What's really mind-boggling about the NY card-skimming fraud

"Technology can already show that an individual (in fact his/her mobile phone) is not in the US when his/her credit card is being used at a POS in New York."

Erm, Not sure I want a card processor (or anyone really) having real-time access to my movements via mobile phone location records.

As I explained in an earlier blog on EU Data Privacy, using mobile telephony to improve security for multiple aspects of banking can offer consumers around the world huge gains in terms of improved security and customer service. But those consumers – as well as banks, retailers, mobile telephony companies, regulators and governments – need to feel absolutely confident about the protection of individuals’ privacy, if these exciting opportunities are going to be realised.

And that is why security companies should go through the complex process of applying for a Privacy Seal from EuroPriSe.

European data privacy laws are arguably the most stringent in the world. That should be great news for companies that meet them when those companies come to offer their services around the world.

The lesson to be learned is quite clear - the US must migrate to EMV chip.

"European data privacy laws are arguably the most stringent in the world."

Perhaps, but they're not worth much if the politicians then decide to share it in places where the data is less well protected:

http://en.wikipedia.org/wiki/Passenger_Name_Record#Regulation_of_PNR_transfers_between_the_USA_and_the_European_Union

The bank, or card processer always knows where you are (at an ATM or POS) – our technology simply confirms this, or in the event that we refute it we never say where the person is, so the bank only works with the information it already has.

So your company tells a card processor if the transaction is more likely to be good or bad?

I imagine the criteria you base your decision on are secret, but one thing that would help you immensely would be to know if the card holder's mobile phone agrees with the card on current location?

Again, I want as few people as possible to have access to information on my movements.  Not sure how many other peopel are like me (probably more in the UK now following the phone hacking scandal!).

I could however see a system being build, with some safeguards, doing as you suggest.  But as you wrote, that is a new trust relationship and would also require a change in the law (I'm thinking in terms of the UK).

Already some cards have other safegaurds - such as requiring a user to contact the issuer or go online and tell the issuer that they are going abroad (good idea, as long as the client knows about this beforehand - a friend of mine didn't, went to HK and found himsefl in trouble - luckily he had just enough cash to call the issue to get the card unblocked).  And issuers have been known to call card owners mid shiopping to query 'unusual' purchases (but then we get ot the question of how does the card issue and the holder mutually authenticate each other?).

Don’t want to breach the rules of engagement of the blog site by going into commercial detail. Briefly we sit as an additional layer of security alongside existing risk engines – the technology already is in place. We check the proximity of the origination of the transaction to the cardholder through the global mobile network. If in proximity then we simply “confirm” what the bank already knows. If we “refute” we never declare where the phone is. Bank has much better quality information to base its decision on whether to accept or decline the transaction. On the privacy front we are fully compliant with UK Data Protection & Data Privacy laws, as we are from an EU Data Privacy regulation perspective also.