An idea for banks

Last month I posted a status update about how Bank of America froze my credit card after an $18 purchase for Alfred’s Powerpack. The purchase was a UK-based transaction which apparently was too much for a Visa card to handle.

It gave me an idea though. What if a bank gave its customers the ability to set a threshold for fraudulent activity? The bank would let me say, “Do not freeze my card for any purchases below this dollar amount.” Seems easy enough.

If my card or account information was stolen I really wouldn’t be worried about an $18 purchase. What I’m concerned about is someone stealing my information and going on a shopping spree at an Apple store. If they want to drop $18 to support an indie software company that’s fine by me.

While ideally I’d like to not be liable for an $18 fraudulent purchase I don’t need my account frozen because of it. Send me a non-urgent email or a text message but don’t cut off my access.


Andrew Nacin says:

I disagree with the original ideas in the post, but subscribe to the final paragraph.

Bank of America has been fantastic at detecting fraudulent activity on my Visa check card. I purchase random things online all of the time, and yet they still catch the $8 purchase for a bike part from Europe, and rarely have false positives.

Often, fraudulent activity starts with a small purchase, with the intent of it going undetected, to ensure that the information works. From there, they may go big.

That said, Bank of America does do something great, and something you’d like. Sometimes when they’re unsure (perhaps some sort of confidence threshold), they call me. It usually warns me that they’ve detected unusual activity, and if I don’t contact them within a few hours (maybe a day), they’ll kill the card. (As could be inferred, I’ve had fraudulent charges a lot. Easily four different incidents in the last two years.)

Their call is simple – a machine reads you each of the suspicious transactions and lets you confirm that it was you, or that it wasn’t. If it wasn’t, they’ll transfer you to a person.

If you don’t answer their initial call, I think they temporarily cut off the card as well, but I want to say I’ve had it happen where they don’t. Also, that’s not to say they won’t nuke a card that is obviously compromised without calling you — I haven’t had this happen quite enough for me to draw conclusions.

That all said, I stand by an idea I floated a few weeks ago: I want an instant push notification whenever my card is used. You’d know instantly of a fraudulent charge. Seems like the best of all worlds.

I have a PayPal debit card and that’s exactly how it works. Anytime you charge anything, they send an email. As far as I know that’s the only way you can be notified at present, but I really like it. It’s a nice sense of security. Definitely something that a lot more banks should look at adopting.

I can see how 4 fraud issues would make one more wary. The biggest issue, which I perhaps should have mentioned in the post, was that this was a couple days before I left the country for 11 days.

During that trip my (Verizon) phone had no access. It would have been just dandy had the same thing happened a few days later. ūüôā On the web I can make a purchase from any location. For a bank to have their account unlock mechanism be a phone number that may be tied to a specific geographical location is a very sub par user experience.

I got a similar robo-call as you describe but it stated I needed to confirm this activity before my card would be unlocked. Hence the wariness for what *could* have been.

Push notifications would be ideal! I have a Chase account as well but didn’t realize I can get push notifications like Alex mentions below.

Matt Pearson says:

Or even better yet, have a mechanism for approving/denying so-called “suspicious” charges. I’m very much in favor of credit card companies assuming all liability for fraudulent charges; we’ve already been down that road with liability law in England, and laying any liability back on the card-holder is a slippery slope back in that direction.

Setting thresholds is certainly useful, but “the bad guys” already skirt those protections. This is why we have hyper-sensitive time/location-driven heuristics that throw false-positives like what you experienced.

The rub, as I see it, is in how credit card companies react. By freezing a card number, they’re opening card-holders what amounts to a DoS attack. If companies instead used SMS or a similar protocol to alert card-holders of suspicious charges and allow them to approve or deny them, then we’re talking.

Even better, give consumers the ability to easily and proactively kill their cards in a way that lets them receive and activate their new cards with now downtime.

To truly solve this problem, companies need to get off their butts and implement per-user virtual credit cards. If a given credit card number is bound to a specific merchant, then it’s very well-fortified against abuse. Add on the notion of monthly caps or explicit filtering patterns to the authentication loop for a given virtual-card, and we approach bulletproofability.

This “solution” is obviously problematic for physical cards, but I see a possible solution there too. For any person’s “credit card account”, we must decouple all notions of “card” from the account itself, both virtual and physical. A user should be able to generate an arbitrary set of physical cards just as they would virtual cards. Though it’d be impractical for physical cards to be locked to single merchants as virtual cards would be, there’s still significant value in segmenting one’s card use; it’ll make strong filters and caps more effective, and allow fraud-detection heuristics to be much, much smarter. Purchasing a tank of gas two towns over from my house makes perfect sense, but doing so with “my food card” that’s historically only used at restaurants and supermarkets should throw up every red flag available…

…and then trigger the SMS-auth loop mentioned above, rather than immediately and irreversibly killing the card outright of course.

