SoylentNews is people

posted by Fnord666 on Tuesday June 11 2019, @03:50PM
from the AI-this-and-AI-that dept.

Submitted via IRC for SoyCow4463

Mastercard is Using A.I. to Make Online Paying Easier

Mastercard wants to make paying for items online both a little easier and a little safer — and it’s using some pretty fancy tech to make that happen. The company announced the new Mastercard Digital Wellness program, which is aimed at deploying new standards and implementing a ton of tech to enable businesses to protect their customers’ data.

As part of the new program, Mastercard plans on deploying EMVCo’s (Europay, Mastercard, Visa) standards, which include a new click-to-pay checkout system — replacing old key-entry checkout systems and making it much easier to make purchases. The system is compatible across systems, too — it can be used for all kinds of online shopping, multiple devices, and across cards.

"We launched Mastercard Digital Wellness today because we believe that businesses shouldn't have to sacrifice safety or choice as they build the best experiences for their customers," Mastercard executive Jess Turner said in a statement. "Any changes to how we shop online must deliver enhanced levels of security, transparency, and flexibility for everyone."

[...] Of course, just because the new Digital Wellness program is available to merchants, that doesn’t necessarily mean that merchants will actually adopt it.


  • (Score: 4, Informative) by AthanasiusKircher (5291) on Tuesday June 11 2019, @06:16PM (#854302)

    First, let's be clear on how the product works. It appears to be "passive biometrics," as described in TFA:

    NuData is aimed at helping prevent fraud by monitoring things like website traffic changes, analyzing changes in browsers, web surfing speeds, and more. It can also verify user data by analyzing things like scroll speed, the hand that a user uses on their device, keystrokes, and so on — all data that Mastercard says makes a user unique. It’s a combination of these technologies that allow customers to click-to-pay without having to enter passwords.

    I followed some links to this NuData company (which was bought by Mastercard a few years ago), and here are a few more bits of info from here [nudatasecurity.com]:

    Passive Biometric Verification: Human behavior makes us unique. Recognize your legitimate customers by analyzing how they behave. This layer builds an inimitable profile of each customer by looking at typing speed, device angle, and hundreds of other behavioral patterns.

    Behavioral Trust Consortium: Use history to your advantage. NuData brings together the billions of data points collected across the full customer base to increase decision accuracy. The billions of aggregated and anonymous profiles tell you if your customers are behaving like they normally do or like a good customer would with +99% accuracy.

    A couple more articles I found on this here [digitaltransactions.net] and here [mastercard.com].

    While I'm sure such systems may help to prevent fraud, here are just a few concerns:

    (1) Privacy, obviously. I'm sure many of us here aren't surprised to realize we are now being profiled even by how we hold our phones, our scroll speed, our clicking patterns, and hundreds of other data points. Good for perhaps helping to check that I am who I say I am, but history tells me marketing and other annoyances are going to grab this data and use it for worse stuff -- not to mention perhaps aggregating and selling your personal "profile" to the highest bidders. Everybody was worried about the day you'd have a tracking chip in your arm or something -- but ways of tracking individuals are becoming much easier and less invasive.

    (2) I surely hope that "+99% accuracy" is a lot higher than 99%, if they intend to roll this out as a payment system that won't require a password. False positives for fraud aren't a huge issue with modern cards -- I don't mind getting an email every other month asking if a transaction was mine and having to click a button. But false negatives for fraud are a huge issue here (as they will let fraudulent activity through), and I certainly hope the accuracy is much better than 99% on those.

    (3) I sincerely hope that any such system still allows for an option that would require me to enter a password or something in addition to the passive biometric element. We already have too many situations and too many devices that want to authorize payments without sufficient verification. I NEVER want something like Amazon's 1-click turned on. I ALWAYS want to be prompted to confirm at least twice that I want to purchase something before a card is charged. Having to enter a password is at least one more barrier to accidental charges (let alone fraudulent ones).

    (4) While I'm sure this may help in the short term, how long before fraudsters pick up on ways to fake this stuff? Today we have keyloggers that get surreptitiously installed on some devices and are used to steal passwords. What happens when nefarious apps or malware like that start collecting the passive biometric datapoints too from your various sensors and elements on your device? Then a fraudster buys that data and simulates it on another device... at the moment, that may sound complicated or far-fetched, but I bet in 10 years if this system catches on, it might well be feasible and a potential problem. For anything that really matters, I'd prefer multi-factor authentication rather than some black box algorithm that guesses it's me.

