An idea for banks

Last month I posted a status update about how Bank of America froze my credit card after an $18 purchase for Alfred’s Powerpack. The purchase was a UK-based transaction which apparently was too much for a Visa card to handle.

It gave me an idea though. What if a bank gave its customers the ability to set a threshold for fraudulent activity? The bank would let me say, “Do not freeze my card for any purchases below this dollar amount.” Seems easy enough.

If my card or account information was stolen I really wouldn’t be worried about an $18 purchase. What I’m concerned about is someone stealing my information and going on a shopping spree at an Apple store. If they want to drop $18 to support an indie software company that’s fine by me.

While ideally I’d like to not be liable for an $18 fraudulent purchase I don’t need my account frozen because of it. Send me a non-urgent email or a text message but don’t cut off my access.

12 Responses to “An idea for banks”

  1. I disagree with the original ideas in the post, but subscribe to the final paragraph.

    Bank of America has been fantastic at detecting fraudulent activity on my Visa check card. I purchase random things online all of the time, and yet they still catch the $8 purchase for a bike part from Europe, and rarely have false positives.

    Often, fraudulent activity starts with a small purchase, with the intent of it going undetected, to ensure that the information works. From there, they may go big.

    That said, Bank of America does do something great, and something you’d like. Sometimes when they’re unsure (perhaps some sort of confidence threshold), they call me. It usually warns me that they’ve detected unusual activity, and if I don’t contact them within a few hours (maybe a day), they’ll kill the card. (As could be inferred, I’ve had fraudulent charges a lot. Easily four different incidents in the last two years.)

    Their call is simple — a machine reads you each of the suspicious transactions and lets you confirm that it was you, or that it wasn’t. If it wasn’t, they’ll transfer you to a person.

    If you don’t answer their initial call, I think they temporarily cut off the card as well, but I want to say I’ve had it happen where they don’t. Also, that’s not to say they won’t nuke a card that is obviously compromised without calling you — I haven’t had this happen quite enough for me to draw conclusions.

    That all said, I stand by an idea I floated a few weeks ago: I want an instant push notification whenever my card is used. You’d know instantly of a fraudulent charge. Seems like the best of all worlds.

    • I have a PayPal debit card and that’s exactly how it works. Anytime you charge anything, they send an email. As far as I know that’s the only way you can be notified at present, but I really like it. It’s a nice sense of security. Definitely something that a lot more banks should look at adopting.

    • I can see how 4 fraud issues would make one more wary. The biggest issue, which I perhaps should have mentioned in the post, was that this was a couple days before I left the country for 11 days.

      During that trip my (Verizon) phone had no access. It would have been just dandy had the same thing happened a few days later. :) On the web I can make a purchase from any location. For a bank to have their account unlock mechanism be a phone number that may be tied to a specific geographical location is a very sub par user experience.

      I got a similar robo-call as you describe but it stated I needed to confirm this activity before my card would be unlocked. Hence the wariness for what *could* have been.

      Push notifications would be ideal! I have a Chase account as well but didn’t realize I can get push notifications like Alex mentions below.

  2. Or even better yet, have a mechanism for approving/denying so-called “suspicious” charges. I’m very much in favor of credit card companies assuming all liability for fraudulent charges; we’ve already been down that road with liability law in England, and laying any liability back on the card-holder is a slippery slope back in that direction.

    Setting thresholds is certainly useful, but “the bad guys” already skirt those protections. This is why we have hyper-sensitive time/location-driven heuristics that throw false-positives like what you experienced.

    The rub, as I see it, is in how credit card companies react. By freezing a card number, they’re opening card-holders to what amounts to a DoS attack. If companies instead used SMS or a similar protocol to alert card-holders of suspicious charges and allow them to approve or deny them, then we’re talking.

    Even better, give consumers the ability to easily and proactively kill their cards in a way that lets them receive and activate their new cards with no downtime.

    To truly solve this problem, companies need to get off their butts and implement per-user virtual credit cards. If a given credit card number is bound to a specific merchant, then it’s very well-fortified against abuse. Add on the notion of monthly caps or explicit filtering patterns to the authentication loop for a given virtual-card, and we approach bulletproofability.

    This “solution” is obviously problematic for physical cards, but I see a possible solution there too. For any person’s “credit card account”, we must decouple all notions of “card” from the account itself, both virtual and physical. A user should be able to generate an arbitrary set of physical cards just as they would virtual cards. Though it’d be impractical for physical cards to be locked to single merchants as virtual cards would be, there’s still significant value in segmenting one’s card use; it’ll make strong filters and caps more effective, and allow fraud-detection heuristics to be much, much smarter. Purchasing a tank of gas two towns over from my house makes perfect sense, but doing so with “my food card” that’s historically only used at restaurants and supermarkets should throw up every red flag available…

    …and then trigger the SMS-auth loop mentioned above, rather than immediately and irreversibly killing the card outright of course.

    • Totally agree. Having approval options for things flagged as suspicious would be great. It’s a good case of a bank having the right intentions but going about it in a really clumsy manner that shows they clearly don’t think about an optimal user experience.

      The idea of generating cards tied to activity rather than account is an interesting one. I dig it.

      • It’s a case of organizations overreacting with a brutal catch-all. Under U.S. law (to my understanding), credit card companies are liable for all fraudulent charges (past an initial $50) to a card. Naturally, they have significant incentive to kill a stolen card as quickly as possible to protect themselves. But there’s no incentive to be nice about it or otherwise protect the card-holder. It’s easier and cheaper to nuke a card if it’s suspected to be stolen, rather than implement a graduated response of some kind that can take into account false-positives.

        Debit/check cards are a different legal story though, as any charges to them are technically account withdrawals rather than accumulated debt as credit cards are. But it would seem that at least some card companies have similar fraud-detection mechanisms watching these cards as well, and I’d argue that the same user-side monitoring/throttling tools we’re pining for should apply to both credit and debit channels equally.

        But where’s the incentive? BankSimple is using stuff like this to differentiate themselves from the incumbents. Consumers and our experiences are secondary in this business to aggregate cash flow and overall fraud rates. Improvements to our own security and experience using these “products” are incidental past getting us hooked and opening the money spigot.

        Man, I got pessimistic about this.
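The threshold from the original post and the partitioned-card design sketched in comment 2 (a merchant-bound virtual card, a monthly cap, a "food card" whose usual categories make a fuel charge stand out, and an approve/deny loop instead of an outright freeze) fit together into one small policy engine. The following is an added example written for this page; it is not code from the post, from any commenter, or from any bank, and the card names, merchants, amounts and prior history are all constructed. It goes slightly beyond the thread by putting the post's threshold and comment 2's partitions into a single graduated response (allow, notify, hold for approval, freeze) and by letting an approved hold teach the partition its new category:

```python
"""Graduated fraud response over partitioned cards (added example, not the
post's or any bank's code).  Models the post's holder-set threshold and
comment 2's ideas: cards as partitions of one account, a virtual card bound
to one merchant, a monthly cap, per-card "usual" categories, and an
approve/deny loop in place of a freeze.  All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"              # nothing unusual, authorise silently
    NOTIFY = "notify"            # authorise, but send a non-urgent message
    HOLD_FOR_APPROVAL = "hold"   # authorise only once the holder approves
    FREEZE = "freeze"            # block the card


@dataclass
class Card:
    card_id: str
    bound_merchant: Optional[str] = None            # virtual card locked to one merchant
    monthly_cap_cents: Optional[int] = None         # hard monthly spending cap
    usual_categories: FrozenSet[str] = frozenset()  # what this partition is normally used for


@dataclass
class Account:
    no_freeze_below_cents: int   # the holder's threshold from the post
    cards: Dict[str, Card]


@dataclass
class Txn:
    card_id: str
    merchant: str
    category: str
    amount_cents: int
    when: datetime


def spent_this_month(history: List[Txn], card_id: str, when: datetime) -> int:
    """Sum of earlier charges on this card in the same calendar month."""
    return sum(t.amount_cents for t in history
               if t.card_id == card_id and (t.when.year, t.when.month) == (when.year, when.month))


def decide(account: Account, txn: Txn, history: List[Txn]) -> Tuple[Action, str]:
    """Pick a graduated response for one authorisation request."""
    card = account.cards.get(txn.card_id)
    if card is None:
        return Action.FREEZE, "unknown card number"
    # A merchant-bound virtual card is never valid anywhere else: kill it outright.
    if card.bound_merchant is not None and txn.merchant != card.bound_merchant:
        return Action.FREEZE, "card is bound to merchant %s" % card.bound_merchant
    # A cap breach is a policy limit, not proof of theft: ask rather than freeze.
    if card.monthly_cap_cents is not None:
        if spent_this_month(history, card.card_id, txn.when) + txn.amount_cents > card.monthly_cap_cents:
            return Action.HOLD_FOR_APPROVAL, "monthly cap exceeded"
    # Partition-aware heuristic: fuel on the "food card" is comment 2's red flag.
    unusual = bool(card.usual_categories) and txn.category not in card.usual_categories
    if not unusual:
        return Action.ALLOW, "within this card's usual pattern"
    # Below the holder's threshold an unusual charge only earns a notification.
    if txn.amount_cents < account.no_freeze_below_cents:
        return Action.NOTIFY, "unusual category, below holder's threshold"
    return Action.HOLD_FOR_APPROVAL, "unusual category, above holder's threshold"


def resolve_hold(card: Card, txn: Txn, approved: bool) -> Action:
    """The holder's answer to an approval request (comment 2's SMS-auth loop).
    Approving teaches the partition the new category; denying freezes the card."""
    if approved:
        card.usual_categories = card.usual_categories | {txn.category}
        return Action.ALLOW
    return Action.FREEZE


def build_account() -> Account:
    """Constructed sample: three partitions of one account, threshold $25."""
    cards = [
        Card("food", usual_categories=frozenset({"grocery", "restaurant"})),
        Card("online", monthly_cap_cents=50_00),
        Card("alfred", bound_merchant="alfred-store", monthly_cap_cents=30_00),
    ]
    return Account(no_freeze_below_cents=25_00, cards={c.card_id: c for c in cards})


HISTORY = [  # constructed prior activity
    Txn("food", "supermarket", "grocery", 84_12, datetime(2011, 3, 2)),
    Txn("online", "craft-shop", "retail", 32_00, datetime(2011, 3, 3)),
]

SAMPLES = [  # constructed authorisation requests, in order
    Txn("alfred", "alfred-store", "software", 18_00, datetime(2011, 3, 5)),        # the post's $18
    Txn("alfred", "electronics-store", "electronics", 1999_00, datetime(2011, 3, 5)),  # stolen number
    Txn("food", "gas-station", "fuel", 42_00, datetime(2011, 3, 6)),              # comment 2's tank of gas
    Txn("food", "vending-machine", "snacks", 3_50, datetime(2011, 3, 6)),         # small and odd
    Txn("online", "craft-shop", "retail", 25_00, datetime(2011, 3, 7)),           # breaches the $50 cap
    Txn("unknown", "anywhere", "retail", 1_00, datetime(2011, 3, 7)),             # not one of our cards
]


def run_samples() -> List[str]:
    """Run SAMPLES through decide(), then approve the held fuel charge and retry it."""
    account = build_account()
    results = [decide(account, txn, HISTORY)[0].value for txn in SAMPLES]
    gas = SAMPLES[2]
    resolve_hold(account.cards["food"], gas, approved=True)
    results.append(decide(account, gas, HISTORY)[0].value)
    return results


if __name__ == "__main__":
    account = build_account()
    for txn in SAMPLES:
        action, why = decide(account, txn, HISTORY)
        print(f"{txn.card_id:8}{txn.merchant:18} ${txn.amount_cents / 100:8.2f} -> {action.value:7}({why})")
```

The ordering of the checks is the point: the only path to an immediate freeze is hard evidence (a number used where it can never legitimately be used, or a card the bank does not know), while everything heuristic degrades to a notification or an approval request that the holder can answer, which is the graduated response the thread asks for instead of the catch-all kill.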

  3. @Nacin Most of the big banks do indeed do a fine job with fraud detection nowadays. I’d still argue that they’re not doing a good enough job though. False positives are still a problem, having a card killed (even when truly needed) is still unnecessarily disruptive, and they’re all eating significant costs in “writing-off” fraudulent charges that are small enough to not warrant the cost of investigating. And let’s face it, they’re not making the problem they’re facing very easy to solve.

    Untangling fraudulent/legitimate charges from a single molten pool of card activity is very, very hard. If an account had explicit partitions (as in the example of different physical cards in my previous comment), then the problem becomes much easier. Think of how their detection accuracy would skyrocket, if they could apply their already super-powered algorithms to cleaner data?

    And all of this fraud detection technology is a backstop against a more fundamental problem: card authentication. The vulnerabilities a card and the card company faces (and the available countermeasures) are very different on the ‘net than in the physical world. Tackling both scenarios is a deeply stupid idea, though sadly that’s the reality they’re faced with. But if users had the tools to build the partitions I described vaguely above, then the game would change a bit. We’d still have the people who don’t get it and don’t care, but then we’d be dealing with an education/outreach problem, not a battle of antiquated technology failing against increasingly well-positioned opponents.

  4. Chase has an app for the iPhone that sets up iOS notifications. On their site, you can set up all of the various thresholds for when they should contact you and via what method.

    I have it set up that any time over $1 (the minimum amount) is charged to my card, I get sent both an e-mail and a notification on my phone saying how much and where. It comes through within seconds, sometimes before the cashier even hands my credit card back to me.

    They also will call and e-mail me and ask me to confirm when they have a questionable charge on my card.

    A lot of people don’t like Chase but frankly I love them.

  5. I should’ve said “tackling both scenarios at the same time is a deeply stupid idea”. Both scenarios clearly need tackling, but they’re different beasts that require different treatment.

    I know there are some banks and pseudo-banks that already do bits and pieces of this. Push notifications are a trendy topic to tout, and SMS has existed for how long now? But nobody does any of this particularly well across the board (say, both Push when available and an equally useful SMS as a fall-back). Virtual credit cards aren’t new either, but I’ve only seen a decrease in their deployment of late, and their use has always been badly hampered (see Paypal’s erstwhile browser plugin as an example).

    Even the idea of filtering and labeling transactions isn’t new. Look at every personal finance system ever.

    But nobody has tied the pieces together in a useful way. Charge thresholds are dumb without context. Categories of charges are useless for anything past budgeting without some kind of programmable logic attached to them. Notifications aren’t terribly helpful unless they can be easily acted upon (a phone call with a robot is pretty terrible UX).

    Here’s to BankSimple coming through for us and Doing Banking Right.

    • But nobody has tied the pieces together in a useful way. Charge thresholds are dumb without context. Categories of charges are useless for anything past budgeting without some kind of programmable logic attached to them. Notifications aren’t terribly helpful unless they can be easily acted upon.

      Well said, Matt. I’m also eagerly awaiting what BankSimple does and hope my beta invite arrives sooner rather than later. I can dream, right? :)

      • Amen, homeslice. I’m hanging on with BofA for no reason other than it’s a pain to switch banks, waiting for a BankSimple invite to make it my way. And believe you me, BofA is an absolute ghetto of a bank up here. Not all branches in all states are created equal… nor do they share the same backend systems either, apparently. Much badness and sadness.