Abney Associates Tech Blog

All the worries stirred up by the Heartbleed security flaw highlight why it makes good sense to take precautions with personal data. But sometimes companies erect security barriers so high that they shut out even their own clients.

I recently went online to our Schwab account and requested a wire transfer. After a delay and a second request, followed by verification by telephone, several days passed without any money transfer.

Schwab then said: “In order to complete your request please go to one of our branches and bring a picture ID with you.” In a follow-up call, an agent explained that the company grew suspicious based on a computer IP address — the identifying number given to a computing device — that did not match the location they expected.

I had logged in from home, but I was using a secure browser called Authentic8 Silo which masked my location (I’ve recently written about secure browsers here). I turned to experts to learn more about what had happened.

“I am surprised that mainstream companies are relying on that as a security measure, because I think the mechanism is incredibly brittle,” said Scott Petry, Authentic8’s co-founder and CEO. “If you go and travel around, it’s standard operating procedure for you to be picking up different IPs in different regions.”

Yet Schwab is far from alone in its practices. Security experts say companies routinely scope out your IP address whenever you visit their websites.

“Using IP address to prevent fraud and risky web activity is a widespread practice and you can expect almost everybody from online stores to social networks to banks are doing it,” said TJ Mather, president of MaxMind, which offers companies IP intelligence and online fraud prevention tools.

In the last five to eight years, companies have increasingly employed “confidence ranking” filters in which IP address and other data help them set fraud alerts, said Mark Bregman, chief technology officer at Neustar, which helps firms with IT security.

“Companies use a variety of methods for fraud detection, including browser header information, confirming account registration data matches, cookies, device fingerprinting, and for mobile users, device location,” he said. “This multi-tiered approach is appropriate because each