Paygilant Autonomous Mobile Payments Fraud Prevention - Solution White Paper - Mobile Payments You Can Trust
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Mobile Payments You Can Trust
Paygilant Autonomous Mobile
Payments Fraud Prevention
Solution White Paper
November 2017
1
1 Introduction and Scope
The mobile payments market is growing at an exponential rate as consumers and merchants
alike are adopting new payments and m-commerce solutions as they emerge. With mobile
payments becoming mainstream, fraud will continue to shift to the mobile channel and
threaten this sensitive ecosystem. Banks and mobile payment providers are challenged with
elevating the security of their money transfer and payment solutions while providing a smooth
user experience and maintaining trust.
Paygilant’s on-device mobile payments fraud prevention solution stops fraudulent transactions
at the pre-transactional phase and allows a smooth payment experience. This document covers
the use cases, architecture and benefits of the Paygilant solution.
2 Paygilant, Mobile Payments You Can Trust
Mobile payments fraud is rapidly increasing, as additional mobile payment solutions reach the
market and offer more value to consumers in the form of in store and mobile payments, P2P
money transfer and mobile wallets. Mobile payment providers, card issuers and merchants
alike are challenged with securing their applications and payment channels against device theft,
new account fraud and account take over fraud while providing consumers with the shortest,
seamless payment experience.
In today’s mobile payments environment, this is not an easy task and the approaches differ
from mobile payment provider to another: some mobile payment providers choose to accept
transactions with a small amount always, without any risk assessment while transactions with
high amounts are authenticated always, disregarding the risk level. Other providers choose to
authenticate every transaction and some choose to allow all without any risk assessment. This
creates a lose-lose situation where fraud losses and operational costs are increasing for certain
providers, while for others the adoption of mobile payments is limited due to high
authentication rate.
Paygilant’s on-device solution for mobile payments and money transfer provides the peace of
mind mobile payment providers and banks so desire without impacting the user experience,
while reducing their Total Cost of Ownership (TCO).
2
Autonomous Risk Assessment for Mobile Payments
Paygilant’s mobile fraud prevention solution is a combination of
smart, independent and compact on-device risk engine and powerful
backend analytics to support it. Paygilant’s SDK carries with it the
intelligence required to perform the risk assessment on the device
itself, without involving any backend in the process.
Paygilant’s risk assessment process is based on proprietary transaction-behavioral maps. These
multi-dimensional maps represent the purchasing patterns/behavior of customers and are a
fundamental pillar in Paygilant’s solution. The transaction behavior maps are generated using a
Depth of Field (DOF) approach taken from digital photography and unfold unique capabilities:
They incorporate an extensive amount of identity verification data into the risk assessment
process, all the while remaining compact in size and efficient in processing time, enabling the
risk assessment process to occur on the mobile device itself. Paygilant’s transaction behavioral
maps are constantly updated and maintained over time, thus detecting 3x more fraud then
traditional systems.
Performing the risk assessment on the device itself is key to a winning solution:
• Wealth of Identity Verification data:
By performing the risk assessment on the mobile device itself Paygilant uses a wide set
of identity verification data without extracting any sensitive information from the
device, avoiding data protection considerations.
• Early Detection:
Paygilant identifies the fraud attempts out of the genuine majority at the pre-
transactional phase, providing valuable early detection.
• Decentralized Risk Assessment Environment:
Today’s cyber environment is extremely dynamic. The arms race between hackers and
security solutions is always on the go and no organization is completely safe against
hacker attacks such as: APT attacks, social engineering, trojan horses, watering hole
attacks - which target a specific organization for information theft or ransomware.
The risk for backend based mobile payments prevention solutions is extremely high. If
compromised, such solutions risk failure in delivering anti-fraud protection for an
unknown period of time and exposing the entire user base information to hackers.
