Facebook Posts Help Credit Bureaus Sniff Out Fraudsters
Credit bureaus and payment companies are testing ways to use social media -- say, a Facebook Inc. (FB) post about a recently purchased Corvette -- to verify a person’s identity and even assess consumer creditworthiness.
Equifax Inc. (EFX), EBay Inc. (EBAY)’s PayPal and Intuit Inc. (INTU) have begun trials to see whether social posts can help prove identities, and, in some cases, detect whether customers are lying about their finances.
Users of Facebook, Pinterest Inc. and Twitter Inc. share personal details every day through public postings, status updates and location check-ins. That information is proving useful in validating identity, evaluating whether to make a loan and sniffing out fraud that cost U.S. online retailers $3.5 billion last year, according to CyberSource Corp. EBay set aside $580 million, or 4.1 percent of net revenue, to cover transaction and loan losses last year.
“We are investing a lot in how can we use unstructured data that is sitting out there in social media that can help us understand a little more about identity,” Rajib Roy, president of Equifax Identity and Fraud Solutions, said in an interview.
While the companies can only access public information or what people choose to share, a great deal is readily accessible. Many young people allow the public to see certain parts of their Facebook profiles, as well as accounts on Twitter and LinkedIn Corp. Consumers also leave traces of themselves on blog posts, Yelp Inc. (YELP) reviews and online forums.
Public data can include photo tags, local check-ins, and a person’s network of friends on Facebook. Credit bureaus such as Equifax and Experian Plc (EXPN), and payment-processing companies such as Intuit, Braintree Payment Solutions LLC and WePay Inc., are all in the early stages of using social media more often to verify that merchants and consumers are who they claim to be.
As Internet purchases rise -- U.S. e-commerce revenue increased 15 percent in the first quarter from a year earlier, according to the U.S. Department of Commerce -- more would-be thieves are trying to find ways to intercept transactions facilitated by online payment providers, steal information transmitted in the process, or dupe buyers into sending money to phony companies.
Social media has helped detect red flags. If a business claims to be a hairdresser in Pittsburgh, for example, WePay can match the phone number from its application to the one listed on Yelp, see consumer reviews, and check that the business’s e-mail matches the one it uses on its Twitter account. WePay can also look at the length of time the business has had a presence on Yelp, Twitter and Facebook to verify its legitimacy.
Suspicious activity can take the form of a person who claims to own a run-of-the-mill business, yet whose transactions might indicate something is awry. That could mean a housekeeper in San Francisco who receives electronic payments from people with IP addresses in Barbados, New York and Nicaragua, said WePay Chief Executive Officer Bill Clerico.
While scouring the Web can help companies combat scams, it can heighten concerns among consumers and privacy advocates who say social-media sites don’t do enough to protect users’ data. The U.S. Consumer Financial Protection Bureau and Federal Trade Commission have started examining how debt collectors use Facebook and Twitter to contact potential debtors.
“I think consumers have consistently traded information for convenience,” Bill Ready, CEO of Braintree, said in an interview. “When you start using it to lend and extend credit, that’s where you start getting into privacy concerns.”
That hasn’t stopped companies from sifting through the swelling reams of publicly available information -- from searching for e-mail addresses on Google Inc. to reading through LexisNexis and other databases that compile evidence of consumers’ online presences.
Facebook and LinkedIn provide software tools that let companies automatically import information from profiles on the social networks, with users’ permission -- something that consumers are allowing more often, opting for the ease of signing into a website through Facebook, for instance, instead of filling out a separate form.
Intuit, the largest seller of personal-finance software and a provider of payments systems, has begun using LinkedIn to help verify the identities of users, whose profiles on the professional-networking site list detailed descriptions of employment history and often include endorsements and recommendations from colleagues.
“There’s definitely enough meat on the bone there,” said Ken Miller, vice president of strategic risk at Intuit, who was also an early employee of PayPal and helped develop that company’s fraud and risk engine.
Even grammar can indicate something about users, he said, recalling a friend request he received on Facebook from someone who tried to pass himself off as a young American, yet used language that suggested “it’s someone who’s definitely around eastern Europe or Russia,” he said. “There are certainly algorithms you can build around that.”
Creditworthiness is another area of experimentation. Equifax is teaming up with governments, both state and federal, to help detect whether citizens who are receiving benefits are truly eligible. The bureau must verify identity, state of residence, whether a criminal history exists and income level, an area where Roy says social media has potential.
Consumers may share photos of new cars they’ve purchased on Facebook, check in on expensive flights and post pictures of items they own on Pinterest, all data that may show if a person is being truthful about disposable income, he said.
One problem is that there’s little to stop fraudsters from creating fake social-media profiles and fooling the companies monitoring the data. On Fiverr, a marketplace where people can sell online services for $5, one user is offering to add 50 friends to any Facebook account in 24 hours.
Enter startups such as Trulioo, which is helping companies mine social data to verify customer information and identity. A real, connected online social presence takes years to build, according to Trulioo founder and CEO Stephen Ufford. Among other sources, Trulioo analyzes data available from the Common Crawl Foundation, a cache of all publicly available Internet information dating back to 2008.
There are ways to distinguish real from manufactured profiles, Ufford said. The average social-network user is tagged by others in photographs more than 70 times a year, and members’ friends are almost always connected to one another. Diagnostics of photo albums -- whether a profile is filled with stock photos, for example -- also may eventually help detect a profile’s validity.
“Facebook has always made it so you have to be a real person, so start with that as a base,” said Braintree’s Ready. “All the richness about the things people do -- that’s hard to recreate. If you have hundreds of friends on Facebook that have existed for many years, fraudsters would have had to start many years ago and collaborate with hundreds of people.”
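As an added illustration (not code from Trulioo, Braintree or any company named in the article), the signals Ufford and Ready describe can be written as checks over a profile's friend graph, tag count and account age. The field names, sample profiles and thresholds are assumptions constructed for this example; the article supplies only the figure of more than 70 tags a year for an average user.

```python
# Illustrative thresholds (assumptions, not from the article). The article's
# "more than 70 tags a year" is an average, so the cutoff sits well below it.
MIN_FRIEND_DENSITY = 0.10   # share of friend pairs who also know each other
MIN_TAGS_PER_YEAR = 10      # photo tags made by other people in the last year
MIN_ACCOUNT_AGE_YEARS = 1.0

def ego_density(friends, friendships):
    """Fraction of possible friend-to-friend links that actually exist."""
    friends = set(friends)
    n = len(friends)
    if n < 2:
        return 0.0
    # Keep each undirected link once; ignore self-links and links to outsiders.
    linked = {frozenset(pair) for pair in friendships
              if len(set(pair)) == 2 and set(pair) <= friends}
    return len(linked) / (n * (n - 1) / 2)

def review_flags(profile):
    """Return the reasons a profile deserves manual review (empty if none)."""
    flags = []
    if ego_density(profile["friends"], profile["friendships"]) < MIN_FRIEND_DENSITY:
        flags.append("friends_not_interconnected")
    if profile["tags_by_others_last_year"] < MIN_TAGS_PER_YEAR:
        flags.append("rarely_tagged_by_others")
    if profile["account_age_years"] < MIN_ACCOUNT_AGE_YEARS:
        flags.append("short_history")
    return flags

# Constructed sample: a long-lived profile whose friends know one another.
ORGANIC = {
    "friends": ["ana", "ben", "cy", "dee", "eli"],
    "friendships": [("ana", "ben"), ("ana", "cy"), ("ben", "cy"),
                    ("cy", "dee"), ("dee", "eli"), ("ben", "dee")],
    "tags_by_others_last_year": 72,
    "account_age_years": 6.5,
}

# Constructed sample: 50 friends added in bulk who are strangers to each other.
MANUFACTURED = {
    "friends": [f"bulk{i}" for i in range(50)],
    "friendships": [("bulk0", "bulk1")],
    "tags_by_others_last_year": 0,
    "account_age_years": 0.1,
}

if __name__ == "__main__":
    for name, profile in (("organic", ORGANIC), ("manufactured", MANUFACTURED)):
        print(name, review_flags(profile))
```

The flags are review prompts rather than verdicts: a new but genuine user would trip the same checks, which is why the article's sources treat social data as one input among several.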
Another question is the trustworthiness of data originated by consumers themselves. Credit bureaus refer to social-media posts and photos as self-efforted data, or information voluntarily provided by the consumer, which can be inferior to data gathered from banks and phone companies. The problem with the user-provided information is the same as it was in 1999, when chat rooms were filled with purported 21-year-olds who were actually 12.
Even so, most people have robust and mostly accurate online presences, a plethora of information that’s available to enrich data submitted by financial institutions, Equifax’s Roy said. That’s often enough to assist the credit bureaus in spotting potential warning signs.
“If your Facebook shows this morning you posted in Richmond, Virginia, and at the same time, another person with the same name, same boarding pass checked in at some other airport outside the country, something is wrong,” he said.
To contact the editor responsible for this story: Tom Giles at firstname.lastname@example.org