How your social network can protect your credit card

Payment service WePay uses your social network and online behavior in its suite of antifraud technologies.

Rafe Needleman Former Editor at Large
Rafe Needleman reviews mobile apps and products for fun, and picks startups apart when he gets bored. He has evaluated thousands of new companies, most of which have since gone out of business.
Rafe Needleman
4 min read

The payment service WePay launched a new online ticket store this week that competes in some ways with EventBrite. It's a logical addition to the growing service. But that's not what's interesting about WePay.

I'm seeing payment services companies like this popping up a bit more than I would have expected, given the serious regulatory and security issues involved in handling money in bulk (see Dwolla and Venmo). Talking about that with WePay founder Rich Aberman led to a fascinating discussion about how the company hopes to keep its fraud rate low enough to stay in business. Here's how: It will use online social-network strength, in addition to old-fashioned antifraud methods, to spot bad transactions before they get authorized.

As we've learned recently--thanks, Sony--there's a healthy supply of valid credit card numbers available to bad guys. Even Social Security Numbers aren't too hard to come by. Using various collections of numbers and identifiers to verify that the person on the other end of a Web transaction is the person who owns the credit card being used is standard antifraud practice. It's not nothing, but it's far from foolproof, and credit card companies bake a substantial percentage of transaction write-offs into their balance sheets to account for all the fraud that gets through. Aberman says these old antifraud technologies don't go far enough for a new company like his, which is trying to compete in part by having a lower proportion of uncollectable and criminal transactions.

WePay has launched a ticket sales service on top of its payment processing infrastructure. WePay

It is much harder to fake a social network identity than it is to fake ownership of a number in a database somewhere. Real people have real friends and behave online in ways that are quite different from fake online identities that have fake connections and do fake things like "friend" indiscriminately and send out links to spam or phishing sites. It is thus harder to create or steal a social identity than an individual one. If you tie a credit card number into a social-network identity, you can use that fact to reduce online fraud. As Aberman wrote to me after our meeting, "We are using your online identity to verify your identity in the real world."

Facebook, for its part, uses its knowledge of users' social networks to fight fraud and tamp down account theft and hijacking. Users coming in from computers they've used before, and acting in consistent ways with their groups, don't see Facebook's escalating authorization systems, but start to act oddly (fraudulently) or log in from a computer in Peru one day when yesterday you logged in from Ohio, and you'll get introduced to Facebook's social verification system, which uses your knowledge of your network of friends to make sure you are the person whose account you are logging in to. Fred Wolens, Facebook policy associate, told me the social verification system has been "iterated" to be more reliable for users than it was when it was first rolled out.

Wolens says Facebook doesn't keep scores on individuals rating their authenticity or trustworthiness. Rather, he says, assessments are made when needed. "We have systems to determine what is a fake account or not. For each interaction we look at a number of different things."

Facebook keeps this data to itself at the moment, but it could, in theory, become a major player in the authorization space for other companies like WePay. It's more likely, though, that it will keep this information internal, and use it to make its own payments system more robust.

WePay's Aberman says that the goal for any payment processing company is, "to own the credit card info, and protect it." By running WePay transactions through a social filter--requiring someone using a credit card to go through a social verification process, either overtly or behind the scenes--it may just be able to do a better job of account protection. It's a smart move.

It also indicates just how much power social networks are gaining in our financial lives. Facebook stands to gain from this the most, but Twitter, LinkedIn, and even e-mail providers like Microsoft, Yahoo, and Google could end up profiting from what may become a new and important part of payment authorization to fight fraud. If social verification does become an important part of online transactions, it will shift power away, a bit, from the credit card issuing companies. And for consumers, again as it has been throughout most of our history, the ease with which we navigate the financial world will depend not just on what we know, but who.