The Problem With How Most Banks Use IP Address Checks To Fight Fraud

The growing cost of online fraud, and of finding ways to detect it, has long been a concern for financial institutions (FIs). But GeoGuard CEO David Briggs told Karen Webster in a recent conversation that FIs could eliminate most fraudulent transactions with the proper use of a readily available and proven technology – geolocation checking. He said banks and payment processors already have this technology on hand – they’re just not using it correctly.

“If you beat the geolocation fraud, you beat all the fraud,” Briggs said. “Most consumers are very surprised by the degree to which their banks are not using location to keep their accounts safe.” 

Chief security officers and most FinTech space players would typically say they already look at geolocation as part of their risk scoring, considering it critical to their fraud detection efforts. However, Briggs said, what they mean is that they’re looking at IP addresses.  

“The reality is that most people are still making the most of geolocation [the way they did] 10, 15, 20 years ago,” he noted. “We’re really here to explain that you can do a lot more with what you have.” 

The VPN Problem  

As Briggs pointed out, many more students and employees work remotely and use virtual private networks (VPNs) to get online these days. That opens an often-overlooked loophole that fraudsters can use to mask themselves.  

For businesses that onboard countless merchants and process hundreds of millions of transactions, checking to see if a merchant uses a VPN when they create an account for the first time should be a no-brainer – but Briggs said it often isn’t. 

“It’s not happening because people are not used to it, they’re not aware of it as a security flag, and they don’t have the rules in place,” he said, adding that fear of losing business is also a factor. “Everyone is concerned that they’re going to put too much friction into the process and that competitively, they’ll be at a disadvantage.”

For instance, Briggs recalled that he was once blocked from paying some large bills online while traveling in Italy. But by simply logging into the same account through a VPN located in Seattle, he was able to quickly access the account and complete the previously flagged transactions without detection.

“One minute I was in Italy, the next minute I was in Seattle – and I’m coming in from a data center, right? Those are very simple things to build a risk engine around,” he said. 
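
The Italy-then-Seattle sequence Briggs describes, written as two rules a risk engine could apply to consecutive logins. This is an added example, not GeoGuard's or any bank's code; the event fields, the `network_type` labels (assumed to come from an IP-intelligence feed) and the thresholds are all assumptions.

```python
import math
from dataclasses import dataclass

MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling, roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumed tolerance for ordinary geolocation error

@dataclass
class Login:
    ts: float          # epoch seconds
    lat: float
    lon: float
    network_type: str  # "residential", "mobile" or "hosting" (assumed feed labels)

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_flags(prev, cur: Login) -> list:
    """Flag data-center origin and travel faster than any real trip."""
    flags = []
    if cur.network_type == "hosting":
        flags.append("datacenter_origin")
    if prev is not None:
        dist = haversine_km(prev, cur)
        hours = max(cur.ts - prev.ts, 1.0) / 3600.0  # avoid divide-by-zero
        if dist > MIN_DISTANCE_KM and dist / hours > MAX_PLAUSIBLE_KMH:
            flags.append("impossible_travel")
    return flags

def decide(flags: list) -> str:
    """One flag adds a step-up challenge; both together hold the payment."""
    if len(flags) >= 2:
        return "hold_for_review"
    return "step_up_auth" if flags else "allow"

# Constructed sample events: a blocked attempt in Rome, then the same
# account one minute later from a hosting network in Seattle.
ROME = Login(ts=1_700_000_000, lat=41.9028, lon=12.4964, network_type="residential")
SEATTLE = Login(ts=1_700_000_060, lat=47.6062, lon=-122.3321, network_type="hosting")

if __name__ == "__main__":
    flags = risk_flags(ROME, SEATTLE)
    print(flags, decide(flags))
```
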

Looking at Geolocation Tools All Wrong

Briggs described filling that security gap as an evolutionary step that will give banks and customers something they all want. But the problem, he said, is that the banking industry has never had to consider whether it’s getting geolocation wrong. 

“As far as [the banks] are concerned, they’ve been getting it right for a long time,” Briggs said. “There’s no one really saying to them, ‘hey guys, my Words With Friends app knows my location and I give it to them. Why doesn’t my banking app?'”

But since updated use of geolocation isn’t something the industry currently focuses on, FIs aren’t getting a clear signal that they need to examine it – so it gets deferred and put aside.  

“There’s a lot of fraud out there, and a lot of consumers who are concerned, and a lot of people who shouldn’t be making a lot of money out of crime who are making a [lot] of money out of crime,” Briggs said.

But he believes that a feasible fix is to simply check the location of devices where people’s apps are installed. “There is one solution that could be used today to tighten up security on users’ accounts,” he said. “With a small change and good use of that logic, you can really tighten up [security] with remarkably low friction.” 

What About Privacy Concerns?  

Of course, any discussion about using geolocation data would be incomplete without mentioning privacy concerns, along with fears that customers could find such tactics off-putting. 

But Briggs argued that that’s not the case.

“Consumers are actually okay with providing permission to be [checked],” he said. “There is no issue with a user sharing data such as location to an app [to allow] that app to do what it is meant to do.”

As far as promoting the adoption of such a technological change, Briggs thinks it would be easier for B2B solutions to adopt it, as that wouldn’t require rollout to a massive consumer user base. But that’s not to say enhanced geolocation security isn’t compelling for B2C businesses, either. 

“If you can offer a better deal to customers in terms of interest rates or cash back because you’ve nearly eliminated fraud by using better geolocation data, that’s a strong commercial proposition that would drive change,” he said.

The 5G Catalyst

Another issue to consider is the ongoing rollout of 5G wireless technology, which will see even more transactions done on mobile devices. It’s a trend that Briggs said will likely see IP addresses disappear, leaving payment facilitators with no location data at all.

“So those rules engines that have been there for 20, 15 or 10 years are going to really be out of date,” he said. “You’re effectively saying that there is no geolocation going on in a risk engine once you move to 5G, because you just don’t know where that person is.” 

The bottom line: With the cost – and pain – of fraud increasing exponentially, Briggs thinks the future of enhanced geolocation security looks bright.

“It’s going to change,” he said. “It has to change.”