Banks, Bounty Hunters and Blowback – Inside the tug-of-war over smartphone and location data

May 22, 2019

We live in privacy-sensitive times, where consumers can feel numb about eroding digital privacy one minute – then shocked into action the next. Take smartphone location data, for example. Earlier this year a gripping story by Joseph Cox in Motherboard reported that bounty hunters were gaining access to AT&T wireless customers’ location information through data sharing channels. An outcry ensued and carriers including AT&T and T-Mobile announced restrictions to their practices. Security restored – case closed, right?

Not so fast. Here at BehavioSec, we’ve been working with big financial services firms dealt a security setback by the well-intentioned data restriction moves of AT&T and others. We are posting this blog to call attention to some of the unintended consequences and stir a deeper discussion on rethinking the types of data banks and other businesses traditionally “must” collect for security. The financial world takes the best shot of every type of cybercriminal and fraudster every day, so this industry often requires a vast array of tools and data sources to try to keep the losses under control.

Here’s the problem: For years, banks have relied on IP geolocation data and device ID as digital cornerstones of their anti-fraud efforts. These data sources have been prescribed to anti-fraud teams as essentials. After all, factoring a user’s location history and device fingerprint into log-in attempts is traditionally one way to spot suspicious activity, like a user who appears to be in two places at once or who tries to log in on a succession of devices in mere seconds – clear signs of compromised credentials and account takeover. More recently, as smartphone apps became more functional and started allowing activities like peer-to-peer financial transactions, the attack surface grew, so banks started to collect more location data directly from the smartphone GPS, or even from the carrier.
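The two checks described above (a user who appears to be in two places at once, and a succession of devices within seconds), written as an added example that is not from BehavioSec or the original post. The thresholds, field names and sample events are assumptions constructed for illustration; the device check still runs when a login carries no location.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Assumed thresholds, not values from the post.
MAX_SPEED_KMH = 900.0   # roughly airliner cruising speed
DEVICE_WINDOW_S = 60    # what counts as "mere seconds"
DEVICE_LIMIT = 3        # distinct devices inside the window

@dataclass
class Login:
    user: str
    ts: int                       # Unix seconds
    device_id: str
    lat: Optional[float] = None   # None when no location was shared
    lon: Optional[float] = None

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_logins(events):
    """Return (user, ts, reason) for each suspicious login, in time order."""
    alerts, last_located, recent = [], {}, {}
    for e in sorted(events, key=lambda x: x.ts):
        # Device churn needs no location data at all.
        window = [p for p in recent.get(e.user, []) if e.ts - p.ts <= DEVICE_WINDOW_S]
        window.append(e)
        recent[e.user] = window
        if len({p.device_id for p in window}) >= DEVICE_LIMIT:
            alerts.append((e.user, e.ts, "device_churn"))
        # Impossible travel is skipped when the location is missing.
        if e.lat is None or e.lon is None:
            continue
        prev = last_located.get(e.user)
        if prev and km_between(prev, e) / (max(e.ts - prev.ts, 1) / 3600) > MAX_SPEED_KMH:
            alerts.append((e.user, e.ts, "impossible_travel"))
        last_located[e.user] = e
    return alerts

# Constructed sample events (not real data).
SAMPLE = [
    Login("alice", 1000, "dev-A", 40.71, -74.01),          # New York
    Login("alice", 1600, "dev-A", 51.51, -0.13),           # London, 10 minutes later
    Login("bob", 2000, "dev-B"), Login("bob", 2010, "dev-C"), Login("bob", 2020, "dev-D"),
    Login("carol", 3000, "dev-E", 40.71, -74.01),
    Login("carol", 3000 + 9 * 3600, "dev-E", 51.51, -0.13),  # 9 hours later: plausible
]
print(flag_logins(SAMPLE))
```

Bob's alert fires with no location on any of his logins, while the travel check has nothing to work with once coordinates stop arriving.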

Yet the problem for banks, credit unions, brokerages and other institutions is that they must rely on third parties for much of this anti-fraud fuel – carriers who own location information, vendors who connect the banks with carriers, and users who must accept the request to share location data. It is a fraught relationship, because it leaves banks at the mercy of carriers and tech firms who can arbitrarily decide to tighten the cost and terms of data-sharing or cut off access altogether, as we saw in blowback after the AT&T revelations.

Because data breaches and consumer privacy have become major sources of headlines recently, the carriers and smartphone stakeholders are locking things down. As carriers like AT&T pledge to revamp how they handle location data, Apple quietly added tougher device ID restrictions several years ago into iOS and Google has added similar restrictions into the next version of Android.

Security, privacy and data are complex issues – nothing is black and white and there are always trade-offs. Taken together, these moves might alleviate privacy scrutiny on some of the biggest names in tech and Silicon Valley, but they also trip up security pros in the finance world racing to protect consumers and contain or even slash fraud costs every day.

What is the way forward? Increasingly, it means recognizing that there are going to be more polarizing conversations about data access everywhere, and businesses no longer have the luxury of making data-collection decisions outside the periphery of consumers’, journalists’ and policymakers’ interests. Businesses cannot assume the third-party data they rely on today will be available under the same terms months later or next year, let alone indefinitely. They need to have a well-defined collection and storage policy, as well as a comprehensive strategy including contingencies for data loss due to policy, regulatory, or legal changes. Fraud strategy should be resilient, like any part of a business that requires continuity.

Businesses also have to discover and prioritize new data-driven defenses within their own walls that they can put into play immediately, in transparent, straightforward ways that resonate with consumers. Behavioral biometric data is a perfect example. The BehavioSec platform gives banks enhanced, GDPR-compliant anti-fraud defenses – based on their own data, which is not subject to carriers’ or OS makers’ restrictions. With BehavioSec, businesses and app developers take individuals’ own typing patterns, touchscreen pressures, cursor movements and other innate behaviors and use them for continuous authentication based on how a user acts during logins and transactions. This adds a powerful new line of defense against rampant account takeover (ATO) vectors like credential-stuffing, password theft and malware lurking in browsers and devices.

When consumers learn their bank or favorite store has surreptitiously been ingesting data from their phone carrier or smartphone maker, it can reflexively lead to suspicions of privacy invasion and overreach – the institution must articulate how the data is used to protect accounts or credit scores. But if you clearly articulate to your customers that you are using their own digital behavior in a bank or business to spot imposters, it makes for a more straightforward message about your concern for their account security and, more importantly, their personal privacy.

Contact us and share your take on Twitter and LinkedIn if you are writing about privacy/security trade-offs or helping your organization recalibrate the most important factors to use in assigning and managing digital identities.