Wordloosed

How your bank is tracking your phone

I strongly suspect that my credit card company and my bank have access to my mobile phone location. Here's why:

pa-6820617

A few weeks ago my wife was driving me to the train station. I usually drive to work but sometimes get the train. On the way we got a flat tyre and managed to limp along to the garage opposite the train station. My wife hadn't brought her phone or purse with her so I gave her my credit card to pay for a new tyre, while I caught the train. She knew my PIN and had used it several times before to pay for meals and such without any problem, though always while I'd been there. She managed to pay for the tyre with no problems.

That morning, and for the rest of the day, I didn't use any other payment cards to remove the chance that the credit card company and bank might spot me paying in two places at once.

Special, secret ways

The next day (so first-class post, probably posted in the morning soon after the tyre payment) I received a letter from MBNA credit cards. I knew why they'd written before I'd opened it. It said that they had issued a new card because my current card was no longer to be trusted. I don't remember the exact phrasing, but it didn't say what the problem was, just that they had special, secret ways to detect things and I should no longer use my card and wait for the new one. It arrived a few days later and had a whole new number which meant I had to change all my online payments.

I'd used my card over the years at some strange times of day and in a wide variety of places, but I'd never had a card cancelled before. I couldn't fathom how they'd worked out that it wasn't me using the card. The card companies have long been proud of their clever, secret algorithms that can spot fraudulent usage patterns, and I'd assumed they also took into account the usage location from their card machines: using a card in London at 10:00 and then again in Madrid at 11:00 would probably trigger an alert. But my card was only used once that day. I'd driven to the train station many times over the last few years, so my paying for a new tyre at that time of day wasn't suspicious. I wondered about CCTV cameras in the garage and how male/female face detection might be happening, but ruled them out: the place wouldn't even have cameras.

Aha

It was a few days later, watching my debit card being processed, that I realised what they must have done. They'd tracked my mobile phone and linked it to the card! My phone went with me on the train. At the time the tyre was being paid for, the phone was probably in the office with me, which meant it couldn't be me using the card near the train station.

How?

I've been thinking about how they might be doing it. So, not this, but something like this...

Pattern Matching

Mobile phone companies track the movement of phones. It's fairly easy then to pick out patterns and from these give very valuable hints to the card companies. For example, they could tell if a card is 'at home' or 'has gone to the usual daily place' so the card company could be fairly sure whether the phone has been left at home or is with the owner. They could also tell how long ago the phone had passed through a given area (and at what speed: by car or foot or train etc.), perhaps indicating that the card had been recently dropped or stolen and so making any payment attempt more suspicious. I think this is what happened in my case.

Linking level

I initially thought the card-to-phone linking was being done at a level above the two companies, because I've never had a mobile phone contract and didn't think the phone company new my card number, and I certainly hadn't given the card company my mobile phone number as a contact number. Or maybe the companies were intersecting the card payment times and places with all the mobiles in those areas at those times and growing a database of cards always used in the vicinity of specific mobile phones - quickly refining it to link each card to a single phone? That's still possible, but then I remembered I had recently topped up the phone using that credit card, so the phone company had seen my card number and had already linked it to my phone. Perhaps during the phone top-up my phone number was also passed to the card company, so both parties would know both numbers.

Possible API

There are a number of ways the card company could be asking the phone company for the tracking data. I suspect they involve the phone company charging different fees for each method, but paying those fees would be easily justified by the reduction in fraud:

  1. Before payment time. They pre-emptively and periodically ask where the card owner's phone is and keep track of it in their systems ready for when a payment is attempted. If the attempt is not in the expected vicinity, perhaps based on the phone travelling speed, suspect it.
  2. At payment time, before approval. When a payment transaction begins, they ask where the card owner's phone is and if it's not in the vicinity, suspect it.
  3. After payment time. Some time after a payment has been approved, they ask where the card owner's phone was at the time of the payment and if it wasn't in the vicinity, suspect it.