In Paygilant’s solution, every mobile device running a Paygilant protected mobile
payments application carries its own specific risk engine. This creates a decentralized
3
environment, in which there is no one central backend risk engine containing all the
records of all the users, but rather millions of distributed risk engines, all containing the
information of one specific user at a time. Unlike current solutions, this game-changing
approach diffuses hacker attack scenarios on the Paygilant solution, since it will take
hackers substantial efforts and a long time to attempt and breach each and every
mobile device. In addition, since Paygilant doesn’t collect and store any sensitive or
identifiable information in its backend system, the risk of exposing the entire user base
to theft doesn’t exist.
Smooth Payment Experience
Risk Based Authentication
In today’s mobile payment environment, strong customer
authentication is required at a large scale. This results in a
cumbersome experience for end users as well as increased
operational load.
Paygilant’s risk assessment solution eliminates this burden by analyzing the risk of every
transaction separately and flagging just those which are deemed as fraudulent. This way,
customers are asked to authenticate only in risky situations, payment abandonment is
reduced and customer loyalty is increased.
Unified Risk Assessment for All Cards
Paygilant’s solution performs its risk assessment process on all the cards the end user has
defined in the mobile application, regardless of the card type or brand. Paygilant’s solution
keeps track of all the end user’s transactions and correlates the shopping patterns per card.
Immediate Response, No Latency
Paygilant acknowledges that transaction abandonment can happen very quickly, therefore our
solution is designed with a smooth and seamless user experience in mind.
The fact that Paygilant performs its risk assessment process on the mobile device itself
eliminates any latency or communication issues and allows the risk assessment and
authentication process to complete in milliseconds, increasing customer satisfaction and
loyalty.
4
Face Recognition Authentication
Paygilant uses the most advanced authentication methods available to determine the user’s
real identity. In case a transaction is deemed as high risk, the user will be asked to identify
herself using a face recognition authentication process.
60% TCO Reduction
By authenticating a small percentage of the transactions and
minimizing potential issues at the point of checkout, Paygilant’s
solution reduces customer service and fraud department load and
cuts related TCO costs by approx. 60%.
Paygilant guides your way in a sea of uncertainty and protects your mobile
payments solution from fraud
3 Use Cases and Liability Shift Considerations
The following use cases are handled by Paygilant’s solution:
1. In-store transactions– mobile payments using contactless (NFC), QR code, Bluetooth
performed in the store with the end user present via a mobile wallet or other merchant specific
application. These types of transactions are currently considered Card Present transactions and
the fraud liability lies on the issuer.
2. Mobile payment transactions performed via mobile wallet providers. Mobile payments
performed online via a mobile wallet application or other merchant specific application. These
are currently considered as Card Not Present Transactions and the liability shift is with the
merchant.
Paygilant offers a 3rd model for Payment Processors who integrate the Paygilant solution into
their application: Paygilant Protected Mobile Payments. In this scenario, the Payment
processor offers Paygilant’s solution built-in for fraud prevention and offers a liability shift for
the merchants for the CNP transactions.
5
4 Common Attack Vectors
Paygilant fraud prevention solution covers the following attack vectors:
1. Account Take Over -
In this scenario the end user’s card and credentials have been stolen by a fraudster (by
malware, phishing, etc) and the fraudster is attempting a fraudulent transaction using
those details.
Paygilant’s solution protects against such scenarios by examining the user’s known
purchasing habits, as well as the user’s known devices. Mobile payments which are out
of the normal purchasing habits or from unknown devices will increase the risk score of
the transaction.
2. Fraudulent Device/SIM Swap Fraud -
To protect against scenarios where fraudsters are attempting transactions from new
devices or are have swapped the SIM, Paygilant captures a unique snapshot of the end
user’s device, called Customer Identity Verification (CIV) and stores the CIV at the
Paygilant backend server. The CIV binds the user’s ID to the device so that whenever an
end user is attempting a transaction from a new device it’s CIV is verified.
3. Device Theft -
In this scenario a fraudster is attempting a fraudulent transaction from the end user’s
genuine device. Paygilant protects against such scenarios by examining the user’s known
purchasing habits.