    (5) What about end runs around this security? It seems to me that such a system is bound to flag some people as "fraudulent" for some sort of random reason. Maybe you just don't tap at the speed you used to. Maybe some weird combination of biometric feedback isn't as consistent for you as it is for 99% of other people, and the system is just confused by you. Which means there will inevitably be cases where people are calling up a credit card company to get authorization or whatever. Let's just make sure the secondary checking systems are secure, though, because every amateur hacker knows it's often 100 times easier to steal an account through an insecure password reset feature than by guessing/stealing the password itself. If you have a system that requires people to sometimes verify through alternate methods, it needs to be even more secure -- which could pose challenges.

    Overall, I don't know how I feel about it. But I have assumed this stuff was coming for years anyway, and I doubt there's any way around it. Most people are already being poked and prodded and their "digital profiles" collected electronically by every web browser and lots of apps... and almost nobody cares. Whether this stuff will end up being overall a net good or bad in our lives is way too early to tell.

  • (Score: 0) by Anonymous Coward on Tuesday June 11 2019, @06:44PM (#854313)

    Let the consumers suffer as long as investors benefit. In the future when you're filthy rich, donate to a charity or something and get worshiped like a God.

  • (Score: 2, Interesting) by Anonymous Coward on Tuesday June 11 2019, @09:54PM (#854396)

    I've been getting burnt by this tech for a while now. Ever since I wrote a JavaScript-based security tool that would run live in any web page / form, which became a product but started out as a "betchya can't" experiment one weekend in 2012, I have entered PCI data "chaotically" in payment forms. I knew what would eventually happen and this year has been a royal pain in the arse. As heuristics are applied I show up as an outlier .. transactions get blocked all over the place, sometimes in the store's security extensions (so the bank never sees the attempt) and sometimes in the payment gateway or the card co. itself. Once a horizontal service flags you, you then have a reputation that makes subsequent checks more sensitive and the problem cascades - I've had the same fraud guy from my bank's investigation team apologise three times to me in one night (shirts, aftershave and gym gear purchases). The application of heuristics to every domain in order to improve security is going to break things badly - not all humans are in the middle of the bell curve and our culture is not static - we will see the same problems that complex CAPTCHAs have created in the past apply to big chunks of society, and people are going to get hurt unnecessarily.

  • (Score: 2) by Joe Desertrat (2454) on Tuesday June 11 2019, @09:56PM (#854398)

    ...(1) Privacy, obviously. I'm sure many of us here aren't surprised to realize we are now being profiled even by how we hold our phones, our scroll speed, our clicking patterns, and hundreds of other data points. Good for perhaps helping to check that I am who I say I am, but history tells me marketing and other annoyances are going to grab this data and use it for worse stuff -- not to mention perhaps aggregating and selling your personal "profile" to the highest bidders. Everybody was worried about the day you'd have a tracking chip in your arm or something -- but ways of tracking individuals are becoming much easier and less invasive...

    I suspect we will find in the near future that opting out or trying to block such tracking will make it harder to legitimately transact business on the internet, while hardly slowing the fraudulent activity. That will of course show the true reason behind their methods to "protect" us.

    (3) I sincerely hope that any such system still allows for an option that would require me to enter a password or something in addition to the passive biometric element. We already have too many situations and too many devices that want to authorize payments without sufficient verification. I NEVER want something like Amazon's 1-click turned on. I ALWAYS want to be prompted to confirm at least twice that I want to purchase something before a card is charged. Having to enter a password is at least one more barrier to accidental charges (let alone fraudulent ones)....

    I hate the fact that too many sites automatically save your payment information, even if you uncheck the box that "asks" if you want to do so. Does it cost them that much business if people have to enter in their card numbers? One has to wait until the charge is made and then log back into the site to delete the saved form of payment if you do not want your credit cards sitting out there on the internet.

    I also had trouble with a recent vendor that apparently blocked my transaction because I used a VPN (according to their support). Why that should be an issue with them I'm not sure, it has not been anywhere else, but I hope that is not the future of such transactions. I did let them know I did not make a purchase because of this and that I was able to successfully make a purchase at a competitor's site instead, and that I was able to make purchases at any other sites I've used without a problem. If this does become a common issue, well maybe it will drive more business back to physical retail stores.