Perhaps they use a variety of these. Maybe 2 (at payment time) for higher value transactions, and 3 (after payment time) otherwise, since it's cheaper. Also, 3 (after payment time) is less vulnerable to any slow-down in real-time processing by any of the checking systems, but risks having to approve payments before being able to suspect them based on the phone location.

But surely this is illegal

Checking at or after payment time (2 or 3) might make the illegality of finding out a person's location moot, since the card company would already 'know' the person's location from the payment initiation. This might be a strong reason to prefer this approach.

Another way, perhaps to reduce the privacy intrusion, would be to re-phrase the question. Instead of asking where the card owner's phone is or was, ask whether it is or was in the vicinity of the transaction. The yes/no answer perhaps wouldn't constitute giving away the location but would still allow the location checks to be made.

To link cards to the variety of phone companies, a single point of contact would likely be needed (either per country or perhaps on a larger scale). The existing card-processing body may have taken on this role. This could then either route the card questions to the appropriate phone company or, more likely, have access to a central 'anti-fraud' database, collating relevant phone movement details, and answer the questions from one place.

So my guess is that the phone companies 'share' their phone movement data with a third-party 'security provider', possibly with some government protection (remember how keen they were to prop up the banks in the national interest?). The payment processor would then make a simple API call to this third-party asking for a probability that the card owner is with the card at a specified place and time. The response could be "don't know" if the phone seems to be 'at home' or is switched off. Or it could be 1 if the phone is very close to the given place at that time (which could be 'at home' for online payments from your home IP address). Or close to zero if the phone is nowhere near the place and has recently moved: getting closer to zero as the movement pattern approaches the standard pattern for that phone. Or maybe 0.5 if the phone was last tracked some time ago but within travelling distance of the place.

A better way to avoid privacy issues with data-sharing would be for the 'security provider' to just forward the "if one of your mobile phones has been linked to this card, what's the probability that the owner is in this place at this time?" question to a number of phone companies at once and return any response. I think it would be easier to justify since the card company can say that they already 'know' the user's location, as does the phone company, and all they are doing is checking that they both agree, with one of them legally holding a mapping of the card to the phone number internally. This type of continuous fact-confirming could also enable the phone company to build up and maintain a mapping of cards to phones based on proximity, as mentioned earlier. They could pre-tokenise the card numbers too, so the actual checking appears to be a random-looking number, a position and a time, with a single score as a response.

So are they breaking any laws? I don't know. Maybe they don't apply to this location 'meta-data' or especially not to the inferred meta-data if they're using the "just checking we both agree and building co-incidence mappings" approach. But I'd like them to be more open about what they're doing and their relationships. And I'd be interested to know when and how it first began.

I don't think the Freedom of Information Act applies to these companies. The UK Data Protection Act should make them say which details they have about a person, but I know the information they have and that isn't the thing. It's how they're inferring the connections between the information that matters. This sort of tracking and data-joining is inevitable, and privacy was probably only a brief interlude in the grand history of things.

Global

I don't think that this is just a UK thing. My bank used to ask me for the dates when I was travelling abroad so I could use my debit card without them declining it. A few years ago they stopped asking, and now the latest advice on their website is:

"Our fraud detection systems are constantly verifying transactions to ensure your security when you use your debit card abroad. This means you can have peace of mind that your card is protected from unauthorised use and you don't need to let us know before you travel. If we think a payment could be high risk, it may be declined so that we can get in touch to check it's genuine.

To help us provide you with the best service, please keep your contact details (including mobile number) up to date, so we can get in touch with you if we need to."

In other words, "we have new, special, world-spanning ways that you don't need to know about. And, by the way, we very much think that you ought to give us the mobile number that you should have with you when you use your card." And of course, you will be taking your mobile with you everywhere.

I realise this could all be a touch of paranoia (have you seen how they're tracking your smartphone's wifi signal around shops?)! I should really test my theory by buying a tyre with my phone on me, and then another day handing off my phone for someone to take to my office while I buy another tyre, but maybe it needs to be a payment above a certain amount. I think I'll wait until I need another two tyres. Until then, I'd love to hear from anyone who can corroborate any of this.

Tags