Tuesday, March 16, 2010

Bank Fraud Detection Must Balance False Positives and False Negatives

Krebs posted this morning about commercial bank customers again and Gunnar also picked up on the theme.

In Krebs' piece he quotes the customer saying:

“When I first talked to the bank, my question to them was, ‘We’ve always done the same five payroll transactions a month, this was outside the norm, so why didn’t you flag them?’” Diaz recalled. “They told me because [the thieves] answered the secret questions correctly and because the amount was under $10,000 and their daily limit, they let it go just based on the amount.”

I totally understand that sentiment, but I'd also like to offer up a counter: the negative customer experience that goes along with a denied transaction, and our expectation that our bank should follow our instructions rather than second-guess us.

A few examples are in order. From the "Mercury News Action Line" this week:

Q: For months, Wells Fargo has been harassing me by putting fraud alerts on routine credit card transactions. Wells Fargo declines the transactions outright and blocks my credit cards.

What do we tell this customer when the bank's fraud blocking is being too ambitious?

Or, how about the wonderful story that Gunnar himself recounts about the ATM network and its distributed nature, and how it just works, as it did for Robert Morris Sr.:

There is a triple boundary in this town that I was in between Norway, Finland and Russia. But what I did there, was, I had a card about wallet size, I stuck it into a machine, I punched in four digits, and it gave me about 2,000 krone, whatever the hell that is.

So, a guy who isn't usually in Norway puts his ATM card into a machine, and it just works. The bank doesn't throw up a fraud alert and say - "WTF, you don't usually take money out from Norway, this must be fraud." It says - "You have the ATM card and passed my security test by knowing the PIN, I'm going to give you money."

My point is that we can't celebrate the ability of an American to take money out of an ATM in Norway and at the same time say that banks should block all transactions out of the ordinary.

Where we strike the balance between false positives and false negatives, and who has the liability for that choice is of course an interesting question, but a one-size-fits-all solution is going to be ugly.
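To make the trade-off concrete, here is an added example (my own illustration, not code from Krebs, Gunnar, or any bank) that replays a constructed month of transactions through a simple additive risk score and counts false positives and false negatives at different blocking thresholds. The account profiles, signal weights, payee names and amounts are all invented for the demonstration; the highest threshold reproduces the policy in the Diaz quote (block only on failed secret questions or an over-limit amount), and the lower thresholds show what the Norway withdrawal and a legitimate new hire cost once behavioural signals are allowed to block.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: str
    kind: str         # "payroll", "card" or "atm"
    amount: float
    country: str
    payee: str        # destination account, merchant or ATM id
    secret_ok: bool   # knowledge-based authentication (secret questions / PIN) passed
    is_fraud: bool    # ground-truth label, used only to grade the policy afterwards


# Constructed "normal" profile per account: usual number of payroll runs a month,
# payees the account has paid before, usual countries, and the bank's daily limit.
PROFILES = {
    "smallbiz": {"payroll_per_month": 5, "known_payees": {f"emp{i}" for i in range(5)},
                 "home": {"US"}, "daily_limit": 10_000.0},
    "traveler": {"payroll_per_month": 0, "known_payees": set(),
                 "home": {"US"}, "daily_limit": 2_000.0},
}

# Constructed month of activity. The smallbiz block mirrors the Krebs quote: five routine
# payroll runs, then two fraudulent runs that pass the secret questions and stay under the
# $10,000 daily limit, followed by a legitimate payroll run to a brand-new hire. The
# traveler's ATM withdrawal in Norway mirrors the Morris anecdote: legitimate, but abroad.
TXNS = [
    *[Txn("smallbiz", "payroll", 3_000.0, "US", f"emp{i}", True, False) for i in range(5)],
    Txn("smallbiz", "payroll", 9_500.0, "US", "mule-1", True, True),
    Txn("smallbiz", "payroll", 9_500.0, "US", "mule-2", True, True),
    Txn("smallbiz", "payroll", 3_000.0, "US", "emp5", True, False),      # new hire, legitimate
    Txn("traveler", "card", 42.0, "US", "grocer", True, False),
    Txn("traveler", "atm", 300.0, "NO", "atm-kirkenes", True, False),    # abroad, legitimate
    Txn("traveler", "card", 150.0, "US", "grocer", True, False),
]


def risk_score(txn, profile, seen_payees, payroll_count):
    """Additive risk score in [0, 1]. The two hard rules from the quote (failed secret
    questions, amount over the daily limit) are decisive on their own; the behavioural
    signals below carry hypothetical weights and none of them is decisive alone."""
    if not txn.secret_ok or txn.amount > profile["daily_limit"]:
        return 1.0
    score = 0.0
    if txn.kind == "payroll" and payroll_count >= profile["payroll_per_month"]:
        score += 0.5   # more payroll runs this month than the account normally does
    if txn.kind == "payroll" and txn.payee not in seen_payees:
        score += 0.3   # payroll going to a payee this account has never paid before
    if txn.country not in profile["home"]:
        score += 0.4   # activity outside the customer's usual countries
    return min(score, 1.0)


def evaluate(threshold, txns=TXNS):
    """Replay the month in order, block anything scoring at or above the threshold,
    and count false positives (legitimate blocked) and false negatives (fraud allowed)."""
    seen = {acct: set(p["known_payees"]) for acct, p in PROFILES.items()}
    payroll_count = defaultdict(int)
    counts = {"fp": 0, "fn": 0, "tp": 0, "tn": 0}
    for t in txns:
        score = risk_score(t, PROFILES[t.account], seen[t.account], payroll_count[t.account])
        blocked = score >= threshold
        if blocked:
            counts["fp" if not t.is_fraud else "tp"] += 1
        else:
            counts["fn" if t.is_fraud else "tn"] += 1
        # Attempts count toward the behavioural baseline whether or not they were blocked.
        seen[t.account].add(t.payee)
        if t.kind == "payroll":
            payroll_count[t.account] += 1
    return counts


def sweep(thresholds=(0.35, 0.6, 1.0)):
    """(threshold, false positives, false negatives) for each candidate blocking threshold."""
    return [(th, evaluate(th)["fp"], evaluate(th)["fn"]) for th in thresholds]


if __name__ == "__main__":
    for th, fp, fn in sweep():
        print(f"threshold {th:.2f}: {fp} legitimate blocked, {fn} fraudulent allowed")
```

At a threshold of 1.0 only the hard rules fire, so both mule payrolls go through exactly as in the quote; at 0.6 the mules are caught but the new hire's first paycheck is blocked; at 0.35 the Norway withdrawal is blocked too. The same weights produce a different cost for the small business and the traveler, which is the point about one-size-fits-all: the threshold, and who eats the cost of each kind of mistake, is a policy choice, not something the scoring code can settle on its own.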