We're All Being Judged By a Secret 'Trustworthiness' Score (wsj.com) 135
schwit1 writes: Nearly everything we buy, how we buy, and where we're buying from is secretly fed into AI-powered verification services that help companies guard against credit-card and other forms of fraud, according to the Wall Street Journal.
More than 16,000 signals are analyzed by a service called Sift, which generates a "Sift score" ranging from 1 to 100. The score is used to flag devices, credit cards and accounts that a vendor may want to block based on a person or entity's overall "trustworthiness" score, according to a company spokeswoman.
From the Sift website: "Each time we get an event, be it a page view or an API event, we extract features related to those events and compute the Sift Score. These features are then weighed based on fraud we've seen both on your site and within our global network, and determine a user's Score. There are features that can negatively impact a Score as well as ones which have a positive impact."
The system is similar to a credit score except there's no way to find out your own Sift score.
Factors which contribute to one's Sift score (per the WSJ):
- Is the account new?
- Are there a lot of digits at the end of an email address?
- Is the transaction coming from an IP address that's unusual for your account?
- Is the transaction coming from a region where there are a lot of hackers, such as China, Russia or Eastern Europe?
- Is the transaction coming from an anonymization network?
- Is the transaction happening at an odd time of day?
- Has the credit card being used had chargebacks associated with it?
- Is the browser different from what you typically use?
- Is the device different from what you typically use?
- Is the cadence of the way you typed out your password typical for you? (tracked by some advanced systems)
Re: (Score:2, Funny)
You might be very trustworthy but if you walk into a bank with sunglasses and your hands in your pockets, you are going to be noticed immediately by the guard and at a minimum told to take your sunglasses off, and at worst be questioned.
I took them off once and nearly burned the bank down. That guard never asked me to take them off again.
-Scott Summers
Re: So they're admitting it's biased (Score:1)
My bank doesn't allow hoodies or anything obscuring the face.
I am not a number, I am a man (Score:3)
For whatever being a human being is worth these days.
The funny part is that I sort of agree with the idea, but not with the dimensionality or the secrecy. I even agree that many of the criteria they are considering should be considered, but I'm an advocate of MEPR (Multidimensional Earned Public Reputation) that is based on the personal data and actions that you choose to disclose and which should be subject to your own review. That includes allowing you to review how the values of each dimension are calcul
Re: (Score:3)
Additionally, if you always hide your browser signature and you make a request that looks like it is a generic Chrome browser, that would be suspicious.
Ummm.... (Score:5, Insightful)
... this looks like standard anti-fraud measures that banks and retail have been doing for years and years and years. It's not creating a profile of YOU, it's creating a profile of YOUR CARD so it can detect if it's been compromised.
IE - you definitely want this.
Nothing to see here.
Re: (Score:3, Informative)
Of course it's data about you. Many of the signals are using your personal data, in order to determine if the transactor is really you.
This is why you need strong laws like GDPR, which give you an absolute right to view and correct and have that data deleted. In response most companies in Europe have set up special portals where you can get an automated response to most requests, e.g. you can obtain your credit report for free whenever you want.
Re:Ummm.... (Score:4, Informative)
False.
GDPR does not give you access to this data in Europe because it is not personally identifying information.
Once again, these are standard anti-fraud measures banks have been doing for decades. The fact the OP just discovered how banking works doesn't make it some vast invasion of privacy.
Re: (Score:2)
Since when does the info have to be personally identifying? And simply they wouldn't be able to run this system if they didn't know the attributes applied to you so they must be using a method of identifying you even if that's just your unique CC number.
When I've asked for info under the data protection act which is likely the more relevant / associated law, it's never been reduced to just a handful of bits of 'personally identifying' info, it's been everything and I very much doubt the companies would hand
Re: (Score:2)
A sale of goods is "a contract between the data subject and a data controller", and a seller has a legitimate interest in avoiding payment fraud in such a contract. This means article 22 allows EU sellers to use profiling to avoid fraud so long as the buyer can dispute the denial.
Re: (Score:2)
GDPR does not give you access to this data in Europe because it is not personally identifying information.
My credit card usage data sure as fuck is personal data and that brings it under GDPR.
these are standard anti-fraud measures banks have been doing for decades.
It's reasonable for people to be able to understand how they're being assessed as a fraud risk, especially given the automated nature of those assessments.
The fact the OP just discovered how banking works doesn't make it some vast invasion of privacy.
You don't need to understand how banking works to have your privacy invaded.
Whether it's a justifiable invasion of privacy is a more pertinent question.
Re: (Score:2)
It's reasonable for people to be able to understand how they're being assessed as a fraud risk, especially given the automated nature of those assessments.
Missing the point here...
YOU are not being assessed as a fraud risk.
Individual transactions are being evaluated to determine if they are likely fraudulent.
Put another way: It is not assessing whether or not you are likely to commit fraud, but attempting to determine if a charge being made to your account is likely you vs someone attempting to impersonate you and defraud the merchant.
Re: (Score:2)
Individual transactions are being evaluated to determine if they are likely fraudulent.
How do you determine if a transaction is fraudulent? I'll help you out here: You assure that it originates with someone authorised to make it.
YOU are not being assessed as a fraud risk.
My transaction is being assessed to determine whether it comes from me or not. That means that yes, I am being assessed as a fraud risk.
Without confirming that the transaction comes from me they have to reject it, and that means that they are assessing me.
Put another way: It is not assessing whether or not you are likely to commit fraud, but attempting to determine if a charge being made to your account is likely you vs someone attempting to impersonate you and defraud the merchant.
Exactly. They're using data they hold about me, my possessions and my behaviour to identify me. It's an almost ca
Re: (Score:1)
It's the bank's credit card, not yours. They can revoke it whenever they want. They just authorized you to use it. And the usage data sure as fuck is their business data which they can use to prevent fraud, which they, not you, end up paying for.
Re: (Score:2)
the usage data sure as fuck is their business data
It's also my personal data. Maybe you want to broadcast that you buy ovipositors from dragon dildos but most people would prefer discretion.
they can use to prevent fraud
Sure, I'm not challenging that. I am challenging that it's not my data and that they can process it without me being able to query how and why.
which they, not you, end up paying for
Technically all of their costs are covered by investments, loans and customers, so yes, I am paying for fraud.
Re: (Score:3)
It's difficult to argue with someone who doesn't even understand the basic
I know, but I'm doing my best.
It's not your data
Yes, it is. It's my data as much as it's their data. They are constrained by law in how they can use that data precisely because it's my data.
you agreed to allow them to collect it when you applied for and started using a card
My permission or otherwise does not change the status of the data. It's still my data.
I can write down your name, address, telephone number, email address, credit card number and bra size with or without your permission. I can also broadcast it over the internet, without your permission. I won't be breaking the law.
The moment I start doing
Re: (Score:2)
these are standard anti-fraud measures banks have been doing for decades. The fact the OP just discovered how banking works doesn't make it some vast invasion of privacy.
Being extant does not imply that it is not an invasion of privacy. That is really weak logic. It isn't new. That's all you demonstrate; your point has nothing to do with privacy.
That said, for people who already know what fraud prevention is, there is nothing here and you already made a decision about the privacy aspects. But for people who wonder why they need to tell their bank before they travel if they're planning to use their card overseas, now they know why.
Re: (Score:3)
GDPR does not give you access to this data [on your usage of the card] in Europe because it is not personally identifying information.
Sorry, but that's simply not true: your payment history (assuming an uncompromised card, as most are) is a history of your personal behavior.
Although each individual data point cannot be used to identify you, the history of them can. There is only one single person in the whole world that would generate this exact series of data points: you. And if you take location into account, that means the length of history needed to uniquely identify you is considerably shorter.
This is why, under the GDPR, browsing hist
Re: (Score:2)
... this looks like standard anti-fraud measures that banks and retail have been doing for years and years and years. It's not creating a profile of YOU, it's creating a profile of YOUR CARD so it can detect if it's been compromised.
IE - you definitely want this.
Nothing to see here.
Still, the secretive nature of the trustworthiness score is unwarranted, and citizens should have access to these scores to correct inaccuracies.
Just as denials for credit application are legally required to followed up with a written notice justifying the decision, transaction denial details based on another scale should be made available to the card holder.
The banking industry has a long history of operating poorly in the dark.
Re: (Score:2)
There's nothing secretive about denials. They call you and explain it. If they don't call you, call them and they will explain it. If it is actually you doing the transaction they will let it through, no matter how odd it looks to them.
Re:Ummm.... (Score:5, Informative)
This is the part people are missing; this is a score of the trustworthiness of the transaction, not the trustworthiness of the person.
The trustworthiness of the person is already tracked more closely by the banking industry in your Credit Score. The only thing that makes this a story is the word "trustworthiness" and the existence of China's new social credit system, which also features a word that translates to "trustworthiness." That's it, that's the whole thing.
When I had bogus charges on my CC a few years back, they looked at these same records and determined that it was most likely that I was a victim of fraud, and they removed the charges. I've never had a transaction denied. And I use all the ad blockers, JS blockers, etc. etc. That said, I do not make my traffic appear to come from a different legal jurisdiction; I want to do my banking here, where I am, where I am protected by local laws.
Using a CC is a little bit creepy, but not because of fraud protection; because of transaction history generally.
Re:Ummm.... (Score:4, Interesting)
Ok, here is the problem. Yes, they are rating the trustworthiness of the transaction, but in order to do that they are holding and computing vast amounts of heuristic data about you and your shopping/card usage patterns. That type of data is HIGHLY sensitive and can reveal a vast amount about a person, and there is literally nothing governing their usage of that data. They could sell it to almost anyone (probably including sanctioned governments if they get creative enough) and it would have serious implications with virtually no legal liability. Imagine a spy agency having a financial vulnerability list of who to target for recruiting. Think about the fact that they are essentially able to predict your movements and purchases with probably terrifying accuracy. This is a digital gold mine and we have no idea who might entice/force them to give them access.
Fraud prevention is important, but this type of data collection is fucking scary.
Re: Ummm.... (Score:2)
If you have nothing to hide, comrade, you have nothing to fear.
Big Brother knows every detail of our lives, and that's a good thing. We can always trust Big Brother. Because Big Brother loves us all.
Yes except score not about you, about transaction (Score:5, Informative)
My gut feeling is the same as yours - consumers should have the right to see information stored about them.
Understand, though, the score is not about you, in a way. It's 100% per-transaction - does this attempt to use your credentials seem risky. I've computed these scores. The system I designed may have been the very first one to use typing cadence in a broadly deployed system.
Here are three examples of a dozen data points, three location computations. Is this attempt coming from the same geographic area that the legitimate user is normally in? Is it humanly possible for them to have traveled from where they were last time to this location? (For example if you log in from Miami at 10:00 AM, then at noon someone in China claims to be you, that's suspect.) Is the attempt coming from a high-fraud area, such as Russia or China?
I can show you your typing cadence data; it will be meaningless to you. An attempted TRANSACTION is more trustworthy if the typing matches your normal typing. There's nothing about how trustworthy YOU are, it's whether the attempted transaction is suspect based on how well it matches whatever number of criteria.
If you've always used the latest Firefox from Linux and from Android (in Florida), then suddenly someone tries to use your card from an old version of IE on Windows 7 in Nigeria, that's suspect. Not because Linux is more trustworthy, but because it doesn't match how you, the legitimate user, normally do things.
Some systems even track types of things purchased - if you only ever use your card at Walmart and Chevron, with no purchases over $200, and never use it online, then a $1,500 TV purchase from BestBuy.com is out of the ordinary.
We combine all of the criteria to compute a score for the transaction. The BestBuy.com purchase may be approved if it's made from Firefox on Linux in Florida - perhaps only if you enter the CVV2 code (the four digits on the back of the card).
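The summary's WSJ signal list and this comment's three location checks, browser/device mismatch and purchase-pattern check all describe the same mechanism: each attempt is turned into a set of boolean features, the features are weighted, and the weighted sum becomes a per-transaction score that drives approve / step-up / block. The Python below is an added illustration of that mechanism, not Sift's code and not the commenter's system. The weights, thresholds, the 1000 km/h impossible-travel speed, the "three or more digits before the @" email test, and the Florida/Lagos scenario with its profile are all constructed assumptions; a production system fits the weights from observed fraud rather than hand-picking them.

```python
# Added illustration of per-transaction risk scoring. Not Sift's or any bank's
# code; signals mirror the WSJ list, weights and thresholds are assumptions.
import math
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Profile:
    """Baseline behaviour of the legitimate account holder (constructed)."""
    home_region: str
    usual_browser: str
    usual_device: str
    usual_hours: range          # UTC hours in which the user normally transacts
    max_usual_amount: float
    usual_merchants: frozenset
    last_seen: tuple            # (lat, lon, aware UTC datetime) of the last accepted event
    typing_ms_per_char: float   # mean inter-keystroke interval when typing the password


@dataclass
class Attempt:
    """One attempt to use the credentials; this is what gets scored, not the person."""
    email: str
    account_age_days: int
    region: str
    lat: float
    lon: float
    at: datetime
    browser: str
    device: str
    amount: float
    merchant: str
    anonymizer: bool
    card_chargebacks: int
    typing_ms_per_char: float


# Assumed weights; a real system fits them from fraud observed on the network.
WEIGHTS = {
    "new_account": 10, "scripted_email": 8, "unusual_region": 15,
    "impossible_travel": 30, "anonymizer": 15, "odd_hour": 5,
    "card_chargebacks": 20, "browser_mismatch": 10, "device_mismatch": 10,
    "unusual_amount": 15, "unusual_merchant": 8, "typing_mismatch": 12,
}


def looks_scripted_email(email: str) -> bool:
    """Three or more digits right before the '@' suggests a batch-generated address."""
    return re.search(r"\d{3,}@", email) is not None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(profile, attempt, max_kmh=1000.0):
    """True if reaching the attempt's location since the last event would need > max_kmh."""
    lat, lon, seen_at = profile.last_seen
    hours = (attempt.at - seen_at).total_seconds() / 3600
    if hours <= 0:                      # same instant or clock skew: treat as suspect
        return True
    return haversine_km(lat, lon, attempt.lat, attempt.lon) / hours > max_kmh


def extract_features(profile, attempt):
    """Boolean signals for one attempt; keys match WEIGHTS."""
    typing_delta = abs(attempt.typing_ms_per_char - profile.typing_ms_per_char)
    return {
        "new_account": attempt.account_age_days < 7,
        "scripted_email": looks_scripted_email(attempt.email),
        "unusual_region": attempt.region != profile.home_region,
        "impossible_travel": impossible_travel(profile, attempt),
        "anonymizer": attempt.anonymizer,
        "odd_hour": attempt.at.hour not in profile.usual_hours,
        "card_chargebacks": attempt.card_chargebacks > 0,
        "browser_mismatch": attempt.browser != profile.usual_browser,
        "device_mismatch": attempt.device != profile.usual_device,
        "unusual_amount": attempt.amount > profile.max_usual_amount,
        "unusual_merchant": attempt.merchant not in profile.usual_merchants,
        "typing_mismatch": typing_delta > 0.5 * profile.typing_ms_per_char,
    }


def risk_score(profile, attempt):
    """Weighted sum of the signals that fired, clipped to the 1..100 range."""
    feats = extract_features(profile, attempt)
    raw = sum(WEIGHTS[name] for name, fired in feats.items() if fired)
    return max(1, min(100, raw)), feats


def decide(score, step_up_at=20, block_at=60):
    """Map a score to approve / step_up (e.g. ask for the CVV2) / block."""
    if score >= block_at:
        return "block"
    if score >= step_up_at:
        return "step_up"
    return "approve"


def example_scores():
    """Score the two scenarios from the thread using constructed data."""
    miami, lagos = (25.76, -80.19), (6.52, 3.38)
    t0 = datetime(2018, 4, 6, 10, 0, tzinfo=timezone.utc)   # seen in Miami at 10:00 UTC
    jane = Profile("Florida", "Firefox", "Linux", range(9, 22), 200.0,
                   frozenset({"Walmart", "Chevron"}), (*miami, t0), 120.0)
    tv_from_florida = Attempt("jane.doe@example.com", 800, "Florida", *miami,
                              t0.replace(hour=14), "Firefox", "Linux", 1500.0,
                              "BestBuy.com", False, 0, 125.0)
    tv_from_lagos = Attempt("jane.doe@example.com", 800, "Nigeria", *lagos,
                            t0.replace(hour=12), "IE", "Windows 7", 1500.0,
                            "BestBuy.com", False, 0, 250.0)
    out = {}
    for name, attempt in (("florida_tv", tv_from_florida), ("lagos_tv", tv_from_lagos)):
        score, feats = risk_score(jane, attempt)
        out[name] = (score, decide(score), sorted(k for k, v in feats.items() if v))
    return out


if __name__ == "__main__":
    for name, (score, action, fired) in example_scores().items():
        print(f"{name}: score={score} action={action} signals={fired}")
```

Running it scores the $1,500 TV bought from the usual Firefox-on-Linux setup in Florida at 23 (only the amount and merchant are unusual), which lands in the step-up band where a CVV2 prompt would be reasonable; the same purchase two hours later from Lagos on an old IE/Windows 7 box with a different typing rhythm trips impossible travel, region, browser, device and typing mismatch and is clipped to 100 and blocked. Note what the profile holds: nothing identifies who Jane is, but the baseline (home region, last location and time, merchants, keystroke timing) is exactly the behavioural data the thread argues about.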
Re: (Score:2)
+1 Informative.
I have taken the headline's bait and been caught clicking, or perhaps more accurately, clucking.
Re: (Score:2)
the CVV2 code (the four digits on the back of the card).
Found the one person who uses Mastercard.
In the real world it is a 3 digit code. 4 digits is only Mastercard or non-visa debit cards.
Re: (Score:2)
In the real world it is a 3 digit code. 4 digits is only Mastercard or non-visa debit cards.
I think you're thinking of Amex. I have a couple Mastercard logo'd cards; they're 3-digit CVV2, just like the Visas.
This post is being judged (Score:2, Offtopic)
Mod me insightful, oh secret mods, because this post certainly is.
Re:Ummm.... (Score:5, Insightful)
YOU DON'T WANT OR NEED THIS. Your bank is the one on the hook for fraud.
Ultimately, every banking customer pays for fraud. Businesses don't 'absorb' ongoing costs; they always show up in the fees you pay for service.
Re: (Score:2)
That's because their fraud prevention systems are helping keep their costs so low that they can afford to profitably offer free banking services.
Re: (Score:2)
... this looks like standard anti-fraud measures that banks and retail have been doing for years and years and years. It's not creating a profile of YOU, it's creating a profile of YOUR CARD so it can detect if it's been compromised.
IE - you definitely want this.
Nothing to see here.
Is the browser different from what you typically use?
Is the device different from what you typically use?
Is the cadence of the way you typed out your password typical for you? (tracked by some advanced systems)
Tell me something Ignorant One, does that shit sound like it has anything to do with that piece of plastic in your wallet?
Wake up.
16000 data points is a bit much for that (Score:4, Insightful)
That sounds innocuous until it's not. As the data improves and as companies continue to consolidate and share data (possible because we've completely removed the brakes on mergers and anti-trust law today) the companies will start doing the same sorts of things China plans to do with its "Social Credit" system. We've already seen a bit of this where web sites track you and show higher prices if they think you'll pay it. Sprint also rather famously made a list of the customers who cost the most due to customer service calls and "fired" them.
Whether it's a mega corporation or a fascist government doesn't matter to me. I don't care if the jackboot on my throat is a public or private one, I don't want a jackboot on my throat. That said I'm not so naive as to think I can avoid powerful government institutions. The anarchist or libertarian route doesn't work, it just makes a power vacuum. If I don't form a government with my fellow citizens a mega corp will fill that void.
The time is now to either start enforcing anti-trust to prevent these kinds of power concentrations (while making sure voter suppression stops so we don't end up with the public option Jackboot). Either that or heavy regulation, especially for "natural" monopolies (think Google, or your cable company).
Re: (Score:2)
what they're really looking at is how good a customer you are.
Horse shit, that's called your Credit Score.
Re: 16000 data points is a bit much for that (Score:2)
Stalker organizations, public and private alike, keep dozens of secret scores and dossiers on every American. Your "credit score" is just one of them, albeit the only one you are allowed to see.
Totalitarianism is not a risk for the future - it is the reality of today.
Your credit score isn't made of 16000 data points (Score:2)
Said the man who is confident he has a good number (Score:2)
I urge you [brunes69] to consider the Categorical Imperative, especially from the perspective of someone who thinks the number of his "trustworthiness" ought to be higher. Alternatively, I'd ask you to consider what happens when complex multidimensional concepts are reduced to singular values.
My longer thoughts are in my initial reaction to this story, but I'm reacting to your comment based on the heavy positive moderation that it received. However, I will add that as part of MEPR, I think the reputation f
Re: (Score:2)
I am from Eastern Europe. I work US-time shift, which means I am usually awake at 2-3-4 AM my time, which is when I usually shop. So there, two factors that would raise flags for me.
Time for a general Data equiv to the FCRA (Score:5, Insightful)
The "Big Data" companies of the day have all become heavily regulated in what they can store, how they can store, how long they can store, and have transparency laws about providing consumers access to their own data reports and challenging information in them.
It's time for this to extend to all large-scale person-identification projects, and if the data brokers have to be torn apart to do so, so be it.
It already exists (Score:2)
It already exists. It's called GDPR; despite what you think, it is global. This company is subject to GDPR.
However, as I have pointed out in other comments, this summary and article is highly inaccurate. These are standard anti-fraud measures banks have been doing for decades. What is analyzed is the transaction, not the individual.
If you didn't have these protections then online fraud and all credit card fraud (online and off) would go through the roof as would all of your banking fees.
AWS Crazieness... (Score:5, Interesting)
Failed opening an AWS account while in Thailand and using a (cheap) SIP provider for a US number, despite giving them everything they asked for (absurd requests). These systems get annoying and expensive for the people that don’t fit the “normal” profile.
And today Google locked me out of my business email for the correct password from an IP address that just checked my email successfully.
Screw this hosted cloud shit. I’m going back to a physical server I have physical control over. (Even if it might have to be in my mom’s basement.)
Re: AWS Crazieness... (Score:3)
Do what I do... I tell the CC company that you will be in X country, doing B level of spending, for G type of items. They make pretty good assumptions for B & G if you don't provide it, but don't expect a bunch of Amazon purchases to some random 3rd country to go through.
I have never had trouble when I provided the "exceptions" to my norms 1-2 business days in advance.
Re: (Score:2)
Not to sound snooty, but I have a private banker that I went over all of this with before departure, and a regular co-op account that I did the same with. This didn't stop the need for an hour on hold on international calls for "verified by visa" transactions. The AWS one was really mind blowing though, and 100% on Amazon's shoulders.
We have basically switched from 90% credit card transactions to 90% cash, and it gets messy.
Re: AWS Crazieness... (Score:1)
Some of us never stopped using our own servers. But you all just called us pessimistic and migrated to the cloud anyways.
How is that bed you made now?
Re: (Score:2)
Did you warn your bank that you would be traveling to Thailand, and give them dates?
If I traveled to Asia without telling my bank, I'm quite sure the same thing would happen.
Possession is nine points of the law (Score:2)
In solution terms, it would be nice if we were allowed to retain possession of our own personal data, or at least specify where it is being held and who is allowed to make permanent copies. Or at least give us a cut of the loot.
As things now stand, the only response is "Surrender, Dorothy!"
Re: (Score:2)
...Sieg heil the homeland, fatherland and motherfingland! AE911Truth Org
Aaaand right here is an example of a post hosted from mom's basement!
Not new or unusual. (Score:5, Informative)
I worked on a similar fraud prevention system over a decade ago for one of the first major UK ecommerce businesses.
An important point missed in the write up is that these systems are evaluating the transaction, not the person.
Agree! This is why Slashdot has gone so downhill (Score:3)
It used to be that critical thinkers judged stories and their summaries before they were posted to see if they were accurate.
Nowadays anything with clickbait gets posted since it drives ad revenue.
Re: Not new or unusual. (Score:2)
Yeah, I don't think there is anything here. Transaction trustworthiness is like at least 25 years old. And it got really good about 15 years ago.
It's actually a really impressive system. Most of which just hides in the background and tries to be very unintrusive. It wouldn't be that hard to provide a score for every transaction via text, but it would be pretty much useless for the buyer... Even the seller hardly cares... it just indicates the chance of fraud.
Next stop: chilling effects (Score:3, Interesting)
Once the majority of people realize that all their behavior is turned into these scores, and that these scores have increasing influence over their lives, you will start to see serious chilling effects.
Heck, we are already seeing those [washingtontimes.com].
In the long run this could lead to social cooling [socialcooling.com], where society becomes more rigid, less able to change.
My first thought was China's social credit score (Score:3, Insightful)
Much ado about nothing (Score:5, Informative)
This is an anti-fraud system designed to help reduce online fraud. Think of this as a really sophisticated captcha that is designed to tell if you're human or a bot. If certain patterns are detected the transaction is much more likely to be fraudulent.
Scripted attacks follow patterns because they are designed by humans and humans follow patterns. Take the email address example. It's easy to batch a script that creates unique email address by incrementing each address by one digit.
Anti-fraud software looks for things like this and many other factors. It's an arms race between those who commit fraud and those who fight it. Fraud raises retailers' costs, which increases the amount you pay. Software like this is good for consumers as it helps keep prices down. This is really much ado about nothing.
Re:Yes (no) (Score:2)
A credit score doesn't monitor your real time activity.
A credit score is based on past activity and ability to pay.
It doesn't have a bearing on whether or not a particular transaction is a risk, as much as it measures the customer's ability and likelihood to honor their debts. This doesn't really apply if the user's information is being appropriated by scammers.
ATMs have had this idea for decades... (Score:5, Informative)
Banks have used fraud-detection methods exactly like this for over a decade. The ones I dealt with used over a hundred factors including 'did you ask for a receipt', geographic location, and 'is this for amounts you regularly withdraw', etc.
With the adoption of EMV (chip cards), a lot of this effort is no longer as necessary and has been transferred to Card-Not-Present transactions, where fraud migrated when chip killed card-present fraud.
And of course the reason you can't get your score is that it's not YOUR score, it's the score of this particular transaction. Most of the parameters used to come up with a score change with every transaction.
late to the game, and talking to a small player (Score:1)
Not only is this nothing new, but Sift is also fairly small in this arena. Companies like CA (now part of Broadcom), ThreatMetrix, iovation, LexisNexis and others do far more and have networks of billions of devices, identities, and transactions they use for analysis.
password cadence (Score:3)
Interesting.
Does anybody know who's measuring this metric? Does Amazon do this? Also it seems if you use a password aggregator it could trigger this.
Re: (Score:2)
Why not all countries start using a unified social credit score, instead of credit scores, driver license scores, etc, like China???
Canada is way ahead of even China on this, with a Social Credit Party that dates back to 1935.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Not new (Score:2)
SEO = Syft Engine Optimization ? (Score:1)
Maybe you can't see your score, but is there a new industry created to improve your Syft score?