fb-pixel Skip to main content
data dive

The credit cards and the antifraud arms race

The algorithm follows you everywhere. It stores your history and mines it. It learns your habits. It tracks your location. It can predict your future. And it’s getting smarter.

But in a society rightly suspicious of big data, surveillance, and tracking, there is perhaps one area where both consumer advocates and corporations generally agree that unleashing algorithms is a net positive: the prevention of credit and debit card fraud.

Visa, Mastercard, American Express, and others in the industry are all using increasingly sophisticated data science techniques, involving artificial intelligence, machine learning, and “neural networks” — self-learning computational systems inspired by the human brain — in their cyber arms race with criminals intent on exploiting the next great data breach.

“It’s a great application for machine learning because you have something clear and defined to predict,” says Vernon Marshall, who runs a global team of more than 100 data science experts for American Express. In 1.2 milliseconds, machines make a decision on whether to approve a transaction. And with $1 trillion in Amex transaction volume annually, that’s a lot of high-velocity decisions.

Tracking global patterns of fraud is even more efficient with a new generation of artificial intelligence that went live last year. “It’s just good for society,” Marshall says.


Specialists can train the algorithms with more comprehensive data, which means that outlier patterns or unusual activities are immediately flagged. Consider a criminal organization several years ago that was dedicated exclusively to purchasing baby carriages with stolen cards.

At Mastercard, three different algorithms specialize in areas such as foreign or domestic purchases, says Johan Gerber, a senior vice president at the company who runs its fraud security product team. Transactions are scored depending on degrees of suspicion and risk; the algorithms are looking for “highly predictive attributes,” and put various weights on purchase amount, frequency, time of day, country of purchase, e-commerce or in-store purchase, and other attributes.

Over time, the models are getting more subtle, moving from assigning a blunt fraud score to a more nimble decision score that blocks legitimate transactions less frequently.


Many of these algorithmic judgments can be made with ease, such as transactions where a single card is used simultaneously in Boston, Boise, and Beijing. But many others involve borderline statistical calls. Of course, all of the high-level mathematical modeling doesn’t mean that there still aren’t mistakes and associated hassles for consumers — friction, as the card companies call it. As virtually every cardholder knows, getting your card blocked for the wrong reasons is frustrating. Depending on circumstance, it can also be embarrassing — those clients who have to pay your dinner bill — or even dangerous — a late-night cab ride.

A major new advantage in the fight against fraud is the ability to contact cardholders in real-time to verify charges when the algorithm flags a transaction. Most problems unfold like the one encountered recently in a Berlin airport by Nicholas Diakopoulos, a University of Maryland professor who also happens to study algorithms for a living. His card was blocked when he arrived, and it took two phone calls with the card company to resolve it.

“I travel a lot, so I kind of expect their algorithm to understand me,” Diakopoulos said by phone from Berlin. It would be helpful if the card companies were more transparent, he notes, and maybe even had public benchmarks to help consumers compare records of failure or success. It would be good if they could, in a sense, “train people how not to be false positives.”


When he entered the industry a decade ago, Gerber of Mastercard says, one in every 25 fraud alerts was legitimate, a rate of false positives he calls “horrifying.” Now, he says, it’s often down to a ratio of around 1:1 or 1:1.5.

Ed Mierzwinski of US PIRG, a consumer watchdog and research group, says that the card companies are getting better and are helping consumers by more quickly turning off cards that have been compromised. “For years, the banks just wrote it off,” he says. “But now they are facing pain because real money is involved, and so they are doing a better job. The increase in breaches has finally got their attention.”

There is real pain faced by card issuers and merchants who share the cost of bogus online transactions. Roughly 8 percent of cards see fraudulent activity and a little under a half percent of all transactions may be fraudulent. That costs many of billions annually for US companies.

The problem is not that the criminals are getting orders of magnitude more sophisticated; the shelf life of stolen cards is in fact getting shorter, and crooks can’t typically spend as much per card as they used to. But industry experts say that the sheer scale of data breaches these days magnifies the opportunities for crime.

New card-based computer chips, or EMV technology, are being implemented this year in the United States to help cut down on in-person use of stolen cards and information. Yet all sorts of possibilities remain for fraudulent online card use, and observers expect e-commerce fraud to increase as physical point-of-sale fraud becomes harder. That means the algorithm arms race will become even more important.


There is typically no liability on the part of consumers for credit card fraud, provided fraudulent charges are reported promptly. (Technically, liability is $50, but it’s rarely enforced.) Debit cards are trickier, and consumers can be on the hook for up to $500 if fraud isn’t caught within two days. It can take a while for cash to be reinstated in accounts. In that way, debit card fraud can really hurt lower-income families, which typically have less cash on hand, causing bounced checks and late payments.

Magnus Carlsson of the Association for Financial Professionals said that card fraud has been on the increase for businesses over the past two years, with some 34 percent reporting some card fraud in the 2015 survey his organization released (and nearly two-thirds reporting payment fraud of one kind or another, including checks and wire fraud). For businesses and other large organizations such as charities, he says, the cost is often a hidden one, as recurring payments — cards on file — are disrupted, and cardholders don’t always bother to renew the payment with the new card. A dependable fraction of revenue is lost when new cards have to be issued and new information has to be manually reentered.

Ultimately, the payment card game of mathematical roulette comes down to maintaining a fine balance between the gratitude customers have for being kept safe and the shrinking reservoir of good will associated with a frequently frozen card.


John Wihbey works at the Harvard Kennedy School’s Shorenstein Center on Media, Politics and Public Policy.


Big data changes the way you buy a home

Like Airbnb, but for algorithms?

Why we need to learn to trust robots

The race to preserve disappearing data