4. MITM/Application Tampering
Paygilant protects against fraudulent mobile payment applications and mobile malware
which are programmed to bypass the bank’s payment application and communicate
directly with the bank’s server. Paygilant’s tokenization protection generates a token
per each transaction using the unique end-user’s private map. The token is verified
against the exact same map which is created in the Paygilant backend server. The
combination of the transaction parameters with the map prevents the alteration of the
transaction and MITM attacks.
5. New Account Fraud-
In this scenario a new user is trying to open an account in the mobile payment
application and the provider has no previous known information on this user. Paygilant
6
protects against such scenarios using its face recognition authentication. The user will
be required to provide a photo ID of herself during the registration process and this
photo ID will be matched against a Selfie to validate the user’s identity.
6. Contactless Relay Attacks-
Paygilant protects against contactless relay attacks using its extensive risk assessment
model. Paygilant’s solution will identify that the fraudster’s transaction is not in-line
with the genuine user’s transaction behavior maps and will flag it as high risk. In
addition, Paygilant’s face recognition authentication can be invoked to verify the user’s
identity.
5 Technical Overview
Paygilant’s mobile payments anti-fraud solution introduces a ground-breaking approach to
mobile fraud prevention. The solution is composed of two main parts:
1. Paygilant SDK - a tailored-for-mobile component which resides on the mobile device and
performs the risk assessment per every transaction. The SDK carries with it the “brain
power” needed to perform the risk assessment itself and is responsible to identify the
data elements which are relevant for risk assessment process.
The SDK also launches the face recognition authentication process for high risk
transactions, if the provider decides to incorporate this authentication method in the
solution.
2. Paygilant Services - a backend component, either an on-premise server or cloud, which
maintains Paygilant’s machine learning algorithms and constantly updates the mobile
component with up-to-date maps.
7
Figure 1: High Level Architecture
On-Device Risk Evaluation
Paygilant’s risk evaluation process is invoked when a mobile payment or money transfer is
attempted by the end user. The application sends Paygilant’s SDK with the transaction
information and an action is taken based on Paygilant’s risk evaluation.
Transaction Behavioral Maps
Paygilant’s risk evaluation process takes into account all the
key information which is relevant for an accurate detection.
Paygilant’s Behavioral Maps are an essential concept in
Paygilant’s solution. The Behavioral Maps represent the
purchasing patterns/behavior of a specific customer and her
nearest neighbors and are created using Paygilant's proprietary machine learning algorithms.
The behavioral maps typically comprise a large amount of information but must be compact
8
enough since they are securely transmitted to the mobile device. To achieve this Paygilant
utilizes its depth of field (DOF) approach from digital photography to compress the information
so that complex calculations that do not require work intensive CPU and memory. A Behavioral
Map shows a clear, high resolution picture of the different risk zones and is a key factor in
determining the risk of a specific transaction and has the following key characteristics:
- User specific: each map is unique, calculated and maintained on a per user basis, therefore
representing a transaction risk level for each customer’s transaction.
- Lightweight: Resolution variations enable maintaining only the necessary data, reducing
the map's weight to a bare minimum.
- Dynamic: As the purchase behavior changes, the map will be modified.
Paygilant Ecosystem
An additional factor in the risk evaluation process is the Paygilant
Ecosystem. Per each user, Paygilant stores the following
characteristics:
For payments:
1. Known User Merchants – merchants visited and shopped
at by the end user
2. Nearest Neighbors Merchants – Merchants with similar characteristics to the
merchants visited by the end user
3. Nearest Neighbors End Users – end users with similar characteristics to a specific
account
For money transfer:
1. Known User Payees – individuals who’ve previously received money transfers from
this account.
2. Nearest Neighbors Payees – Payees who have similar characteristics to Known
Payees
3. Nearest Neighbors End Users – end users with similar characteristics to a specific
account
Using this information, the Paygilant ecosystem influences the risk evaluation process, based on
the fraud and genuine patterns of each merchant or user in each category.
The Paygilant Ecosystem is updated regularly.
9Paygilant Insight
Paygilant Insight enables fraud detection even when
minimal transaction history is available. It tracks and
monitors transactions made by the end user and
sequences of transactions and logs them to create
transaction pattern history. In addition, this element
examines the transitions between merchants and
merchant statistics in the population.
