I have been traveling quite a bit lately, and last week, I went to Rome for a few days, and spent time at the KDIR conference. Rome is one of my favorite destinations and apart from the architecture and museums, and the restaurants, I also enjoy shopping there.
To my dismay, a gray cloud followed me around this entire trip - in the form of a misfiring fraud detection algorithm. On foreign trips, I always prefer to spend cash via my ATM card to avoid those ridiculous credit card surcharges. And I have used my Schwab card without any issues for many trips.
This time, however, my card was blocked after one withdrawal. This means I had to call back to the States to unblock it. Then, the next day, it happened again. And this continued every day until the last day of the short four-day trip.
Needless to say, I was getting more and more irate as the trip progressed. It makes me wonder about fraud detection algorithms. Are they any good? If they are tuned to be very risk-averse, then you can always prove to your boss that you have prevented a lot of fraud. The flip side is you have always caused a lot of hassle for your good customers. In technical terms, each time my card was blocked, the algorithm committed a false-positive error.
The service reps had not a clue how these algorithms work. On the first day, I was told that it blocked me because I didn't give them warning that I'd be traveling. That made sense until it blocked me again the next day... after I told the rep the exact days I'd be in Rome. The next rep explained that I was getting blocked because Rome is a high-fraud zone, and I was using certain ATM machines. That sounds reasonable, except if those were the reasons, then I might as well throw the card away. The experience got me thinking about the challenges of making a good fraud detection algorithm.
Clearly, when I am traveling, my habits don't match what is in my customer history. I'm going to be engaging in a series of transactions that might look suspicious - like taking more cash out than usual, taking cash from places and machines that I have never used, taking cash out multiple times a day (because there is a per-transaction limit on most ATMs), taking cash out from machines all over town, etc. How can a computer figure out if those transactions are legitimate?
When the algorithm got it seriously wrong, it can be very annoying. One of those days, I had put money down on a suit. It was an hour away from the store's closing time. Because the problem could not be resolved in time, I had to go back the next day, which meant I had to cut other things out of the itinerary. If it happened on the last day of the trip, it would have been a lot of trouble. I racked up probably $100 of international roaming charges for all the calls I had to make to unblock the card repeatedly. There were several moments I had to stand on the street, the phone on one hand, the other hand operating the ATM, testing the machine, pulling out cash, etc. Those moments felt very ironic because the blocking of my card was supposed to make me feel secure.
As a statistician, I want to know the probability of falling victim to the kind of fraud Schwab's algorithm is trying to prevent, and the average cost of such fraud (bearing in mind that you can only take 250 euros per transaction). I suspect that the cost of the inconvenience, both tangible and intangible, may outweigh the potential benefit.