WO2022003547A1 - Fraud protection in subscription flows for mobile application services - Google Patents
- Publication number: WO2022003547A1 (PCT/IB2021/055782)
- Authority: WO, WIPO (PCT)
- Prior art keywords
- subscription
- subscription request
- subscriber
- request
- data
Classifications
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
  - H04M15/47—Fraud detection or prevention means
  - H04M15/48—Secure or trusted billing, e.g. trusted elements or encryption
  - H04M15/51—for resellers, retailers or service providers
  - H04M15/58—based on statistics of usage or network monitoring
  - H04M15/64—On-line charging system [OCS]
  - H04M15/68—Payment of value-added services
  - H04M15/83—Notification aspects
    - H04M15/8351—Time or frequency of notifications, e.g. Advice of Charge [AoC] before establishing a communication
    - H04M15/844—Message, e.g. SMS
    - H04M15/85—Notification aspects characterised by the type of condition triggering a notification
    - H04M15/855—Successful event
    - H04M15/858—Request users acknowledgement prior to use
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
  - H04W4/24—Accounting or billing
Definitions
- VAS Value Added Services
- MNO mobile network operator
- web fraud involves situations where customers are subscribed and charged for services without their consent, which negatively impacts user experience and ultimately damages an MNO’s reputation. This impacts the customer and undermines confidence in such VAS services offered by or through the MNO.
- security threats and fraud may be carried out via subscriptions that are instigated by non-human entities or by malicious human-led behaviour. Malware inserted in the software of a user’s mobile communication device or other fraud via a user’s device such as hijacking is often capable of collecting personal and private data without user consent and sharing unauthorized information with third parties.
- a DCB subscription request can be submitted by a mobile account subscriber and processed by a billing system of the subscriber’s MNO without the subscriber affirmatively providing any authentication or identification data. This is typically achieved by using identification information that is automatically injected by the MNO into headers of application protocol request messages transmitted from the subscriber’s mobile handset via the MNO’s mobile network.
- the method may include gathering risk data from a mobile communication device with the data associated with the subscriber identifier and/or gathering risk data from the service provider server and using the gathered risk data in the validating of a subscription request.
- Validating may include evaluating the gathered risk data associated with the subscription request from one or more of: profile data gathered and associated with the subscriber identifier; data gathered from an external domain of the service provider server; and the subscription request.
- the step of validating may use algorithms in multiple dimensions to check for known threat patterns in the subscriber request and previously gathered risk data.
- the communication channel may be one of the group of: a web channel, a short message service (SMS) channel, an unstructured supplementary service data (USSD) channel, or other communication channel through which a subscription request can be made.
- SMS short message service
- USSD unstructured supplementary service data
- a subscription request via a web channel may be redirected from a user communication device, whereas other subscription channels may be redirected via a service provider server.
- the method may include using header enrichment to extract data from a header of the subscription request for use in the validation. Extracting data from the header may include extracting an identifier injected into the request, and wherein validating may include analysing the validity of the identifier.
- the redirected subscription request may be triggered by a trigger component incorporated into an external domain of the service provider server.
- the method may include deploying a subscriber activity component to an external domain of the service provider server, wherein the subscriber activity component records subscriber interaction with the external domain.
- the step of validating may include: analysing gathered risk data associated with the subscription request to determine the likelihood that the subscription request is legitimate; and, processing the subscription request if the subscription request is determined likely to be legitimate; or, refusing the subscription request if the subscription request is determined not likely to be legitimate.
- the method may include transmitting and receiving data to and from a mobile software application installed on a mobile communication device associated with the subscriber identifier. Transmitting data may include transmitting malware update data to update a malware index stored in the software application and configured for use by the software application in detecting malware installed on the communication device. Transmitting data may also include transmitting untrusted external domain update data to update an untrusted external domain index stored in the software application and configured for use by the software application in evaluating external domains accessed by mobile communication device.
- the method may further include parsing content provided to a subscriber via an external domain and evaluating the parsed content against a regulation schema to determine whether the external domain complies with regulations relating to a subscription request.
- the method may include crawling the web to identify web-based advertisements directing to an external domain; parsing content provided to a subscriber via the web-based advertisements and evaluating the parsed content against a regulation schema to determine whether the web-based advertisements comply with regulations relating to a subscription request.
- the method may include maintaining a subscriber risk profile, including updating the subscriber risk profile with data associated with the subscription request.
- the subscriber risk profile may include data associated with prior subscription requests associated with the subscriber identifier, and wherein analysing the gathered risk data associated with the subscription request may include comparing the subscription request against the prior subscription requests and flagging anomalies detected in the comparison.
- the method may also include providing a clearing period cancellation, wherein the security platform continues validating after the subscription is completed for a clearing period of time to identify either an automated or behavioural fraud pattern, and cancelling transactions of affected users during the clearing period.
- MNO mobile network operator
- the system may include providing code at a service provider server to redirect a subscription request received via a communication channel from the mobile communication device by integrating the code in a service confirmation stage.
- the system may further include providing code at a mobile communication device for gathering risk data related to subscription requests and other data points and associating the gathered risk data with a subscriber identifier.
- a computer program product for fraud protection in subscription flows for mobile application services using direct billing of a subscriber account maintained by a mobile network operator (MNO), comprising a computer-readable medium having stored computer-readable program code for performing the steps of: receiving a redirected subscription request for a direct carrier billing service, wherein the subscription request is provided via a communication channel between a service provider server and a mobile communication device having a subscriber identifier; validating in real time the subscription request at the security platform including evaluating risk associated with the subscription request using the subscriber identifier of the request and by applying fraud detecting algorithms to the subscription request using gathered risk data; and confirming allowance of the subscription request by initiating the activation of the subscription at the MNO allowing access to the mobile application service by the subscriber via the mobile communication device; or blocking allowance of the subscription request.
- Figure 1 is a block diagram of a system including a security platform in accordance with an example embodiment of the present invention
- Figure 2 is a schematic diagram of an interaction between a service provider server and a security engine in accordance with an example embodiment of the present invention
- Figure 3 is a flow diagram showing an example subscription flow including validation using a web channel in accordance with an aspect of the present invention
- Figure 4 is a flow diagram showing an example subscription flow including validation from a published advertisement and using Unstructured Supplementary Service Data (USSD) verification in accordance with an aspect of the present invention
- Figure 5 illustrates an example of a computing device in which various aspects of the disclosure may be implemented.
- USSD Unstructured Supplementary Service Data
- the described methods and systems provide a security platform that protects MNOs and their subscribers from fraud in online transactions.
- the security platform sits as a gateway between a direct carrier billing system of the MNO and a service provider server to which a subscriber wishes to subscribe using a mobile communication device.
- Analysis tools and techniques are provided by the security platform providing end-to-end protection of the subscription flow, from advert click to subscription to subscriber billing via the subscription.
- the security platform provides a fraud prevention platform for online subscription transactions and enables MNOs to build a healthy, fraud-free subscriber base, using a fraud-protected subscription flow. This allows subscribers to enjoy various digital services increasing customer satisfaction and minimizing customer care issues.
- the security platform provides security for subscription flows that use one of various communication channels between the subscriber mobile communication device and the service provider server including web, Short Message Service (SMS), and Unstructured Supplementary Service Data (USSD) subscription flows.
- SMS Short Message Service
- USSD Unstructured Supplementary Service Data
- the security platform provides code that is integrated with the service provider’s offering such as the web page with a customized consent page in order to intercept and validate a subscription request as part of the subscription flow.
- the security platform also provides code that is executed on a mobile communication device to gather required data points for the security validation as described further below.
- a block diagram shows an example embodiment of a system (100) including a security platform (120) that acts as a gateway between a mobile network operator system (110) and a service provider server (130) providing subscription services.
- the security platform (120) may be provided on one or more servers that may be local to the mobile network operator system (110) or provided via a network including as a cloud service.
- the security platform (120) includes a security engine (160) for ensuring multi-dimensional anti-fraud during a subscription flow between a service provider server (130) and a mobile communication device (140) of a user.
- the security platform (120) may be provided by one or more servers that include a processor for executing the functions of components described, which may be provided by hardware or by software units executing on the server.
- the software units may be stored in a memory component and instructions may be provided to the processor to carry out the functionality of the described components.
- a service provider server (130) may provide a value-added service that can be subscribed to by a mobile network subscriber from their mobile communication device (140).
- the service provider may be related to the mobile network operator or may be independent from it with the service allowing subscription using direct carrier billing of a subscriber billing system (112) and service delivery platform (111) of the mobile network operator system (110).
- the security platform (120) may provide a security component (135) at the service provider server (130) that may be incorporated within a subscription service (132) such that the security component (135) intercepts and validates a subscription request made from a mobile communication device (140).
- the security component (135) includes a redirection component (136) that redirects a subscription flow provided when a subscriber using a mobile communication device (140) makes a subscriber request to a service provider server (130) via a subscription channel (150).
- a subscription channel (150) may be a web channel, an SMS channel, a USSD channel, or another form of communication channel via which a subscriber using a mobile communication device (140) may sign up to a service provided by a service provider server (130).
- the subscription request for a direct carrier billing service may be redirected to a subscription validation component (121) of the security engine (160) at the security platform (120) and the subscription validation component (121) may include a request receiving component (131).
- the subscription validation component (121) may use a fraud detection component (123) to ensure that the subscription flow is valid and not subject to security threats.
- the fraud detection component (123) uses multiple fraud detection algorithms (124) to provide multiple dimensions of security threat detection. This may include monitoring for occurrence of predefined events that are known to be threats and that may be recorded in a threat index (125). There may be multiple algorithms for each type of threat and the algorithms may be used in conjunction with each other to produce the final result (e.g.
- the fraud detection algorithms (124) may take one or more data points as their inputs and may output one or more of a score, value, likelihood or other indication of the probability of the data points being associated with fraudulent activity or security threat detection.
- the data points may include or form part of risk data or security data gathered from one or more of a mobile communication device of a subscriber (e.g. via a security application installed thereon or from the device itself), user interactions with the service provider’s web page (e.g. via a subscriber activity component provided at an external domain of the service provider server which records subscriber interaction with the external domain), and web protocols (such as HTTP messages).
- the security component (135) may gather risk or security data at the service provider server (130), when using subscription channels (150) using USSD or SMS, for use and monitoring by the security platform (120).
- the security platform (120) may include a service provider monitoring component (129) for gathering and monitoring the data from service provider server (130).
- the security component (135) may include a subscriber activity component (137) provided at an external domain of the service provider server (130) to record subscriber interaction with the external domain.
- the subscriber activity component (137) may record data points relating to subscriber interaction with the external domain. This data may be used by the fraud detection component (123).
- the security platform (120) also provides a security application (145) in the form of a mobile software application installed or executed at a subscriber’s mobile communication device (140).
- the security application (145) may include a validation component (146) to validate a subscriber request with the security platform (120) and to gather risk or security data from the mobile communication device (140).
- a mobile communication device (140) has an associated unique identifier provided by the mobile network operator to which the user subscribes, for example, International Mobile Subscriber Identity (IMSI) or Mobile station International Subscriber Directory Number (MSISDN) number. This identifier is used by the security application (145) when gathering data for the security platform (120).
- the security platform (120) may include a mobile device monitoring component (126) for gathering and monitoring the data from mobile communication devices (140). This data may be used by the fraud detection component (123).
- the security application (145) may transmit and receive data from the security platform (120) that may include malware update data to update a malware index stored in the security application (145) and configured for use by the security application (145) in detecting malware installed on the mobile communication device (140).
- the received data may also include untrusted external domain update data to update an untrusted external domain index stored in the security application (145) and configured for use by the security application (145) in evaluating external domains accessed by mobile communication device (140).
- the security platform (120) may include a service monitoring dashboard component (127) for providing a monitoring service to the service provider of past and current security threats and including a mobile communication device identifier monitoring component (128) for monitoring mobile communication devices by their identifiers for security threats.
- a mobile network subscriber using their mobile communication device (140) may respond to an advert (143) received on their mobile communication device (140).
- this may be an advert (143) viewed on a browser (141) of the mobile communication device (140) for a subscription service (142).
- the advert (143) may be received at the mobile communication device (140) in a message such as an SMS or USSD message, or via another application or communication method.
- the mobile network subscriber may send a subscription request via a subscription channel (150), such as via a web request, an SMS, a USSD, or other message, to the service provider server (130) offering the subscription service.
- the service provider server (130) will activate the subscription service (132) and using direct carrier billing the subscription service fee will be directly debited using the subscription billing system (112) of the mobile network operator system (110).
- the security platform (120) validates the subscription request providing security for the service provider and for the subscriber.
- the security platform (120) may include a header enrichment component (122) for using a header enrichment service (113).
- the header enrichment service (113) may be provided by the mobile network operator to provide a unique identifier of a mobile communication device (140). The unique identifier may be provided to use as a subscriber identifier in subscriber request messages.
- Header enrichment may be used in the validation when the subscription channel (150) is a web channel. Header enrichment may also be used to validate that the unique identifier is not spoofed. Header enrichment is the process of adding data fields in the Hypertext Transfer Protocol (HTTP) header used by downstream servers. In mobile networks it is used to add unique identifiers, such as user and device identifiers (IMEI, IMSI, MSISDN, UID) or other data, that identify subscriber or mobile communication device details. Additional information may be added to HTTP headers to be processed during the subscription flow.
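One way a receiving server could check that a header-enriched identifier was injected by the operator rather than supplied by the client, as an added example that is not code from the patent. The header name `x-msisdn`, the gateway address range and the length bounds are assumptions made for the sketch; real deployments use whatever the MNO configures.

```python
import ipaddress
import re

# Assumptions for this sketch (none of these values come from the patent):
ID_HEADER = "x-msisdn"                                   # hypothetical header name
MNO_GATEWAY_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed range
MSISDN_RE = re.compile(r"^[1-9]\d{6,14}$")               # E.164 digits, no '+'


def extract_subscriber_id(peer_ip, raw_headers):
    """Return (msisdn, None) when the injected identifier can be trusted,
    otherwise (None, reason).

    raw_headers is a list of (name, value) pairs in wire order, so repeated
    headers stay visible instead of being merged by a dict.
    """
    # 1. The header only means something if the request arrived from the
    #    operator's enrichment gateway.
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in MNO_GATEWAY_NETS):
        return None, "not_from_mno_gateway"

    # 2. Exactly one identifier header must be present. A second copy, or a
    #    comma-joined value, means something other than the gateway added one.
    values = [v.strip() for n, v in raw_headers if n.lower() == ID_HEADER]
    if not values:
        return None, "identifier_missing"
    if len(values) > 1 or "," in values[0]:
        return None, "identifier_repeated"

    # 3. The value must look like an MSISDN.
    value = values[0]
    msisdn = value[1:] if value.startswith("+") else value
    if not MSISDN_RE.match(msisdn):
        return None, "identifier_malformed"
    return msisdn, None


def run_samples():
    """Classify a few constructed requests and return the outcomes."""
    samples = {
        "enriched": ("10.20.4.7", [("Host", "sp.example"), ("X-MSISDN", "27821234567")]),
        "off_network": ("203.0.113.9", [("X-MSISDN", "27821234567")]),
        "two_headers": ("10.20.4.7", [("X-MSISDN", "27820000001"), ("x-msisdn", "27821234567")]),
        "no_header": ("10.20.4.7", [("Host", "sp.example")]),
    }
    return {name: extract_subscriber_id(ip, hdrs) for name, (ip, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(name, outcome)
```

A rejected request here would feed the fraud checks as a data point rather than being trusted as a subscriber identifier.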
- the security platform (120) executes end-to-end validation from all subscription and activation requests. During the entire flow, each individual request is analysed in real time on several dimensions, granting security to the subscription process.
- the security platform covers user recruitment (subscription requests) from users connected via the carriers’ or MNO’s network, for example, from both native browsers and in-application requests originating from a Hyper Text Markup Language (HTML) page in which the described security is provided.
- HTML Hyper Text Markup Language
- consent or confirmation pages of the service provider are integrated with a button for the security platform engine.
- Header enrichment may be provided to all security platform domains (using the Domain Name System (DNS)) with the header enrichment provided to service providers using the security platform.
- DNS Domain Name System
- the security platform prepares landing pages for service providers and the partner service providers make any necessary development or configuration on their side. Requirements from the MNO side may be limited and may for example include enabling header enrichment as described and in some implementations configuration steps for example relating to the clearing process as described.
- the security platform performs all the necessary validation work and, only if a request is approved, the security platform notifies the service provider of the validated attempt with related MSISDN.
- a flow diagram (200) illustrates an example embodiment of the described method carried out at a service provider server (130) and the security engine (160) of the security platform (120).
- the service provider server (130) may provide a subscription service web page (231) and this may include an attestation of compliance (AOC) page in the form of a confirmation or consent page (232) that displays mandatory policies information to the end user.
- AOC attestation of compliance
- the confirmation page (232) integrates the security component (135) for interaction with the security platform (120). This may be by inserting a security button or other form of trigger at the confirmation page (232) for the security engine (160) hosted by the security platform (120) to perform the security validation and anti-fraud protection.
- the security button may include software code that triggers the security engine (160) upon activation by a user.
- the security component (135) identifies the requesting subscriber by a unique identifier. This may use header enrichment provided by the MNO or other methods to include a unique identifier of the subscriber, such as the MSISDN, that is used by the security engine (160) in its evaluation of the security threats associated with the mobile communication device (140) and the subscriber.
- the security engine (160) receives (262) the validation request including the subscriber identifier and validates the request.
- This may include the security engine (160) carrying out checks (263) for fraud and threats.
- the checks may involve multiple dimensions of security validations based on data gathered from the service provider, subscriber devices such as the mobile communication device (140), web protocols and the like.
- the checks (263) may include inputting data points from the gathered data, such as gathered risk data, into fraud detection algorithms (124) for detecting fraud or security threats.
- the checks may include outputting one or more of a score, value, likelihood or other indication of the probability of the data points being associated with fraudulent activity or security threat detection.
- the validation may include checking (264) the subscriber identifier for threats recorded against this identifier.
- the security engine (160) may confirm or deny (265) the subscriber request to the service provider based on the security validation carried out.
- the security platform (120) sends an activation call (266) to the MNO’s service delivery platform (SDP) and/or to the service provider.
- the MNO’s SDP or the service provider activates the user on the service and may notify (267) both the security platform (120) and the service provider.
- the access to the service is granted or denied (244) and, if granted, the subscriber is redirected to the service provider’s web site portal (233) with their authenticated subscription. This may be referred to as a double opt-in flow and summarised as follows:
  1. User clicks on ‘subscribe’ button at Service Provider page;
  2. User is redirected to the Consent Page where Security Engine button is implemented;
  3. Security Engine performs validation request and releases only clean traffic for SDP/MNO validation;
  4. SDP/MNO checks user eligibility for service subscription and/or billing charge;
     a. SDP/MNO returns response code to Security Engine;
  5. Security Engine redirects user to Service Provider Portal (website) for successful activation;
     a. Unsuccessful activations are redirected to a disclaimer page.
- the security platform delivers the security measures necessary to use header enriched flows and avoid one-time password (OTP) flows, which prevent real users from activating. OTP flow protection may also be included with the security platform, but is neither required nor recommended as it does not add to the security provided and may make the user experience worse.
- the security platform may monitor adverts and subscriptions provided via an external domain of a service provider.
- a flow diagram (300) shows an example scenario for a subscription flow starting from a published advertisement and using a subscription web channel from a mobile communication device (140) of a user.
- a user of a mobile communication device (140) sees an advertisement banner from a service provider server (130), for example, displayed (301) on a browser displayed on their mobile communication device (140) and clicks on it to subscribe.
- the security platform (120) may monitor the placement and compliance of advertisements from service providers.
- Clicking on the advert takes (302) the browser to an MSISDN page using header enhancement for MSISDN identification of the mobile communication device (140).
- An MSISDN page may be any web page to which the subscriber is redirected and via which redirection the MSISDN or other unique identifier is obtained through header enrichment.
- a confirmation click may be received (303) on the page to confirm the user’s intention to subscribe to the service.
- the subscription request is redirected (304) to the security platform for validation of the subscription request. Validation may be carried out by the security engine (160) using fraud detection algorithms (124), for example as described above with reference to Figure 2.
- a flow diagram (400) shows an example scenario for a subscription flow starting from a published advertisement and using a USSD verification from a mobile communication device (140) of a user.
- a user of a mobile communication device (140) sees an advertisement banner from a service provider server (130), for example, received (401) via a message displayed on their mobile communication device (140) sent to the MSISDN of the subscriber.
- Clicking on the advert may take the browser of the mobile communication device (140) to visit (402) a landing page for the service.
- a confirmation or subscribe click on the landing page may be received (403) to confirm the user’s intention to subscribe to the service and to activate a USSD prompt that is displayed to the user in order to be confirmed.
- a confirmation response may be received (404) to the USSD prompt in order to confirm the subscription request by the subscriber.
- the subscription request is sent (405) via a server-to-server (S2S) call to the security platform for validation of the subscription request. Validation may be carried out by the security engine (160) using fraud detection algorithms (124), for example as described above with reference to Figure 2.
- a subscription may be initiated via other channels.
- any one of SMS-, rich communication services- (RCS), SatPush-, interactive voice response- (IVR) or email-based channels may be used to activate a prompt that is displayed to the user in order for the service to be confirmed.
- a subscription flow may start from a USSD, RCS, SatPush, IVR or SMS request.
- the security platform (120) may include a service monitoring dashboard component (127) that provides reporting of security threats and associated statistics. This includes data as gathered from the security component (135) at the service provider server (130) and the security applications (145) provided at mobile communication devices (140) as well as the outcomes of the fraud detection component (123) of the security engine (160).
- the security platform may provide a dashboard for monitoring a campaign’s performance for each service provider and service, using a variety of different reports and dimensions, as well as reviewing the interaction history on a subscriber identifier (such as an MSISDN or equivalent) level.
- Reports may include:
  - Real time monitoring of subscription flows;
  - Overall performance: Main key performance indicators and daily evolution of blocked and cleared traffic;
  - Analysis: Breakdown on type of fraud identified;
  - Top Blocked Traffic Sources: List of top blocked traffic sources, as shared by the service providers;
  - Top Blocked Applications: List of top blocked applications, as identified in the activation requests sent by the users;
  - Blocked vs successful attempts: Daily aggregated performance of the real time blocking;
  - Security Performance: Detailed performance reports, with low level break down and export functionality for offline processing;
  - Real time view on the traffic, as processed by the security platform.
- the security platform may maintain a subscriber risk profile, including updating the subscriber risk profile with data associated with a new subscription request.
- the subscriber risk profile includes data associated with prior subscription requests associated with the subscriber identifier.
- Analysing the risk data associated with the subscription request includes comparing the subscription request against the prior subscription requests and flagging anomalies detected in the comparison.
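The comparison against prior subscription requests can be sketched as follows. This is an added example, not code from the patent: the field names follow the data points the description lists (user agent, device language, device time zone, time spent on page), while the thresholds, flag names and the in-memory store are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Thresholds are illustrative assumptions, not values from the patent.
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 3      # prior requests tolerated inside the window
MIN_HISTORY = 2      # history needed before per-subscriber baselines apply
FAST_RATIO = 0.2     # time on page below 20% of the subscriber's own median


@dataclass(frozen=True)
class SubscriptionRequest:
    msisdn: str
    service: str
    timestamp: datetime
    user_agent: str
    device_language: str
    device_time_zone: str
    time_on_page_s: float

    def fingerprint(self):
        return (self.user_agent, self.device_language, self.device_time_zone)


def compare(request, history):
    """Return anomaly flags for `request` relative to the subscriber's prior requests."""
    flags = []
    recent = [p for p in history
              if timedelta(0) <= request.timestamp - p.timestamp <= BURST_WINDOW]
    if len(recent) >= BURST_LIMIT:
        flags.append("request_burst")
    if any(p.service == request.service for p in recent):
        flags.append("repeat_same_service")
    if len(history) >= MIN_HISTORY:
        if request.fingerprint() not in {p.fingerprint() for p in history}:
            flags.append("new_device_fingerprint")
        typical = median(p.time_on_page_s for p in history)
        if typical > 0 and request.time_on_page_s < FAST_RATIO * typical:
            flags.append("time_on_page_outlier")
    return flags


class RiskProfileStore:
    """In-memory stand-in for the subscriber risk profile, keyed by MSISDN."""

    def __init__(self):
        self._history = {}

    def analyse(self, request):
        history = self._history.setdefault(request.msisdn, [])
        flags = compare(request, history)
        history.append(request)  # the profile is updated with every new request
        return flags


def run_sample():
    """Replay constructed requests for one MSISDN and return the flags per request."""
    t0 = datetime(2021, 6, 29, 9, 0)

    def req(minute, service, ua="Browser/1.0", secs=12.0):
        return SubscriptionRequest("27820000001", service, t0 + timedelta(minutes=minute),
                                   ua, "en-ZA", "Africa/Johannesburg", secs)

    store = RiskProfileStore()
    sample = [req(0, "news"), req(1440, "music", secs=10.0),
              req(2880, "games", ua="HeadlessApp/0.1", secs=0.4),
              req(2881, "games", ua="HeadlessApp/0.1", secs=0.4)]
    return [store.analyse(r) for r in sample]
```

The first two requests only build the baseline; the third is flagged because its device fingerprint and time on page differ from everything recorded for that MSISDN.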
- the security platform may provide a unique identifier search based on unique identifiers such as MSISDNs.
- the security platform may provide the option to search for the activation, interaction and infection history of users. This may be done through a MSISDN search page where the MSISDN of a user is used as key on the search.
- MSISDN (or equivalent) search will also give the possibility to check by MSISDN:
  - Partner name, service name, IP, browser type/app, device, price, frequency/one-time charge, free trial period, request time-stamp, status of validation;
  - Interaction history may be extracted.
- the security platform architecture ensures that the platform will be highly available and with very low response times. For example, response time on client requests will aim not to exceed 1 second, for all the calls related to a browser user experience.
- Validations Performed by the Security Platform
- Platform functionalities can be grouped as follows.
- Real-time Automated Fraud Prevention: detection and blocking of bots, clickjacking, hijacked devices, malware apps, etc. The security platform broadly classifies all threats encountered as an Automated Threat (i.e. malware or bot attacks). Such threats may be determined to have happened by a piece of software running on user’s device without user realizing it, or may be determined to originate from malicious software that is server-based.
- Behavioural Fraud Prevention: User behaviour analysis to further block unwanted patterns. The security platform broadly classifies all threats encountered that are determined to have happened by a human-led action without the user being able to identify the malicious behaviour, as a mislead human threat.
- Clearing Process: payment gateway-like clearing process of purchase and final funds collection. The security platform continues working even after the subscription is completed. Should the system at a later stage identify either an Automated or Behavioural Fraud Pattern, transactions of affected users will be cancelled (during the clearing period), thereby further eliminating fraud post-subscription.
- the security platform is a dynamic system that is constantly evolving to adapt to the changing Internet landscape. To achieve this, the security platform performs the following validations:
- Malicious Bot (Machines replicating human behaviour): The security platform broadly classifies all threats encountered that are determined to have happened by a piece of software running on user’s device without user realizing it, as a Malicious Bot (sometimes referred to as malware or bot attacks). In many cases the various installations of such software communicate with a central server that coordinates and commands such behaviour. It can be increased or decreased in pace, switched on/off, informed to switch from one target URL or service to another.
- Malicious on-page Behaviour: The security platform classifies in this category all threats encountered that are determined to have happened based on a behavioural pattern on the landing page showing that the activation attempt was not initiated by the end-user.
- Header injection / IP Discrepancy: The security platform classifies in this category all threats encountered that are determined to have happened based on an attempt to emulate the MSISDN of the user and/or coming from an IP that is not allowed as a legitimate request.
- Blacklisted App: The security platform classifies in this category all threats encountered that are determined to have happened from specific well-known malicious apps based on the HTTP request header.
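The header injection / IP discrepancy and blacklisted app categories can be checked on the raw HTTP request before anything else is evaluated. The following is an added example, not code from the patent: the enrichment header name `X-MSISDN`, the gateway address range, the MSISDN pattern and the deny-listed package name are constructed assumptions, and `X-Requested-With` is used because Android WebView populates it with the embedding app's package name.

```python
import ipaddress
import re

# Assumptions (not from the patent): header name, gateway egress range,
# MSISDN pattern and app deny-list are constructed values for illustration.
MSISDN_HEADER = "x-msisdn"
APP_HEADER = "x-requested-with"  # Android WebView puts the embedding app's package here
MNO_GATEWAY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
BLACKLISTED_APPS = {"com.example.badflashlight"}
MSISDN_RE = re.compile(r"[1-9]\d{6,14}")  # E.164 digits without the leading "+"

# Constructed sample requests: (TCP peer address, list of header pairs).
CLEAN = ("198.51.100.7", [("X-MSISDN", "27820000001"), ("User-Agent", "Mozilla/5.0")])
FORGED = ("203.0.113.9", [("X-MSISDN", "27820000002")])
DUPLICATE = ("198.51.100.7", [("X-MSISDN", "27820000002"), ("x-msisdn", "27820000001")])
BAD_APP = ("198.51.100.7", [("X-MSISDN", "27820000001"),
                            ("X-Requested-With", "com.example.badflashlight")])


def classify_request(peer_ip, headers):
    """Return threat categories for one HTTP request.

    peer_ip -- address of the TCP peer, never a client-supplied X-Forwarded-For
    headers -- list of (name, value) pairs so that duplicate headers are preserved
    """
    findings = []
    source = ipaddress.ip_address(peer_ip)
    from_gateway = any(source in net for net in MNO_GATEWAY_RANGES)
    msisdns = [v.strip() for k, v in headers if k.lower() == MSISDN_HEADER]

    # An enrichment header is only trustworthy when the MNO gateway added it.
    if msisdns and not from_gateway:
        findings.append("ip_discrepancy")
    # Conflicting or malformed copies mean the client supplied its own value.
    if len(set(msisdns)) > 1 or any(not MSISDN_RE.fullmatch(m) for m in msisdns):
        findings.append("header_injection")
    apps = {v.strip().lower() for k, v in headers if k.lower() == APP_HEADER}
    if apps & BLACKLISTED_APPS:
        findings.append("blacklisted_app")
    return findings


def decide(peer_ip, headers):
    """Deny on any finding; otherwise release the request for SDP/MNO validation."""
    findings = classify_request(peer_ip, headers)
    msisdn = next((v.strip() for k, v in headers if k.lower() == MSISDN_HEADER), None)
    if findings or msisdn is None:
        return {"action": "deny", "msisdn": None, "findings": findings}
    return {"action": "forward_to_sdp", "msisdn": msisdn, "findings": []}
```

Keeping headers as a list of pairs matters here: a framework that collapses duplicates into a dictionary would hide the conflicting second `X-MSISDN` value.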
- the security platform broadly classifies all threats encountered that are determined to have happened through usage or action patterns that are suspicious, as Behavioural Pattern threat. Such cases typically include irregular subscription attempts, irregular service usage etc. They may have been caused by an automated threat that was not detected as such at the time. Such patterns/threats are a valuable source for feeding back to the automated threat component of the security platform algorithm. Risk data including data points may be gathered from mobile communication devices of subscribers via the security application from the device itself, user interactions with the service provider’s web page, and web protocols, such as an HTTP web request.
- the data points may include one or more of the following: time spent on page, time of day, date of last subscription, HTTP headers, IP address, interaction with the page, application making the request, browser making the request, number of existing subscriptions, device time zone, device language, device screen size, device screen resolution, device message permissions, device JavaScript capabilities, user agent, originating URL, data saving settings, country, user devices.
- Data points may also be gathered from and/or delivered to the service provider server using web protocols such as HTTP GET/POST. Proprietary scripts running on the page may gather data points relating to additional information which can be used to assess the validity of a request.
- Threats that are detected can be further categorized as follows: Automated Threats:
- Header Injection: The insertion of a fake Header Enrichment HTTP header in the incoming request in order to subscribe an arbitrary user to a service.
- Pre-installed / Downloaded Malware apps: Applications specifically designed (or inadvertently containing malicious SDKs) to perform malicious actions on the user’s device. These apps usually load web pages in the background in order to avoid being noticed by the user.
- Cross-site Scripting (XSS): A type of injection security attack in which an attacker injects data, such as malicious scripts, into content from otherwise trusted websites.
- Replay Attacks: A category of attacks in which an attacker detects a data transmission and fraudulently has it delayed or repeated. The delay or repeat of the data transmission is carried out by the sender or by the malicious entity, who intercepts the data and retransmits it.
- Click Farms: Click fraud in the form of a large group of workers hired to click on paid advertising links for the click fraudster. The workers click the links, surf the target website for a period of time, and subscribe to services.
- Touch/click Hijacking: A malicious technique using hidden layers on web pages to trick a user into clicking on something different from what the user perceives, thus allowing involuntary subscription to services while clicking on seemingly innocuous objects.
- Frame Masking: Using HTML frames or iFrames to hide the confirmation page and requesting the user to click on a seemingly ‘harmless’ web page while in reality providing consent to the service subscription.
- User Action Simulation: Listening for user swipes/gestures/taps and playing them back to provide consent to the user subscription. Usually encountered in malware installed on the user’s device.
- Browserless Clickjacking: Causing a user-click on a service confirmation button without using a web browser screen overlays under which malicious apps can hide the actual content of the web page.
- FIG. 5 illustrates an example of a computing device (500) in which various aspects of the disclosure may be implemented, including the security platform (120) servers, the MNO system (110) servers, the service provider server (130), and the mobile communication devices (140) of the subscribers.
- the computing device (500) may be embodied as any form of data processing device including a personal computing device (e.g. laptop or desktop computer), a server computer (which may be self-contained, physically distributed over a number of locations), a client computer, or a communication device, such as a mobile phone (e.g. cellular telephone), satellite phone, tablet computer, personal digital assistant or the like.
- the computing device (500) may be suitable for storing and executing computer program code.
- the various participants and elements in the previously described system diagrams may use any suitable number of subsystems or components of the computing device (500) to facilitate the functions described herein.
- the computing device (500) may include subsystems or components interconnected via a communication infrastructure (505) (for example, a communications bus, a network, etc.).
- the computing device (500) may include one or more processors (510) and at least one memory component in the form of computer-readable media.
- the one or more processors (510) may include one or more of: CPUs, graphical processing units (GPUs), microprocessors, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs) and the like.
- a number of processors may be provided and may be arranged to carry out calculations simultaneously.
- various subsystems or components of the computing device (500) may be distributed over a number of physical locations (e.g. in a distributed, cluster or cloud-based computing configuration) and appropriate software units may be arranged to manage and/or process data on behalf of remote devices.
- the memory components may include system memory (515), which may include read only memory (ROM) and random access memory (RAM).
- System software may be stored in the system memory (515) including operating system software.
- the memory components may also include secondary memory (520).
- the secondary memory (520) may include a fixed disk (521), such as a hard disk drive, and, optionally, one or more storage interfaces (522) for interfacing with storage components (523), such as removable storage components (e.g. magnetic tape, optical disk, flash memory drive, external hard drive, removable memory chip, etc.), network attached storage components (e.g. NAS drives), remote storage components (e.g. cloud-based storage) or the like.
- the computing device (500) may include an external communications interface (530) for operation of the computing device (500) in a networked environment enabling transfer of data between multiple computing devices (500) and/or the Internet. Data transferred via the external communications interface (530) may be in the form of signals, which may be electronic, electromagnetic, optical, radio, or other types of signal.
- the external communications interface (530) may enable communication of data between the computing device (500) and other computing devices including servers and external storage facilities. Web services may be accessible by and/or from the computing device (500) via the communications interface (530).
- the external communications interface (530) may be configured for connection to wireless communication channels (e.g., a cellular telephone network, wireless local area network (e.g. using Wi-Fi™), satellite-phone network, Satellite Internet Network, etc.) and may include an associated wireless transfer element, such as an antenna and associated circuitry.
- the external communications interface (530) may include a subscriber identity module (SIM) in the form of an integrated circuit that stores an international mobile subscriber identity and the related key used to identify and authenticate a subscriber using the computing device (500).
- One or more subscriber identity modules may be removable from or embedded in the computing device (500).
- the computer-readable media in the form of the various memory components may provide storage of computer-executable instructions, data structures, program modules, software units and other data.
- a computer program product may be provided by a computer-readable medium having stored computer-readable program code executable by the central processor (510).
- a computer program product may be provided by a non-transient or non-transitory computer-readable medium, or may be provided via a signal or other transient or transitory means via the communications interface (530).
- Interconnection via the communication infrastructure (505) allows the one or more processors (510) to communicate with each subsystem or component and to control the execution of instructions from the memory components, as well as the exchange of information between subsystems or components.
- Peripherals such as printers, scanners, cameras, or the like
- One or more displays (519) may be coupled to or integrally formed with the computing device (500) via a display or video adapter (518).
- a software unit is implemented with a computer program product comprising a non-transient or non-transitory computer-readable medium containing computer program code, which can be executed by a processor for performing any or all of the steps, operations, or processes described.
- Software units or functions described in this application may be implemented as computer program code using any suitable computer language such as, for example, Java™, C++, or Perl™ using, for example, conventional or object-oriented techniques.
- the computer program code may be stored as a series of instructions, or commands on a non-transitory computer-readable medium, such as a random access memory (RAM), a read-only memory (ROM), a magnetic medium such as a hard-drive, or an optical medium such as a CD-ROM.
- Any such computer-readable medium may also reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.
- Flowchart illustrations and block diagrams of methods, systems, and computer program products according to embodiments are used herein. Each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, may provide functions which may be implemented by computer readable program instructions. In some alternative implementations, the functions identified by the blocks may take place in a different order to that shown in the flowchart illustrations.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
ZA2020/04038 | 2020-07-02 | ||
ZA2020/04038A ZA202004038B (en) | 2020-07-02 | 2020-07-02 | Fraud protection in subscription flows for mobile application services |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022003547A1 true WO2022003547A1 (en) | 2022-01-06 |
Family
ID=76797039
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2021/055782 WO2022003547A1 (en) | 2020-07-02 | 2021-06-29 | Fraud protection in subscription flows for mobile application services |
Country Status (2)
Country | Link |
---|---|
WO (1) | WO2022003547A1 (en) |
ZA (1) | ZA202004038B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1955564A1 (en) * | 2005-11-30 | 2008-08-13 | Telecom Italia S.p.A. | Method and system for updating applications in mobile communications terminals |
US7620690B1 (en) * | 2003-11-20 | 2009-11-17 | Lashback, LLC | Privacy control system for electronic communication |
US20140040975A1 (en) * | 2009-01-28 | 2014-02-06 | Headwater Partners I Llc | Virtualized Policy & Charging System |
GB2547231A (en) * | 2016-02-11 | 2017-08-16 | Vodafone Ip Licensing Ltd | Apparatus, method and computer program product for use in authenticating a user |
US20180324201A1 (en) * | 2017-05-08 | 2018-11-08 | KnowBe4, Inc. | Systems and methods for providing user interfaces based on actions associated with untrusted emails |
-
2020
- 2020-07-02 ZA ZA2020/04038A patent/ZA202004038B/en unknown
-
2021
- 2021-06-29 WO PCT/IB2021/055782 patent/WO2022003547A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
ZA202004038B (en) | 2021-07-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21737792 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21737792 Country of ref document: EP Kind code of ref document: A1 |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11.07.2023) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21737792 Country of ref document: EP Kind code of ref document: A1 |