November 12, 2016

What would be some of the best ways to prevent credit card fraud on real-time transactions, like those seen in a system like Uber?


TL;DR: To prevent payment fraud on services like Uber, we regard data collection (cross-sectional and longitudinal through a data-hub), data verification (as part of a multi-layered risk reduction strategy), and fast response as three essential levers.

Addressing payment fraud for services like Uber depends on many things, such as the size of your service, the level of trust in the demand and offer sides, your markup for each use of the service, and your distribution channels.

Assuming that the service processes micro-payments in the range of $5–20, you have enough history to derive meaningful trends (e.g., >>1 million), you charge about 15–30% per service use, and your service is distributed via an app on the Apple App Store and the Google Play Store, there are at least three mechanisms: data collection, data verification, and reaction to threats.

Collecting User Data. First, the goal is to collect cross-sectional and longitudinal data about your clients. Cross-sectional data doesn’t change over time, e.g., first name, last name, date of birth, login subscribe date, signup device, etc. On the other hand, longitudinal data refers to time series that measure, e.g., the amount spent on the service, user profile changes, or user’s logins. The data collection, processing, and storage mechanisms for each data type differ significantly, which is why it is important to differentiate them.

For Uber, the signup process requires the user to provide her account credentials (email, password), account details (first name, last name, mobile phone number, language), and a payment method (credit card number, CCV, month, year, zip code). Additional data is logged automatically, e.g., IP address (and its geolocation), timestamps, type of browser (if the signup occurs from a desktop), and phone characteristics (if the signup occurs from a mobile device). Notably, Uber relies on geolocation for its service; that information is provided while the app is in the foreground and when it is in the background. Finally, Uber uses a data hub to centralize the data streams and make them accessible to all departments.

Verifying the Data. To make sure the email address and mobile phone number are correct, Uber sends emails with a verification link and SMS messages with a code. Although these steps are very common today, they allow the service to collect additional information about the client. This matters because possible inconsistencies during the signup process may contribute to the risk of payment fraud.

Uber has also gamified the process of completing a user’s profile. In particular, there is a percent-complete score and a series of questions with shaded checkmarks that prompt the user to complete her profile. Again, this looks fairly standard today, but these steps represent additional layers of security for the service: the more complete the profile, the lower the risk. Last, as mentioned in a previous article [1], the user may link her other accounts (e.g., Spotify and Pandora for Uber), which in turn will help Uber know how old her other social accounts are, how many connections she has on each account, etc.

As we can see, what matters here is not the effect of any individual mechanism but the cumulative risk-reducing effect of the data collection, verification, and linking mechanisms.

Reacting Rapidly. I refer you to [2,3] for complementary information about how fraud prevention is operated for a marketplace or on Etsy. Here we will focus on the speed of the reaction for services like Uber, because they allow users to sign up and potentially use the service within minutes, which might be a marketing argument. However, high velocity is a well-known risk factor for payment fraud, and it must be managed.

On the one hand, the service may believe that given the user’s credibility, the place and time where the customer is using the service, and the context of the transaction, it’s ok for the user to ride one or more times. On the other hand, if the calculated risk is significant, the service may limit how much the user can use the service, e.g., spending less than $20 in a new city or country where the service has just been rolled out. Later, as trust in the user increases or if the transaction history shows that payments are safe in this context, limits may be lifted.

With services that compete with one another (e.g., Uber and Lyft), it is important to limit friction during user on-boarding and during customers’ regular use of the service. Hence, companies must carefully weigh the benefits of protection against the losses in revenue opportunities when implementing limits to protect against payment fraud. Companies can estimate this tradeoff every month, every day, or for each transaction, e.g., via a scoring algorithm.
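As an added illustration (not code from the original article or from Uber), the per-transaction scoring and dynamic spend limit described above can be expressed as follows. The `Rider` fields, the weights, the thresholds and the "block until verified" tier are assumptions chosen for the example; only the $20 cap comes from the text.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rider:
    email_verified: bool
    phone_verified: bool
    profile_complete: float      # 0.0-1.0, the percent-complete score
    linked_accounts: int         # e.g. Spotify, Pandora
    minutes_since_signup: float
    safe_payments: int           # settled payments with no dispute
    ip_country: str              # from IP geolocation at signup
    card_country: str            # from the payment method
    new_market: bool             # service just rolled out in this city

def risk_score(r: Rider) -> float:
    """Additive score clamped to [0, 1]; every weight is an assumption."""
    score = 0.0
    score += 0.0 if r.email_verified else 0.15
    score += 0.0 if r.phone_verified else 0.15
    score += 0.15 * (1.0 - r.profile_complete)
    score += 0.10 if r.linked_accounts == 0 else 0.0
    # High velocity: a ride requested within minutes of signup.
    score += 0.20 if r.minutes_since_signup < 30 else 0.0
    # Signup inconsistency: IP geolocation disagrees with the card country.
    score += 0.15 if r.ip_country != r.card_country else 0.0
    score += 0.10 if r.new_market else 0.0
    # Trust earned through safe payment history lowers the score.
    score -= 0.03 * min(r.safe_payments, 10)
    return round(max(0.0, min(1.0, score)), 2)

def spend_limit(r: Rider) -> Optional[int]:
    """Dollar cap for the next transaction; None means no limit applies."""
    s = risk_score(r)
    if s >= 0.6:
        return 0      # assumed tier: no rides until verification completes
    if s >= 0.3:
        return 20     # the dynamic limit from the text
    return None       # limit lifted as trust increases

if __name__ == "__main__":
    # Constructed sample: verified rider, ten minutes after signup, new market.
    fresh = Rider(True, True, 0.5, 0, 10, 0, "US", "US", True)
    print(risk_score(fresh), spend_limit(fresh))
```

Because each signal contributes a small amount, no single missing verification blocks a rider, which keeps on-boarding friction low while still capping exposure when several weak signals coincide.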

Conclusion. In this article, we discussed how important data collection about users and their usage of the service is to successful risk management. Although they might seem trivial, data verification mechanisms contribute to the multi-layer approach of reducing exposure to fraud risk. With collaborative services like Uber, it is important to react rapidly; this may require dynamic use limits to mitigate the risk.

Fabrice | Book


[1] How can I reduce fraud for a jewelry rental site?

[2] What's the solution to prevent credit card fraud?

[3] How does Etsy prevent credit card fraud?