Fraud & Identity Management

A recent Experian study reveals that tax filing, document collection and refund processing are done online more often, yet only 6% of consumers file taxes on a computer with up-to-date antivirus software. 79% filed their most recent tax return online, up from 73% in 2011 18% scan and save their tax documents electronically, up from 6% in 2011 More than 75% of respondents have used EFT for tax refunds As electronic filing continues to grow, identity theft is likely to increase. While consumers should take steps to protect themselves, businesses also need to employ identity theft protection solutions to safeguard consumer information. >> Identify and prevent fraud

Device emulators — wolves in sheep’s clothing Despite all the fraud prevention systems and resources in the public and private sectors, online fraud continues to grow at an alarming rate, offering a low-risk, high-reward proposition for fraudsters. Unfortunately, the Web houses a number of easily accessible tools that criminals can use to perpetrate fraud and avoid detection. The device emulator is one of these tools. Simply put, a device emulator is one device that pretends to be another. What began as innovative technology to enable easy site testing for Web developers quickly evolved into a universally available tool that attackers can exploit to wreak havoc across all industry verticals. While it’s not new technology, there has been a significant increase in its use by criminals to deceive simple device identification and automated risk-management solutions to carry out fraudulent activities. Suspected device emulation (or spoofing) traffic historically has been difficult to identify because fraud solutions rely heavily on reputation databases or negative lists. Detecting and defeating these criminals in sheep’s clothing is possible, however. Leveraging Experian’s collective fraud intelligence and data modeling expertise, our fraud research team has isolated several device attributes that can identify the presence of an emulator being used to submit multiple transactions. Thanks to these latest FraudNet rule sets, financial institutions, ecommerce merchants, airlines, insurers and government entities alike now can uncloak and protect against many of these cybercriminals. Unfortunately, device emulators are just one of many tools available to criminals on the Dark Web. Join me at Vision 2016, where U.S. Secret Service and I will share more tales from the Dark Web. We will explore the scale of the global cybercrime problem, walk through the anatomy of a typical hack, explain how hackers exploit browser plug-ins, and describe how enhanced device intelligence and visibility across all channels can stop fraudsters in their tracks. Listen to Mike Gross as he shares a short overview of his Vision 2016 breakout session in this short video. Don’t miss this innovative Vision 2016 session! See you there.

Identity management traditionally has been made up of creating rigid verification processes that are applied to any access scenario. But the market is evolving and requiring an enhanced Identity Relationship Management strategy and framework. Simply knowing who a person is at one point in time is not enough. The need exists to identify risks associated with the entire identity profile, including devices, and the context in which consumers interact with businesses, as well as to manage those risks throughout the consumer journey. The reasoning for this evolution in identity management is threefold: size and scope, flexible credentialing and adaptable verification. First, deploying a heavy identity and credentialing process across all access scenarios is unnecessarily costly for an organization. While stringent verification is necessary to protect highly sensitive information, it may not be cost-effective to protect less-valuable data with the same means. A user shouldn’t have to go through an extensive and, in some cases, invasive form of identity verification just to access basic information. Second, high-friction verification processes can impede users from accessing services. Consumers do not want to consistently answer multiple, intrusive questions in order to access basic information. Similarly, asking for personal information that already may have been compromised elsewhere limits the effectiveness of the process and the perceived strength in the protection. Finally, an inflexible verification process for all users will detract from a successful customer relationship. It is imperative to evolve your security interactions as confidence and routines are built. Otherwise, you risk severing trust and making your organization appear detached from consumer needs and preferences. This can be used across all types of organizations — from government agencies and online retailers to financial institutions. Identity Relationship Management has three unique functions delivered across the Customer Life Cycle: Identity proofing Authentication Identity management Join me at Vision 2016 for a deeper analysis of Identity Relationship Management and how clients can benefit from these new capabilities to manage risk throughout the Customer Life Cycle. I look forward to seeing you there!

