Credit card data is not as private as it seems. In fact, you can be identified by just four transactions, three if prices are included finds a new study.
Researchers at MIT studied the ‘anonymised’ metadata where names and other personal information like account numbers were scrubbed. The data was provided by an unnamed bank in an undisclosed country and the researchers looked at the credit card transactions of 1.1 million people over 3 months.
Each transaction was linked to a store and timestamped with the date of purchase. With just these two pieces of information about 90% of people could be re-identified using 4 transactions. After identifying the unique purchasing pattern of a person their real identity can be easily found through publicly available information such as social media platforms Facebook and Instagram.
Furthermore, if data like price of the purchase was included that increased the chance of identifying a unique purchasing pattern by 20%. They also found that women were more easily re-identifiable than men, although it is not known why.
These findings are the latest in a string of studies telling us that we expose ourselves more than we think we do. For example, Uber published their findings where they calculated the likelihood that their weekend riders were going to visit prostitutes based on local crime reports. Additionally, a group of researchers from Cambridge University found that your pattern of “likes” on Facebook is better at assessing your personality than your closest friends.
There is a lucrative secondary market for these large datasets. They provide a wealth of personal data for large companies that can then use it to create sophisticated marketing campaigns that target a specific demographic. In fact, data mining was used extensively by Obama to win the 2012 election.
It’s not to say that companies are offering up their credit card metadata for sale. In fact, there are rules set by the Payment Card Industry (PCI) Security Standards group to protect credit card data. However, it seems as though approval by PCI does not necessarily mean your credit card information is safe. Neiman Marcus reported that they had been approved by PCI when customer credit card information may have been compromised during an eight month period. Target was certified just two months before the epic hack of their credit card data.
Now, by this time you’re thinking… do I have to stop using credit cards to protect my identity? My answer for you is no; the solution to this problem is using tokenization. This is where sensitive credit card data information is replaced by unique identification symbols that retain all the important information without compromising its security. The best part of this solution is that it’s available now in the form of Apple Pay for iPhone 6 users and Google Wallet for Android users.
check out this video highlighting the dangers of “big data” by THNKR:
– Siana Lai