Do you read our weekly “Privacy Week in Review” series? Last week’s edition included an item on a group of researchers who recently demonstrated how to identify people by their anonymized credit card spending records.
The upshot of the research: it took only four credit card purchases to identify 90 percent of people in a large dataset. The researchers couldn’t determine anyone’s name, since personally identifiable information was stripped from the data. But given the dates and locations of purchases, the researchers could very quickly figure out who had bought what.
So what does all this mean?
As Phys.org explains in its overview of the study (“Unique in the shopping mall: On the reidentifiability of credit card metadata”),
“Someone with copies of just three of your recent receipts—or one receipt, one Instagram photo of you having coffee with friends, and one tweet about the phone you just bought—would have a 94 percent chance of extracting your credit card records from those of a million other people.”
An important point is that each credit card in the study’s dataset was assigned an identifier so transaction records could be assigned to individual cardholders. Without these identifiers, it would have been all but impossible to link purchases to people.
That seemingly simple detail illustrates how you can protect yourself against rampant data collection and analysis. As this study shows, anonymized records – which are widely assumed to keep individuals’ identities secret – don’t, in fact, afford a whole lot of privacy. The key takeaway is to not trust conventional anonymization.
Instead, the best option for maximum identity protection is a payment technology that’s just now coming into the mainstream: tokenization. In tokenized payment systems, a new, one-use payment code (a token) is created for every transaction. Some tokenized systems, like Apple’s Apple Pay, use a proprietary token. Others, like Abine’s Masked Cards, use an actual card number. The idea is nonetheless the same: create a unique token for every purchase.
Imagine what happens if, after making a brick-and-mortar store purchase with a regular credit card, the retailer’s systems are hacked. Your card number gets released into the wild, at which point it could be used fraudulently. You’ll have to get a new card from your bank, too.
Now think about what would happen if a tokenized payment system is hacked. The tokens, which were designed to be used only once, would be worthless to the hackers. If enough stores were using tokenized payments, large-scale hacks could become very rare – why hack payment systems if there’s nothing valuable inside?
The best part of tokenization is that it’s not some far-out futurist concept: it’s available today. Owners of iPhone 6 and 6 Plus phones can use Apple Pay at many retailers, including Walgreens and Whole Foods. Google Wallet is a credible alternative for Android users (it works on iPhones, too). And our own Masked Cards product brings tokenization to the e-commerce arena – you can use it for all of your online purchases to truly anonymize your credit card number on the web.
You don’t have to stop making credit card purchases to protect your privacy – turn to tokenization instead!