Determining risk and trust with geospatial analysis
Ari Jacoby is CEO and co-founder of Deduce, a leading provider of cyber security solutions powered by real-time customer identity data.
Security teams at businesses, merchants, and banks all routinely ask the question, “Are you who you say you are?” to their customers. The industry has tried many tactics to answer this question. That was the idea behind passwords, but they quickly fell short. Two-factor and multi-factor authentication features were a step in the right direction, but also had their own faults.
One of the most reliable ways to verify the identity of online users is location data. The technology behind the collection and assessment of this data has come a long way in the past decade, and thankfully so – traditionally it hasn’t been easy to use.
In a perfect scenario, users’ online identity and physical location would always be in sync, so a quick check that their location matches what’s written down would be all that’s needed. However, reality can never be that simple. People travel to work. They go on holiday or visit relatives. They can buy something and have it sent to a different address than where they live or are located.
Online purchases already pose a higher risk to merchants, processors and banks, as they are categorized as “card not present” transactions and are, by definition, more difficult to verify. And according to the US Census, in 2021, 8.4% of people changed their home address from the previous year. Simple, inexpensive location changes can fool security checks when these discrepancies are mistaken for fraud.
In addition, research from Security.org, using Deduce’s data, found that 22% of US adults have had an account taken over (ATO). The simple fact is that people get hacked, and without real-time location data for orders, account creation and login activity, many security systems can look at legitimate user activity and see an ATO, unnecessarily locking the account. This is frustrating for users and erodes customer loyalty.
Still, businesses cannot ignore potential fraud. When fraudsters succeed in impersonating genuine users, costs rise due to chargebacks, higher payment processing speeds and a required increase in merchant account reserves.
How does geospatial analysis work?
Geospatial analysis can unite users’ digital and physical identities in real time and provide crucial context when there are location discrepancies. This context takes many forms, such as behavioral data from anonymized everyday activity, which correlates a user’s digital profile with the geographies, networks and IP addresses known to be associated with that user. Geospatial analysis then evaluates the activity and verifies an identity based on IP address geolocation, the billing and delivery addresses used in the past, and the customer’s past location data.
During an analysis, the following questions are asked to confirm whether there is a trusted user behind the screen or whether something fraudulent is going on.
• Is the customer active in their current location? Are they within your billing range?
• What is the relationship between the customer and the shipping point?
• Are there abnormal/impossible travel patterns?
• Does the customer order via a known network, ISP and/or device?
• What threat intelligence exists on the user and their device, network and IP address?
Examples of use cases for geospatial analysis
In a typical trusted transaction, geospatial analysis can show that the IP location, delivery address, and billing address are all relatively close to each other and correlate with past activity for that user at that location: for example, a purchase made from home for ship-to-store pickup at a store a few miles away from the customer’s home. This is a very common online purchase pattern across apps and services, and you can have a high degree of confidence that the purchase can be trusted.
Sometimes a trusted customer will place an order while traveling, which means their IP geolocation will conflict with their billing address and/or shipping address. This scenario is not uncommon, but can sometimes cause the security system to reject the transaction – what we call a false rejection. Here, geospatial analysis begins by putting locations into context. Identifying that such journeys are normal for the customer means this is likely a trusted transaction.
Geospatial analysis can identify attempted fraud when an unscrupulous actor has taken control of a customer’s account or stolen a credit card. Out-of-context position deviations trigger red flags. For example, let’s say 90% of a user’s activity takes place in Miami. So if someone uses their stolen card in St. Louis through a VPN set up in New York and enters a delivery address in Boston for an order, the analysis might recommend that the system decline the order and block the card.
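The three scenarios above (nearby locations, a traveling customer, and the Miami account used from New York with a Boston delivery address) can be expressed as a small scoring routine. This is an added example, not Deduce's method or code from the article: the city coordinates are constructed, and the `near_km` and `max_kmh` thresholds and the trust/review/decline rule are assumptions.

```python
from math import asin, cos, radians, sin, sqrt

# Constructed (lat, lon) coordinates for the cities named in the scenarios.
CITIES = {
    "Miami": (25.76, -80.19), "Fort Lauderdale": (26.12, -80.14),
    "Chicago": (41.88, -87.63), "New York": (40.71, -74.01),
    "Boston": (42.36, -71.06),
}

def km(a, b):
    """Great-circle (haversine) distance in km between two city names."""
    la1, lo1, la2, lo2 = map(radians, CITIES[a] + CITIES[b])
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def assess(order, history, near_km=80, max_kmh=900):
    """Score one order against a user's location history.

    order:   {"ip": city, "billing": city, "shipping": city}
    history: [(hours_ago, city), ...] past observations of this user.
    Thresholds and the decision rule are illustrative assumptions.
    """
    if not history:
        return "review", ["no location history for this user"]
    reasons = []
    known = {city for _, city in history}
    for field in ("ip", "billing", "shipping"):
        # Familiar = within near_km of anywhere the user has been seen.
        if all(km(order[field], k) > near_km for k in known):
            reasons.append(f"{field} location {order[field]} is new for this user")
    # Impossible travel: implied speed since the most recent observation.
    hours, last_city = min(history)
    dist = km(order["ip"], last_city)
    if dist > near_km and dist / max(hours, 0.1) > max_kmh:
        reasons.append(f"impossible travel: {dist:.0f} km in {hours} h")
    decision = "trust" if not reasons else "review" if len(reasons) == 1 else "decline"
    return decision, reasons

if __name__ == "__main__":
    home = [(1, "Miami"), (50, "Miami"), (200, "Fort Lauderdale")]
    print(assess({"ip": "New York", "billing": "Miami", "shipping": "Boston"}, home))
```

A traveler whose history already includes the destination city is trusted, while the same order from a never-seen city yields a single flag and goes to review rather than being declined outright.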
Reasons to consider geospatial analysis
Beyond simply assessing individual transactions, merchants and banks can track risk and trust trends across users with geospatial analytics. Our research at Deduce has shown that as the distance between activity centers increases, so does the percentage of transactions that can be described as risky.
The ability to verify customers at the time of account creation is extremely important. Linking digital and physical location data is almost impossible for fraudsters to fake online – so using this type of analytics is an almost foolproof way to prevent this type of security breach. Banks and organizations in regulated industries have higher requirements for address verification and risk running into multi-million dollar fines if they are not met.
Address verification through credit bureaus can also delay new account applications or even lose new customers altogether, and secondary reviews can cost around $100 per application. But geospatial analysis can help. A new account inquiry that can be linked to historical activity at both the applicants’ current and previous addresses can enable banks to verify the customer quickly and accurately without the need for manual review.
Depending on your business needs, it’s worth considering geospatial analytics, which can help make identity verification more accurate, less expensive and less intrusive to legitimate users’ online activity – while still catching fraudulent actors in their tracks.
The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology leaders.