Can Your Social Network Protect Against Fraud?
In the not-too-distant future, credit card companies, online merchants and websites may ask your Facebook friends to vouch for you before doing business with you.
And, in turn, you may be asked to share information about people in your online social network in order to confirm their trustworthiness as well.
Welcome to the new world of "social network authentication," where confirmation from your social network contacts provides fraud-wary websites the verification they need to determine that you are who you say you are in order to safely do business with you.
Registering with a social network authentication service can benefit you, too. First, these services can prevent people from adopting your identity (called e-personation) and masquerading as you around the web, possibly damaging your online reputation. Second, the services are typically free, and allow all users to see the trustworthiness "scores" of other users. This means they can help you figure out who you can and can't trust online.
"In the classified advertising business, we have fraud problems where people will advertise a known commodity at a much lower price than market, and there will be a scam involved," says Joe Fuller, CIO of Dominion Enterprises, an online marketing services company that lets users buy and sell such items as used cars and real estate. It can be hard for people to know whether they're dealing with a scam artist. Someone who's been cited as honest by a large number of Facebook friends is more likely to be a legitimate seller or buyer.
Old verification methods failing
As new and better methods of fraud emerge online, it's increasingly difficult for to know who to trust. For banks and merchants, traditional authentication tools such as passwords are rapidly losing their punch, according to Don Thibeau, executive director of the OpenID Foundation, which is seeking to establish authentication standards. "It turns out people have a hard time creating better, more-difficult-to-guess passwords, or one-time passwords," he says.
Many financial institutions use Caller ID to confirm identity, for instance when customers must call from a home phone to authorize a new credit card. Not great, Thibeau says. "It turns out it's fairly easy to spoof caller ID. You can make a call appear to come from your former spouse or your friend, or the president of the United States."
That leaves knowledge-based authentication, in which a user supplies information only he or she is supposed to know, such as a mother's maiden name or childhood school.
Ironically, however, social networks such as Facebook are making this approach less effective. With people joining groups based on school affiliations and detailing their relationships to other Facebook members, supposedly secret information is less and less so. "Once upon a time, someone's mother's maiden name was closely held information, but not anymore," Thibeau says.
The power of the social network
This is where social network authentication services have an edge over old-style methods. Trulioo (sounds like "truly you"), a social network authentication company based in Sunnyvale, Calif., provides users with a "Trulioo ID Card" or profile that it likens to an 'e-passport' that verifies your identity to websites, merchants and services.
As the service gains popularity, you may be asked by a credit card company, merchant or even a prospective online date to provide a Trulioo profile. When you sign up, the service will ask permission to query five of your friends on such matters as your approximate age and where you live. Their answers provide the basis for your profile. For instance, if your five friends confirm that you live in Wyoming, the profile will list that as your home state with a "high" likelihood of being true, and giving an online merchant more confident that the Wyoming address you gave is legit. For the moment, Trulioo only works by polling your Facebook friends, though it plans to add Google+ circles and other social networks soon.
"It was kind of fun," says Angela Wingenbach, a graphic designer who recently signed up for Trulioo. "It asked me what I thought of five of my friends and gave multiple choices, and there were some funny things in there. Then it sent word to my friends that I had answered questions about them."
Once users sign up for Trulioo and allow it to poll five of their friends, those friends are also invited to sign up for the service, and many of them do. Thus, Trulioo has grown virally and completed verifications on more than 25,000 people so far, according to co-founder Stephen Ufford. "We want to have done 1 million verifications by the end of 2012," he adds.
A social FICO score
For many of the early users who've tried it, the logic of social network authentication is compelling. Unlike a credit score, your score or "vouches" are visible to anyone who signs up for these services, which are typically free.
Where Trulioo picks five Facebook friends at random to vouch for you, AssertID, another new social verification service, allows you to select which Facebook friends to query. While AssertID is newer and has fewer members signed up, the two services are similar. "Our users have a trust score. Think of it as similar to a FICO score," says Kenneth R. Dennis, president. "If it's 125, you might make a leap of faith and trust users to be who they say they are. If the score is 25, you might not."
Then there's Connect.me, which lets users vouch for each other in specific ways, for instance by recommending a contact's work or confirming his or her expertise in a particular subject, and lets other Connect.me users see what was said. Currently, Connect.me has not yet officially launched, so you're only able to join by invitation. More than 65,000 people have requested invitations so far.
Though not specifically designed to combat fraud, Connect.me is well suited to that purpose, its founders note. They compare the service to eBay, where shoppers can judge by the quantity and quality of a seller's reviews whether it's safe to buy or not. "EBay's reputation system works only on eBay," says co-founder Drummond Reed. "Connect.me is something you can use anywhere. Let's say you're considering buying something from on craigslist. If the seller has been vouched for by someone you know to be trustworthy, you can buy with more confidence."
The downside of vouching
The primary drawback to depending on Facebook to judge trustworthiness is that no one can be held actually responsible if things go wrong. "It's one thing to vouch for someone you know. But what if that person steals a credit card and buys all kinds of junk?" asks James Kobelius, senior analyst for social network and graph analysis at Forrester Research, which reports on technological trends. "Does the person who vouches bear some liability?"
Also, if social networks such as Facebook become widely used for authentication, what happens to those who do not have Facebook or other social network accounts? In time, might not having enough Facebook friends -- or not using Facebook at all -- make it harder to get credit or even buy or sell things online?
"That's an entirely valid concern," says Adam C. Engst, publisher of the Apple news website TidBITS, and a Connect.me member. "Let's say I'm buying a used bicycle in San Francisco. There are a huge number of used bicycle ads." With no easy way to check out the people selling the bikes, he says, he'd be likelier to choose sellers who have been vouched for by their social network. "It could become a differentiator."
Nonetheless, with well over 1 billion active social network accounts worldwide, he still sees the rise of social network authentication as a good thing. "We've needed to bring trust into our online system for a long time," Engst says. "I've been waiting for something like this to happen."