Top states for billing and shipping e-commerce fraud With more than 13 million fraud victims in 2015, assessing where fraud occurs is an important layer of verification for e-commerce. Experian® analyzed millions of e-commerce transactions from 2015 to identify fraud attack rates across the United States. With the switch to chip-enabled credit card transactions and possible growth of card-not-present fraud, online businesses should utilize advanced fraud solutions to monitor their riskiest locations and prevent losses. >> View the Experian map to see 2015 e-commerce attack rates for all states  

Proven identity and device authentication to minimize identity tax return fraud Identity fraud places an enormous burden on its victims and presents a challenge to businesses, organizations and government agencies, including the IRS and all state revenue authorities. Tax return fraud occurs when an attacker uses a consumer’s stolen Social Security number and other personal information to file a tax return, often claiming a significant refund. The IRS is challenged by innovative fraudsters continually trying to outsmart its current risk strategies around prevention, detection, recovery and victim assistance. And with the ever-increasing number of identity data compromised and tax return fraud victims, it’s necessary to question whether tax preparation companies are doing all they can to keep personally identifiable information (PII) secure and screen for fraud before forms are submitted. “ID theft isn’t just credit card fraud,” said Rod Griffin, Director of Public Education for Experian. A recent Experian online survey indicated that nearly 76 percent of consumers are familiar with ID theft and tax fraud — up significantly from the past two years. And 28 percent of those surveyed have been a victim or know a victim of tax fraud. To protect all parties’ interests, tax preparation agencies are challenged by today’s savvy fraudsters who have reaped the benefits of recent breaches. In order to protect consumers, organizations need to apply comprehensive, data-driven intelligence to help thwart identity fraud and the use of stolen identity data via fraudulent returns. The key to securing transactions, reducing friction and providing a consistently satisfying customer experience, online and offline, is authenticating consumers in a clear and frictionless environment. As a result, it’s necessary to have reliable customer intelligence based on both high-quality contextual identity and device attributes alongside other authentication performance data. Comprehensive customer intelligence means having a holistic, bound-together view of devices and identities that equips companies and agencies with the tools to balance cost and risk without increasing transactional friction. Businesses and agencies must not rely on a singular point of customer intelligence gathering and decisioning, but must move to more complex device identification and out-of-wallet verification procedures. Effective solutions typically involve a layered approach with several of the following: Identity transaction link analysis and risk attribute derivation Device intelligence and risk assessment Credit and noncredit data and risk attributes Multifactor authentication, using one-time passcodes via SMS messaging Identity risk scores Dynamic knowledge-based authentication questions Traditional PII validation and verification Biometrics and remote document verification Out-of-band alerts, communications and confirmations Contextual account, transaction and channel purview Additionally, government agencies must adhere to recognized standards, such as those prescribed by the National Institute of Standards and Technology to establish compliance. The persistent threat of tax fraud highlights the urgent need for businesses and agencies to continue educating consumers and more importantly, to improve the strategic effectiveness of their current solutions processes. Learn more about Experian Fraud and Identity Solutions, including government-specific treatments, and how the most effective fraud prevention and identity authentication strategy leverages multiple detection capabilities to highlight attackers while enabling a seamless, positive experience for legitimate consumers.

