Geolocation [An updated definition for identity, authentication, and fraud prevention]
When people hear the word geolocation, they typically think of the use of GPS technology or perhaps IP address, as standard methods for identifying the geographical location of a digital user. The definition of geolocation is now changing.
Geolocation data has been used for online authentication and fraud prevention since the early days of the internet. In its simplest form, geolocation of the IP address is used to detect the city where the user is located. Then, that real-time data is compared to the history in terms of frequency (how many times was this user seen at this city) and distances (current city to latest city).
Little to no innovation has been created around the ability to analyze IP address location, even though using an IP address for geolocating a user is notoriously inaccurate. While IP-based geolocation is reasonably good for getting a user’s country, the accuracy drops off rapidly, providing only a 50% to 75 % accuracy for a user's city. And now fraudsters have developed multiple techniques to hide their true IP location including the use of VPNs, Proxies, and Tor.
With the increasing popularity of smartphones, users now widely use GPS in navigation, travel, games, and delivery apps. To enable developers to test these location-based applications, the mobile operating systems developed a feature that, while in developer mode, allows changing the coordinates of the geolocation API or faking the location. This feature designed for developers has unfortunately enabled the creation of many apps that spoof geolocation information and misguide mobile applications. Today, any end user can download these apps to spoof geolocation data. In addition, more sophisticated methods, including emulators and instrumentation tools, have also been created to spoof this data.
With IP and GPS being so easily spoofed, geolocation data has not been leveraged to its full potential because of the lack of reliability and accuracy.
Incognia is changing the definition of geolocation. This has been in the making for more than ten years.
While I was a computer science undergrad, my colleagues and I started working on a project that envisioned enabling IoT devices to interact seamlessly using geolocation data. But we recognized in 2010 that the location tech available at the time wasn't good enough. IP-based geolocation only identifies the city, and GPS can barely identify which exact building you are in. We needed a location technology to detect the device's environment and the specific unit or room inside a building. We then decided to build a proprietary location tech. Four years later, in Berlin, we were awarded by some of the top academic institutions (ACM, IEEE, Microsoft Research) for the precision of our technology (8 feet or 2.8 meters). This paper describes how it worked at the time. Eight years later, it has kept constantly evolving.
In 2020, with the rampant growth of trust and safety and fraud issues on the internet, it was finally time for a new approach to authentication and digital identities and we launched Incognia, the first location identity solution.
With one of the most powerful location technologies available, one that is spoofing resistant and multiple times more precise than the GPS (30x) and IP location, Incognia has redefined location data for online authentication. This high precision has enabled Incognia to develop a digital identity solution that is 17X more precise than FaceID, with an error rate of 1 in 17,000,000.
Let's break down the three key use cases enabled by spoofing-resistant and more precise location technology:
- Location watchlists for suspicious locations
- Address validation using location behavior
- Trusted locations for frictionless authentication
These use cases are not possible with IP and GPS technology which is easily spoofed and unreliable, making it useless for security purposes. In addition, the lower precision of these technologies would lead to high false positive rates, with entire cities, neighborhoods, and buildings blocked if the old type of location data was used to stop fraud, negatively impacting the user experience.
Location watchlists for suspicious locations
Location watchlists consist of flagging specific locations as suspicious, so apps can block sessions that originate from them. In this case, the lower precision of GPS and IP location technologies would lead to high false positive rates because entire cities, neighborhoods, and buildings would be blocked, negatively impacting the user experience for many legitimate users.
Location watchlists are used to prevent fraud by detecting and flagging the location of fraud farms (or device farms) related to organized fraud operations. Location watchlists can also re-identify recurring bad actors and scammers that operate professionally by creating multiple fake accounts or taking over legitimate user accounts.
Address validation using location behavior
Many online applications like eCommerce apps use static PII information like bureau data to validate a user’s physical address. Due to recent data breaches, this type of verification is no longer useful because fraudsters already have the data to create fake profiles with stolen information. Matching address information to IP or GPS data is also useless because this location tech is easily spoofed.
By leveraging spoofing resistant location tech, Apps can verify if a device lives or frequents a specific address based on historical location behavior information. With this new form of address validation, apps can more accurately detect synthetic identities, preventing the creation of fraudulent accounts and payment fraud. In addition, this new technique is being used to ensure the successful delivery of physical goods and the integrity of local listings at lodging and travel apps.
Trusted locations for frictionless authentication
An interesting stat is that 90% of the sessions and 95% of the high-risk mobile transactions occur at “trusted locations,” Incognia's definition for the environments that a user most frequently visits. With that in mind, Incognia has developed a way to use location as an actual authentication factor, enabling users to experience frictionless login or authentication for high-risk transactions when located at these “trusted locations”, such as their home or workplace. This allows, for example, users to authorize new devices to access their accounts with less friction caused by the use of multiple authentication factors.
By redefining geolocation as a highly precise and spoofing-resistant location technology, we can see that location data can enable new use cases for fraud prevention and can contribute significantly to providing a frictionless authentication experience with the highest security. The power of geolocation is now so much more than IP address and GPS.