Name, address, credit card number: this data is quickly entered into website fields so you can conveniently order products from webshops. All the more shocking, then, for customers to find charges for purchases they never made, but someone else did, the next time they look at their bank account. This is the scenario practically everybody dreads: falling prey to internet fraud. “Identity theft and fraud using stolen identity data occur frequently on the internet, causing significant harm,” says Michael Meier, Professor of IT Security at the University of Bonn and member of the Transdisciplinary Research Area Sustainable Futures. The victims are private individuals but also the online merchants whose websites are used to commit fraud; they too are harmed and suffer losses from non-payment. According to a study by Juniper Research, financial losses caused by online fraud worldwide amount to roughly 36 billion euros annually, and are rising. Yet victims currently have no effective way to protect themselves against fraudulent use of stolen identity data.
The University of Bonn research project DARIA, whose full name is “Data protection-compliant information fusion and risk assessment to prevent identity fraud and limit non-payment risk,” aims to change this situation. Professor Michael Meier and his team are developing an internet platform that allows private individuals to report identity theft and bar usage of their data, and allows e-commerce merchants to receive data protection-compliant risk assessments on placed transaction orders.
“Until now, merchants have had to broadly collect user data in order to prevent fraud. This data is evaluated and risk is assessed either internally or by an external service provider, like a credit agency,” Professor Meier explains. Credit agencies, like the well-known organization Schufa, collect information on bank accounts, credit cards, guarantees and unpaid invoices among many other things.
Consumer protection advocates have frequently criticized such collection of data and the associated practices of user profiling because these pose weak points that fraudsters can exploit. For example, it is often unclear what data is being collected, and this data can easily be used to identify consumers.
The researchers’ goal is to create a dependable online risk trustee in the form of an online portal that, instead of cross-checking available customer data, uses effective restriction flags. “Affected consumers report identity theft to the online risk trustee, which then hangs a usage restriction on the data in question,” Professor Meier elaborates. Thus, once reported as stolen, the data will no longer be readily usable for further attempted transactions. “Still, data needs to be stored in protected fashion,” he adds. “Thus, in this project we are looking at fraud protection methods in which the protective data restriction flags do not allow inferring of the identity of the affected individuals.”
Another part of the service is that companies can request data protection-compliant risk assessments on placed order transactions, enabling them to avoid likely fraud attempts. The restriction flags are to be enhanced through ongoing merchant reporting of fraud attempts and the compiling of this data together with existing risk information. University of Bonn researchers examine whether leveraging collaboration and merging different data yields more accurate and robust risk assessments.
Project partners and funding
Professor Franziska Boehm of the Leibniz Institute for Information Infrastructure (FIZ) in Karlsruhe and her team are involved in the project as a partner to oversee and evaluate the development efforts from a legal standpoint, particularly data protection-compliant implementation. Professor Matthias Brand of the Department of General Psychology: Cognition at the University of Duisburg-Essen and his team, on the other hand, are looking at the project implementation from the psychology perspective, for example conducting studies to verify understandability and gauge consumer acceptance and trust in the developed application.
The DARIA project is to receive approximately 1.5 million euros in funding from the Federal Ministry of Education and Research (BMBF) over a three-year period as part of the program titled Anonymization Research Network for Secure Data Usage. Of the total funding amount, 740,000 euros go to the University of Bonn.