According to a new study, all it takes is cross-referencing the clues from three transactions to single out a person’s credit card transactions.
The results of the study suggest that anonymous data sets may not be enough to protect a person’s privacy. As data mining becomes more prevalent, the chances that personal information gathered from the metadata increase and illustrate a weakness in the current security system.
“The fact that a few data points are enough to uniquely identify an individual was true in credit card metadata,” said Yves-Alexandre de Montjoye, an MIT graduate student and one of the study’s authors told PC World.
The information is not only available to the financial institution that issued the credit card, although there should be privacy concerns with credit card companies, as well, but from companies who use transaction information to research consumer information. This includes Move Your Money Project Coupons, which helps you compare credit cards and other financial products.
In the study, the researchers were able to determine individuals with ninety percent accuracy using just four pieces of information. If the price information is added, identification just requires three transaction.
“The fundamental scientific question is one of our human behavior,” de Montjoye said. “It’s really how our behavior compares with that of others and eventually makes us unique and identifiable.”
The team looked at three months’ worth of credit card transactions for over 1 million people shopping in over 10,000 retail locations in a single country. The information was given to the team by an unnamed bank for purposes of the study. All the names, credit card numbers, shop addresses and other information was stripped from the transaction information. The metadata that remained: amount spent, type of shop, and a personal code was then correlated and the information was compared with an outside source to determine the names of the credit card users.
The study was set up as a “correlation attack” on the credit card users and even normal security procedures to make it harder to figure out the identity of the credit card user only slowed the process down, it did not stop it.
“What our study shows is that this is not enough to prevent identification,” de Montjoye said. “I don’t think it’s ever going to be 100 percent safe, but there are steps that can be taken.”