2015 data shows where billing and shipping e-commerce fraud attacks occur in the United States Experian e-commerce fraud attacks and rankings now available Does knowing where fraud takes place matter? With more than 13 million fraud victims in 2015,[1] assessing where fraud occurs is an important layer of verification when performing real-time risk assessments for e-commerce. Experian® analyzed millions of e-commerce transactions from 2015 data to identify fraud-attack rates across the United States for both shipping and billing locations. View the Experian map to see 2015 e-commerce attack rates for all states and download the top 100 ZIP CodeTMrankings. “Fraud follows the path of least resistance. With more shipping and billing options available to create a better customer experience, criminals attempt to exploit any added convenience,” said Adam Fingersh, Experian general manager and senior vice president of Fraud & Identity Solutions. “E-commerce fraud is not confined to larger cities since fraudsters can ship items anywhere. With the switch to chip enabled credit card transactions, and possible growth of card-not-present fraud, our fraud solutions help online businesses monitor their riskiest locations to prevent losses both in dollars and reputation in the near term.” For ease of interpretation, billing states are associated with fraud victims (the address of the purchaser) and shipping states are associated with fraudsters (the address where purchased goods are sent). According to the 2015 e-commerce attack rate data: Florida is the overall riskiest state for billing fraud, followed by Delaware; Washington, D.C.; Oregon and California. Delaware is the overall riskiest state for shipping fraud, followed by Oregon, Florida, California and Nevada. Eudora, Kan., has the overall riskiest billing ZIP Code (66025). The next two riskiest ZIPTM codes are located in Miami, Fla. (33178) and Boston, Mass. (02210). South El Monte, Calif., has the overall riskiest shipping ZIP Code (91733). The next four riskiest shipping ZIP codes are all located in Miami. Overall, five of the top 10 riskiest shipping ZIP codes are located in Miami. Defiance, Ohio, has the least risky shipping ZIP Code (43512). The majority of U.S. states are at or below the average attack rate threshold for both shipping and billing fraud, with only seven states — Florida, Oregon, Delaware, California, New York, Georgia and Nevada — and Puerto Rico ranking higher than average. This indicates that attackers are targeting consumers equally in the higher-risk states while leveraging addresses from both higher- and lower-risk states to ship and receive fraudulent merchandise. Many of the higher-risk states are located near a large port-of-entry city, including Miami; Portland, Ore.; and Washington, D.C., perhaps allowing criminals to move stolen goods more effectively. All three cities are ranked among the riskiest cities for both measures of fraud attacks. Neighboring proximity to higher-risk states does not appear to correlate to any additional risk — Pennsylvania and Rhode Island are ranked as two of the lower-risk states for both shipping and billing fraud. Other lower-risk states include Wyoming, South Dakota and West Virginia. Experian analyzed millions of e-commerce transactions to calculate the e-commerce attack rates using “bad transactions” in relation to the total number of transactions for the 2015 calendar year.   View the Experian map to see 2015 e-commerce attack rates for all states and download the top 100 ZIP Code rankings.       [1]According to the February 2016 Javelin study 2016 Identity Fraud: Fraud Hits an Inflection Point.

Loyalty fraud and the customer experience Criminals continue to amaze me. Not surprise me, but amaze me with their ingenuity. I previously wrote about fraudsters’ primary targets being those where they easily can convert credentials to cash. Since then, a large U.S. retailer’s rewards program was attacked – bilking money from the business and causing consumers confusion and extra work. This attack was a new spin on loyalty fraud. It is yet another example of the impact of not “thinking like a fraudster” when developing a program and process, which a fraudster can exploit. As it embarks on new projects, every organization should consider how it can be exploited by criminals. Too often, the focus is on the customer experience (CX) alone, and many organizations will tolerate fraud losses to improve the CX. In fact, some organization build fraud losses into their budgets and price products accordingly — effectively passing the cost of fraud onto the consumers. Let’s look into how this type of loyalty fraud works. The criminal obtains your login credentials (either through breach, malware, phishing, brute force, etc.) and uses the existing customer profile to purchase goods using the payment method on file for the account. In this type of attack, the motivation isn’t to receive physical goods; instead, it’s to accumulate rewards points — which can then be used or sold. The points (or any other form of digital currency) are instant — on demand, if you will — and much easier to fence. Once the points are credited to the account, the criminal cashes them out either by selling them online to unsuspecting buyers or by walking into a store, purchasing goods and walking right out after paying with the digital currency. A quick check of some underground forums validates the theory that fraudsters are selling retailer points online for a reduced rate — up to 70 percent off. Please don’t be tempted to buy these! The money you spend will no doubt end up doing harm, one way or another. Now, back to the customer experience. Does having lax controls really represent a good customer experience? Is building fraud losses into the cost of your products fair to your customers? The people whose accounts have been hacked most likely are some of your best customers. They now have to deal with returning merchandise they didn’t purchase, making calls to rectify the situation, having their personally identifiable information further compromised and having to pay for the loss. All in all, not a great customer experience. All businesses have a fiduciary responsibility to protect customer data with which they have been entrusted — even if the consumer is a victim of malware, phishing or password reuse. What are you doing to protect your customers? Simple authentication technologies, while nice for the CX, easily can fail if the criminal has access to the login credentials. And fraud is not a single event. There are patterns and surveillance activities that can help to detect fraud at every phase of your loyalty program — from new account opening to account logins and updates to transactions that involve the purchase of goods or the movement of currency. As fraudsters continue to evolve and look for the least-protected targets, loyalty programs have come to the forefront of the battleground. Take the time to understand your vulnerability and how you can be attacked. Then take the necessary steps to protect your most profitable customers — your loyalty program members. If you want to learn more, join us MRC Vegas 16 for our session “Loyalty Fraud; It’s Brand Protection, Not Just Loss Prevention” and hear our industry experts discuss loyalty fraud, why it’s lucrative, and what organizations can do to protect their brand from this grey-area type of fraud.

