The present invention relates to using location information to enhance fraud risk scores for debit/credit card payments in the process of being authorized, while providing privacy protection for the location information.
In 2012, payment card issuers, merchants, and their acquiring banks worldwide lost $11.27 billion to fraudulent transactions, up 14.6% from 2011. The United States accounted for about half of the global credit/debit card fraud losses ($5.3 billion) and fraud losses continue to rise year over year. As mobile devices with GPS capabilities are becoming pervasive, payment card processors are beginning to embrace solutions that use location information to improve the precision of fraud risk scores for payments in process. A payment transaction with a fraud risk score above a certain threshold will be categorized as having a high probability of being fraudulent, and therefore will be declined. The use of location information for determining a fraud risk score is based on the premise that today's consumers usually carry their smartphones with them at all times, and therefore their smartphone will be in the same location as the consumer attempting to make a purchase. When a consumer swipes her payment card at a point of sale terminal or submits the card information online, the card issuer responsible for authorizing the payment checks two pieces of location information and returns a score that lowers the fraud risk score if the locations are the same or a score that increases the fraud risk score if they are different. The first location is that of the payment, referred to as the payment location. It is the physical address/geographical coordinates of the point of sale or the approximate physical address/geographical coordinates of the computer from which an online payment was submitted. The computer location is determined from its IP address through IP-to-geolocation techniques. The second location, referred to as the cardholder location, is the real-time location of the consumer's smartphone obtained from the phone's GPS or through the mobile service provider (e.g., AT&T, Sprint, Verizon etc.) using cellular tower or Wi-Fi positioning technologies.
The cardholder location is compared with the payment location. If they are the same or they are spatially proximal based on a distance parameter, a negative score is returned to reduce the fraud risk score. If they are different, a positive location score is returned that will increase the fraud risk score.
Existing solutions using location information to enhance fraud risk scores do not consider the privacy of consumers' location information or other personal information. For example, the service provider obtains information each time the cardholder makes a purchase, as well as the location of the purchase. This can allow a service provider to correlate purchases from the same location over time and potentially infer relationships between cardholders and merchants. Additionally, the card issuing bank is also able to track the cardholder's location. As privacy awareness continues to rise, consumers will increasingly object to any use of location information (including for fraud detection purposes) that does not guarantee the privacy of their location. In addition, solutions that release non-specific location information are preferred to those that leak exact location coordinates, because consumers will more readily consent to the use of their non-specific location information than their exact location information. With the current solutions, issuing banks require the consent of the consumers/cardholders before providing their mobile numbers to service providers to obtain their location information. Similarly, a service provider needs consumer consent before it can provide customer location information to banks. Consent to use exact location information of consumers is difficult to obtain in practice and rarely ever scales for large user populations. Some financial institutions overcome the need to obtain consent by providing an app to the consumer (e.g., an online banking app). Again, only a small fraction of consumers installs such apps, and when they do, the apps still require permission from the users to access their location information. It would therefore be desirable to have solutions that can protect consumer location information yet still enable the use of such location information in the determination of fraud risk scores.
The present invention alleviates the problems described above by providing solutions that protect consumer location information yet still enable the use of such location information in the determination of fraud risk scores.
In accordance with embodiments of the present invention, cryptographic techniques of private information retrieval (PIR) and homomorphic encryption are used to protect consumer location information even as it is used to enhance fraud risk scores. PIR is used to enable an issuer to retrieve non-specific location information using a consumer mobile number as the query criterion without needing to share or disclose the mobile number with the service provider. Homomorphic encryption is used to protect location information of mobile consumers, while ensuring card issuers are only able to learn non-specific information about the location of the consumer.
Therefore, it should now be apparent that the invention substantially achieves all the above aspects and advantages. Additional aspects and advantages of the invention will be set forth in the description that follows, and in part will be obvious from the description, or may be learned by practice of the invention. Moreover, the aspects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the appended claims.
The accompanying drawings illustrate presently preferred embodiments of the invention, and together with the general description given above and the detailed description given below, serve to explain the principles of the invention. As shown throughout the drawings, like reference numerals designate like or corresponding parts.
In describing the present invention, reference is made to the drawings, wherein there is seen in
Each of the issuer bank(s) 10 and service provider(s) 16 operate a respective server 20, 22. Servers 20, 22 may be coupled to a database (not shown), which may be any suitable type of memory device utilized to store information. The servers 20, 22 may be coupled to a network, such as, for example, the internet, to allow communication with other servers. Servers 20, 22 may be a mainframe or the like that includes at least one processing device. Servers 20, 22 may be specially constructed for the required purposes, or may comprise a general purpose computer selectively activated or reconfigured by a computer program (described further below) stored therein. Such a computer program may alternatively be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, which are executable by the processing device. One of ordinary skill in the art would be familiar with the general components of a computing system upon which the method of the present invention may be performed.
According to the present invention, the system illustrated in
In step 34, the payment information is forwarded to the server 20 of the issuer bank 10 through the merchant bank. In step 36, using the payment information, the server 20 determines the payment location (locp). In step 38, based on the identification of the cardholder 12 in the payment information, the server 20 obtains information associated with the cardholder that it maintains in a database, which includes the number of the cardholder's mobile device 14. In step 40, the server 20 then computes a fraud risk score using known techniques (e.g., using payment velocity, proxy detection, profiling and related techniques). In step 42, it is determined if the fraud risk score is below a certain threshold (as may be determined by the issuer bank 10). If in step 42 the fraud risk score is below the predetermined threshold (meaning the issuing bank 10 believes there is little risk of the current transaction being fraudulent), then in step 44 the transaction is approved as non-fraudulent.
However, if in step 42 it is determined that the fraud risk score exceeds the threshold, then the server 20 will utilize the location information of the cardholder 12 to adjust the fraud risk score. In step 46, the server 20 of the issuer bank 10 encrypts the payment location (locp) and sends the encrypted payment location along with the number of the cardholder's mobile device 14 to the server 22 of the service provider 16. In step 48, the server 22 determines the location of the mobile device 14, which is deemed to be the location of the cardholder 12, using its mobile location data, and computes, using the public key received from the issuer bank 10, a homomorphically blinded encryption of the difference between the payment location (locp) and the cardholder location (locc); that is, response=E(r(locp−locc)), where r is a random non-zero integer. The variable r is utilized to blind the result of (locp−locc). Without r, it would be possible for the issuer bank 10 to indiscriminately determine the location of any customer at any time by making a request to the service provider 16, even if the customer was not doing any transaction. Note that the server 22 is able to carry out this computation having only the encrypted value of locp, and therefore is never actually provided with the location of the purchase made by the cardholder 12. In step 50, the server 22 returns the encrypted response back to the server 20 of the issuer bank 10. In step 52, the server 20 of the issuer bank 10 decrypts the response using the private key. The result of decrypting E(r(locp−locc)) is either zero or some other random integer. In step 54 the server 20 determines if the payment location and cardholder location are the same or spatially proximal. Locations are spatially proximal if they are located in the same grid cell. A spatial grid structure having a plurality of cells is utilized to quantize and index locations.
A grid can be defined in many ways, provided that each location with a given latitude/longitude is associated with a unique cell of the grid. For example, the United States can be divided into many 100×100 meter cells that are each associated with a unique identifier. The longitude and latitude of a user's current location will determine the grid cell used to situate the user. It should be understood, of course, that the cell size need not be limited to the example provided above, and could be any size and shape, e.g., hexagonal, as desired. When the result from step 52 is zero, it means that locp is the same as locc, e.g., is within the same grid cell (a “yes” determination); otherwise the locations are not the same, e.g., they are in different grid cells (a “no” determination). The magnitude of the difference is hidden (blinded with r). If in step 54 it is determined that the payment location (locp) and cardholder location (locc) are the same, then in step 56 the server 20 of the issuer bank 10 uses a negative location score to reduce the fraud risk score, whereas if in step 54 it is determined that the payment location and cardholder location are not the same, then in step 58 it uses a positive location score to increase the fraud risk score. In step 60, the server 20 of the issuer bank utilizes the adjusted fraud risk score to determine if the transaction will be approved or not.
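The blinded-difference check of steps 46 through 54, worked end to end as an added example that is not code from the patent. It uses a textbook Paillier cryptosystem (additively homomorphic, so E(a)·E(b)=E(a+b) and E(a)^k=E(k·a) mod n²) to compute E(r(locp−locc)) from the encrypted locp alone; the same arithmetic, with the roles of the two servers reversed, underlies step 104 of the second embodiment. The grid-cell encoding, the demonstration primes and the sample coordinates are all assumptions constructed for the example.

```python
import math
import secrets

CELL_M = 100.0          # grid cell edge in metres (the 100x100 m example above)
M_PER_DEG = 111_320.0   # metres per degree of latitude (equirectangular approximation)

def cell_id(lat, lon):
    """Quantise lat/lon to the integer id of its 100 m grid cell (assumed encoding)."""
    row = int((lat + 90.0) * M_PER_DEG // CELL_M)
    # scale longitude by the row's southern edge so every point in a row agrees
    row_lat = row * CELL_M / M_PER_DEG - 90.0
    col = int((lon + 180.0) * M_PER_DEG * math.cos(math.radians(row_lat)) // CELL_M)
    return (row << 19) | col   # col < 2**19, so ids stay far below the modulus n

def keygen(p, q):
    """Textbook Paillier keys; the demo primes are constructed and far too small for real use."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (n, n + 1), (n, lam, pow(lam, -1, n))   # public (n, g), private (n, lambda, mu)

def encrypt(pk, m):
    n, g = pk
    r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def service_provider_response(pk, enc_locp, locc):
    """Step 48: from E(locp) and its own plaintext locc, compute E(r * (locp - locc))."""
    n, _ = pk
    nn = n * n
    enc_diff = enc_locp * pow(encrypt(pk, locc), -1, nn) % nn   # E(locp) * E(locc)^-1 = E(locp - locc)
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:      # r coprime to n: r * diff == 0 mod n only when diff == 0
        r = secrets.randbelow(n - 1) + 1
    return pow(enc_diff, r, nn)      # E(locp - locc)^r = E(r * (locp - locc)), the blinded answer

def same_cell(payment, cardholder, p=999_983, q=1_000_003):
    """Issuer side (steps 46, 52, 54): True iff both locations fall in one grid cell."""
    pk, sk = keygen(p, q)
    enc_locp = encrypt(pk, cell_id(*payment))      # step 46: only E(locp) leaves the issuer
    response = service_provider_response(pk, enc_locp, cell_id(*cardholder))
    return decrypt(sk, response) == 0              # steps 52/54: zero means "yes", anything else "no"
```

Because r is drawn coprime to n and every cell id is smaller than n, the decrypted value is zero exactly when the two cell ids coincide, and otherwise a value that reveals nothing about how far apart the cells are.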
While the processing described in
Referring now to
In step 86, the payment information is forwarded to the server 20 of the issuer bank 10 through the merchant bank. In step 88, using the payment information, the server 20 determines the payment location (locp). In step 90, based on the identification of the cardholder 12 in the payment information, the server 20 obtains information associated with the cardholder that it maintains in a database, which includes the number of the cardholder's mobile device 14. In step 92, the server 20 then computes a fraud risk score using known techniques (e.g., using payment velocity, proxy detection, profiling and related techniques). In step 94, it is determined if the fraud risk score is below a certain threshold (as may be determined by the issuer bank 10). If in step 94 the fraud risk score is below the predetermined threshold (meaning the issuing bank 10 believes there is little risk of the current transaction being fraudulent), then in step 96 the transaction is approved as non-fraudulent.
However, if in step 94 it is determined that the fraud risk score exceeds the threshold, then the server 20 will utilize the location information of the cardholder 12 to adjust the fraud risk score. In step 98, the server 20 uses PIR to encode the mobile number of the cardholder into a PIR query, which it forwards to the server 22 of the service provider 16. In step 100, the server 22 encodes a result containing the cardholder location (locc) using the received query in conjunction with its list of encrypted locations to determine the location of the user. In step 102, the server 22 returns the encoded result, i.e., an encryption of locc, back to the server 20 of the issuer bank 10. Note that because PIR is utilized, the service provider 16 does not learn any information about the mobile number included in the query or the corresponding encrypted cardholder location (locc) that was returned back to the issuer bank 10. In step 104, the server 20 of the issuer bank 10 uses the public key received from the service provider 16 to compute a response that is a homomorphically blinded encryption of the difference between the payment location (locp) and the cardholder location (locc), that is, response=E(r(locp−locc)), where r is a random non-zero integer. It does this without learning locc. In step 106, the server 20 sends the computed response to the server 22 of the service provider 16. In step 108, the server 22 decrypts the response using the private key to obtain a yes/no answer to the query of whether the payment location is the same as the cardholder location (as described above with respect to
While preferred embodiments of the invention have been described and illustrated above, it should be understood that these are exemplary of the invention and are not to be considered as limiting. Additions, deletions, substitutions, and other modifications can be made without departing from the spirit or scope of the present invention. Accordingly, the invention is not to be considered as limited by the foregoing description but is only limited by the scope of the appended claims.