Determining Risk And Trust With Geospatial Analysis
Ari Jacoby is the CEO and cofounder of Deduce, a leading provider of cybersecurity solutions powered by real-time customer identity data.
Security teams at businesses, merchants and banks all routinely pose the question: “Are you actually who you say you are?” to their customers. The industry has tried many tactics to answer this question. That was the idea behind passwords, but those quickly fell short. Two-factor and multifactor authentication functions were a step in the right direction but also had their own flaws.
One of the most reliable ways to verify the identities of online users is location data. The technology behind gathering and assessing this data has come a long way in the last decade, and thankfully so—traditionally, it’s not been simple to utilize.
In a perfect scenario, users’ online identities and physical locations would always be in sync, so a quick check that their location matches what’s written down would be all that’s needed. The reality can never be that simple, though. People travel for work. They go on vacation or visit relatives. They may purchase something and have it shipped to a different address than they live or are currently located in.
Online purchases already present a higher risk for merchants, processors and banks, as they’re categorized as “card not present” transactions and are, by definition, more difficult to verify. And according to the U.S. Census, in 2021, 8.4% of people changed their home address from the year before. Simple, reasonable location changes can trick security controls when these discrepancies are mistaken for fraud.
Additionally, research results from Security.org, using Deduce’s data, found that 22% of adults in the U.S. have had an account taken over (ATO). The simple fact is that people get hacked, and without real-time location data for orders, account creation and login activity, many security systems can look at legitimate user activity and see an ATO, unnecessarily locking down the account. This is frustrating for users and eats away at customer loyalty.
Yet, businesses can’t ignore potential fraud. When fraudsters successfully impersonate real users, the costs climb due to chargebacks, higher payment processing rates and a required increase in merchant account reserves.
How Does Geospatial Analysis Work?
Geospatial analysis can unify users’ digital and physical identities in real time, providing crucial context when there are location discrepancies. That context takes many forms, such as behavioral data from anonymized everyday activities, which correlates users’ digital profiles with their observed activity linked to their geographies, networks and related IP addresses that are known to be associated with that user. Geospatial analysis then serves to evaluate the activity and verify an identity based on IP address geolocation, billing and shipping addresses used in the past and the context of that customer’s past location data.
During an analysis, the following questions are asked to confirm whether it’s a trusted user behind the screen or if something fraudulent is going on.
• Is the customer active in their current location? Are they within their billing area?
• What’s the relationship between the customer and the shipping location?
• Are there abnormal/impossible travel patterns?
• Is the customer ordering via a known network, ISP and/or device?
• What threat intelligence exists on the user and their device, network and IP address?
Geospatial Analysis Use Case Examples
In a typical trusted transaction, geospatial analysis could show that IP location, shipping address and billing address are all relatively close to each other and correlate with past activity for that user at that location—for example, an at-home purchase for a ship-to-store pickup a few miles away from the customer’s home. This is a very common online purchase activity across apps and services, and you can have a high degree of confidence that the purchase should be trusted.
Sometimes, a trusted customer will place an order while traveling, meaning their IP geolocation will conflict with their billing address and/or shipping address. This scenario isn’t uncommon but can sometimes result in the security system declining the transaction—what we call a false decline. Here, geospatial analysis goes to work putting locations into context. Identifying that such travel is normal for the customer signifies that this is likely to be a trusted transaction.
Geospatial analysis can identify fraud attempts when an unscrupulous actor has taken control of a customer’s account or has stolen a credit card. Out-of-context location discrepancies trigger red flags. For example, let’s say that 90% of a user’s activity takes place in Miami. So, if someone uses their stolen card in St. Louis through a VPN set up in New York and puts in a Boston shipping address for an order, the analysis can recommend that the system decline the order and block the card.
Reasons To Consider Geospatial Analysis
Beyond simply assessing individual transactions, merchants and banks can track trends for risk and trust across users with geospatial analysis. Our research at Deduce has shown that as the distance between activity centers grows, so does the percentage of transactions that could be labeled as risky.
The ability to verify customers at the time of account creation is extremely important. Linking digital and physical location data is almost impossible for fraudsters to fake online—therefore, utilizing this type of analysis is a nearly fool-proof way to prevent this type of security breach. Banks and organizations in regulated industries have higher requirements for address verification and risk running into multimillion-dollar fines if those aren’t met.
Also, address verification through credit bureaus can delay new account applications or even lose new customers altogether, and secondary reviews can cost around $100 per application. But geospatial analysis can help. A new account request that can be linked to historical activity at both the applicants’ current and previous addresses can allow banks to verify the customer quickly and with accuracy without the need for a manual review.
Depending on your business needs, it’s worth considering geospatial analysis, which can help make identity verification more accurate, less costly and less obtrusive to legitimate users’ online activity—while still catching fraudulent actors in their tracks.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Comments are closed.