Friday, November 28, 2014

The computer says no - algorithmic auto-dialer credit card security?

An acquaintance was telling me they had their credit card refused recently when attempting to purchase a couple of items online.

Minutes later the phone rang. Luckily enough they were at home to receive the call. It was an automated dialer claiming to be from the bank that the credit card was issued by. The automated voice asked if they were the holder of the credit card.

They were the joint holder of the card but the auto-dialer was asking if they specifically were the other card holder...

If yes press 1, if no press... you get the picture.

No was pressed, call ended, card continued to be blocked.

Later in the evening the auto-dialer tried again. This time the other joint cardholder happened to be the one at home and answered the phone.

Are you Jo Soap? If yes press 1, if no...

Jo pressed 1.

On it went with verification questions -

  • Here's three years, we'd like you to pick the one you were born in
  • Enter the day and month of your birth
  • Confirm whether the following transactions or attempted transactions were at your instigation

There followed, in quick succession, details of 4 transactions using the credit card in the previous couple of weeks which they were asked to verify or disown. My acquaintance's partner verified and got an automated message to say the card would now be unblocked and could be used again.

Now I don't know about you but I have very little recollection of my precise credit card transactions of the past couple of weeks. There have been some fuel purchases but I couldn't tell you exactly how much - somewhere in the £50 to £60 ballpark. Anything online? When did I get that obscure maths book via Amazon? What about the trip to the dentist? Months ago surely? Christmas presents - not organised enough for that? Don't recall exactly?

At no point did Jo speak to a real person. The machine made the decision. What would have happened if s/he had not been able or prepared to verify the listed items, who knows, other than having the block on the card continue and the need to get into telephone tag hell with the credit card company, through one or other of their "help"-lines.

Can credit card or security folks familiar with current practices tell me if this is for real?

What happens, particularly at this busy time of the year, if someone under pressure on the phone cannot instantly remember or confirm the precise details of recent purchasing or attempted purchasing transactions?


What happens if the card is jointly held by two card holders and the person automatically dialed is not the card holder whose transactions are being doubted?

What happens if unbeknownst to one partner, another is arranging a surprise purchase?

What happens if one partner is overseas and has their card blocked and the one home alone is not allowed to verify and can't reasonably be expected to instantly verify attempted transactions?

What happens if the person automatically dialed doesn't recollect the full details of recent credit card transactions sufficiently confidently to verify the list the auto-dialer requires an instant response to?

Well in all these circumstances the card will inevitably be blocked and the card holder gets to experience pariah-hood, inconvenience, stress and embarrassment.

All because an algorithm didn't like the look of that transaction they were innocently attempting to expedite and treated them like a criminal.

Incidentally on the other end of the scale, what happens if in the thick of the pressure of this, er, security check, the card holder confirms/verifies a purchase on which there was an overcharging error by the retailer?

I'd guess the credit card company would highlight the cardholder's mistake in refusing and responsibility if the error was later noticed...

So, Dear Mr credit card company,

If you'd like to do a security check that's fine. But running it via autonomous algorithms and auto-dialers absolutely does not cut it.

Signals and algorithmic intelligence are all very fine and dandy, really useful indeed if appropriately deployed when it comes to security. However, when it comes to people there is no match for caring human intelligence.