Compliance definitions LOA, CIP, FACTA, KYC — These acronyms seem endless, and navigating compliance can be both confusing and a painful drain on resources. How do you know the best approach for your institution? Should you look at regulations for Know Your Customer (KYC) or the Customer Identification Program (CIP)? What about the levels of assurance (LOAs) or the Fair and Accurate Credit Transactions Act (FACTA) Red Flags Rule? Does the USA PATRIOT Act affect your industry? The myriad guidelines, rules and mandates surrounding fraud compliance are changing the way organizations do business. Let’s start with some brief definitions. CIP/KYC The Customer Identification Program requires banks to form a reasonable belief that they know the true identity of each customer. The CIP must include procedures that specify the identifying information that will be obtained from each customer, along with reasonable and practical risk-based procedures for verifying each customer’s identity. The Know Your Customer provision is a financial regulatory rule mandated by the Bank Secrecy Act and the USA PATRIOT Act. These guidelines focus on prevention of money laundering and the use of financial institutions to finance terrorist activities. This process has three stages: the CIP, customer due diligence (CDD) and enhanced due diligence (EDD). The last two stages address customer risk from an anti–money laundering perspective. LOA/FACTA (Red Flags Rule) Levels of assurance regarding identity focus on the extent to which electronic authentication may be used to verify that the individual identified in the input data truly is the same person engaging in the electronic transaction. This can be a daunting task — even the National Institute of Standards and Technology acknowledges that electronic authentication of individual people is a technical challenge when performed remotely over an open network. To choose the level of assurance that works within your company structure, you must determine what is needed to maintain the internal compliance and risk thresholds for each business requirement. LOAs are based on two categories: trustworthiness of the identity-proofing process and trustworthiness of the credential-management function (which includes technology and implementation/management). There are four LOA levels: Minimal Assurance Moderate Assurance Substantial Assurance High Assurance The FACTA Red Flags Rule requires institutions to establish a program that identifies ecommerce “red flags.” This program should consist of a pattern, practice or specific activity that indicates the possible existence of identity theft applicable to account-opening activities, existing account maintenance and new activity on accounts that have been inactive for two years or more. Don’t be discouraged In this world of compliance regulations that read like alphabet soup, we understand the challenges of meeting regulations while providing a frictionless customer experience. When an organization strikes the perfect balance between compliance and customer service, it has a competitive advantage that can lead to additional revenue opportunities (e.g., profitably acquiring new customers, detecting fraud and reducing charge-offs, minimizing operational costs, and improving operational efficiencies). To achieve this, businesses need cost-effective, flexible tools that allow them to meet current and future guidelines, manage risk and ultimately authenticate as many true customers as possible — all while segmenting out only the real fraudsters and noncompliant identities. You can be assured that new regulations will come, existing regulations will be redefined and communications on how to comply will be difficult to interpret. To find out more about compliance, click here.

