Evan Schuman is a guest contributor to the Sift Science blog.


This month saw another leading financial institution—U.S. Bank—add geolocation to “select credit cards” to help with authentication.

“We’ve all experienced that embarrassing moment when your credit card is declined at dinner while on vacation because the bank thinks you should be at home in Minneapolis, but you’re eating dinner in Seattle,” said Clifford Cook, senior vice president and head of product and marketing for the Retail Payment Solutions division at U.S. Bank. “When your phone is on and you’ve opted-in for geolocation, U.S. Bank can validate that the expense is legitimate and avoid customer frustration.”

The truth is that geolocation is a very effective—albeit limited—tool to help authenticate a transaction. But the U.S. Bank exec is wrong when he says the bank can validate the transaction is legitimate. Not quite.

First, let’s define our terms. In this situation, we are talking about in-store geolocation, as opposed to online/e-commerce/m-commerce geolocation. Online geolocation deals with IP address, which can be wrong for various reasons, such as if the shopper is using a VPN (Virtual Private Network). Some browsers (such as Tor) also try and hide IP address. The vast majority of time, online geolocation works well, though.

This is how in-store geolocation is supposed to work: The system assumes that a cardholder’s phone is on their person much of the time—especially when shopping—so it checks to see if the phone is in the same place as the customer. It’s a reasonable assumption and will likely work as designed more often than not.

In-store geolocation is actually two kinds of geolocation used simultaneously. The fintech players check the exact location of that store (and sometimes, even more precisely, the specific POS station where the transaction is happening). Then, they check the exact location of the phone, using one of several means, such as GPS via satellite (typically needs outside access) or triangulation of cellular towers or via a specific Wi-Fi being used (such as that store’s LAN). If the two geolocations are the same – or at least very close – the geolocation authentication is approved.

The cons of geolocation

Consider the following scenarios: What happens if a thief steals a purse, which holds both payment cards and a smartphone? In that case, geolocation can seem to confirm the legitimacy of a thief’s purchases.

Or what if the card holder has their phone off? The assumption for geolocation is that the phone is turned on – and that doesn’t always happen, especially when people are traveling and worried about running down the phone’s battery.

The phone also typically needs to be online, which some NFC transactions such as Apple Pay do not require. (Yes, I’ve used Apple Pay while in airplane mode. It sharply cuts down on carrier charges.) Some geolocation systems want the phone to be on Wi-Fi, which some security-conscious travelers won’t do. And some locations have weak Wi-Fi and cellular signals even for customers who are willing to take the risk.

Speaking of risk, many shoppers are not wild about perceived privacy invasion from geolocation, regardless of how unwarranted such concerns might be.

The pros of geolocation

On the flip side, there’s a lot to like about geolocation authentication. Unlike asking for Zip Code (which is easy for a fraudsters to learn by checking the fraud target’s social media accounts) or seeking a signature (which has no authentication value at all) or asking for identification, geolocation authentication is – for the shopper – non-intrusive and entirely effortless. It’s leveraging a device that most consumers will already have on them and it’s very difficult for a thief to fake.

The only potential fakery that would trick geolocation is if the thief determined the home location of the shopper victim—not difficult if a purse, pocketbook or wallet has been stolen—and then chose to only use the stolen cards near the victim’s home. That’s risky, though, as merchants (or, for that matter, neighbors or friends) may reveal that the thief is not who they claimed to be.

Conclusion

Geolocation is an especially effective and user-friendly tool. Let’s not, though, give it more credit than it merits. Like every other tool in the authenticator’s arsenal, geolocation merely provides one more datapoint. The more data points that analytics software can examine and verify, the higher the probability that the transaction is legitimate. But location alone can’t “validate that the expense is legitimate” any more than a selfie or a PIN can. Effective fraud prevention is about gathering as much data as possible to determine whether the transaction is legit.

Related topics

credit cards

geolocation

You may also like