As reported by Inside GNSS: Establishing someone’s immediate whereabouts is emerging as a key element in preventing credit fraud and improving cyber security.
The technique uses location data, derived from GPS and other sources, to estimate the likelihood that the person making a request to enter a building, access a computer network, or use a credit card is actually who they say they are.
“Let's say that I'm in a mall, I just swiped my credit card — am I the person who is really carrying out that transaction or is it somebody else who's got hold of my card,” said Bhavin Shah, vice president of marketing and business development for cell-tracking firm Polaris Wireless. “The simple way to correlate it is the location of my cell phone. There is a very high likelihood — nine times out of ten — that wherever I am, so is my credit card and so is my cell phone.”
Security companies, however, are going beyond just looking at location data. They are combining information on where you are with other elements in risk-assessing algorithms to estimate the risk of fraud. Finsphere, of Bellevue Wash., uses a 207-element fraud model to authenticate the ID of users when they make a credit purchase or access their online accounts.
“The way it works is that cardholders — with their permission, of course — provide us location," said Mary Reeder, Finsphere's chief technology officer. "They can provide us location one of two ways — it depends on the bank on how they want to offer the service. The location function can be embedded in a banking mobile app or can be handled through a network query — which does not require an app, making it usable even if the customer does not have a smart phone.
“So, say we've got a card-present transaction where I have traveled overseas and I've swiped my card at a merchant,” she continued. “The proximity of my mobile phone to that merchant is used to authenticate the transaction.”
This type of service helps banks in two ways, said Breeder,
“All banks are interested in reducing their fraud. . . . That pain seems to be more acute in countries where fraud management is not as mature, say in South Africa,” Breeder explained. “But if you take the U.S., the UK, and the like, almost more important is managing the customer experience — which is basically reducing false positives. Those occasions where you, for instance, travel overseas, swipe your card and it is declined — even though it's a legitimate transaction.”
Though the location data can be from GPS signals, unaided GPS and even assisted-GPS is often too slow for credit card transactions, said Reeder. To speed things up Finsphere often relies on cell tower location for positioning.
“We are leveraging APIs [application program interfaces] that are embedded in underlying operating systems — whether that be Android, iOS, or Blackberry's,” she added. “It’s a public subscription model; so, our app would subscribe to this underlying service that says when there is a significant location change, ‘Take me out of a suspended state, report that information to me,’ and then our app sends it along.”
A significant location change typically equates to a cell site change, Reeder said.
The firm also provides authentication information for access to banking functions and to the computer networks of companies.
Their online banking service can be used at login, but the banks are more interested in using it where you have already logged on and been authenticated — usually through a username or password.
At that point, she said, you can view your balances with read-only access. If you want to do something more risky, such as add a new payee, or transfer funds, then they bank would tap Finsphere’s service.
“In this case,” she said, “[Finsphere] would be pairing the mobile phone location to the location of the GEO IP address of the end user’s browser.”
The exchange is similar in situations where you want to sign into a company’s computer network. “In that case we'd be embedded into the VPN solution, and we would be comparing remote location to your mobile phone location.”
GPS expert Logan Scott points out that location can be used to limit not just who is allowed access a computer system, but where files are sent. "Is a command file for printing a jet engine turbofan using selective laser sintering relevant at a specific location? Is it an authorized manufacture location? If not, don’t release the command file!” he wrote in "Proving Location Using GPS Location Signatures: Why it is Needed and a Way to Do It," a paper to be presented at ION GNSS 2013.
These sort of techniques may soon enter broader usage in cyber security through a program sponsored by the federal government. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is weighing a number of proposals from firms including Finsphere for pilot projects to create a secure, easy-to-use, interoperable identity credentials for accessing online services.
Proposals were submitted in May, and the agency is expected to make its first awards as early as next month. Funding for the pilot projects is expected to range from $1.25 million to $2 million per year for up to two years.