Anonymous credit card data might not be as private as people think, according to a new study in which scientists identified 90% of people in their sample of 1.1 million credit cardholders. The number of cardholders identified by the metadata went up to 94% if they were given an actual price to work with. Their findings were based on just four credit card purchases.
Credit card companies typically remove identifying factors and anonymize credit card information when they transmit it to keep it safe from hackers and other prying eyes. But this study conducted by the Massachusetts Institute of Technology (MIT) showed that anonymous data can be used to actually identify cardholders, so your credit card information may not be as safe as you think.
Some very real privacy challenges
MIT staffers sorted through three months of credit card transactions for just over a million people, and identified 90% of the users based on the locations and dates of four purchases, which had been stripped of names and credit card numbers as well as other identifying information.
The success rate went up and only three pieces of information were needed when they had access to an actual receipt and some additional seemingly innocuous information including social media streams.
What does this mean in the real world? With a copy of a receipt, a tweet about a new TV you bought, and an Instagram photo of you out with some friends for dinner, the scientists had a 94% chance of identifying and extracting specific credit card information from millions of others. According to researchers, the identifying data did not include personal information, such as name, credit card number, or address.
They also looked at other scenarios using different amounts of information. They found that when they had just two data points or pieces of information, they still had enough information to identify at least 40% of the people in the study. When they used five pieces of information, they could unmask just about everyone. Two years ago they released a study looking at mobile-phone records, which showed similar results. The Massachusetts Institute of Technology (MIT) study was published in a recent Journal of Science.