this.

    Nothing to see here.

    1. Re:Ummm.... by AmiMoJo · · Score: 2, Informative

      Of course it's data about you. Many of the signals are using your personal data, in order to determine if the transactor is really you.

      This is why you need strong laws like GDPR, which give you an absolute right to view and correct and have that data deleted. In response most companies in Europe have set up special portals where you can get an automated response to most requests, e.g. you can obtain your credit report for free whenever you want.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Ummm.... by brunes69 · · Score: 3, Informative

      False.

      GDPR does not give you access to this data in Europe because it is not personally identifying information.

      Once again, these are standard anti-fraud measures banks have been doing for decades. The fact the OP just discovered how banking works doesn't make it some vast invasion of privacy.

    3. Re:Ummm.... by Applehu+Akbar · · Score: 4, Insightful

      YOU DON'T WANT OR NEED THIS. Your bank is the one on the hook for fraud.

      Ultimately, every banking customer pays for fraud. Businesses don't 'absorb' ongoing costs; they always show up in the fees you pay for service.

    4. Re:Ummm.... by Aighearach · · Score: 4, Informative

      This is the part people are missing; this is a score of the trustworthiness of the transaction, not the trustworthiness of the person.

      The trustworthiness of the person is already tracked more closely by the banking industry in your Credit Score. The only thing that makes this a story is the word "trustworthiness" and the existence of China's new social credit system, which also features a word that translates to "trustworthiness." That's it, that's the whole thing.

      When I had bogus charges on my CC a few years back, they looked at these same records and determined that it was most likely that I was a victim of fraud, and they removed the charges. I've never had a transaction denied. And I use all the ad blockers, JS blockers, etc. etc. That said, I do not make my traffic appear to come from a different legal jurisdiction; I want to do my banking here, where I am, where I am protected by local laws.

      Using a CC is a little bit creepy, but not because of fraud protection; because of transaction history generally.

    5. Re:Ummm.... by Cederic · · Score: 2

      It's difficult to argue with someone who doesn't even understand the basic

      I know, but I'm doing my best.

      It's not your data

      Yes, it is. It's my data as much as it's their data. They are constrained by law in how they can use that data precisely because it's my data.

      you agreed to allow them to collect it when you applied for and started using a card

      My permission or otherwise does not change the status of the data. It's still my data.

      I can write down your name, address, telephone number, email address, credit card number and bra size with or without your permission. I can also broadcast it over the internet, without your permission. I wont be breaking the law.

      The moment I start doing that as a business and not a private individual I am beholden to properly protect that data and use it only in accordance with the law. There are limits to what I can do, whether you give me your permission or not.

      No, you are not directly paying for fraudulent use of your card. That comes out of profits, and is potentially spread across all customers, whether their card was used fraudulently or not.

      So I'm indirectly paying for fraud across all customers. Thank you for agreeing with me.

    6. Re:Ummm.... by Zmobie · · Score: 3, Interesting

      Ok, here is the problem. Yes, they are rating the trustworthiness of the transaction, but in order to do that they are holding and computing vast amounts of heuristic data about you and your shopping/card usage patterns. That type of data is HIGHLY sensitive and can reveal a vast amount about a person, and there is literally nothing governing their usage of that data. They could sell it to almost anyone (probably including sanctioned governments if they get creative enough) and it would have serious implications with virtually no legal liability. Imagine a spy agency having a financial vulnerability list of who to target for recruiting. Think about the fact that they are essentially able to predict your movements and purchases with probably terrifying accuracy. This is a digital gold mine and we have no idea who might entice/force them to give them access.

      Fraud prevention is important, but this type of data collection is fucking scary.

    7. Re:Ummm.... by Okind · · Score: 2

      GDPR does not give you access to this data [on your usage of the card] in Europe because it is not personally identifying information.

      Sorry, but that's simply not true: your payment history (assuming an compromised card, as most are) is a history of your personal behavior.

      Although each individual data point cannot be used to identify you, the history of them can. There is only one single person in the whole world that would generate this exact series of data points: you. And if you take location into account, that means the length of history needed to uniquely identify you is considerably shorter.

      This is why, under the GDPR, browsing history is personally identifying information. Yes, there are shared browsers. But as a very large part of web traffic these days is from mobile phones only ever used by one single person, the existence of shares browsers/devices is no longer relevant.

