Saturday, July 5, 2014

Tora, Tora, (Location, Location, Location)

I have made known my opinion that the routing of electronic transactions and the authentication of payment system users are separate functions and do not mix well.  There are plenty of solid efficient ways to authenticate users and firms can combine methodologies, add steps, or invent new processes, to ensure the person initiating the movement of funds has authorization to do so. Users may pay for greater assurance that an unauthorized user cannot initiate a payment.  For me, one of the best indicators of the validity of the user giving instructions to pay is the location of the user.

Authorizers use velocity checks routinely in the industry (except apparently in the sub-continent of India) to the point that the detection method is stale and routinely bypassed by professional ne’er-do-wells.  Ridiculously the location data accompanying a request for authorization to pay is the point of sale, which may be on the opposite side of the globe from the user location.  Some shops reduce their fees for cardholder not present (CNP) transactions by adding location data about the home address of the user, which still has nothing to do with the actual location of the user.  

There are plenty of reasons for users not wanting to give away their current locations, and that is a consumer choice that increases risk of an unauthorized transaction. Consumers need to pay the excess fees for their preferences and not retailers.  After all, the public pays excess baggage fees on a commercial airliner if that is their preference.

If the actual present location of the user becomes an element for validation then the resulting risk probability becomes quite simple. If R = the distance between the current location and the last location of the user, and T = the time between the present and the last payment instruction then at some point R/T is a physical impossibility.  For the sake of argument, say that we are in a future age and people can routinely travel at warp 10 (10 times the speed of light for you non Star Trek fans). However, no civilization exceeded warp 20, and only the most advanced battle cruisers can do that.  If a payment user R/T for this future initiation of payment exceeds warp 10 and they do not travel by advanced battle cruiser, then the validation system declines the user access request.  There may be a ratio based on individual R/T which is as unique as a fingerprint, but if there is, it likely won’t discovered until we at least achieve warp one.

Next Blog: Likelihood of accurately predicting the next blog

No comments:

Post a Comment