An interesting idea from Visa (of credit card fame) over in Europe… using card members’ mobile phones as location-based tokens to verify credit card transactions and ATM withdrawals. The thinking is that if your mobile phone is in the same location as the purchase or ATM withdrawal, it is more likely that you are present too and that the transaction is valid.
On the pro side:
Using this as one of multiple factors to validate a transaction seems like a good idea… people tend to keep track of their mobile phones and keep them close, and adding a token (something you have, in addition to the credit card itself) without requiring the user to do anything provides an extra layer of security without adding inconvenience.
This would be particularly handy for those of us who travel a lot – I usually find my card shut down due to a fraud alert at least once per international trip (even if I provide the card issuer with an itinerary in advance).
On the con side…
Some people may see privacy issues with this… The card issuer already knows where you are based on the transaction data and the phone location information does not really add much to the information being disclosed. However, this assumes that the only time that the issuer avails themselves of the location data from the phone is when a transaction is made. I could conceive of situations where the issuer could use the location data for other reasons – for example, detecting that you are at the mall and offering an incentive to use their card rather than the other cards in your wallet.
This model breaks down if a thief gets hold of my mobile AND my credit card or if I forget to take my phone with me. However, if the phone location is used as one of multiple validation criteria, the system should be able to handle these edge cases.
I think that this could be a good idea IF protections could be put in place to limit the use of phone location data by card issuers to validation of transactions. I could also foresee this as a tool that could be used by enterprises as an additional authentication factor for remote access to systems and networks. If the carriers could provide an API which would allow geolocation of corporate phones and that information could be cross-referenced with IP geolocation, we could get alerts or block access when the locations don’t match… this has potential, but the proverbial jury is still out.
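
A sketch of the cross-check described above, added here as an illustration and not taken from Visa or any carrier: it compares a phone fix with an IP geolocation fix and treats the result as one criterion among several, so a missing or stale phone fix falls back to the other factors. The `Fix` record, the 15-minute freshness limit and the 50 km slack are assumptions, and no real carrier API is modelled.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass
class Fix:                 # hypothetical record; no real carrier API is modelled
    lat: float
    lon: float
    accuracy_km: float     # uncertainty radius reported by the source
    age_s: float = 0.0     # seconds since the fix was taken

def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def location_signal(phone: Optional[Fix], ip: Optional[Fix],
                    max_age_s: float = 900.0, slack_km: float = 50.0) -> str:
    """Classify one attempt as 'match', 'mismatch' or 'unknown'."""
    if phone is None or ip is None or phone.age_s > max_age_s:
        return "unknown"   # phone left behind, switched off, or fix too old
    # Both sources are imprecise, so allow their combined error plus slack.
    allowed = phone.accuracy_km + ip.accuracy_km + slack_km
    return "match" if haversine_km(phone, ip) <= allowed else "mismatch"

def decide(signal: str, other_factors_ok: bool, on_mismatch: str = "alert") -> str:
    """Location is one criterion among several, never the only gate."""
    if not other_factors_ok:
        return "block"     # a matching phone cannot rescue failed credentials
    if signal == "mismatch":
        return on_mismatch # "alert" or "block", per policy
    return "allow"         # 'match', or 'unknown' carried by the other factors

# Constructed sample data (not real fixes): phone in London, IPs near London and Paris.
PHONE_LONDON = Fix(51.5074, -0.1278, accuracy_km=1.0, age_s=60)
IP_LONDON = Fix(51.50, -0.12, accuracy_km=50.0)
IP_PARIS = Fix(48.8566, 2.3522, accuracy_km=50.0)

if __name__ == "__main__":
    for name, ip in (("London IP", IP_LONDON), ("Paris IP", IP_PARIS), ("no IP fix", None)):
        sig = location_signal(PHONE_LONDON, ip)
        print(name, sig, decide(sig, other_factors_ok=True))
```

Because a match never overrides failed credentials, the stolen-phone-and-card case is left to the remaining factors rather than being waved through by location alone.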