This allows Paygilant to generate a reliable risk assessment for transactions when minimal
transaction history is available. Another valuable benefit is since keeping the end user’s
transaction history is always up to date on the device itself, with no syncing time needed.
Paygilant Risk Hedging
Paygilant offers its customers the option to define certain policies
which take precedenance to the risk scoring process. i.e.
customers can choose to elevate the security level of certain
transactions regardless of the Paygilant risk evaluation. In this case
Paygilant will still analyze the transaction and will determine its
risk level, but will take action based on the pre-defined policy.
Figure 6: Risk Assessment Overview
10Paygilant’s SDK Security
Paygilant’s SDK and behavioral maps are protected by multi-layer security controls. Security
was built into the SDK component from the ground up, to protect against tampering, forging
and bypass and ensure the safe use of the mobile payment application as well as the user
privacy. In addition, the maps data is scrambled and obfuscated which makes it unreadable to
anyone but the Paygilant system. No private or sensitive data is stored as the maps are a
mathematical calculation which represents the purchasing behavioral of the customer.
The Map update is initiated by Paygilant’s back end using notifications. In order to overcome
situations where notifications are disabled, a fail-safe mechanism on the SDK triggers periodic
polling if no update is received.
Paygilant Analytics
Big Data analytics, Machine Learning and High Availability
Whether as an on-premise installation or as a managed service, Paygilant uses a strong backend
infrastructure to perform its core machine learning algorithms. Paygilant’s backend runs on a
big-data platform, for high performance and continuous analytics.
Multi-Dimensional database
Transactions which are relevant for the system’s operation are held in a Multi-Dimensional
Database (MDDB). The MDDB is constantly updated with new transactions, making it up-to-
date with current trends.
Paygilant Behavioral Maps are created at the MDDB, as the final product. Once a day, the
MDDB processes all the new transactions and generates new transaction behavioral maps. The
up-to-date maps are downloaded into the end user’s device, constantly improving the risk
evaluation process.
Map Creation and Update Component
Behavioral Maps are securely stored in the system, structured in such a way that expedites
creation, updating and extraction. The maps are updated every time the MDDB is modified by the
Map Creation and Update (MCU) component. Behavioral maps are stored and processed on the big-
data platform.
Map State Tracker
11The maps are updated with every new transaction made by the end user, which requires
constant validation of the latest maps residing on the end user’s mobile device.
The Maps State Tracker (MST) is responsible for monitoring the mobile device’s current state
and ensuring that it is up-to-date with the most current map. Once a map is updated by the
MCU, the MST will track the map provisioning state. MST stores the state of each map and
exposes an API with the KPIs for monitoring the system's status. MST is updated when a map is
created or modified ensuring the successful provisioning of the map.
The following diagram shows the distribution of tasks and responsibilities between the
Paygilant SDK and the Paygilant server-side analytics:
Paygilant Analytics
Paygilant SDK
126 Summary
As mobile payments applications establish a stronger footprint in our everyday lives, the mobile
fraud rates will keep increasing. Mobile payment providers are challenged with providing the
adequate security levels while maintaining a smooth and seamless payment experience.
Paygilant’s mobile payments anti-fraud solution introduces an advanced approach to mitigating
mobile payments fraud – risk assessment using a smart and compact risk engine integrated into
the mobile payment application, with a powerful analytics platform which generates end users’
private and public maps. Along with Paygilant’s advanced face recognition authentication, fraud
prevention happens in real time, with minimal end user engagement and a seamless payment
experience.
7 About Paygilant
Paygilant’s mission is to deliver a vigilant solution against mobile payments fraud. Paygilant
disruptive technology makes in-store contactless payments or mobile payments easy and
secure, increasing customer loyalty and reducing friction.
Paygilant is recognized by industry leaders as a pioneer. Founded in 2014, we have received the
EU Commission Horizon 2020 grant, participated in Citi’s Innovation Lab and IBM Alpha Zone,
and more. We have been recently chosen by The Mobile Wallet in India to protect its mobile
wallet application and the best is yet to come.
13You can also read