A recent Experian survey shows a growing concern over identity theft and tax fraud. 42% of consumers are concerned that someone could access their personal data through their tax return, compared with 35% in 2014 and 38% in 2015 28% of consumers have been a victim or know someone who has been a victim of tax fraud Tax season is a busy time of year for identity thieves. While consumers should take steps to protect themselves, businesses also need to employ ID theft protection solutions in order to safeguard consumer information. >> Identify and prevent multiple types of fraud

What is blockchain? Blockchain is beginning to get a lot of attention, so I thought it might be time to figure out what it is and what it means. Basically, a blockchain is a permissionless, distributed database that maintains a growing list of records (transactions) in a linear, chronological (and time-stamped) ledger. At a high level, this is how it works. Each computer connected to the network gets a copy of the entire blockchain and performs the task of validating and relaying transactions for the whole chain. The batches of valid transactions added to the record are called “blocks.” A block is the “current” part of a blockchain that records some or all of the recent transactions and once completed goes into the blockchain as a permanent database. Each time a block gets completed, a new block is created, with every block containing a hash of the previous block. There are countless numbers of blocks in the blockchain. To use a conventional banking analogy, the blocks would be a full history of every banking transaction for every person, and the blockchain would be a complete banking history. The entire blockchain is sent to everyone who has access, and every user validates the information in the block. It’s like if Tom, Bob and Harry were standing on the street corner and saw a cyclist hit by a car. Individually, all three men will be asked if the cyclist was struck by the car, and all three will respond “yes.” The cyclist being hit by the car becomes part of the blockchain, and that fact cannot be altered. Blockchain generally is used in the context of bitcoin, where similar uses of the structure are called altchains. Why should I care or, at the very least, pay attention to this movement? Because the idea of it is inching toward the tipping point of mainstream. I recently read an article that identified some blockchain trends that could shape the industry in coming months. The ones I found most interesting were: Blockchain apps will be released Interest in use cases outside payments will pick up Consortia will prove to be important Venture capital money will flow to blockchain start-ups While it’s true that much of the hype around blockchain is coming from people with a vested interest, it is beginning to generate more generalized market buzz as its proponents emphasize how it can reduce risk, improve efficiency and ultimately provide better customer service. Let’s face it, the ability to maintain secure, fast and accurate calculations could revolutionize the banking and investment industries, as well as ecommerce. In fact, 11 major banks recently completed a private blockchain test, exchanging multiple tokens among offices in North America, Europe and Asia over five days. (You can read The Wall Street Journal article here.) As more transactions and data are stored in blockchain or altchain, greater possibilities open up. It’s these possibilities that have several tech companies, like IBM, as well as financial institutions creating what has become known as an open ledger initiative to use the blockchain model in the development of new technologies that will enable a wider array of services. There is no doubt that the concept is intriguing — so much so that even the SEC has approved a plan to issue stock via blockchain. (You can read the Wired article here.) The potential is enough to make many folks giddy. The idea that risk could become a thing of the past because of the blockchain’s immutable historical record — wow. It’s good to be aware and keep an eye on the open ledger initiative, but let’s not forget history, which has taught us that (in the wise words of Craig Newmark), “Crooks are early adopters.” Since blockchain’s original and primary usage has been with bitcoin, I don’t think it is unfair to say that there will be some perceptions to overcome — like the association of bitcoin to activities on the Dark Web such as money laundering, drug-related transactions and funding illegal activities. Until we start to see the application across mainstream use cases, we won’t know how secure blockchain is or how open business and consumers will be to embracing it. In the meantime, remind me again, how long has it taken to get to a point of practical application and more widespread use of biometrics? To learn more, click here to read the original article.  

According to a recent Experian Marketing Services study, 36% of companies interact with customers in five or more channels.