Totally agree. Having approval options for things flagged as suspicious would be great. It’s a good case of a bank having the right intentions but going about it in a really clumsy manner that shows they clearly don’t think about an optimal user experience.

The idea of generating cards tied to activity rather than account is an interesting one. I dig it.

Matt Pearson says:

It’s a case of organizations overreacting with a brutal catch-all. Under U.S. law (to my understanding), credit card companies are liable for all fraudulent charges (past an initial $50) to a card. Naturally, they have significant incentive to kill a stolen card as quickly as possible to protect themselves. But there’s no incentive to be nice about it or otherwise protect the card-holder. It’s easier and cheaper to nuke a card if it’s suspected to be stolen, rather than implement a graduated response of some kind that can take into account false-positives.

Debit/check cards are a different legal story though, as any charges to them are technically account withdrawals rather than accumulated debt as credit cards are. But it would seem that at least some card companies have similar fraud-detection mechanisms watching these cards as well, and I’d argue that the same user-side monitoring/throttling tools we’re pining for should apply to both credit and debit channels equally.

But where’s the incentive? BankSimple is using stuff like this to differentiate themselves from the incumbents. Consumers and our experiences are secondary in this business aggregate cash flow and overall fraud rates. Improvements to our own security and experience using these “products” are incidental past getting us hooked and opening the money spigot.

Man, I got pessimistic about this.

Matt Pearson says:

@Nacin Most of the big banks do indeed do a fine job with fraud detection nowadays. I’d still argue that they’re not doing a good enough job though. False positives are still a problem, having a card killed (even when truly needed) is still unnecessarily disruptive, and they’re all eating significant costs in “writing-off” fraudulent charges that are small enough to not warrant the cost of investigating. And let’s face it, they’re not making the problem they’re facing very easy to solve.

Untangling fraudulent/legitimate charges from a single molten pool of card activity is very, very hard. If an account had explicit partitions (as in the example of different physical cards in my previous comment), then the problem becomes much easier. Think of how their detection accuracy would skyrocket, if they could apply their already super-powered algorithms to cleaner data?

And all of this fraud detection technology is a backstop against a more fundamental problem: card authentication. The vulnerabilities a card and the card company faces (and the available countermeasures) are very different on the ‘net than in the physical world. Tackling both scenarios is a deeply stupid idea, though sadly that’s the reality they’re faced with. But if users had the tools to build the partitions I described vaguely above, then the game would change a bit. We’d still have the people who don’t get it and don’t care, but then we’d be dealing with an education/outreach problem, not a battle of antiquated technology failing against increasingly well-positioned opponents.

Chase has an app for the iPhone that sets up iOS notifications. On their site, you can set up all of the various thresholds for when they should contact you and via what method.

I have it set up that any time over $1 (the minimum amount) is charged to my card, I get sent both an e-mail and a notification on my phone saying how much and where. It comes through within seconds, sometimes before the cashier even hands my credit card back to me.

They also will call and e-mail me and ask me to confirm when they have a questionable charge on my card.

A lot of people don’t like Chase but frankly I love them.

I have a Chase account and had no idea this was an option. ūüôā

Nice to know it exists though.

Matt Pearson says:

I should’ve said “tackling both scenarios at the same time is a deeply stupid idea”. Both scenarios clearly need tackling, but they’re different beasts that require different treatment.

I know there are some banks and pseudo-banks that already do bits and pieces of this. Push notifications are a trendy topic to tout, and SMS has existed for how long now? But nobody does any of this particularly well across the board (say, both Push when available and an equally useful SMS as a fall-back). Virtual credit cards aren’t new either, but I’ve only seen a decrease in their deployment of late, and their use has always been badly hampered (see Paypal’s erstwhile browser plugin as an example).

Even the idea of filtering and labeling transactions isn’t new. Look at every personal finance system ever.

But nobody has tied the pieces together in a useful way. Charge thresholds are dumb without context. Categories of charges are useless for anything past budgeting without some kind of programmable logic attached to them. Notifications aren’t terribly helpful unless they can be easily acted upon (a phone call with a robot is pretty terrible UX).

Here’s to BankSimple coming through for us and Doing Banking Right.

But nobody has tied the pieces together in a use­ful way. Charge thresh­olds are dumb with­out con­text. Cat­e­gories of charges are use­less for any­thing past bud­get­ing with­out some kind of pro­gram­ma­ble logic attached to them. Noti­fi­ca­tions aren’t ter­ri­bly help­ful unless they can be eas­ily acted upon.

Well said, Matt. I’m also eagerly awaiting what BankSimple does and hope my beta invite arrives sooner rather than later. I can dream, right? ūüôā

Matt Pearson says:

Amen, homeslice. I’m hanging on with BofA for no reason other than it’s a pain to switch banks, waiting for a BankSimple invite to make it my way. And believe you me, BofA is an absolute ghetto of a bank up here. Not all branches in all states are created equal… nor do they share the same backend systems either, apparently. Much badness and sadness.

Comments closed