Paygilant Autonomous Mobile Payments Fraud Prevention - Solution White Paper - Mobile Payments You Can Trust
Mobile Payments You Can Trust
Paygilant Autonomous Mobile Payments Fraud Prevention Solution White Paper
November 2017
1 Introduction and Scope

The mobile payments market is growing at an exponential rate as consumers and merchants alike adopt new payments and m-commerce solutions as they emerge. With mobile payments becoming mainstream, fraud will continue to shift to the mobile channel and threaten this sensitive ecosystem. Banks and mobile payment providers are challenged with elevating the security of their money transfer and payment solutions while providing a smooth user experience and maintaining trust. Paygilant’s on-device mobile payments fraud prevention solution stops fraudulent transactions at the pre-transactional phase and allows a smooth payment experience.

This document covers the use cases, architecture and benefits of the Paygilant solution.

2 Paygilant, Mobile Payments You Can Trust

Mobile payments fraud is rapidly increasing, as additional mobile payment solutions reach the market and offer more value to consumers in the form of in-store and mobile payments, P2P money transfer and mobile wallets. Mobile payment providers, card issuers and merchants alike are challenged with securing their applications and payment channels against device theft, new account fraud and account takeover fraud while providing consumers with the shortest, most seamless payment experience.

In today’s mobile payments environment this is not an easy task, and the approach differs from one mobile payment provider to another: some providers always accept low-amount transactions without any risk assessment, while always authenticating high-amount transactions regardless of their risk level. Other providers choose to authenticate every transaction, and some choose to allow all transactions without any risk assessment. This creates a lose-lose situation: fraud losses and operational costs increase for certain providers, while for others the adoption of mobile payments is limited by a high authentication rate.

Paygilant’s on-device solution for mobile payments and money transfer provides the peace of mind mobile payment providers and banks desire without impacting the user experience, while reducing their Total Cost of Ownership (TCO).
Autonomous Risk Assessment for Mobile Payments

Paygilant’s mobile fraud prevention solution combines a smart, independent and compact on-device risk engine with powerful backend analytics that support it. Paygilant’s SDK carries with it the intelligence required to perform the risk assessment on the device itself, without involving any backend in the process.

Paygilant’s risk assessment process is based on proprietary transaction-behavioral maps. These multi-dimensional maps represent the purchasing patterns/behavior of customers and are a fundamental pillar of Paygilant’s solution. The transaction behavior maps are generated using a Depth of Field (DOF) approach taken from digital photography, which unfolds unique capabilities: they incorporate an extensive amount of identity verification data into the risk assessment process while remaining compact in size and efficient in processing time, enabling the risk assessment to occur on the mobile device itself. Paygilant’s transaction behavioral maps are constantly updated and maintained over time, thus detecting 3x more fraud than traditional systems.

Performing the risk assessment on the device itself is key to a winning solution:

• Wealth of Identity Verification data: By performing the risk assessment on the mobile device itself, Paygilant uses a wide set of identity verification data without extracting any sensitive information from the device, avoiding data protection considerations.

• Early Detection: Paygilant identifies the fraud attempts among the genuine majority at the pre-transactional phase, providing valuable early detection.

• Decentralized Risk Assessment Environment: Today’s cyber environment is extremely dynamic. The arms race between hackers and security solutions is always on, and no organization is completely safe against attacks such as APT attacks, social engineering, trojan horses and watering hole attacks, which target a specific organization for information theft or ransomware. The risk for backend-based mobile payments fraud prevention solutions is extremely high: if compromised, such solutions risk failing to deliver anti-fraud protection for an unknown period of time and exposing the entire user base’s information to hackers. In Paygilant’s solution, every mobile device running a Paygilant-protected mobile payments application carries its own specific risk engine. This creates a decentralized environment in which there is no one central backend risk engine containing the records of all users, but rather millions of distributed risk engines, each containing the information of one specific user. Unlike current solutions, this game-changing approach defuses hacker attack scenarios against the Paygilant solution, since it would take hackers substantial effort and a long time to attempt to breach each and every mobile device. In addition, since Paygilant doesn’t collect or store any sensitive or identifiable information in its backend system, the risk of exposing the entire user base to theft doesn’t exist.

Smooth Payment Experience

Risk Based Authentication

In today’s mobile payment environment, strong customer authentication is required at a large scale. This results in a cumbersome experience for end users as well as increased operational load. Paygilant’s risk assessment solution eliminates this burden by analyzing the risk of every transaction separately and flagging just those deemed fraudulent. This way, customers are asked to authenticate only in risky situations, payment abandonment is reduced and customer loyalty is increased.

Unified Risk Assessment for All Cards

Paygilant’s solution performs its risk assessment process on all the cards the end user has defined in the mobile application, regardless of card type or brand. Paygilant’s solution keeps track of all the end user’s transactions and correlates the shopping patterns per card.

Immediate Response, No Latency

Paygilant acknowledges that transaction abandonment can happen very quickly; therefore our solution is designed with a smooth and seamless user experience in mind. Because Paygilant performs its risk assessment on the mobile device itself, latency and communication issues are eliminated and the risk assessment and authentication process completes in milliseconds, increasing customer satisfaction and loyalty.
Face Recognition Authentication

Paygilant uses the most advanced authentication methods available to determine the user’s real identity. In case a transaction is deemed high risk, the user will be asked to identify herself using a face recognition authentication process.

60% TCO Reduction

By authenticating a small percentage of the transactions and minimizing potential issues at the point of checkout, Paygilant’s solution reduces customer service and fraud department load and cuts related TCO costs by approx. 60%.

Paygilant guides your way in a sea of uncertainty and protects your mobile payments solution from fraud.

3 Use Cases and Liability Shift Considerations

The following use cases are handled by Paygilant’s solution:

1. In-store transactions – mobile payments using contactless (NFC), QR code or Bluetooth, performed in the store with the end user present, via a mobile wallet or other merchant-specific application. These transactions are currently considered Card Present transactions and the fraud liability lies with the issuer.

2. Mobile payment transactions performed via mobile wallet providers – mobile payments performed online via a mobile wallet application or other merchant-specific application. These are currently considered Card Not Present (CNP) transactions and the liability lies with the merchant.

Paygilant offers a third model for Payment Processors who integrate the Paygilant solution into their application: Paygilant Protected Mobile Payments. In this scenario, the Payment Processor offers Paygilant’s solution built in for fraud prevention and offers a liability shift to the merchants for CNP transactions.
4 Common Attack Vectors

Paygilant’s fraud prevention solution covers the following attack vectors:

1. Account Take Over – In this scenario the end user’s card and credentials have been stolen by a fraudster (by malware, phishing, etc.) and the fraudster is attempting a fraudulent transaction using those details. Paygilant’s solution protects against such scenarios by examining the user’s known purchasing habits as well as the user’s known devices. Mobile payments which are outside the normal purchasing habits or come from unknown devices increase the risk score of the transaction.

2. Fraudulent Device/SIM Swap Fraud – To protect against scenarios where fraudsters attempt transactions from new devices or have swapped the SIM, Paygilant captures a unique snapshot of the end user’s device, called Customer Identity Verification (CIV), and stores the CIV at the Paygilant backend server. The CIV binds the user’s ID to the device, so that whenever an end user attempts a transaction from a new device its CIV is verified.

3. Device Theft – In this scenario a fraudster is attempting a fraudulent transaction from the end user’s genuine device. Paygilant protects against such scenarios by examining the user’s known purchasing habits.

4. MITM/Application Tampering – Paygilant protects against fraudulent mobile payment applications and mobile malware which are programmed to bypass the bank’s payment application and communicate directly with the bank’s server. Paygilant’s tokenization protection generates a token for each transaction using the end user’s unique private map. The token is verified against the exact same map, which is created in the Paygilant backend server. The combination of the transaction parameters with the map prevents alteration of the transaction and MITM attacks.

5. New Account Fraud – In this scenario a new user is trying to open an account in the mobile payment application and the provider has no previous information on this user. Paygilant protects against such scenarios using its face recognition authentication. The user will be required to provide a photo ID during the registration process, and this photo ID will be matched against a selfie to validate the user’s identity.

6. Contactless Relay Attacks – Paygilant protects against contactless relay attacks using its extensive risk assessment model. Paygilant’s solution will identify that the fraudster’s transaction is not in line with the genuine user’s transaction behavior maps and will flag it as high risk. In addition, Paygilant’s face recognition authentication can be invoked to verify the user’s identity.

5 Technical Overview

Paygilant’s mobile payments anti-fraud solution introduces a ground-breaking approach to mobile fraud prevention. The solution is composed of two main parts:

1. Paygilant SDK – a tailored-for-mobile component which resides on the mobile device and performs the risk assessment for every transaction. The SDK carries with it the “brain power” needed to perform the risk assessment itself and is responsible for identifying the data elements relevant to the risk assessment process. The SDK also launches the face recognition authentication process for high-risk transactions, if the provider decides to incorporate this authentication method in the solution.

2. Paygilant Services – a backend component, either an on-premise server or cloud, which maintains Paygilant’s machine learning algorithms and constantly updates the mobile component with up-to-date maps.
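The per-transaction token described under attack vector 4 (MITM/Application Tampering) works because the token binds the transaction parameters to a user-specific secret that the SDK holds and the backend can recompute: a transaction whose parameters were changed in transit, or one resubmitted a second time, no longer verifies. The Python below is an added illustration, not Paygilant's code. It assumes the map-derived key can be modelled as a 32-byte secret shared by the device and the backend (the page does not describe how the key is actually derived), and computes the token as an HMAC-SHA256 over a canonical serialisation of the parameters plus a per-transaction nonce; the function names, the parameter set and the key model are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set


def canonical(tx: Dict[str, object]) -> bytes:
    """Serialise the transaction parameters deterministically, so the device
    and the backend compute the token over exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_token(user_key: bytes, tx: Dict[str, object]) -> str:
    """Per-transaction token: HMAC-SHA256 over the canonical parameters, keyed
    with the user's device-held secret (assumed stand-in for the map-derived key)."""
    return hmac.new(user_key, canonical(tx), hashlib.sha256).hexdigest()


def new_transaction(amount: str, currency: str, merchant: str, card_ref: str) -> Dict[str, object]:
    """Build the parameter set the token binds. The nonce makes each token
    unique and lets the backend detect a replayed transaction."""
    return {
        "amount": amount,          # kept as a string to avoid float formatting drift
        "currency": currency,
        "merchant": merchant,
        "card_ref": card_ref,
        "nonce": secrets.token_hex(16),
    }


class Backend:
    """Verifier: holds the same per-user key and remembers nonces already used."""

    def __init__(self, user_key: bytes) -> None:
        self.user_key = user_key
        self.seen_nonces: Set[str] = set()

    def verify(self, tx: Dict[str, object], token: str) -> str:
        expected = make_token(self.user_key, tx)
        # Constant-time comparison so the check does not leak how much matched.
        if not hmac.compare_digest(expected, token):
            return "reject_mismatch"   # parameters altered in transit, or wrong key
        nonce = str(tx["nonce"])
        if nonce in self.seen_nonces:
            return "reject_replay"     # the same tokenised transaction submitted twice
        self.seen_nonces.add(nonce)
        return "accept"


def demo() -> Dict[str, str]:
    """Walk through the honest case, a tampered amount, and a replay."""
    user_key = secrets.token_bytes(32)      # constructed: provisioned to device and backend
    backend = Backend(user_key)

    tx = new_transaction("12.50", "EUR", "merchant-123", "card-A")
    token = make_token(user_key, tx)        # computed on the device by the SDK
    results = {"honest": backend.verify(tx, token)}

    tampered = dict(tx, amount="1250.00")   # an intermediary rewrites the amount
    results["tampered"] = backend.verify(tampered, token)

    results["replay"] = backend.verify(tx, token)   # original submitted again
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce set is the piece that is easy to forget: without it, an intercepted, correctly tokenised transaction can be submitted again unchanged and still verify. A real backend would bound that set (for example by expiring nonces after the transaction's validity window) rather than keep it in memory for ever.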
Figure 1: High Level Architecture

On-Device Risk Evaluation

Paygilant’s risk evaluation process is invoked when a mobile payment or money transfer is attempted by the end user. The application passes the transaction information to Paygilant’s SDK, and an action is taken based on Paygilant’s risk evaluation.

Transaction Behavioral Maps

Paygilant’s risk evaluation process takes into account all the key information relevant for accurate detection. Paygilant’s Behavioral Maps are an essential concept in Paygilant’s solution. The Behavioral Maps represent the purchasing patterns/behavior of a specific customer and her nearest neighbors and are created using Paygilant's proprietary machine learning algorithms. The behavioral maps typically comprise a large amount of information but must be compact enough to be securely transmitted to the mobile device. To achieve this, Paygilant utilizes its depth of field (DOF) approach from digital photography to compress the information, so that the on-device calculations do not require intensive CPU and memory.

A Behavioral Map shows a clear, high-resolution picture of the different risk zones, is a key factor in determining the risk of a specific transaction, and has the following key characteristics:

- User specific: each map is unique, calculated and maintained on a per-user basis, therefore representing the transaction risk level for each customer’s transaction.
- Lightweight: Resolution variations enable maintaining only the necessary data, reducing the map's weight to a bare minimum.
- Dynamic: As the purchase behavior changes, the map is modified.

Paygilant Ecosystem

An additional factor in the risk evaluation process is the Paygilant Ecosystem. For each user, Paygilant stores the following characteristics:

For payments:
1. Known User Merchants – merchants visited and shopped at by the end user
2. Nearest Neighbors Merchants – merchants with similar characteristics to the merchants visited by the end user
3. Nearest Neighbors End Users – end users with similar characteristics to a specific account

For money transfer:
1. Known User Payees – individuals who have previously received money transfers from this account
2. Nearest Neighbors Payees – payees who have similar characteristics to Known Payees
3. Nearest Neighbors End Users – end users with similar characteristics to a specific account

Using this information, the Paygilant Ecosystem influences the risk evaluation process based on the fraud and genuine patterns of each merchant or user in each category. The Paygilant Ecosystem is updated regularly.
Paygilant Insight

Paygilant Insight enables fraud detection even when minimal transaction history is available. It tracks and monitors the transactions made by the end user, and sequences of transactions, and logs them to create a transaction pattern history. In addition, this element examines the transitions between merchants and merchant statistics in the population. This allows Paygilant to generate a reliable risk assessment for transactions when minimal transaction history is available. A further benefit is that the end user’s transaction history is kept on the device itself, so it is always up to date with no syncing time needed.

Paygilant Risk Hedging

Paygilant offers its customers the option to define certain policies which take precedence over the risk scoring process. For example, customers can choose to elevate the security level of certain transactions regardless of the Paygilant risk evaluation. In this case Paygilant will still analyze the transaction and determine its risk level, but will take action based on the pre-defined policy.

Figure 6: Risk Assessment Overview
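The Ecosystem section above lists the signals the on-device evaluation draws on (known and nearest-neighbor merchants or payees, known devices), and the Risk Hedging section states that a provider-defined policy takes precedence over the score while the score is still computed. The Python below is an added example, not Paygilant's SDK code, of how those two rules combine into one decision on the device: an additive score from device familiarity, counterparty familiarity and amount deviation, then a policy pass that can force an action before the thresholds are consulted. The profile layout, the weights, the thresholds and the three actions (allow, step_up for face recognition, decline) are constructed assumptions; the real behavioral map is a far richer structure than this flat profile.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class BehavioralProfile:
    """Compact per-user profile held on the device (constructed stand-in for the
    behavioral map plus the Ecosystem data the page describes)."""
    user_id: str
    known_devices: Set[str]
    known_counterparties: Set[str]      # merchants (payments) or payees (transfers)
    neighbor_counterparties: Set[str]   # nearest-neighbor merchants / payees
    typical_amount: float               # e.g. median of the user's past transactions


@dataclass
class Transaction:
    user_id: str
    device_id: str
    counterparty: str
    amount: float
    kind: str                           # "payment" or "money_transfer"


STEP_UP_THRESHOLD = 50   # constructed: at or above this, ask for face authentication
DECLINE_THRESHOLD = 85   # constructed: at or above this, block outright


def risk_score(profile: BehavioralProfile, tx: Transaction) -> Tuple[int, List[str]]:
    """Additive score from the signals named on the page: unknown device,
    counterparty familiarity (known / neighbor / unknown) and amount deviation."""
    score, reasons = 0, []
    if tx.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if tx.counterparty in profile.known_counterparties:
        pass                                         # familiar: no added risk
    elif tx.counterparty in profile.neighbor_counterparties:
        score += 10
        reasons.append("nearest-neighbor counterparty")
    else:
        score += 30
        reasons.append("unknown counterparty")
    if profile.typical_amount > 0 and tx.amount > 3 * profile.typical_amount:
        score += 25
        reasons.append("amount far above typical")
    return min(score, 100), reasons


# Risk hedging: a policy returns a forced action, or None to defer to the score.
Policy = Callable[[Transaction], Optional[str]]


def step_up_all_money_transfers(tx: Transaction) -> Optional[str]:
    """Constructed provider policy: every money transfer is authenticated."""
    return "step_up" if tx.kind == "money_transfer" else None


def decide(profile: BehavioralProfile, tx: Transaction,
           policies: List[Policy]) -> Dict[str, object]:
    """On-device decision. The score is always computed and reported, but a
    matching policy takes precedence over the score-based thresholds."""
    score, reasons = risk_score(profile, tx)
    for policy in policies:
        forced = policy(tx)
        if forced is not None:
            return {"action": forced, "score": score, "reasons": reasons, "source": "policy"}
    if score >= DECLINE_THRESHOLD:
        action = "decline"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "allow"
    return {"action": action, "score": score, "reasons": reasons, "source": "risk"}


# Constructed sample profile for one user and one provider policy.
SAMPLE_PROFILE = BehavioralProfile(
    user_id="u1",
    known_devices={"dev-A"},
    known_counterparties={"grocer-1", "cafe-2"},
    neighbor_counterparties={"grocer-9"},
    typical_amount=20.0,
)
SAMPLE_POLICIES: List[Policy] = [step_up_all_money_transfers]


def evaluate(tx: Transaction) -> Dict[str, object]:
    """Convenience wrapper over the constructed profile and policies."""
    return decide(SAMPLE_PROFILE, tx, SAMPLE_POLICIES)


if __name__ == "__main__":
    print(evaluate(Transaction("u1", "dev-Z", "pop-up-stall", 200.0, "payment")))
```

Keeping the score in the result even when a policy overrides it is deliberate: it is what lets the fraud team see, after the fact, whether a policy-forced authentication was also risk-justified, and it matches the page's statement that the transaction is still analysed under a policy.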
Paygilant’s SDK Security

Paygilant’s SDK and behavioral maps are protected by multi-layer security controls. Security was built into the SDK component from the ground up, to protect against tampering, forging and bypass and to ensure the safe use of the mobile payment application as well as user privacy. In addition, the map data is scrambled and obfuscated, which makes it unreadable to anyone but the Paygilant system. No private or sensitive data is stored, as the maps are a mathematical calculation which represents the purchasing behavior of the customer.

The map update is initiated by Paygilant’s back end using notifications. To overcome situations where notifications are disabled, a fail-safe mechanism in the SDK triggers periodic polling if no update is received.

Paygilant Analytics

Big Data analytics, Machine Learning and High Availability

Whether as an on-premise installation or as a managed service, Paygilant uses a strong backend infrastructure to perform its core machine learning algorithms. Paygilant’s backend runs on a big-data platform, for high performance and continuous analytics.

Multi-Dimensional database

Transactions which are relevant for the system’s operation are held in a Multi-Dimensional Database (MDDB). The MDDB is constantly updated with new transactions, keeping it up to date with current trends. Paygilant Behavioral Maps are created at the MDDB as the final product. Once a day, the MDDB processes all the new transactions and generates new transaction behavioral maps. The up-to-date maps are downloaded to the end user’s device, constantly improving the risk evaluation process.

Map Creation and Update Component

Behavioral Maps are securely stored in the system, structured in a way that expedites creation, updating and extraction. The maps are updated by the Map Creation and Update (MCU) component every time the MDDB is modified. Behavioral maps are stored and processed on the big-data platform.

Map State Tracker

The maps are updated with every new transaction made by the end user, which requires constant validation of the latest maps residing on the end user’s mobile device. The Map State Tracker (MST) is responsible for monitoring the mobile device’s current state and ensuring that it is up to date with the most current map. Once a map is updated by the MCU, the MST tracks the map provisioning state. The MST stores the state of each map and exposes an API with the KPIs for monitoring the system's status. The MST is updated when a map is created or modified, ensuring the successful provisioning of the map.

The following diagram shows the distribution of tasks and responsibilities between the Paygilant SDK and the Paygilant server-side analytics:

Figure: distribution of tasks between Paygilant Analytics and the Paygilant SDK (diagram not reproduced in the text transcription)
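The SDK Security and Map State Tracker sections together describe a provisioning loop: the backend pushes a new map, the SDK must accept only maps that are authentic and newer than the one it holds (the page says maps are protected against tampering and forging), the SDK falls back to polling when no push arrives, and the MST records which version each device is on and exposes KPIs. The Python below is an added example of that loop, not Paygilant's code. It assumes a symmetric key shared by backend and device for authenticating the map envelope (the page only says the maps are scrambled and obfuscated, not how they are authenticated), a daily polling interval, a strictly increasing version number as the anti-rollback rule, and a two-dictionary MST; the names and the KPI layout are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict

POLL_INTERVAL_S = 24 * 60 * 60   # constructed: poll daily if no push notification arrives


def sign_map(server_key: bytes, version: int, map_blob: bytes) -> Dict[str, object]:
    """Backend side: wrap a freshly generated map in a versioned, authenticated envelope.
    The version is covered by the MAC so it cannot be rewritten independently."""
    mac = hmac.new(server_key, version.to_bytes(8, "big") + map_blob, hashlib.sha256).hexdigest()
    return {"version": version, "map": map_blob.hex(), "mac": mac}


class DeviceMapStore:
    """SDK side: accepts only authentic, strictly newer maps and tracks freshness."""

    def __init__(self, server_key: bytes) -> None:
        self.server_key = server_key
        self.version = 0
        self.map_blob = b""
        self.last_update_at = 0.0

    def apply(self, envelope: Dict[str, object], now: float) -> str:
        version = int(envelope["version"])
        blob = bytes.fromhex(str(envelope["map"]))
        expected = hmac.new(self.server_key, version.to_bytes(8, "big") + blob,
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope["mac"])):
            return "rejected_tampered"        # forged or altered map content
        if version <= self.version:
            return "rejected_stale"           # replayed or rolled-back map
        self.version, self.map_blob, self.last_update_at = version, blob, now
        return "applied"

    def needs_poll(self, now: float) -> bool:
        """Fail-safe: if no push-driven update landed within the interval, poll the backend."""
        return now - self.last_update_at >= POLL_INTERVAL_S


class MapStateTracker:
    """Backend side: latest published version per user versus the version the device reported."""

    def __init__(self) -> None:
        self.published: Dict[str, int] = {}
        self.reported: Dict[str, int] = {}

    def publish(self, user_id: str, version: int) -> None:
        self.published[user_id] = version

    def report(self, user_id: str, version: int) -> None:
        self.reported[user_id] = version

    def kpis(self) -> Dict[str, int]:
        """Provisioning KPIs: how many users hold the current map and how many lag."""
        current = sum(1 for u, v in self.published.items() if self.reported.get(u, 0) >= v)
        return {"users": len(self.published), "current": current,
                "stale": len(self.published) - current}


def demo() -> Dict[str, object]:
    """Provision v1, reject a forged and a replayed envelope, then catch up to v2 via polling."""
    key = secrets.token_bytes(32)              # constructed shared key
    store, mst = DeviceMapStore(key), MapStateTracker()
    t0 = 1_700_000_000.0                       # constructed epoch seconds

    env1 = sign_map(key, 1, b"map-v1-bytes")
    mst.publish("u1", 1)
    out: Dict[str, object] = {"first": store.apply(env1, t0)}
    mst.report("u1", store.version)

    forged = dict(env1, map=b"evil-bytes".hex())   # content changed, MAC left as-is
    out["forged"] = store.apply(forged, t0 + 10)
    out["rollback"] = store.apply(env1, t0 + 20)   # the same version offered again

    env2 = sign_map(key, 2, b"map-v2-bytes")
    mst.publish("u1", 2)                           # push notification assumed lost
    later = t0 + POLL_INTERVAL_S + 1
    out["poll_needed"] = store.needs_poll(later)
    out["stale_before"] = mst.kpis()["stale"]
    out["second"] = store.apply(env2, later)       # fetched by the polling fail-safe
    mst.report("u1", store.version)
    out["stale_after"] = mst.kpis()["stale"]
    return out


if __name__ == "__main__":
    print(demo())
```

The version check is the part worth keeping even if the transport is already TLS-protected: it is what stops an old, still correctly authenticated map from being pushed back onto a device to make its risk engine forget recent behaviour.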
6 Summary

As mobile payments applications establish a stronger footprint in our everyday lives, mobile fraud rates will keep increasing. Mobile payment providers are challenged with providing adequate security levels while maintaining a smooth and seamless payment experience. Paygilant’s mobile payments anti-fraud solution introduces an advanced approach to mitigating mobile payments fraud – risk assessment using a smart and compact risk engine integrated into the mobile payment application, with a powerful analytics platform which generates end users’ private and public maps. Along with Paygilant’s advanced face recognition authentication, fraud prevention happens in real time, with minimal end user engagement and a seamless payment experience.

7 About Paygilant

Paygilant’s mission is to deliver a vigilant solution against mobile payments fraud. Paygilant’s disruptive technology makes in-store contactless payments or mobile payments easy and secure, increasing customer loyalty and reducing friction. Paygilant is recognized by industry leaders as a pioneer. Founded in 2014, we have received the EU Commission Horizon 2020 grant, participated in Citi’s Innovation Lab and IBM Alpha Zone, and more. We have recently been chosen by The Mobile Wallet in India to protect its mobile wallet application, and the best is yet to come.