Ensure you’re protecting consumer data privacy Data Privacy Day is a good reminder for consumers to take steps to protect their privacy online — and an ideal time for organizations to ensure that they are remaining vigilant in their fight against fraud. According to a new study from Experian Consumer Services, 93 percent of survey respondents feel identity theft is a growing problem, while 91 percent believe that people should be more concerned about the issue. Online activities that generate the most concern include making an online purchase (73 percent), using public Wi-Fi (69 percent) and accessing online accounts (69 percent). Consumers are vigilant while online Most respondents are concerned they will fall victim to identity theft in the future (71 percent), resulting in a generally proactive approach to protecting personal information. In fact, almost 50 percent of respondents say they are taking more precautions compared with last year. Ninety-one percent take steps to secure physical information, such as shredding documents, while also securing digital information (using passwords and antivirus software). Many consumers also make sure to check their credit report (33 percent) and bank account statements (76 percent) at least once per month. There’s still room for consumers to be safer Though many consumers are practicing good security habits, some aren’t: More than 50 percent do not check to see if a Website is secure Fifty percent do not have all their Web-enabled devices password-protected because it is a hassle to enter a password (30 percent) or they do not feel it is necessary (25 percent) Fifty-five percent do not close the Web browser when they are finished using an online account Additionally, 15 percent keep a written record of passwords and PINs in their purse or wallet or on a mobile device or computer Businesses need to be responsible when it comes data privacy  Customer-facing businesses must continue efforts to educate consumers about their role in breach and fraud prevention. They also need to be responsible and apply comprehensive, data-driven intelligence that helps thwart both breaches and the malicious use of breached information and protect all parties’ interests. Nearly 70 percent of those polled in a 2015 Experian–Ponemon Institute study said that the increased visibility and media reporting of breaches, including payment-related incidents, have caused their organizations to step up data security efforts. Experian Fraud & ID is uniquely positioned to provide true customer intelligence by combining identity authentication with device assessment and monitoring from a single integrated provider. This combination provides the only true holistic view of the customer and allows organizations to both know and recognize customers and to provide them with the best possible experience. By associating the identities and the devices used to access services, the true identity can be seen across the customer journey. This unique and integrated view of identity and device delivers proven superior performance in authentication, fraud risk segmentation and decisioning. For more insights into how businesses are responding to breach activities, download our recent white paper, Data confidence realized: Leveraging customer intelligence in the age of mass data compromise. For more findings from the study, view the results here.

It may seem like April is far away, but tax season in fact launches next Tuesday, January 19. And whether you’re a business or an individual, you’ll want to know if you’re eligible for any tax benefits. Thanks to a recent announcement from the Internal Revenue Service (IRS), identity theft protection will now be considered a non-taxable benefit – a nod to the rising importance of the service for all consumers in today’s security landscape. The IRS will treat identity theft protection as a non-taxable, non-reportable benefit—for any employee or company, regardless of whether they’ve experienced a data breach, or whether the identity theft protection is provided by an employer to employees or by a business to its customers. Previously, only employees or customers who were in the aftermath of a data breach could treat identity theft monitoring as a non-taxable event. But after that announcement just four months ago, several businesses suggested a data breach was not a remote risk, but rather, “inevitable.” What does this mean for companies? They can now deduct any cost of offering identity theft protection to their employees or customers. The IRS defines identity theft protection services as: Credit report and monitoring services Identity theft insurance policies Identity restoration services Other similar services It’s important to note that these don’t need to be reported on either W-2 or 1099-MISC forms. However, this new policy won’t apply to cash given to employees or customers in place of identity protection services. Perhaps the change in defining what qualifies was spurred by the IRS’s need to provide identity theft protection last summer, as its online database of past-filed returns and other documents was hacked. That breach affected over 300,000 individuals. Whatever the reason, the announcement means this is a perfect time to sign up for identity theft monitoring services. You can do so through an employer or directly with a retailer. Particularly for individuals, the ability to receive tax benefits while knowing your personally identifiable information is safe and secure is a great feeling. For existing subscribers, upgrading to premium services may now be a more viable option. Does your company offer identity theft protection and monitoring as an employee benefit? If not, would this announcement change their minds? Visit our website for more information on identity protection products you can offer your customers. Learn more