  2. Time for a general Data equiv to the FCRA by Etcetera · · Score: 4, Insightful

    The "Big Data" companies of the day have all become heavily regulated in what they can store, how they can store, how long they can store, and have transparency laws about providing consumers access to their own data reports and challenging information in them.

    It's time for this to extend to all large-scale person-identification projects, and if the data brokers have to be torn apart to do so, so be it.

    --
    Hire a Linux system administrator, systems engineer,
  3. AWS Crazieness... by aaarrrgggh · · Score: 4, Interesting

    Failed opening an AWS account while in Thailand and using a (cheap) SIP provider for a US number, despite giving them everything they asked for (absurd requests). These systems get annoying and expensive for the people that don’t fit the “normal” profile.

    And today Google locked me out of my business email for the correct password from an IP address that just checked my email successfully.

    Screw this hosted cloud shit. I’m going back to a physical server I have physical control over. (Even if it might have to be in my mom’s basement.)

    1. Re: AWS Crazieness... by orlanz · · Score: 2

      Do what I do... I tell the CC company that you will be in X country, doing B level of spending, for G type of items. They make pretty good assumptions for B & G if you don't provide it, but don't expect a bunch of Amazon purchases to some random 3rd country to go through.

      I have never had trouble when I provided the "exceptions" to my norms 1-2 business days in advance.

  4. Not new or unusual. by Martin+S. · · Score: 4, Informative

    I worked on similar fraud prevention system over a decade ago for one of the first major UK ecommerce businesses.

    An important point missed in the write up is that these systems are evaluating the transaction, not the person.

    1. Re:Not new or unusual. by squiggleslash · · Score: 2

      Yeah, I think the headline is, not merely misleading, but a complete lie. There's nothing about this system - as described - that's evaluating readers of Slashdot, merely something trying to determine if a transaction might be the result of stolen or faked credentials.

      --
      You are not alone. This is not normal. None of this is normal.
  5. Next stop: chilling effects by mrwireless · · Score: 2, Interesting

    Once the majority of people realize that all their behavior is turned into these scores, and that these scores have increasing influence over their lives, you will start to see serious chilling effects.

    Heck, we are already seeing those.

    In the long run this could lead to social cooling, where society becomes more rigid, less able to change.

  6. Agree! This is why Slashdot has gone so downhill by brunes69 · · Score: 2

    It used to be that critical thinkers judged stories and their summaries before they were posted to see if they were accurate.

    Nowadays anything with clickbait gets posted since it drives ad revenue.

  7. Much ado about nothing by onyxruby · · Score: 4, Informative

    This is an anti-fraud system designed to help reduce online fraud. Think of this as a really sophisticated captcha that is designed to tell if your human or a bot. If certain patterns are detected the transaction is much more likely to be fraudulent.

    Scripted attacks follow patterns because they are designed by humans and humans follow patterns. Take the email address example. It's easy to batch a script that creates unique email address by incrementing each address by one digit.

    Anti-fraud software looks for things like this and many other factors. It's an arms race between those who commit fraud and those who fight it. Fraud raises retailers costs which increase the amount you pay. Software like this is good for consumers as it helps keep prices down. This is really much ado about nothing.

  8. ATMs have had this idea for decades... by west · · Score: 4, Informative

    Banks have used fraud-detection methods exactly like this for over a decade. The ones I dealt with used over a hundred factors including 'did you ask for a receipt', geographic location, and 'is this for amounts you regularly withdraw', etc.

    With the adoption of EMV (chip cards), a lot of this has effort is no longer as necessary and been transferred to Card-Not-Present transactions where fraud migrated when chip killed card-present fraud.

    And of course the reason you can't get your score is that it's not YOUR score, it the score of this particular transaction. Most of the parameters used to come up with a score change with every transaction.

  9. password cadence by humankind · · Score: 2

    Is the cadence of the way you typed out your password typical for you? (tracked by some advanced systems)

    Interesting.

    Does anybody know who's measuring this metric? Does Amazon do this? Also it seems if you use a password aggregator it could trigger this.

  10. Yes except score not about you, about transaction by raymorris · · Score: 4, Informative

    My gut feeling is the same as yours - consumers should have the right to see information stored about them.

    Understand, though, the score is not about you, in way. It's 100% per-transaction - does this attempt to use your credentials seem risky. I've computed these scores. The system I designed may have been the very first one to use typing cadence in a broadly deployed system.

