Slashdot Mirror


We're All Being Judged By a Secret 'Trustworthiness' Score (wsj.com)

schwit1 writes: Nearly everything we buy, how we buy, and where we're buying from is secretly fed into AI-powered verification services that help companies guard against credit-card and other forms of fraud, according to the Wall Street Journal.

More than 16,000 signals are analyzed by a service called Sift, which generates a "Sift score" ranging from 1 to 100. The score is used to flag devices, credit cards and accounts that a vendor may want to block based on a person or entity's overall "trustworthiness" score, according to a company spokeswoman.

From the Sift website: "Each time we get an event, be it a page view or an API event, we extract features related to those events and compute the Sift Score. These features are then weighed based on fraud we've seen both on your site and within our global network, and determine a user's Score. There are features that can negatively impact a Score as well as ones which have a positive impact."

The system is similar to a credit score except there's no way to find out your own Sift score.


Factors which contribute to one's Sift score (per the WSJ):
  • Is the account new?
  • Are there a lot of digits at the end of an email address?
  • Is the transaction coming from an IP address that's unusual for your account?
  • Is the transaction coming from a region where there are a lot of hackers, such as China, Russia or Eastern Europe?
  • Is the transaction coming from an anonymization network?
  • Is the transaction happening at an odd time of day?
  • Has the credit card being used had chargebacks associated with it?
  • Is the browser different from what you typically use?
  • Is the device different from what you typically use?
  • Is the cadence of the way you typed out your password typical for you? (tracked by some advanced systems)

12 of 135 comments

  1. Ummm.... by brunes69 · · Score: 4, Insightful

    ... this looks like standard anti-fraud measures that banks and retail have been doing for years and years and years. It's not creating a profile of YOU, it's creating a profile of YOUR CARD so it can detect if it's been compromised.

    I.e., you definitely want this.

    Nothing to see here.

    1. Re:Ummm.... by brunes69 · · Score: 3, Informative

      False.

      GDPR does not give you access to this data in Europe because it is not personally identifying information.

      Once again, these are standard anti-fraud measures banks have been doing for decades. The fact the OP just discovered how banking works doesn't make it some vast invasion of privacy.

    2. Re:Ummm.... by Applehu+Akbar · · Score: 4, Insightful

      YOU DON'T WANT OR NEED THIS. Your bank is the one on the hook for fraud.

      Ultimately, every banking customer pays for fraud. Businesses don't 'absorb' ongoing costs; they always show up in the fees you pay for service.

    3. Re:Ummm.... by Aighearach · · Score: 4, Informative

      This is the part people are missing; this is a score of the trustworthiness of the transaction, not the trustworthiness of the person.

      The trustworthiness of the person is already tracked more closely by the banking industry in your Credit Score. The only thing that makes this a story is the word "trustworthiness" and the existence of China's new social credit system, which also features a word that translates to "trustworthiness." That's it, that's the whole thing.

      When I had bogus charges on my CC a few years back, they looked at these same records and determined that it was most likely that I was a victim of fraud, and they removed the charges. I've never had a transaction denied. And I use all the ad blockers, JS blockers, etc. etc. That said, I do not make my traffic appear to come from a different legal jurisdiction; I want to do my banking here, where I am, where I am protected by local laws.

      Using a CC is a little bit creepy, but not because of fraud protection; because of transaction history generally.

    4. Re:Ummm.... by Zmobie · · Score: 3, Interesting

      Ok, here is the problem. Yes, they are rating the trustworthiness of the transaction, but in order to do that they are holding and computing vast amounts of heuristic data about you and your shopping/card usage patterns. That type of data is HIGHLY sensitive and can reveal a vast amount about a person, and there is literally nothing governing their usage of that data. They could sell it to almost anyone (probably including sanctioned governments if they get creative enough) and it would have serious implications with virtually no legal liability. Imagine a spy agency having a financial vulnerability list of who to target for recruiting. Think about the fact that they are essentially able to predict your movements and purchases with probably terrifying accuracy. This is a digital gold mine and we have no idea who might entice/force them to give them access.

      Fraud prevention is important, but this type of data collection is fucking scary.

  2. Time for a general Data equiv to the FCRA by Etcetera · · Score: 4, Insightful

    The "Big Data" companies of the day have all become heavily regulated in what they can store, how they can store, how long they can store, and have transparency laws about providing consumers access to their own data reports and challenging information in them.

    It's time for this to extend to all large-scale person-identification projects, and if the data brokers have to be torn apart to do so, so be it.

  3. AWS Craziness... by aaarrrgggh · · Score: 4, Interesting

    Failed opening an AWS account while in Thailand and using a (cheap) SIP provider for a US number, despite giving them everything they asked for (absurd requests). These systems get annoying and expensive for the people that don’t fit the “normal” profile.

    And today Google locked me out of my business email for the correct password from an IP address that just checked my email successfully.

    Screw this hosted cloud shit. I’m going back to a physical server I have physical control over. (Even if it might have to be in my mom’s basement.)

  4. Not new or unusual. by Martin+S. · · Score: 4, Informative

    I worked on a similar fraud prevention system over a decade ago for one of the first major UK ecommerce businesses.

    An important point missed in the write-up is that these systems are evaluating the transaction, not the person.

  5. Much ado about nothing by onyxruby · · Score: 4, Informative

    This is an anti-fraud system designed to help reduce online fraud. Think of this as a really sophisticated captcha that is designed to tell if you're human or a bot. If certain patterns are detected the transaction is much more likely to be fraudulent.

    Scripted attacks follow patterns because they are designed by humans and humans follow patterns. Take the email address example. It's easy to batch a script that creates unique email addresses by incrementing each address by one digit.

    Anti-fraud software looks for things like this and many other factors. It's an arms race between those who commit fraud and those who fight it. Fraud raises retailers' costs, which increases the amount you pay. Software like this is good for consumers as it helps keep prices down. This is really much ado about nothing.

  6. ATMs have had this idea for decades... by west · · Score: 4, Informative

    Banks have used fraud-detection methods exactly like this for over a decade. The ones I dealt with used over a hundred factors including 'did you ask for a receipt', geographic location, and 'is this for amounts you regularly withdraw', etc.

    With the adoption of EMV (chip cards), a lot of this effort is no longer as necessary and has been transferred to Card-Not-Present transactions, where fraud migrated when chip killed card-present fraud.

    And of course the reason you can't get your score is that it's not YOUR score, it's the score of this particular transaction. Most of the parameters used to come up with a score change with every transaction.

  7. Yes except score not about you, about transaction by raymorris · · Score: 4, Informative

    My gut feeling is the same as yours - consumers should have the right to see information stored about them.

    Understand, though, the score is not about you, in any way. It's 100% per-transaction - does this attempt to use your credentials seem risky. I've computed these scores. The system I designed may have been the very first one to use typing cadence in a broadly deployed system.

    Here are three examples of a dozen data points, three location computations. Is this attempt coming from the same geographic area that the legitimate user is normally in? Is it humanly possible for them to have traveled from where they were last time to this location? (For example if you log in Miami at 10:00 AM, then at noon someone in China claims to be you, that's suspect.) Is the attempt coming from a high-fraud area, such as Russia or China?

    I can show you your typing cadence data; it will be meaningless to you. An attempted TRANSACTION is more trustworthy if the typing matches your normal typing. There's nothing about how trustworthy YOU are, it's whether the attempted transaction is suspect based on how well it matches whatever number of criteria.

    If you've always used the latest Firefox from Linux and from Android (in Florida), then suddenly someone tries to use your card from an old version of IE on Windows 7 in Nigeria, that's suspect. Not because Linux is more trustworthy, but because it doesn't match how you, the legitimate user, normally do things.

    Some systems even track types of things purchased - if you only ever use your card at Walmart and Chevron, with no purchases over $200, and never use it online, then a $1,500 TV purchase from BestBuy.com is out of the ordinary.

    We combine all of the criteria to compute a score for the transaction. The BestBuy.com purchase may be approved if it's made from Firefox on Linux in Florida - perhaps only if you enter the CVV2 code (the four digits on the back of the card).
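A toy per-transaction scorer, added here as an illustration and not code from Sift or from the commenter, that implements several of the factors listed in the summary and in this comment: impossible travel since the last transaction, distance from the usual area, an anonymization network, an unfamiliar browser, prior chargebacks, an out-of-pattern amount, and trailing digits in the email address. The weights, the 1000 km/h travel threshold, the 500 km "usual area" radius and the sample coordinates are all assumptions.

```python
import math
from dataclasses import dataclass

MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed threshold: faster than an airliner means "impossible travel"

@dataclass
class Attempt:  # one attempted transaction (constructed model, not Sift's real feature set)
    email: str
    lat: float
    lon: float
    ts: float          # seconds since epoch
    browser: str
    amount: float
    anonymizer: bool   # request came from a known anonymization network

@dataclass
class History:  # what the system already knows about the legitimate user and card
    home_lat: float
    home_lon: float
    last_lat: float
    last_lon: float
    last_ts: float
    usual_browser: str
    max_amount: float  # largest purchase previously seen on this card
    chargebacks: int

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in kilometres
    p1, p2, dlam = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def trailing_digits(email):  # digits at the end of the local part, e.g. 'alice0427' -> 4
    local = email.split("@", 1)[0]
    return len(local) - len(local.rstrip("0123456789"))

def risk_score(a, h):
    # Each check is (fired?, reason, weight); the score is the capped sum of fired weights.
    hours = (a.ts - h.last_ts) / 3600.0
    dist_last = haversine_km(h.last_lat, h.last_lon, a.lat, a.lon)
    checks = [
        (hours > 0 and dist_last / hours > MAX_PLAUSIBLE_SPEED_KMH, "impossible travel since last transaction", 40),
        (haversine_km(h.home_lat, h.home_lon, a.lat, a.lon) > 500, "outside the user's usual area", 15),
        (a.anonymizer, "anonymization network", 15),
        (a.browser != h.usual_browser, "unfamiliar browser", 10),
        (h.chargebacks > 0, "card has prior chargebacks", 10),
        (a.amount > 2 * h.max_amount, "amount far above usual spend", 15),
        (trailing_digits(a.email) >= 4, "many trailing digits in email", 10),
    ]
    score = min(100, sum(w for hit, _, w in checks if hit))
    return score, [reason for hit, reason, _ in checks if hit]
```

Feeding it the comment's Miami-then-China scenario with an old IE browser and a $1,500 purchase fires four checks, while a small purchase from the usual browser a few blocks away scores zero.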

  8. 16000 data points is a bit much for that by rsilvergun · · Score: 3, Insightful

    what they're really looking at is how good a customer you are.

    That sounds innocuous until it's not. As the data improves and as companies continue to consolidate and share data (possible because we've completely removed the brakes on mergers and anti-trust law today) the companies will start doing the same sorts of things China plans to do with its "Social Credit" system. We've already seen a bit of this where web sites track you and show higher prices if they think you'll pay it. Sprint also rather famously made a list of the customers who cost the most due to customer service calls and "fired" them.

    Whether it's a mega corporation or a fascist government doesn't matter to me. I don't care if the jackboot on my throat is a public or private one, I don't want a jackboot on my throat. That said I'm not so naive as to think I can avoid powerful government institutions. The anarchist or libertarian route doesn't work, it just makes a power vacuum. If I don't form a government with my fellow citizens a mega corp will fill that void.

    The time is now to either start enforcing anti-trust to prevent these kinds of power concentrations (while making sure voter suppression stops so we don't end up with the public option Jackboot). Either that or heavy regulation, especially for "natural" monopolies (think Google, or your cable company).

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/