Looking at true fraud rate I’ve talked with many companies over the years about their fraud problems. Most have a genuine desire to operate under the fraud prevention model and eliminate all possible fraud from their systems. The impact on profit is often the primary motivation for implementing solutions, but in reality most companies employ a fraud management schema, offsetting the cost of fraud with the cost of managing it. There are numerous write-ups and studies on the true cost of fraud. What most people don’t realize is that, for each item lost to fraud, a business operating on 10 percent net profit margins will need to sell 10 times the amount of product in order to recover the expense associated with the loss. These hard costs don’t include the soft dollar costs, such as increased call center expenses to handle customer calls. Recently, some organizations have started to add reputational risk into their cost-of-fraud equation. With the proliferation of social media, a few unhappy customers who have been victims of fraud easily can impact an organization’s reputation. This is an emerging fuzzy cost that eventually can be tied back to lost revenue or a drop in share price. Most companies say with pride that their acceptable fraud rate is zero. But when it comes time to choose a partner in fraud detection, it almost always comes down to return on investment. How much fraud can be stopped — and at what price? More informed organizations take all operational expenses and metrics into consideration, but many look at vendor price as the only cost. It’s at this point that they start to increase their acceptable fraud rate. In other words, if — hypothetically — Vendor A can stop only 80 percent of the fraud compared with Vendor B, but Vendor A costs less than 80 percent of what Vendor B costs, they’ll choose Vendor A. All of a sudden, their acceptable fraud rate is no longer zero. This method of decision making is like saying we’ll turn off the security cameras for 20 percent of the day because we can save money on electricity. On the surface, I understand. You have to be accountable to the shareholders. You have to spend and invest responsibly. Everyone is under pressure to perform financially. How many executives, however, take the time to see where those lost dollars end up? If they knew where the money went, would they change their view? We must be vigilant and keep our acceptable fraud rate at zero.

Payments and the Internet of things has been colliding for a while now – and it surfaced again recently with Mastercard announcing that it is working with an array of partners including Capital One to launch payments in connected devices. The thinking here seems to be that payments is a function in the Marlow’s pyramid of needs for any new consumer device. I am conflicted on this point – not that I don’t believe the Internet of Things isn’t important, but that we may be overthinking in how payments is important to be shoved inside everything that has a radio baked in. And not everything will have a radio in the future, and the role of a smartphone as the center of the connected device commerce universe isn’t going away. It is important to keep perspective here – as this announcement is less about coat sleeves hiding NFC chips with tokenized credit cards – rather it’s the commerce enablement of devices that we may carry on our person so that they can be armed for payment. Though I may disagree on whether a coat sleeve or jewelry are essential end-points in commerce, a platform of capabilities to challenge, authenticate and verify, and ultimately trust and provision a tokenized representation of something, whether its a card or a fragment of a consumer's identity, to a device that itself represents a collection of radios and sensors is very exciting. It is exciting because as device counts and assortments grow, they each have their own residual identity as a combination of things and behaviors that are either deterministic or probabilistic. The biggest shift we will see is that the collective device identities can be a far better and complete representation of customer identity that the latter will be replaced by the former. Name-centric identities will give away to algorithmically arrived ones. As Dan Geer puts it, no longer will I need to announce that I am Cherian, but my collection of devices will indeed do so on my behalf, perhaps in consultation with each other. More over, none of these devices need to replicate my identity in order to be trusted and tethered, either. Coming back to Payments, today my Fitbit’s claim to make a successful payment is validated way before the transaction, when I authorized provisioning by authenticating through a bank app or wallet. What would be interesting is when the reverse becomes true – when these class of devices that I own can together or separately vouch for my identity. We may forget usernames and passwords, fingerprints may prove to be irrevocable and rigid, but we will always be surrounded by a fog of devices that each carry a cryptographically unique and verifiable signature. And it will be up to the smartphone, its ecosystem and the devices that operate in its periphery to individually negotiate and establish trust among each of them. So this is why I believe the MasterCard effort in tokenizing devices is important when you view it in conjunction with the recent launch of SwiftID from CapitalOne. Payments getting shoved in to everyday things like wearables, disguises the more important effort of becoming a beachhead in establishing trust between devices, by using tokenization as the method of delivery. As you may have gathered by now, I am less excited of pushing cards in to devices (least of all – cars!) and more about how a trusted framework to carve out a tamper proof and secure cache within an untrusted device, along with the process to securely provision a token or a signed hash representing something of value, can serve as the foundation for future device – and by extension – user identity. On a side note, here’s a bit about pushing cards in to cars, and mistaking them for connected cars. To me there are only two connected car classes today. One is Tesla where each car on the road is part of the whole, each learning separately and together as they examine, encounter and learn the world around them to maneuver safely. The other is a button in an app that I hit to have a car magically appear in front of me. Other than Tesla and Uber, there are no other commercial instances of a connected car that appeals (Google has no cars you can buy, yet).