    Here are three of examples of a dozen data points, three location computations. Is this attempt coming from the same geographic area that the legitimate user is normally in? Is it humanly possible for them to have traveled from where they were last time to this location? (For example if you log in Miami at 10:00 AM, then at noon someone in China claims to be you, that's suspect.) Is the attempt coming from a high-fraud area, such as Russia or China?

    I can show you your typing cadence data; it will be meaningless to you. An attempted TRANSACTION is more trustworthy is the typing matches your normal typing. there nothing about how trustworthy YOU are, it's whether the attempted transaction is suspect based on how well it matches whatever number of criteria.

    If you've you've always used the latest Firefox from Linux and from Android (in Florida), then suddenly someone tries to use your card from and old version of IE on Windows 7 in Nigeria, that's suspect. Not because Linux is more trustworthy, but because it doesn't match how you, the legitimate user, normally does things.

    Some systems even track types of things purchased - if you only ever use your card at Walmart and Chevron, with no purchases over $200, and never use it online, then a $1,500 TV purchase from BestBuy.com is out of the ordinary.

    We combine all of the criteria to compute a score for the transaction. The BestBuy.com purchase may be approved if it's made from Firefox on Linux on Florida - perhaps only if you enter the CVV2 code (the four digits on the back of the card).

  11. 16000 data points is a bit much for that by rsilvergun · · Score: 3, Insightful

    what they're really looking at is how good a customer you are.

    That sounds innocuous until it's not. As the data improves and as companies continue to consolidate and share data (possible because we've completely removed the breaks on mergers and anti-trust law today) the companies will start doing the same sorts of things China plans to do with its "Social Credit" system. We've already seen a bit of this where web sites track you and show higher prices if they think you'll pay it. Sprint also rather famously made a list of the customers who cost the most due to customer service calls and "fired" them.

    Whether it's a mega corporation or a fascist government doesn't matter to me. I don't care if the jackboot on my throat is a public or private one, I don't want a jackboot on my throat. That said I'm not so naive as to think I can avoid powerful government institutions. The anarchist or libertarian route doesn't work, it just makes a power vacuum. If I don't form a government with my fellow citizens a mega corp will fill that void.

    The time is now to either start enforcing anti-trust to prevent these kinds of power concentrations (while making sure voter suppression stops so we don't end up with the public option Jackboot). Either that or heavy regulation, especially for "natural" monopolies (think Google, or your cable company).

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  12. My first thought was China's social credit score by rsilvergun · · Score: 2, Insightful

    this is basically a private version of that. Same effect but palpable to Americans since it's not the government doing it...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  13. I am not a number, I am a man by shanen · · Score: 2

    For whatever being a human being is worth these days.

    The funny part is that I sort of agree with the idea, but not with the dimensionality or the secrecy. I even agree that many of the criteria they are considering should be considered, but I'm an advocate of MEPR (Multidimensional Earned Public Reputation) that is based on the personal data and actions that you choose to disclose and which should be subject to your own review. That includes allowing you to review how the values of each dimension are calculated, but going beyond that, you should be able to determine how the MEPR scores you use are calculated (for example by tilting the weights), you should be able to challenge bad data, you should have a right to audit any uses of your MEPR scores, and you should even have the option to withdraw your MEPR scores from public view (along with clear explanations of the ramifications).

    Near as I can tell, the reputation of Sift should be about 2 points out of 100. I think that's more than a minor clash of principles.

    I think this is the first time I've heard of Sift, but I am NOT at all surprised by any aspect of it. However I would be shocked if there were any way to opt out of being judged in this secret Star Chamber.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  14. Re: So they're admitting it's biased by Anonymous Coward · · Score: 2, Funny

    You might be very trustworthy but if you walk into a bank with sunglasses and your hands in your pockets, you are going to be noticed immediately by the guard and at a minimum told to take your sunglasses off, and at worst be questioned.

    I took them off once and nearly burned the bank down. That guard never asked me to take them off again.

    -Scott Summers

  15. Re:So they're admitting it's biased by micheas · · Score: 2
    If a credit card is always used with a Tor IP address, and then makes a request that is not from a Tor IP address the request not from Tor would be suspicious.

    Additionally, If you always hide your browser signature and you make a request that looks like it is a generic Chrome browser that would be suspicious.

    --
    Work bio at MMWD