Recorded Behavior as Data Authentication

Taming Credit/Payment Card Fraud and Identity Theft


Why Not Text Me to Confirm Each of My Credit Card Transactions?

Back in the 90s, when e-commerce was in its infancy, one vision held that commerce would come to depend on everyone acquiring certificates and private keys under public key infrastructure (PKI). Under this vision, each actor in commerce would be identified by her unique private key. But she would have to protect her private key as though her life depended on it. If a criminal were to shanghai her private key, he could impersonate her (steal her identity).

The PKI school eventually fell out of favor. One reason is that it assumed ordinary people and corporations could prevent crooks from stealing the private keys.

Today we see that the stealing of data like private keys is not so uncommon.

Peter Huber offers an alternative vision in “Secure I.D.s and the Net,” Forbes, August 13, 2007, p. 64. Recognizing that criminals routinely swipe credit card and social security numbers, he argues that efforts to keep such data elements secret do little to authenticate legitimate users. Instead, what really confirms a person's identity is her recorded pattern of behavior over time.

As multiple, independent databases record the details of our day-to-day march through life, they create a unique profile for each of us. They record that you went through a toll booth here (at 7:15pm), you purchased a hamburger there (at 7:39pm), you scanned a thumbprint some other place and on and on. When it comes time to confirm you are you, a gatekeeper will pull details from these disparate databases and compare them against the person claiming to be you. For instance, when your credit card company wants to confirm it is really speaking to you on the phone (or responding to a cell-phone text message seeking confirmation of a transaction), it will ask you to reveal that you know where you purchased the hamburger the night before.

Here is an article I posted on the law of card data security.

--Benjamin Wright

Mr. Wright is an advisor to Messaging Architects, thought leader in data records management.


  1. your idea and the inevitable trend of enabling cardholders to control the usage of their cards by setting their own user limits that will automatically enable issuing banks to reject or approve card authorization requests and also trigger notifications is a validation of the system and methods I designed and created in 2000, piloted/trialed in 2002 and which has been granted a patent 6931382 by the USPTO in August of 2005. VISA applied an application with similar claims but were over a year later than mine.

  2. Marite: I am pleased to hear from you and about your technology. I'd like to know more. I note that in 1994 an online payments company named First Virtual Holdings (long defunct) launched a system under which a message was sent to the user each time a transaction against his account was initiated. In order for the transaction to proceed, the user had to transmit (via e-mail, text message or the like) an affirmative response. --Ben

  3. Background: I documented the First Virtual payment system in the Second Edition of my book The Law of Electronic Commerce (circa 1995-1997). --Ben

  4. Hello Ben. Yes, there are a couple of systems that are offering that feature of sending a message to the user and waits for the user to respond as a requirement to proceeding with the transaction. In the real world, it is quite difficult to do this - actually not possible with card payments given the context that messages to users are sent each time a transaction against his account is initiated which means that this system is linked with the account (issuer). The authorization process/systems for card transactions are just not capable of 'holding'.

    In anycase, the system that I designed and invented does not work this way.