WO2022003547A1 - Fraud protection in subscription flows for mobile application services


Publication number: WO2022003547A1
Authority: WO, WIPO (PCT)
Application number: PCT/IB2021/055782
Other languages: French (fr)
Inventors: Guy Stephane Krief, Dimitrios Maniatis
Original Assignee: Upstream Mobile Commerce Limited
Application filed by: Upstream Mobile Commerce Limited
Prior art keywords: subscription, subscription request, subscriber, request, data

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M15/00 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/47 Fraud detection or prevention means
    • H04M15/48 Secure or trusted billing, e.g. trusted elements or encryption
    • H04M15/51 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP for resellers, retailers or service providers
    • H04M15/58 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP based on statistics of usage or network monitoring
    • H04M15/64 On-line charging system [OCS]
    • H04M15/68 Payment of value-added services
    • H04M15/83 Notification aspects
    • H04M15/835 Time or frequency of notifications, e.g. Advice of Charge [AoC]
    • H04M15/8351 Time or frequency of notifications, e.g. Advice of Charge [AoC] before establishing a communication
    • H04M15/84 Types of notifications
    • H04M15/844 Message, e.g. SMS
    • H04M15/85 Notification aspects characterised by the type of condition triggering a notification
    • H04M15/855 Successful event
    • H04M15/858 Request users acknowledgement prior to use
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/24 Accounting or billing

Definitions

  • VAS Value Added Services
  • MNO mobile network operator
  • web fraud involves situations where customers are subscribed and charged for services without their consent, which negatively impacts user experience and ultimately damages an MNO’s reputation. This impacts the customer and undermines confidence in such VAS services offered by or through the MNO.
  • security threats and fraud may be carried out via subscriptions that are instigated by non-human entities or by malicious human-led behaviour. Malware inserted in the software of a user’s mobile communication device or other fraud via a user’s device such as hijacking is often capable of collecting personal and private data without user consent and sharing unauthorized information with third parties.
  • a DCB subscription request can be submitted by a mobile account subscriber and processed by a billing system of the subscriber’s MNO without the subscriber affirmatively providing any authentication or identification data. This is typically achieved by using identification information that is automatically injected by the MNO into headers of application protocol request messages transmitted from the subscriber’s mobile handset via the MNO’s mobile network.
  • the method may include gathering risk data from a mobile communication device with the data associated with the subscriber identifier and/or gathering risk data from the service provider server and using the gathered risk data in the validating of a subscription request.
  • Validating may include evaluating the gathered risk data associated with the subscription request from one or more of: profile data gathered and associated with the subscriber identifier; data gathered from an external domain of the service provider server; and the subscription request.
  • the step of validating may use algorithms in multiple dimensions to check for known threat patterns in the subscriber request and previously gathered risk data.
  • the communication channel may be one of the group of: a web channel, a short message service (SMS) channel, an unstructured supplementary service data (USSD) channel, or other communication channel through which a subscription request can be made.
  • SMS short message service
  • USSD unstructured supplementary service data
  • a subscription request via a web channel may be redirected from a user communication device, whereas other subscription channels may be redirected via a service provider server.
  • the method may include using header enrichment to extract data from a header of the subscription request for use in the validation. Extracting data from the header may include extracting an identifier injected into the request, and wherein validating may include analysing the validity of the identifier.
  • the redirected subscription request may be triggered by a trigger component incorporated into an external domain of the service provider server.
  • the method may include deploying a subscriber activity component to an external domain of the service provider server, wherein the subscriber activity component records subscriber interaction with the external domain.
  • the step of validating may include: analysing gathered risk data associated with the subscription request to determine the likelihood that the subscription request is legitimate; and, processing the subscription request if the subscription request is determined likely to be legitimate; or, refusing the subscription request if the subscription request is determined not likely to be legitimate.
  • the method may include transmitting and receiving data to and from a mobile software application installed on a mobile communication device associated with the subscriber identifier. Transmitting data may include transmitting malware update data to update a malware index stored in the software application and configured for use by the software application in detecting malware installed on the communication device. Transmitting data may also include transmitting untrusted external domain update data to update an untrusted external domain index stored in the software application and configured for use by the software application in evaluating external domains accessed by mobile communication device.
  • the method may further include parsing content provided to a subscriber via an external domain and evaluating the parsed content against a regulation schema to determine whether the external domain complies with regulations relating to a subscription request.
  • the method may include crawling the web to identify web-based advertisements directing to an external domain; parsing content provided to a subscriber via the web-based advertisements and evaluating the parsed content against a regulation schema to determine whether the web-based advertisements comply with regulations relating to a subscription request.
  • the method may include maintaining a subscriber risk profile, including updating the subscriber risk profile with data associated with the subscription request.
  • the subscriber risk profile may include data associated with prior subscription requests associated with the subscriber identifier, and wherein analysing the gathered risk data associated with the subscription request may include comparing the subscription request against the prior subscription requests and flagging anomalies detected in the comparison.
  • the method may also include providing a clearing period cancellation, wherein the security platform continues validating after the subscription is completed for a clearing period of time to identify either an automated or behavioural fraud pattern, and cancelling transactions of affected users during the clearing period.
  • the system may include providing code at a service provider server to redirect a subscription request received via a communication channel from the mobile communication device by integrating the code in a service confirmation stage.
  • the system may further include providing code at a mobile communication device for gathering risk data related to subscription requests and other data points and associating the gathered risk data with a subscriber identifier.
  • a computer program product for fraud protection in subscription flows for mobile application services using direct billing of a subscriber account maintained by a mobile network operator (MNO), comprising a computer-readable medium having stored computer-readable program code for performing the steps of: receiving a redirected subscription request for a direct carrier billing service, wherein the subscription request is provided via a communication channel between a service provider server and a mobile communication device having a subscriber identifier; validating in real time the subscription request at the security platform including evaluating risk associated with the subscription request using the subscriber identifier of the request and by applying fraud detecting algorithms to the subscription request using gathered risk data; and confirming allowance of the subscription request by initiating the activation of the subscription at the MNO allowing access to the mobile application service by the subscriber via the mobile communication device; or blocking allowance of the subscription request.
  • Figure 1 is a block diagram of a system including a security platform in accordance with an example embodiment of the present invention
  • Figure 2 is a schematic diagram of an interaction between a service provider server and a security engine in accordance with an example embodiment of the present invention
  • Figure 3 is a flow diagram showing an example subscription flow including validation using a web channel in accordance with an aspect of the present invention
  • Figure 4 is a flow diagram showing an example subscription flow including validation from a published advertisement and using Unstructured Supplementary Service Data (USSD) verification in accordance with an aspect of the present invention
  • Figure 5 illustrates an example of a computing device in which various aspects of the disclosure may be implemented.
  • the described methods and systems provide a security platform that protects MNOs and their subscribers from fraud in online transactions.
  • the security platform sits as a gateway between a direct carrier billing system of the MNO and a service provider server to which a subscriber wishes to subscribe using a mobile communication device.
  • Analysis tools and techniques are provided by the security platform providing end-to-end protection of the subscription flow, from advert click to subscription to subscriber billing via the subscription.
  • the security platform provides a fraud prevention platform for online subscription transactions and enables MNOs to build a healthy, fraud-free subscriber base, using a fraud-protected subscription flow. This allows subscribers to enjoy various digital services increasing customer satisfaction and minimizing customer care issues.
  • the security platform provides security for subscription flows that use one of various communication channels between the subscriber mobile communication device and the service provider server including web, Short Message Service (SMS), and Unstructured Supplementary Service Data (USSD) subscription flows.
  • the security platform provides code that is integrated with the service provider’s offering such as the web page with a customized consent page in order to intercept and validate a subscription request as part of the subscription flow.
  • the security platform also provides code that is executed on a mobile communication device to gather required data points for the security validation as described further below.
  • a block diagram shows an example embodiment of a system (100) including a security platform (120) that acts as a gateway between a mobile network operator system (110) and a service provider server (130) providing subscription services.
  • the security platform (120) may be provided on one or more servers that may be local to the mobile network operator system (110) or provided via a network including as a cloud service.
  • the security platform (120) includes a security engine (160) for ensuring multi-dimensional anti-fraud during a subscription flow between a service provider server (130) and a mobile communication device (140) of a user.
  • the security platform (120) may be provided by one or more servers that include a processor for executing the functions of components described, which may be provided by hardware or by software units executing on the server.
  • the software units may be stored in a memory component and instructions may be provided to the processor to carry out the functionality of the described components.
  • a service provider server (130) may provide a value-added service that can be subscribed to by a mobile network subscriber from their mobile communication device (140).
  • the service provider may be related to the mobile network operator or may be independent from it with the service allowing subscription using direct carrier billing of a subscriber billing system (112) and service delivery platform (111) of the mobile network operator system (110).
  • the security platform (120) may provide a security component (135) at the service provider server (130) that may be incorporated within a subscription service (132) such that the security component (135) intercepts and validates a subscription request made from a mobile communication device (140).
  • the security component (135) includes a redirection component (136) that redirects a subscription flow provided when a subscriber using a mobile communication device (140) makes a subscriber request to a service provider server (130) via a subscription channel (150).
  • a subscription channel (150) may be a web channel, an SMS channel, a USSD channel, or another form of communication channel via which a subscriber using a mobile communication device (140) may sign up to a service provided by a service provider server (130).
  • the subscription request for a direct carrier billing service may be redirected to a subscription validation component (121) of the security engine (160) at the security platform (120) and the subscription validation component (121) may include a request receiving component (131).
  • the subscription validation component (121) may use a fraud detection component (123) to ensure that the subscription flow is valid and not subject to security threats.
  • the fraud detection component (123) uses multiple fraud detection algorithms (124) to provide multiple dimensions of security threat detection. This may include monitoring for occurrence of predefined events that are known to be threats and that may be recorded in a threat index (125). There may be multiple algorithms for each type of threat and the algorithms may be used in conjunction with each other to produce the final result (e.g.
  • the fraud detection algorithms (124) may take one or more data points as their inputs and may output one or more of a score, value, likelihood or other indication of the probability of the data points being associated with fraudulent activity or security threat detection.
  • the data points may include or form part of risk data or security data gathered from one or more of a mobile communication device of a subscriber (e.g. via a security application installed thereon or from the device itself), user interactions with the service provider’s web page (e.g. via a subscriber activity component provided at an external domain of the service provider server which records subscriber interaction with the external domain), and web protocols (such as HTTP messages).
  • the security component (135) may gather risk or security data at the service provider server (130), when using subscription channels (150) using USSD or SMS, for use and monitoring by the security platform (120).
  • the security platform (120) may include a service provider monitoring component (129) for gathering and monitoring the data from service provider server (130).
  • the security component (135) may include a subscriber activity component (137) provided at an external domain of the service provider server (130) to record subscriber interaction with the external domain.
  • the subscriber activity component (137) may record data points relating to subscriber interaction with the external domain. This data may be used by the fraud detection component (123).
  • the security platform (120) also provides a security application (145) in the form of a mobile software application installed or executed at a subscriber’s mobile communication device (140).
  • the security application (145) may include a validation component (146) to validate a subscriber request with the security platform (120) and to gather risk or security data from the mobile communication device (140).
  • a mobile communication device (140) has an associated unique identifier provided by the mobile network operator to which the user subscribes, for example, International Mobile Subscriber Identity (IMSI) or Mobile station International Subscriber Directory Number (MSISDN) number. This identifier is used by the security application (145) when gathering data for the security platform (120).
  • the security platform (120) may include a mobile device monitoring component (126) for gathering and monitoring the data from mobile communication devices (140). This data may be used by the fraud detection component (123).
  • the security application (145) may transmit and receive data from the security platform (120) that may include malware update data to update a malware index stored in the security application (145) and configured for use by the security application (145) in detecting malware installed on the mobile communication device (140).
  • the received data may also include untrusted external domain update data to update an untrusted external domain index stored in the security application (145) and configured for use by the security application (145) in evaluating external domains accessed by mobile communication device (140).
  • the security platform (120) may include a service monitoring dashboard component (127) for providing a monitoring service to the service provider of past and current security threats and including a mobile communication device identifier monitoring component (128) for monitoring mobile communication devices by their identifiers for security threats.
  • a mobile network subscriber using their mobile communication device (140) may respond to an advert (143) received on their mobile communication device (140).
  • this may be an advert (143) viewed on a browser (141) of the mobile communication device (140) for a subscription service (142).
  • the advert (143) may be received at the mobile communication device (140) in a message such as an SMS or USSD message, or via another application or communication method.
  • the mobile network subscriber may send a subscription request via a subscription channel (150), such as via a web request, an SMS, a USSD, or other message, to the service provider server (130) offering the subscription service.
  • the service provider server (130) will activate the subscription service (132) and using direct carrier billing the subscription service fee will be directly debited using the subscription billing system (112) of the mobile network operator system (110).
  • the security platform (120) validates the subscription request providing security for the service provider and for the subscriber.
  • the security platform (120) may include a header enrichment component (122) for using a header enrichment service (113).
  • the header enrichment service (113) may be provided by the mobile network operator to provide a unique identifier of a mobile communication device (140). The unique identifier may be provided to use as a subscriber identifier in subscriber request messages.
  • Header enrichment may be used in the validation when the subscription channel (150) is a web channel. Header enrichment may also be used to validate that the unique identifier is not spoofed. Header enrichment is the process of adding data fields in the Hypertext Transfer Protocol (HTTP) header used by downstream servers. This is used in mobile networks by adding unique identifiers such as user and device identifiers such as IMEI, IMSI, MSISDN UID or other data to identify subscriber or mobile communication device details. Additional information may be added to HTTP headers to be processed during the subscription flow.
  • the security platform (120) executes end-to-end validation from all subscription and activation requests. During the entire flow, each individual request is analysed in real time on several dimensions, granting security to the subscription process.
  • the security platform covers user recruitment (subscription requests) from users connected via the carriers’ or MNO’s network, for example, from both native browsers and in-application requests originating from a Hyper Text Markup Language (HTML) page in which the described security is provided.
  • HTML Hyper Text Markup Language
  • consent or confirmation pages of the service provider are integrated with a button for the security platform engine.
  • Header enrichment may be provided to all security platform domains (using the Domain Name System (DNS)) with the header enrichment provided to service providers using the security platform.
  • DNS Domain Name System
  • the security platform prepares landing pages for service providers and the partner service providers make any necessary development or configuration on their side. Requirements from the MNO side may be limited and may for example include enabling header enrichment as described and in some implementations configuration steps for example relating to the clearing process as described.
  • the security platform performs all the necessary validation work and, only if a request is approved, the security platform notifies the service provider of the validated attempt with related MSISDN.
  • a flow diagram (200) illustrates an example embodiment of the described method carried out at a service provider server (130) and the security engine (160) of the security platform (120).
  • the service provider server (130) may provide a subscription service web page (231) and this may include an attestation of compliance (AOC) page in the form of a confirmation or consent page (232) that displays mandatory policies information to the end user.
  • AOC attestation of compliance
  • the confirmation page (232) integrates the security component (135) for interaction with the security platform (120). This may be by inserting a security button or other form of trigger at the confirmation page (232) for the security engine (160) hosted by the security platform (120) to perform the security validation and anti-fraud protection.
  • the security button may include software code that triggers the security engine (160) upon activation by a user.
  • the security component (135) identifies the requesting subscriber by a unique identifier. This may use header enrichment provided by the MNO or other methods to include a unique identifier of the subscriber, such as the MSISDN, that is used by the security engine (160) in its evaluation of the security threats associated with the mobile communication device (140) and the subscriber.
  • the security engine (160) receives (262) the validation request including the subscriber identifier and validates the request.
  • This may include the security engine (160) carrying out checks (263) for fraud and threats.
  • the checks may involve multiple dimensions of security validations based on data gathered from the service provider, subscriber devices such as the mobile communication device (140), web protocols and the like.
  • the checks (263) may include inputting data points from the gathered data, such as gathered risk data, into fraud detection algorithms (124) for detecting fraud or security threats.
  • the checks may include outputting one or more of a score, value, likelihood or other indication of the probability of the data points being associated with fraudulent activity or security threat detection.
  • the validation may include checking (264) the subscriber identifier for threats recorded against this identifier.
  • the security engine (160) may confirm or deny (265) the subscriber request to the service provider based on the security validation carried out.
  • the security platform (120) sends an activation call (266) to the MNO’s service delivery platform (SDP) and/or to the service provider.
  • the MNO’s SDP or the service provider activates the user on the service and may notify (267) both the security platform (120) and the service provider.
  • the access to the service is granted or denied (244) and, if granted, the subscriber is redirected to the service provider’s web site portal (233) with their authenticated subscription. This may be referred to as a double opt-in flow and summarised as follows:
    1. User clicks on ‘subscribe’ button at Service Provider page;
    2. User is redirected to the Consent Page where Security Engine button is implemented;
    3. Security Engine performs validation request and releases only clean traffic for SDP/MNO validation;
    4. SDP/MNO checks user eligibility for service subscription and/or billing charge;
       a. SDP/MNO returns response code to Security Engine;
    5. Security Engine redirects user to Service Provider Portal (website) for successful activation;
       a. Unsuccessful activations are redirected to a disclaimer page.
  • the security platform delivers the security measures necessary to use header enriched flows and avoid one-time password (OTP) flows, which prevent real users from activating. OTP flow protection may also be included with the security platform, but is neither required nor recommended as it does not add to the security provided and may make the user experience worse.
  • the security platform may monitor adverts and subscriptions provided via an external domain of a service provider.
  • a flow diagram (300) shows an example scenario for a subscription flow starting from a published advertisement and using a subscription web channel from a mobile communication device (140) of a user.
  • a user of a mobile communication device (140) sees an advertisement banner from a service provider server (130), for example, displayed (301) on a browser displayed on their mobile communication device (140) and clicks on it to subscribe.
  • the security platform (120) may monitor the placement and compliance of advertisements from service providers.
  • Clicking on the advert takes (302) the browser to an MSISDN page using header enhancement for MSISDN identification of the mobile communication device (140).
  • An MSISDN page may be any web page to which the subscriber is redirected and via which redirection the MSISDN or other unique identifier is obtained through header enrichment.
  • a confirmation click may be received (303) on the page to confirm the user’s intention to subscribe to the service.
  • the subscription request is redirected (304) to the security platform for validation of the subscription request. Validation may be carried out by the security engine (160) using fraud detection algorithms (124), for example as described above with reference to Figure 2.
  • a flow diagram (400) shows an example scenario for a subscription flow starting from a published advertisement and using a USSD verification from a mobile communication device (140) of a user.
  • a user of a mobile communication device (140) sees an advertisement banner from a service provider server (130), for example, received (401) via a message displayed on their mobile communication device (140) sent to the MSISDN of the subscriber.
  • Clicking on the advert may take the browser of the mobile communication device (140) to visit (402) a landing page for the service.
  • a confirmation or subscribe click on the landing page may be received (403) to confirm the user’s intention to subscribe to the service and to activate a USSD prompt that is displayed to the user in order to be confirmed.
  • a confirmation response may be received (404) to the USSD prompt in order to confirm the subscription request by the subscriber.
  • the subscription request is sent (405) via a server-to-server (S2S) call to the security platform for validation of the subscription request. Validation may be carried out by the security engine (160) using fraud detection algorithms (124), for example as described above with reference to Figure 2.
  • a subscription may be initiated via other channels.
  • any one of SMS-, rich communication services- (RCS), SatPush-, interactive voice response- (IVR) or email-based channels may be used to activate a prompt that is displayed to the user in order for the service to be confirmed.
  • a subscription flow may start from a USSD, RCS, SatPush, IVR or SMS request.
  • the security platform (120) may include a service monitoring dashboard component (127) that provides reporting of security threats and associated statistics. This includes data as gathered from the security component (135) at the service provider server (130) and the security applications (145) provided at mobile communication devices (140) as well as the outcomes of the fraud detection component (123) of the security engine (160).
  • the security platform may provide a dashboard for monitoring a campaign’s performance for each service provider and service, using a variety of different reports and dimensions, as well as reviewing the interaction history on a subscriber identifier (such as an MSISDN or equivalent) level.
  • Reports may include:
    • Real time monitoring of subscription flows;
    • Overall performance: Main key performance indicators and daily evolution of blocked and cleared traffic;
    • Analysis: Breakdown on type of fraud identified;
    • Top Blocked Traffic Sources: List of top blocked traffic sources, as shared by the service providers;
    • Top Blocked Applications: List of top blocked applications, as identified in the activation requests sent by the users;
    • Blocked vs successful attempts: Daily aggregated performance of the real time blocking;
    • Security Performance: Detailed performance reports, with low level break down and export functionality for offline processing;
    • Real time view on the traffic, as processed by the security platform.
  • the security platform may maintain a subscriber risk profile, including updating the subscriber risk profile with data associated with a new subscription request.
  • the subscriber risk profile includes data associated with prior subscription requests associated with the subscriber identifier.
  • Analysing the risk data associated with the subscription request includes comparing the subscription request against the prior subscription requests and flagging anomalies detected in the comparison.
  • the security platform may provide a unique identifier search based on unique identifiers such as MSISDNs.
  • the security platform may provide the option to search for the activation, interaction and infection history of users. This may be done through an MSISDN search page where the MSISDN of a user is used as the search key.
  • MSISDN (or equivalent) search will also give the possibility to check by MSISDN:
    • Partner name, service name, IP, browser type/app, device, price, frequency/one-time charge, free trial period, request time-stamp, status of validation;
    • Interaction history may be extracted.
  • the security platform architecture ensures that the platform is highly available, with very low response times. For example, response time on client requests will aim not to exceed 1 second, for all the calls related to a browser user experience.
  • Validations Performed by the Security Platform
  • Platform functionalities can be grouped as follows.
  • Real-time Automated Fraud Prevention: detection and blocking of bots, clickjacking, hijacked devices, malware apps, etc.
  • the security platform broadly classifies all threats encountered as an Automated Threat (i.e. malware or bot attacks). Such threats may be determined to have happened by a piece of software running on user’s device without user realizing it, or may be determined to originate from malicious software that is server-based.
  • Behavioural Fraud Prevention: User behaviour analysis to further block unwanted patterns. The security platform broadly classifies all threats encountered that are determined to have happened by a human-led action without the user being able to identify the malicious behaviour, as a misled human threat.
  • Clearing Process: payment gateway-like clearing process of purchase and final funds collection. The security platform continues working even after the subscription is completed. Should the system at a later stage identify either an Automated or Behavioural Fraud Pattern, transactions of affected users will be cancelled (during the clearing period), thereby further eliminating fraud post-subscription.
  • the security platform is a dynamic system that is constantly evolving to adapt to the changing Internet landscape. To achieve this, the security platform performs the following validations:
  • Malicious Bot (Machines replicating human behaviour): The security platform broadly classifies all threats encountered that are determined to have happened by a piece of software running on user’s device without user realizing it, as a Malicious Bot (sometimes referred to as malware or bot attacks). In many cases the various installations of such software communicate with a central server that coordinates and commands such behaviour. It can be increased or decreased in pace, switched on/off, informed to switch from one target URL or service to another.
  • Malicious on-page Behaviour: The security platform classifies in this category all threats encountered that are determined to have happened based on a behavioural pattern on the landing page showing that the activation attempt was not initiated by the end-user.
  • Header injection / IP Discrepancy: The security platform classifies in this category all threats encountered that are determined to have happened based on an attempt to emulate the MSISDN of the user and/or coming from an IP that is not allowed as a legitimate request.
  • Blacklisted App: The security platform classifies in this category all threats encountered that are determined to have happened from specific well-known malicious apps based on the HTTP request header.
  • the security platform broadly classifies all threats encountered that are determined to have happened through usage or action patterns that are suspicious, as a Behavioural Pattern threat. Such cases typically include irregular subscription attempts, irregular service usage etc. They may have been caused by an automated threat that was not detected as such at the time. Such patterns/threats are a valuable source for feeding back to the automated threat component of the security platform algorithm. Risk data including data points may be gathered from mobile communication devices of subscribers via the security application from the device itself, user interactions with the service provider’s web page, and web protocols, such as an HTTP web request.
  • the data points may include one or more of the following: time spent on page, time of day, date of last subscription, HTTP headers, IP address, interaction with the page, application making the request, browser making the request, number of existing subscriptions, device time zone, device language, device screen size, device screen resolution, device message permissions, device JavaScript capabilities, user agent, originating URL, data saving settings, country, user devices.
  • Data points may also be gathered from and/or delivered to the service provider server using web protocols such as HTTP GET/POST. Proprietary scripts running on the page may gather data points relating to additional information which can be used to assess the validity of a request.
  • Threats that are detected can be further categorized as follows: Automated Threats:
  • Header Injection: The insertion of a fake Header Enrichment HTTP header in the incoming request in order to subscribe an arbitrary user to a service.
  • Pre-installed / Downloaded Malware apps: Applications specifically designed (or inadvertently containing malicious SDKs) to perform malicious actions on the user’s device. These apps usually load web pages in the background in order to avoid being noticed by the user.
  • Cross-site Scripting (XSS): A type of injection security attack in which an attacker injects data, such as malicious scripts, into content from otherwise trusted websites.
  • Replay Attacks: A category of attacks in which an attacker detects a data transmission and fraudulently has it delayed or repeated. The delay or repeat of the data transmission is carried out by the sender or by the malicious entity, who intercepts the data and retransmits it.
  • Click Farms: Click fraud in the form of large group of workers hired to click on paid advertising links for the click fraudster. The workers click the links, surf the target website for a period of time, and subscribe to services.
  • Touch/click Hijacking: A malicious technique using hidden layers on web pages to trick a user into clicking on something different from what the user perceives, thus allowing involuntary subscription to services while clicking on seemingly innocuous objects.
  • Frame Masking: Using HTML frames or iFrames to hide the confirmation page and requesting the user to click on a seemingly ‘harmless’ web page while in reality providing consent to the service subscription.
  • User Action Simulation: Listening for user swipes/gestures/taps and playing them back to provide consent to the user subscription. Usually encountered in malware installed on the user’s device.
  • Browserless Clickjacking: Causing a user-click on a service confirmation button without using a web browser screen overlays under which malicious apps can hide the actual content of the web page.
  • FIG. 5 illustrates an example of a computing device (500) in which various aspects of the disclosure may be implemented, including the security platform (120) servers, the MNO system (110) servers, the service provider server (130), and the mobile communication devices (140) of the subscribers.
  • the computing device (500) may be embodied as any form of data processing device including a personal computing device (e.g. laptop or desktop computer), a server computer (which may be self-contained, physically distributed over a number of locations), a client computer, or a communication device, such as a mobile phone (e.g. cellular telephone), satellite phone, tablet computer, personal digital assistant or the like.
  • the computing device (500) may be suitable for storing and executing computer program code.
  • the various participants and elements in the previously described system diagrams may use any suitable number of subsystems or components of the computing device (500) to facilitate the functions described herein.
  • the computing device (500) may include subsystems or components interconnected via a communication infrastructure (505) (for example, a communications bus, a network, etc.).
  • the computing device (500) may include one or more processors (510) and at least one memory component in the form of computer-readable media.
  • the one or more processors (510) may include one or more of: CPUs, graphical processing units (GPUs), microprocessors, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs) and the like.
  • a number of processors may be provided and may be arranged to carry out calculations simultaneously.
  • various subsystems or components of the computing device (500) may be distributed over a number of physical locations (e.g. in a distributed, cluster or cloud-based computing configuration) and appropriate software units may be arranged to manage and/or process data on behalf of remote devices.
  • the memory components may include system memory (515), which may include read only memory (ROM) and random access memory (RAM).
  • System software may be stored in the system memory (515) including operating system software.
  • the memory components may also include secondary memory (520).
  • the secondary memory (520) may include a fixed disk (521), such as a hard disk drive, and, optionally, one or more storage interfaces (522) for interfacing with storage components (523), such as removable storage components (e.g. magnetic tape, optical disk, flash memory drive, external hard drive, removable memory chip, etc.), network attached storage components (e.g. NAS drives), remote storage components (e.g. cloud-based storage) or the like.
  • the computing device (500) may include an external communications interface (530) for operation of the computing device (500) in a networked environment enabling transfer of data between multiple computing devices (500) and/or the Internet. Data transferred via the external communications interface (530) may be in the form of signals, which may be electronic, electromagnetic, optical, radio, or other types of signal.
  • the external communications interface (530) may enable communication of data between the computing device (500) and other computing devices including servers and external storage facilities. Web services may be accessible by and/or from the computing device (500) via the communications interface (530).
  • the external communications interface (530) may be configured for connection to wireless communication channels (e.g., a cellular telephone network, wireless local area network (e.g. using Wi-Fi™), satellite-phone network, Satellite Internet Network, etc.) and may include an associated wireless transfer element, such as an antenna and associated circuitry.
  • the external communications interface (530) may include a subscriber identity module (SIM) in the form of an integrated circuit that stores an international mobile subscriber identity and the related key used to identify and authenticate a subscriber using the computing device (500).
  • One or more subscriber identity modules may be removable from or embedded in the computing device (500).
  • the computer-readable media in the form of the various memory components may provide storage of computer-executable instructions, data structures, program modules, software units and other data.
  • a computer program product may be provided by a computer-readable medium having stored computer-readable program code executable by the central processor (510).
  • a computer program product may be provided by a non-transient or non-transitory computer-readable medium, or may be provided via a signal or other transient or transitory means via the communications interface (530).
  • Interconnection via the communication infrastructure (505) allows the one or more processors (510) to communicate with each subsystem or component and to control the execution of instructions from the memory components, as well as the exchange of information between subsystems or components.
  • Peripherals such as printers, scanners, cameras, or the like
  • One or more displays (519) may be coupled to or integrally formed with the computing device (500) via a display or video adapter (518).
  • a software unit is implemented with a computer program product comprising a non-transient or non-transitory computer-readable medium containing computer program code, which can be executed by a processor for performing any or all of the steps, operations, or processes described.
  • Software units or functions described in this application may be implemented as computer program code using any suitable computer language such as, for example, Java™, C++, or Perl™ using, for example, conventional or object-oriented techniques.
  • the computer program code may be stored as a series of instructions, or commands on a non-transitory computer-readable medium, such as a random access memory (RAM), a read-only memory (ROM), a magnetic medium such as a hard-drive, or an optical medium such as a CD-ROM.
  • Any such computer-readable medium may also reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.
  • Flowchart illustrations and block diagrams of methods, systems, and computer program products according to embodiments are used herein. Each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, may provide functions which may be implemented by computer readable program instructions. In some alternative implementations, the functions identified by the blocks may take place in a different order to that shown in the flowchart illustrations.

Abstract

A computer-implemented method and a system are provided for fraud protection in subscription flows for mobile application services using direct billing of a subscriber account maintained by a mobile network operator (MNO). A security platform server receives a redirected subscription request for a direct carrier billing service, where the subscription request is provided via a communication channel between a service provider server and a mobile communication device having a subscriber identifier. The security platform validates in real time the subscription request at the security platform including evaluating risk associated with the subscription request using the subscriber identifier of the request and by applying fraud detecting algorithms to the subscription request using gathered risk data. The security platform may confirm allowance of the subscription request by initiating the activation of the subscription at the MNO and allowing access to the mobile application service by the subscriber via the mobile communication device.

Description

FRAUD PROTECTION IN SUBSCRIPTION FLOWS FOR MOBILE APPLICATION SERVICES

CROSS-REFERENCE(S) TO RELATED APPLICATIONS

This application claims priority from South African patent application number 2020/04038 filed on 2 July 2020, which is incorporated by reference herein.

FIELD OF THE INVENTION

This invention relates to fraud protection in subscription flows for mobile application services. In particular, the invention relates to fraud protection when using direct billing of a subscriber account maintained by a mobile network operator (MNO).

BACKGROUND TO THE INVENTION

Direct carrier billing (DCB) is an online mobile payment method which allows mobile subscribers who subscribe to a mobile network operator (MNO) to make purchases by charging payments to their mobile phone carrier bill or prepaid airtime account. Many of the services provided to mobile phone subscribers over mobile networks are run by third party merchants as Value Added Services (VAS). Within the MNO VAS ecosystem, web fraud involves situations where customers are subscribed and charged for services without their consent, which negatively impacts user experience and ultimately damages an MNO’s reputation. This impacts the customer and undermines confidence in such VAS services offered by or through the MNO. From the service provider’s perspective, security threats and fraud may be carried out via subscriptions that are instigated by non-human entities or by malicious human-led behaviour. Malware inserted in the software of a user’s mobile communication device or other fraud via a user’s device such as hijacking is often capable of collecting personal and private data without user consent and sharing unauthorized information with third parties. With fraud rife in the VAS ecosystem, it is increasingly difficult for MNOs to effectively recruit users for VAS services with a minimum risk of a range of possible fraud.
A DCB subscription request can be submitted by a mobile account subscriber and processed by a billing system of the subscriber’s MNO without the subscriber affirmatively providing any authentication or identification data. This is typically achieved by using identification information that is automatically injected by the MNO into headers of application protocol request messages transmitted from the subscriber’s mobile handset via the MNO’s mobile network. Such a feature makes DCB payments convenient and frictionless for mobile subscribers but susceptible to abuse by fraudsters. There is accordingly scope for improvement.

The preceding discussion of the background to the invention is intended only to facilitate an understanding of the present invention. It should be appreciated that the discussion is not an acknowledgment or admission that any of the material referred to was part of the common general knowledge in the art as at the priority date of the application.

SUMMARY OF THE INVENTION

According to an aspect of the present invention there is provided a computer-implemented method for fraud protection in subscription flows for mobile application services using direct billing of a subscriber account maintained by a mobile network operator (MNO), wherein the method is carried out by a security platform server and comprises: receiving a redirected subscription request for a direct carrier billing service, wherein the subscription request is provided via a communication channel between a service provider server and a mobile communication device having a subscriber identifier; validating in real time the subscription request at the security platform including evaluating risk associated with the subscription request using the subscriber identifier of the request and by applying fraud detecting algorithms to the subscription request using gathered risk data; and confirming allowance of the subscription request by initiating the activation of the subscription at the MNO allowing access to the mobile application service by the subscriber via the mobile communication device; or blocking allowance of the subscription request. The method may include gathering risk data from a mobile communication device with the data associated with the subscriber identifier and/or gathering risk data from the service provider server and using the gathered risk data in the validating of a subscription request. Validating may include evaluating the gathered risk data associated with the subscription request from one or more of: profile data gathered and associated with the subscriber identifier; data gathered from an external domain of the service provider server; and the subscription request. The step of validating may use algorithms in multiple dimensions to check for known threat patterns in the subscriber request and previously gathered risk data. The communication channel may be one of the group of: a web channel, a short message service (SMS) channel, an unstructured supplementary service data (USSD) channel, or other communication channel through which a subscription request can be made. A subscription request via a web channel may be redirected from a user communication device, whereas other subscription channels may be redirected via a service provider server. Where the communication channel is a web channel, the method may include using header enrichment to extract data from a header of the subscription request for use in the validation. Extracting data from the header may include extracting an identifier injected into the request, and wherein validating may include analysing the validity of the identifier. The redirected subscription request may be triggered by a trigger component incorporated into an external domain of the service provider server.
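The check on an enriched identifier described above, together with the "Header injection / IP Discrepancy" and "Blacklisted App" categories in the validation list, could look like the following. This is an added example, not code from the patent or the applicant's platform; the header name `X-MSISDN`, the gateway address range, the blocklist entry and the reason strings are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Assumptions for this example (none of these values come from the patent):
ENRICHMENT_HEADER = "x-msisdn"      # hypothetical name of the MNO-injected header
APP_HEADER = "x-requested-with"     # Android WebView sends the host app's package name here
MNO_EGRESS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed, RFC 5737 range
BLACKLISTED_APPS = {"com.example.badflashlight"}               # constructed entry
MSISDN_RE = re.compile(r"[1-9]\d{7,14}")                       # E.164 digits without '+'


@dataclass
class Verdict:
    allowed: bool
    msisdn: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def validate_enriched_request(peer_ip: str,
                              headers: Sequence[Tuple[str, str]]) -> Verdict:
    """Decide whether the enriched identifier on a redirected request can be trusted.

    peer_ip is the transport-level source address seen by the platform;
    headers is the list of (name, value) pairs in wire order, so repeated
    headers stay visible instead of being collapsed by a dict.
    """
    reasons: List[str] = []

    def flag(reason: str) -> None:
        if reason not in reasons:
            reasons.append(reason)

    identifiers: List[str] = []
    app = None
    for name, value in headers:
        lname = name.strip().lower()
        if lname == ENRICHMENT_HEADER:
            # Intermediaries may fold repeated headers into "a, b".
            identifiers.extend(v.strip() for v in value.split(","))
        elif lname == APP_HEADER:
            app = value.strip()

    # IP discrepancy: enrichment only means something on traffic that left
    # the operator's own gateways.
    try:
        addr = ipaddress.ip_address(peer_ip)
        on_net = any(addr in net for net in MNO_EGRESS_RANGES)
    except ValueError:
        on_net = False
    if not on_net:
        flag("ip_discrepancy")
        if identifiers:
            flag("header_injection")  # identifier asserted from off-network

    # Header injection: the gateway adds exactly one value, so a second copy
    # means the client supplied its own.
    if len(identifiers) > 1:
        flag("header_injection")
    elif not identifiers:
        flag("missing_identifier")
    elif not MSISDN_RE.fullmatch(identifiers[0]):
        flag("malformed_identifier")

    # Blacklisted app: judged from the HTTP request header alone.
    if app in BLACKLISTED_APPS:
        flag("blacklisted_app")

    msisdn = identifiers[0] if not reasons else None
    return Verdict(allowed=not reasons, msisdn=msisdn, reasons=reasons)
```

The identifier is returned only when every check passes, so downstream billing code never sees an MSISDN taken from a request that was flagged.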
The method may include deploying a subscriber activity component to an external domain of the service provider server, wherein the subscriber activity component records subscriber interaction with the external domain. The step of validating may include: analysing gathered risk data associated with the subscription request to determine the likelihood that the subscription request is legitimate; and, processing the subscription request if the subscription request is determined likely to be legitimate; or, refusing the subscription request if the subscription request is determined not likely to be legitimate. The method may include transmitting and receiving data to and from a mobile software application installed on a mobile communication device associated with the subscriber identifier. Transmitting data may include transmitting malware update data to update a malware index stored in the software application and configured for use by the software application in detecting malware installed on the communication device. Transmitting data may also include transmitting untrusted external domain update data to update an untrusted external domain index stored in the software application and configured for use by the software application in evaluating external domains accessed by mobile communication device. The method may further include parsing content provided to a subscriber via an external domain and evaluating the parsed content against a regulation schema to determine whether the external domain complies with regulations relating to a subscription request. In another feature, the method may include crawling the web to identify web-based advertisements directing to an external domain; parsing content provided to a subscriber via the web-based advertisements and evaluating the parsed content against a regulation schema to determine whether the web-based advertisements comply with regulations relating to a subscription request. 
The method may include maintaining a subscriber risk profile, including updating the subscriber risk profile with data associated with the subscription request. The subscriber risk profile may include data associated with prior subscription requests associated with the subscriber identifier, and wherein analysing the gathered risk data associated with the subscription request may include comparing the subscription request against the prior subscription requests and flagging anomalies detected in the comparison. The method may also include providing a clearing period cancellation, wherein the security platform continues validating after the subscription is completed for a clearing period of time to identify either an automated or behavioural fraud pattern, and cancelling transactions of affected users during the clearing period. According to another aspect of the present invention there is provided a system for fraud protection in subscription flows for mobile application services using direct billing of a subscriber account maintained by a mobile network operator (MNO), including a security platform server including: a request receiving component for receiving a redirected subscription request received via a communication channel between the service provider server and a mobile communication device having a subscriber identifier; a subscription validation component for validating the subscription request at the security platform including evaluating risk associated with the subscription request using the subscriber identifier of the request and by applying fraud detecting algorithms to the subscription request using gathered risk data; and a subscription activation component for confirming allowance of the subscription request by initiating the activation of the subscription at the MNO allowing access to the application service by the subscriber; or blocking allowance of the subscription request. 
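The comparison of a new request against the subscriber risk profile, described above, is shown here for a few of the data points the page lists (user agent, device language, country, time spent on page, date of last subscription). This is an added example, not the patent's algorithm; the thresholds, field names and flag names are assumptions, and the traffic in `demo()` is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List

# Thresholds are assumptions chosen for the example, not values from the patent.
MIN_GAP = timedelta(seconds=60)      # two requests closer than this look scripted
BURST_WINDOW = timedelta(hours=24)
BURST_LIMIT = 3                      # prior requests tolerated inside the window
DWELL_RATIO = 0.2                    # fraction of the subscriber's usual time on page
MIN_HISTORY = 3                      # prior requests needed before judging dwell time


@dataclass(frozen=True)
class SubscriptionRequest:
    msisdn: str
    service: str
    timestamp: datetime
    user_agent: str
    device_language: str
    country: str
    time_on_page_s: float


class RiskProfileStore:
    """Keeps prior subscription requests per subscriber identifier."""

    def __init__(self) -> None:
        self._history: Dict[str, List[SubscriptionRequest]] = {}

    def evaluate(self, req: SubscriptionRequest) -> List[str]:
        """Flag anomalies against the profile, then record the request."""
        prior = self._history.setdefault(req.msisdn, [])
        flags = self._compare(req, prior)
        prior.append(req)  # the profile is updated whether or not the request clears
        return flags

    @staticmethod
    def _compare(req: SubscriptionRequest,
                 prior: List[SubscriptionRequest]) -> List[str]:
        flags: List[str] = []
        if not prior:
            return flags  # first sighting: nothing to compare against
        last_seen = max(p.timestamp for p in prior)
        if req.timestamp - last_seen < MIN_GAP:
            flags.append("rapid_resubscription")
        recent = [p for p in prior if req.timestamp - p.timestamp <= BURST_WINDOW]
        if len(recent) >= BURST_LIMIT:
            flags.append("subscription_burst")
        # Device or location attributes never seen for this subscriber before.
        for attr in ("user_agent", "device_language", "country"):
            if getattr(req, attr) not in {getattr(p, attr) for p in prior}:
                flags.append("new_" + attr)
        # Time on page far below this subscriber's own median.
        if len(prior) >= MIN_HISTORY:
            typical = median(p.time_on_page_s for p in prior)
            if req.time_on_page_s < DWELL_RATIO * typical:
                flags.append("dwell_time_outlier")
        return flags


def demo() -> List[str]:
    """Constructed traffic: three ordinary requests, then one scripted one."""
    store = RiskProfileStore()
    t0 = datetime(2021, 6, 1, 12, 0, 0)
    ua = "Mozilla/5.0 (Linux; Android 10) Chrome/90.0 Mobile"
    for days, service, dwell in ((0, "games", 14.0), (10, "music", 9.0), (20, "news", 11.0)):
        store.evaluate(SubscriptionRequest(
            "27820000001", service, t0 + timedelta(days=days), ua, "en-ZA", "ZA", dwell))
    return store.evaluate(SubscriptionRequest(
        "27820000001", "quiz", t0 + timedelta(days=20, seconds=20),
        "okhttp/3.12.0", "en-ZA", "ZA", 0.4))
```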
The system may include providing code at a service provider server to redirect a subscription request received via a communication channel from the mobile communication device by integrating the code in a service confirmation stage. The system may further include providing code at a mobile communication device for gathering risk data related to subscription requests and other data points and associating the gathered risk data with a subscriber identifier. According to a further aspect of the present invention there is provided a computer program product for fraud protection in subscription flows for mobile application services using direct billing of a subscriber account maintained by a mobile network operator (MNO), comprising a computer-readable medium having stored computer-readable program code for performing the steps of: receiving a redirected subscription request for a direct carrier billing service, wherein the subscription request is provided via a communication channel between a service provider server and a mobile communication device having a subscriber identifier; validating in real time the subscription request at the security platform including evaluating risk associated with the subscription request using the subscriber identifier of the request and by applying fraud detecting algorithms to the subscription request using gathered risk data; and confirming allowance of the subscription request by initiating the activation of the subscription at the MNO allowing access to the mobile application service by the subscriber via the mobile communication device; or blocking allowance of the subscription request. Further features provide for the computer-readable medium to be a non-transitory computer-readable medium and for the computer-readable program code to be executable by a processing circuit.

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

Figure 1 is a block diagram of a system including a security platform in accordance with an example embodiment of the present invention;
Figure 2 is a schematic diagram of an interaction between a service provider server and a security engine in accordance with an example embodiment of the present invention;
Figure 3 is a flow diagram showing an example subscription flow including validation using a web channel in accordance with an aspect of the present invention;
Figure 4 is a flow diagram showing an example subscription flow including validation from a published advertisement and using Unstructured Supplementary Service Data (USSD) verification in accordance with an aspect of the present invention; and
Figure 5 illustrates an example of a computing device in which various aspects of the disclosure may be implemented.

DETAILED DESCRIPTION WITH REFERENCE TO THE DRAWINGS

The described methods and systems provide a security platform that protects MNOs and their subscribers from fraud in online transactions. The security platform sits as a gateway between a direct carrier billing system of the MNO and a service provider server to which a subscriber wishes to subscribe using a mobile communication device. Analysis tools and techniques are provided by the security platform providing end-to-end protection of the subscription flow, from advert click to subscription to subscriber billing via the subscription. The security platform provides a fraud prevention platform for online subscription transactions and enables MNOs to build a healthy, fraud-free subscriber base, using a fraud-protected subscription flow. This allows subscribers to enjoy various digital services increasing customer satisfaction and minimizing customer care issues.
The security platform provides security for subscription flows that use one of various communication channels between the subscriber mobile communication device and the service provider server including web, Short Message Service (SMS), and Unstructured Supplementary Service Data (USSD) subscription flows. In the case of web implementation, the security platform provides code that is integrated with the service provider’s offering such as the web page with a customized consent page in order to intercept and validate a subscription request as part of the subscription flow. The security platform also provides code that is executed on a mobile communication device to gather required data points for the security validation as described further below. Referring to Figure 1, a block diagram shows an example embodiment of a system (100) including a security platform (120) that acts as a gateway between a mobile network operator system (110) and a service provider server (130) providing subscription services. The security platform (120) may be provided on one or more servers that may be local to the mobile network operator system (110) or provided via a network including as a cloud service. The security platform (120) includes a security engine (160) for ensuring multi-dimensional anti-fraud during a subscription flow between a service provider server (130) and a mobile communication device (140) of a user. The security platform (120) may be provided by one or more servers that include a processor for executing the functions of components described, which may be provided by hardware or by software units executing on the server. The software units may be stored in a memory component and instructions may be provided to the processor to carry out the functionality of the described components. In some cases, for example in a cloud computing implementation, software units arranged to manage and/or process data on behalf of the security platform may be provided remotely. 
A service provider server (130) may provide a value-added service that can be subscribed to by a mobile network subscriber from their mobile communication device (140). The service provider may be related to the mobile network operator or may be independent from it with the service allowing subscription using direct carrier billing of a subscriber billing system (112) and service delivery platform (111) of the mobile network operator system (110). The security platform (120) may provide a security component (135) at the service provider server (130) that may be incorporated within a subscription service (132) such that the security component (135) intercepts and validates a subscription request made from a mobile communication device (140). The security component (135) includes a redirection component (136) that redirects a subscription flow provided when a subscriber using a mobile communication device (140) makes a subscriber request to a service provider server (130) via a subscription channel (150). A subscription channel (150) may be a web channel, an SMS channel, a USSD channel, or another form of communication channel via which a subscriber using a mobile communication device (140) may sign up to a service provided by a service provider server (130). The subscription request for a direct carrier billing service may be redirected to a subscription validation component (121) of the security engine (160) at the security platform (120) and the subscription validation component (121) may include a request receiving component (131). For subscription requests using a web subscription channel (150), this may be directly from the browser (141) of the mobile communication device (140). For subscription requests using USSD or SMS subscription channels, this may be forwarded via the security component (135) at the service provider server (130) or via the MNO system (110). 
The subscription validation component (121) may use a fraud detection component (123) to ensure that the subscription flow is valid and not subject to security threats. The fraud detection component (123) uses multiple fraud detection algorithms (124) to provide multiple dimensions of security threat detection. This may include monitoring for occurrence of predefined events that are known to be threats and that may be recorded in a threat index (125). There may be multiple algorithms for each type of threat and the algorithms may be used in conjunction with each other to produce the final result (e.g. in some cases the outputs of some algorithms may feed into others). The fraud detection algorithms (124) may take one or more data points as their inputs and may output one or more of a score, value, likelihood or other indication of the probability of the data points being associated with fraudulent activity or security threat detection. The data points may include or form part of risk data or security data gathered from one or more of a mobile communication device of a subscriber (e.g. via a security application installed thereon or from the device itself), user interactions with the service provider’s web page (e.g. via a subscriber activity component provided at an external domain of the service provider server which records subscriber interaction with the external domain), and web protocols (such as HTTP messages). The security component (135) may gather risk or security data at the service provider server (130), when using subscription channels (150) using USSD or SMS, for use and monitoring by the security platform (120). The security platform (120) may include a service provider monitoring component (129) for gathering and monitoring the data from service provider server (130). 
The security component (135) may include a subscriber activity component (137) provided at an external domain of the service provider server (130) to record subscriber interaction with the external domain. The subscriber activity component (137) may record data points relating to subscriber interaction with the external domain. This data may be used by the fraud detection component (123). The security platform (120) also provides a security application (145) in the form of a mobile software application installed or executed at a subscriber’s mobile communication device (140). The security application (145) may include a validation component (146) to validate a subscriber request with the security platform (120) and to gather risk or security data from the mobile communication device (140). A mobile communication device (140) has an associated unique identifier provided by the mobile network operator to which the user subscribes, for example, International Mobile Subscriber Identity (IMSI) or Mobile station International Subscriber Directory Number (MSISDN) number. This identifier is used by the security application (145) when gathering data for the security platform (120). The security platform (120) may include a mobile device monitoring component (126) for gathering and monitoring the data from mobile communication devices (140). This data may be used by the fraud detection component (123). The security application (145) may transmit and receive data from the security platform (120) that may include malware update data to update a malware index stored in the security application (145) and configured for use by the security application (145) in detecting malware installed on the mobile communication device (140). 
The received data may also include untrusted external domain update data to update an untrusted external domain index stored in the security application (145) and configured for use by the security application (145) in evaluating external domains accessed by mobile communication device (140). The security platform (120) may include a service monitoring dashboard component (127) for providing a monitoring service to the service provider of past and current security threats and including a mobile communication device identifier monitoring component (128) for monitoring mobile communication devices by their identifiers for security threats. To instigate a subscription, a mobile network subscriber using their mobile communication device (140) may respond to an advert (143) received on their mobile communication device (140). In an example scenario, this may be an advert (143) viewed on a browser (141) of the mobile communication device (140) for a subscription service (142). In another scenario, the advert (143) may be received at the mobile communication device (140) in a message such as an SMS or USSD message, or via another application or communication method. The mobile network subscriber may send a subscription request via a subscription channel (150), such as via a web request, an SMS, a USSD, or other message, to the service provider server (130) offering the subscription service. Conventionally, the service provider server (130) will activate the subscription service (132) and using direct carrier billing the subscription service fee will be directly debited using the subscription billing system (112) of the mobile network operator system (110). In the described system, before activating the direct carrier billing, the security platform (120) validates the subscription request providing security for the service provider and for the subscriber. 
The security platform (120) may include a header enrichment component (122) for using a header enrichment service (113). The header enrichment service (113) may be provided by the mobile network operator to provide a unique identifier of a mobile communication device (140). The unique identifier may be provided to use as a subscriber identifier in subscriber request messages. Header enrichment may be used in the validation when the subscription channel (150) is a web channel. Header enrichment may also be used to validate that the unique identifier is not spoofed. Header enrichment is the process of adding data fields in the Hypertext Transfer Protocol (HTTP) header used by downstream servers. This is used in mobile networks by adding unique identifiers such as user and device identifiers such as IMEI, IMSI, MSISDN UID or other data to identify subscriber or mobile communication device details. Additional information may be added to HTTP headers to be processed during the subscription flow. The security platform (120) executes end-to-end validation from all subscription and activation requests. During the entire flow, each individual request is analysed in real time on several dimensions, granting security to the subscription process. Once the subscription flow has passed all anti-fraud filters, users are successfully activated into the service requested and are redirected to the service provider homesite (destination Uniform Resource Locator (URL)) for consumption. The security platform covers user recruitment (subscription requests) from users connected via the carriers’ or MNO’s network, for example, from both native browsers and in-application requests originating from a Hyper Text Markup Language (HTML) page in which the described security is provided. For the security platform to function optimally, consent or confirmation pages of the service provider are integrated with a button for the security platform engine. 
Header enrichment may be provided to all security platform domains (using the Domain Name System (DNS)) with the header enrichment provided to service providers using the security platform. The security platform prepares landing pages for service providers and the partner service providers make any necessary development or configuration on their side. Requirements from the MNO side may be limited and may for example include enabling header enrichment as described and in some implementations configuration steps for example relating to the clearing process as described. The security platform performs all the necessary validation work and, only if a request is approved, the security platform notifies the service provider of the validated attempt with related MSISDN. Referring to Figure 2, a flow diagram (200) illustrates an example embodiment of the described method carried out at a service provider server (130) and the security engine (160) of the security platform (120). The service provider server (130) may provide a subscription service web page (231) and this may include an attestation of compliance (AOC) page in the form of a confirmation or consent page (232) that displays mandatory policies information to the end user. The confirmation page (232) integrates the security component (135) for interaction with the security platform (120). This may be by inserting a security button or other form of trigger at the confirmation page (232) for the security engine (160) hosted by the security platform (120) to perform the security validation and anti-fraud protection. The security button may include software code that triggers the security engine (160) upon activation by a user. The user clicks on a “buy” or “subscribe” button at the subscription service page (231) and is redirected to the confirmation page (232) where the subscription request triggers (241) the security engine. 
Depending on the subscription channel used by the mobile communication device (140), the security component (135) identifies the requesting subscriber by a unique identifier. This may use header enrichment provided by the MNO or other methods to include a unique identifier of the subscriber, such as the MSISDN, that is used by the security engine (160) in its evaluation of the security threats associated with the mobile communication device (140) and the subscriber. The security engine (160) receives (262) the validation request including the subscriber identifier and validates the request. This may include the security engine (160) carrying out checks (263) for fraud and threats. The checks may involve multiple dimensions of security validations based on data gathered from the service provider, subscriber devices such as the mobile communication device (140), web protocols and the like. The checks (263) may include inputting data points from the gathered data, such as gathered risk data, into fraud detection algorithms (124) for detecting fraud or security threats. The checks may include outputting one or more of a score, value, likelihood or other indication of the probability of the data points being associated with fraudulent activity or security threat detection. The validation may include checking (264) the subscriber identifier for threats recorded against this identifier. The security engine (160) may confirm or deny (265) the subscriber request to the service provider based on the security validation carried out. Once validated, the security platform (120) sends an activation call (266) to the MNO’s service delivery platform (SDP) and/or to the service provider. The MNO’s SDP or the service provider activates the user on the service and may notify (267) both the security platform (120) and the service provider. 
The access to the service is granted or denied (244) and, if granted, the subscriber is redirected to the service provider’s web site portal (233) with their authenticated subscription. This may be referred to as a double opt-in flow and summarised as follows:
1. User clicks on ‘subscribe’ button at Service Provider page;
2. User is redirected to the Consent Page where Security Engine button is implemented;
3. Security Engine performs validation request and releases only clean traffic for SDP/MNO validation;
4. SDP/MNO checks user eligibility for service subscription and/or billing charge;
   a. SDP/MNO returns response code to Security Engine;
5. Security Engine redirects user to Service Provider Portal (website) for successful activation;
   a. Unsuccessful activations are redirected to a disclaimer page.

The security platform delivers the security measures necessary to use header enriched flows and avoid one-time password (OTP) flows, which prevent real users from activating. OTP flow protection may also be included with the security platform, but is neither required nor recommended as it does not add to the security provided and may make the user experience worse.

The security platform may monitor adverts and subscriptions provided via an external domain of a service provider. This may include parsing content provided to a subscriber via the external domain and evaluating the parsed content against a regulation schema to determine whether the external domain complies with regulations relating to the transaction. This may also include crawling the web to identify web-based advertisements directing to the external domain.

Referring to Figure 3, a flow diagram (300) shows an example scenario for a subscription flow starting from a published advertisement and using a subscription web channel from a mobile communication device (140) of a user.
A user of a mobile communication device (140) sees an advertisement banner from a service provider server (130), for example, displayed (301) on a browser displayed on their mobile communication device (140) and clicks on it to subscribe. The security platform (120) may monitor the placement and compliance of advertisements from service providers. Clicking on the advert takes (302) the browser to an MSISDN page using header enhancement for MSISDN identification of the mobile communication device (140). An MSISDN page may be any web page to which the subscriber is redirected and via which redirection the MSISDN or other unique identifier is obtained through header enrichment. A confirmation click may be received (303) on the page to confirm the user’s intention to subscribe to the service. The subscription request is redirected (304) to the security platform for validation of the subscription request. Validation may be carried out by the security engine (160) using fraud detection algorithms (124), for example as described above with reference to Figure 2. Once validated, the user browser may be redirected (305) to an OTP page on the mobile communication device (140) in order to receive (306) an OTP from the security platform that is sent using the MSISDN. The OTP page may receive (307) the OTP and subscription confirmation whereby access is provided (308) to the service. Referring to Figure 4, a flow diagram (400) shows an example scenario for a subscription flow starting from a published advertisement and using a USSD verification from a mobile communication device (140) of a user. A user of a mobile communication device (140) sees an advertisement banner from a service provider server (130), for example, received (401) via a message displayed on their mobile communication device (140) sent to the MSISDN of the subscriber. Clicking on the advert may take the browser of the mobile communication device (140) to visit (402) a landing page for the service. 
A confirmation or subscribe click on the landing page may be received (403) to confirm the user’s intention to subscribe to the service and to activate a USSD prompt that is displayed to the user in order to be confirmed. A confirmation response may be received (404) to the USSD prompt in order to confirm the subscription request by the subscriber. The subscription request is sent (405) via a server-to-server (S2S) call to the security platform for validation of the subscription request. Validation may be carried out by the security engine (160) using fraud detection algorithms (124), for example as described above with reference to Figure 2. Once validated, the user’s service is activated and the user may be redirected (406) to the service access. This provides a web initiated USSD and the security measures enable the use of USSD flows and avoid OTP flows, the latter of which can prevent real users from activating.

In other example scenarios, a subscription may be initiated via other channels. For example, in other example scenarios, any one of SMS-, rich communication services- (RCS), SatPush-, interactive voice response- (IVR) or email-based channels may be used to activate a prompt that is displayed to the user in order for the service to be confirmed. In another example scenario, a subscription flow may start from a USSD, RCS, SatPush, IVR or SMS request. As such a request uses the MSISDN, it has the user identifier and header enrichment is not required. The user directly responds to the request to the service provider, which then redirects the request to the security platform for validation pending which the user is subscribed to the service.

As referred to in Figure 1, the security platform (120) may include a service monitoring dashboard component (127) that provides reporting of security threats and associated statistics.
This includes data as gathered from the security component (135) at the service provider server (130) and the security applications (145) provided at mobile communication devices (140) as well as the outcomes of the fraud detection component (123) of the security engine (160).

Security Platform Dashboard

The security platform may provide a dashboard for monitoring a campaign’s performance for each service provider and service, using a variety of different reports and dimensions, as well as reviewing the interaction history on a subscriber identifier (such as an MSISDN or equivalent) level. Reports may include:
• Real time monitoring of subscription flows;
• Overall performance: Main key performance indicators and daily evolution of blocked and cleared traffic;
• Analysis: Breakdown on type of fraud identified;
• Top Blocked Traffic Sources: List of top blocked traffic sources, as shared by the service providers;
• Top Blocked Applications: List of top blocked application, as identified in the activation requests sent by the users;
• Blocked vs successful attempts: Daily aggregated performance of the real time blocking;
• Security Performance: Detailed performance reports, with low level break down and export functionality for offline processing;
• Real time view on the traffic, as processed by the security platform.
• Requests stream report, will provide a view of the real time processed requests, with details such as the application, service, etc.

The security platform may maintain a subscriber risk profile, including updating the subscriber risk profile with data associated with a new subscription request. The subscriber risk profile includes data associated with prior subscription requests associated with the subscriber identifier. Analysing the risk data associated with the subscription request includes comparing the subscription request against the prior subscription requests and flagging anomalies detected in the comparison.
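The risk-profile comparison described above can be sketched as follows. This is an added example, not code from the patent: the class and field names, the chosen data points and every threshold are assumptions made for illustration, and the sample values in the usage are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class SubscriptionRequest:
    """Data points for one request (a hypothetical subset of those the page lists)."""
    msisdn: str
    timestamp: float          # seconds since the epoch
    user_agent: str
    device_timezone: str
    seconds_on_page: float    # time between page load and the confirmation click


class RiskProfiles:
    """Per-subscriber history of prior requests, keyed by subscriber identifier."""

    def __init__(self, min_history=3, fast_ratio=0.2, burst_window=3600, burst_limit=3):
        # All four thresholds are assumed values, not taken from the patent.
        self.min_history = min_history      # clean requests needed before comparing
        self.fast_ratio = fast_ratio        # fraction of the usual time on page
        self.burst_window = burst_window    # seconds
        self.burst_limit = burst_limit      # prior requests allowed in the window
        self._history = defaultdict(list)   # msisdn -> [(request, flags), ...]

    def assess(self, request):
        """Compare a request with the subscriber's prior ones, then record it."""
        history = self._history[request.msisdn]
        flags = []

        # Only earlier unflagged requests form the baseline, so a flagged
        # request cannot teach the profile that its own traits are normal.
        baseline = [prior for prior, prior_flags in history if not prior_flags]
        if len(baseline) >= self.min_history:
            if request.user_agent not in {p.user_agent for p in baseline}:
                flags.append("new_user_agent")
            if request.device_timezone not in {p.device_timezone for p in baseline}:
                flags.append("new_device_timezone")
            usual = median(p.seconds_on_page for p in baseline)
            if request.seconds_on_page < self.fast_ratio * usual:
                flags.append("unusually_fast_confirmation")

        # Burst detection counts every prior request, flagged or not.
        recent = [p for p, _ in history
                  if 0 <= request.timestamp - p.timestamp <= self.burst_window]
        if len(recent) >= self.burst_limit:
            flags.append("subscription_burst")

        # Update the profile with the new request and its outcome.
        history.append((request, tuple(flags)))
        return flags


if __name__ == "__main__":
    profiles = RiskProfiles()
    msisdn = "447700900123"  # constructed sample identifier
    for ts, secs in [(0, 12.0), (100_000, 15.0), (200_000, 9.0)]:
        profiles.assess(SubscriptionRequest(msisdn, ts, "Browser/1", "Europe/Athens", secs))
    odd = SubscriptionRequest(msisdn, 300_000, "Headless/9", "Asia/Tokyo", 0.4)
    print(profiles.assess(odd))
```
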
The security platform may provide a unique identifier search based on unique identifiers such as MSISDNs. The security platform may provide the option to search for the activation, interaction and infection history of users. This may be done through an MSISDN search page where the MSISDN of a user is used as key on the search. MSISDN (or equivalent) search will also give the possibility to check by MSISDN:
• Partner name, service name, IP, browser type/app, device, price, frequency/one-time charge, free trial period, request time-stamp, status of validation;
• Interaction history may be extracted.

The security platform architecture ensures that the platform will be highly available and with very low response times. For example, response time on client requests will aim not to exceed 1 second, for all the calls related to a browser user experience.

Validations Performed by the Security Platform:

Platform functionalities can be grouped as follows.
• Real-time Automated Fraud Prevention: detection and blocking of bots, clickjacking, hijacked devices, malware apps, etc. The security platform broadly classifies all threats encountered as an Automated Threat (i.e. malware or bot attacks). Such threats may be determined to have happened by a piece of software running on user’s device without user realizing it, or may be determined to originate from malicious software that is server-based.
• Behavioural Fraud Prevention: User behaviour analysis to further block unwanted patterns. The security platform broadly classifies all threats encountered that are determined to have happened by a human-led action without the user being able to identify the malicious behaviour, as a mislead human threat.
• Clearing Process: payment gateway-like clearing process of purchase and final funds collection. The security platform continues working even after the subscription is completed.
Should the system at a later stage identify either an Automated or Behavioural Fraud Pattern, transactions of affected users will be cancelled (during the clearing period), thereby further eliminating fraud post-subscription.

The security platform is a dynamic system that is constantly evolving to adapt to the changing Internet landscape. To achieve this, the security platform performs the following validations:
• Malicious Bot (Machines replicating human behaviour): The security platform broadly classifies all threats encountered that are determined to have happened by a piece of software running on user’s device without user realizing it, as a Malicious Bot (sometimes referred to as malware or bot attacks). In many cases the various installations of such software communicate with a central server that coordinates and commands such behaviour. It can be increased or decreased in pace, switched on/off, informed to switch from one target URL or service to another.
• Malicious on-page Behaviour: The security platform classifies in this category all threats encountered that are determined to have happened based on a behavioural pattern on the landing page showing that the activation attempt was not initiated by the end-user.
• Header injection / IP Discrepancy: The security platform classifies in this category all threats encountered that are determined to have happened based on an attempt to emulate the MSISDN of the user and/or coming from an IP that is not allowed as a legitimate request.
• Blacklisted App: The security platform classifies in this category all threats encountered that are determined to have happened from specific well-known malicious apps based on the HTTP request header.
• Activity Pattern (suspicious repetitive actions & usage patterns): The security platform broadly classifies all threats encountered that are determined to have happened through usage or action patterns that are suspicious, as Behavioural Pattern threat.
Such cases typically include irregular subscription attempts, irregular service usage etc. They may have been caused by an automated threat that was not detected as such at the time. Such patterns/threats are a valuable source for feeding back to the automated threat component of the security platform algorithm.

Risk data including data points may be gathered from mobile communication devices of subscribers via the security application from the device itself, user interactions with the service provider’s web page, and web protocols, such as an HTTP web request. The data points may include one or more of the following: time spent on page, time of day, date of last subscription, HTTP headers, IP address, interaction with the page, application making the request, browser making the request, number of existing subscriptions, device time zone, device language, device screen size, device screen resolution, device message permissions, device JavaScript capabilities, user agent, originating URL, data saving settings, country, user devices. Data points may also be gathered from and/or delivered to the service provider server using web protocols such as HTTP GET/POST. Proprietary scripts running on the page may gather data points relating to additional information which can be used to assess the validity of a request.

Threats that are detected can be further categorized as follows:

Automated Threats:
• Header Injection: The insertion of a fake Header Enrichment HTTP header in the incoming request in order to subscribe an arbitrary user to a service.
• Pre-installed / Downloaded Malware apps: Applications specifically designed (or inadvertently containing malicious SDKs) to perform malicious actions on the user’s device. These apps usually load web pages in the background in order to avoid being noticed by the user.
• Cross-site Scripting (XSS): A type of injection security attack in which an attacker injects data, such as malicious scripts, into content from otherwise trusted websites. Cross-site scripting attacks happen when an untrusted source is allowed to inject its own code into a web application, and that malicious code is included with dynamic content delivered to a victim’s browser.
• Replay Attacks: A category of attacks in which an attacker detects a data transmission and fraudulently has it delayed or repeated. The delay or repeat of the data transmission is carried out by the sender or by the malicious entity, who intercepts the data and retransmits it.
• Click Farms: Click fraud in the form of a large group of workers hired to click on paid advertising links for the click fraudster. The workers click the links, surf the target website for a period of time, and subscribe to services.

Misleading Users:
• Touch/click Hijacking: A malicious technique using hidden layers on web pages to trick a user into clicking on something different from what the user perceives, thus allowing involuntary subscription to services while clicking on seemingly innocuous objects.
• Frame Masking: Using HTML frames or iFrames to hide the confirmation page and requesting the user to click on a seemingly ‘harmless’ web page while in reality providing consent to the service subscription.
• User Action Simulation: Listening for user swipes/gestures/taps and playing them back to provide consent to the user subscription. Usually encountered in malware installed on the user’s device.
• Browserless Clickjacking: Causing a user-click on a service confirmation button without using a web browser screen overlays under which malicious apps can hide the actual content of the web page.
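As an added illustration (not code from the patent), the sketch below shows how a validation endpoint might screen a redirected request for three of the categories above: header injection / IP discrepancy, blacklisted app and replay. The header name `X-MSISDN`, the gateway address range, the blocklist entry, the token lifetime and the one-time consent-page token itself are assumptions; the sample values in the usage are constructed.

```python
import ipaddress
import re

# Assumptions for this sketch (none of these values come from the patent):
ENRICHMENT_HEADER = "x-msisdn"                                # header the MNO gateway adds
TRUSTED_GATEWAYS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed MNO egress range
APP_HEADER = "x-requested-with"                               # Android WebView puts the app package here
BLOCKED_APPS = {"com.example.autoclicker"}                    # constructed blocklist entry
TOKEN_TTL = 120                                               # seconds a consent-page token stays valid
MSISDN_RE = re.compile(r"^[1-9]\d{7,14}$")                    # 8 to 15 digits, no leading zero


class ReplayGuard:
    """Tracks consent-page tokens so each one can confirm a single request."""

    def __init__(self, ttl=TOKEN_TTL):
        self.ttl = ttl
        self._issued = {}  # token -> time the consent page was served

    def issue(self, token, now):
        self._issued[token] = now

    def redeem(self, token, now):
        issued = self._issued.pop(token, None)  # pop: a second use finds nothing
        return issued is not None and 0 <= now - issued <= self.ttl


def validate_request(peer_ip, headers, token, guard, now):
    """Return a decision for one redirected subscription request.

    headers is a list of (name, value) pairs exactly as received, so that
    duplicate headers are still visible to the check.
    """
    reasons = []
    lowered = [(name.lower(), value.strip()) for name, value in headers]

    # IP discrepancy: the enrichment header is only trustworthy when the
    # connection comes from the operator's own gateway range.
    address = ipaddress.ip_address(peer_ip)
    if not any(address in network for network in TRUSTED_GATEWAYS):
        reasons.append("ip_discrepancy")

    # Header injection: a client-supplied copy next to the gateway's own
    # header shows up as a duplicate; never pick one of several values.
    identifiers = [value for name, value in lowered if name == ENRICHMENT_HEADER]
    if len(identifiers) > 1:
        reasons.append("header_injection")
    elif not identifiers:
        reasons.append("missing_identifier")
    elif not MSISDN_RE.match(identifiers[0]):
        reasons.append("malformed_identifier")

    # Blacklisted app: the requesting application as named in the request header.
    apps = {value for name, value in lowered if name == APP_HEADER}
    if apps & BLOCKED_APPS:
        reasons.append("blacklisted_app")

    # Replay: the token issued with the consent page may be used once, and soon.
    if not guard.redeem(token, now):
        reasons.append("replayed_or_expired_token")

    allowed = not reasons
    return {"allow": allowed,
            "msisdn": identifiers[0] if allowed else None,
            "reasons": reasons}


if __name__ == "__main__":
    guard = ReplayGuard()
    guard.issue("token-1", now=1000)
    request_headers = [("X-MSISDN", "447700900123"), ("User-Agent", "Browser/1")]
    print(validate_request("198.51.100.7", request_headers, "token-1", guard, now=1010))
    print(validate_request("198.51.100.7", request_headers, "token-1", guard, now=1011))
```

The check only has value if the operator's gateway removes or overwrites any enrichment header arriving from the handset and the validation endpoint is reachable only through that gateway.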
Figure 5 illustrates an example of a computing device (500) in which various aspects of the disclosure may be implemented, including the security platform (120) servers, the MNO system (110) servers, the service provider server (130), and the mobile communication devices (140) of the subscribers. The computing device (500) may be embodied as any form of data processing device including a personal computing device (e.g. laptop or desktop computer), a server computer (which may be self-contained, physically distributed over a number of locations), a client computer, or a communication device, such as a mobile phone (e.g. cellular telephone), satellite phone, tablet computer, personal digital assistant or the like. Different embodiments of the computing device may dictate the inclusion or exclusion of various components or subsystems described below. The computing device (500) may be suitable for storing and executing computer program code. The various participants and elements in the previously described system diagrams may use any suitable number of subsystems or components of the computing device (500) to facilitate the functions described herein.
The computing device (500) may include subsystems or components interconnected via a communication infrastructure (505) (for example, a communications bus, a network, etc.). The computing device (500) may include one or more processors (510) and at least one memory component in the form of computer-readable media. The one or more processors (510) may include one or more of: CPUs, graphical processing units (GPUs), microprocessors, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs) and the like. In some configurations, a number of processors may be provided and may be arranged to carry out calculations simultaneously. In some implementations various subsystems or components of the computing device (500) may be distributed over a number of physical locations (e.g. in a distributed, cluster or cloud-based computing configuration) and appropriate software units may be arranged to manage and/or process data on behalf of remote devices.
The memory components may include system memory (515), which may include read only memory (ROM) and random access memory (RAM). A basic input/output system (BIOS) may be stored in ROM. System software may be stored in the system memory (515) including operating system software. The memory components may also include secondary memory (520). The secondary memory (520) may include a fixed disk (521), such as a hard disk drive, and, optionally, one or more storage interfaces (522) for interfacing with storage components (523), such as removable storage components (e.g. magnetic tape, optical disk, flash memory drive, external hard drive, removable memory chip, etc.), network attached storage components (e.g. NAS drives), remote storage components (e.g. cloud-based storage) or the like.
The computing device (500) may include an external communications interface (530) for operation of the computing device (500) in a networked environment enabling transfer of data between multiple computing devices (500) and/or the Internet. Data transferred via the external communications interface (530) may be in the form of signals, which may be electronic, electromagnetic, optical, radio, or other types of signal. The external communications interface (530) may enable communication of data between the computing device (500) and other computing devices including servers and external storage facilities. Web services may be accessible by and/or from the computing device (500) via the communications interface (530). The external communications interface (530) may be configured for connection to wireless communication channels (e.g., a cellular telephone network, wireless local area network (e.g. using Wi-Fi™), satellite-phone network, Satellite Internet Network, etc.) and may include an associated wireless transfer element, such as an antenna and associated circuitry. In the case of a mobile communication device (140), the external communications interface (530) may include a subscriber identity module (SIM) in the form of an integrated circuit that stores an international mobile subscriber identity and the related key used to identify and authenticate a subscriber using the computing device (500). One or more subscriber identity modules may be removable from or embedded in the computing device (500).
The computer-readable media in the form of the various memory components may provide storage of computer-executable instructions, data structures, program modules, software units and other data. A computer program product may be provided by a computer-readable medium having stored computer-readable program code executable by the central processor (510). A computer program product may be provided by a non-transient or non-transitory computer-readable medium, or may be provided via a signal or other transient or transitory means via the communications interface (530).
Interconnection via the communication infrastructure (505) allows the one or more processors (510) to communicate with each subsystem or component and to control the execution of instructions from the memory components, as well as the exchange of information between subsystems or components. Peripherals (such as printers, scanners, cameras, or the like) and input/output (I/O) devices (such as a mouse, touchpad, keyboard, microphone, touch-sensitive display, input buttons, speakers and the like) may couple to or be integrally formed with the computing device (500) either directly or via an I/O controller (525). One or more displays (519) (which may be touch-sensitive displays) may be coupled to or integrally formed with the computing device (500) via a display or video adapter (518).
The foregoing description has been presented for the purpose of illustration; it is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Persons skilled in the relevant art can appreciate that many modifications and variations are possible in light of the above disclosure. Any of the steps, operations, components or processes described herein may be performed or implemented with one or more hardware or software units, alone or in combination with other devices.
In one embodiment, a software unit is implemented with a computer program product comprising a non-transient or non-transitory computer-readable medium containing computer program code, which can be executed by a processor for performing any or all of the steps, operations, or processes described. Software units or functions described in this application may be implemented as computer program code using any suitable computer language such as, for example, Java™, C++, or Perl™ using, for example, conventional or object-oriented techniques. The computer program code may be stored as a series of instructions, or commands on a non-transitory computer-readable medium, such as a random access memory (RAM), a read-only memory (ROM), a magnetic medium such as a hard-drive, or an optical medium such as a CD-ROM. Any such computer-readable medium may also reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.
Flowchart illustrations and block diagrams of methods, systems, and computer program products according to embodiments are used herein. Each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, may provide functions which may be implemented by computer readable program instructions.
In some alternative implementations, the functions identified by the blocks may take place in a different order to that shown in the flowchart illustrations. Some portions of this description describe the embodiments of the invention in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations, such as accompanying flow diagrams, are commonly used by those skilled in the data processing arts to convey the substance of their work effectively to others skilled in the art. These operations, while described functionally, computationally, or logically, are understood to be implemented by computer programs or equivalent electrical circuits, microcode, or the like. The described operations may be embodied in software, firmware, hardware, or any combinations thereof. The language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based hereon. Accordingly, the disclosure of the embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention set forth in any accompanying claims. Finally, throughout the specification and any accompanying claims, unless the context requires otherwise, the word ‘comprise’ or variations such as ‘comprises’ or ‘comprising’ will be understood to imply the inclusion of a stated integer or group of integers but not the exclusion of any other integer or group of integers.

Claims

1. A computer-implemented method for fraud protection in subscription flows for mobile application services using direct billing of a subscriber account maintained by a mobile network operator (MNO), wherein the method is carried out by a security platform server and comprises: receiving a redirected subscription request for a direct carrier billing service, wherein the subscription request is provided via a communication channel between a service provider server and a mobile communication device having a subscriber identifier; validating in real time the subscription request at the security platform including evaluating risk associated with the subscription request using the subscriber identifier of the request and by applying fraud detecting algorithms to the subscription request using gathered risk data; and confirming allowance of the subscription request by initiating the activation of the subscription at the MNO allowing access to the mobile application service by the subscriber via the mobile communication device; or blocking allowance of the subscription request.
2. The method as claimed in claim 1, including gathering risk data from a mobile communication device with the data associated with the subscriber identifier and/or gathering risk data from the service provider server and using the gathered risk data in the validating of a subscription request.
3. The method as claimed in claim 2, wherein validating includes evaluating the gathered risk data associated with the subscription request from one or more of: profile data gathered and associated with the subscriber identifier; data gathered from an external domain of the service provider server; and the subscription request.
4. The method as claimed in any one of the preceding claims, wherein validating uses algorithms in multiple dimensions to check for known threat patterns in the subscriber request and previously gathered risk data.
5. The method as claimed in any one of the preceding claims, wherein the communication channel is one of the group of: a web channel, a short message service (SMS) channel, an unstructured supplementary service data (USSD) channel, or other communication channel through which a subscription request can be made.
6. The method as claimed in claim 5, wherein the communication channel is a web channel and the method includes using header enrichment to extract data from a header of the subscription request for use in the validation.
7. The method as claimed in claim 6, wherein extracting data from the header includes extracting an identifier injected into the request, and wherein validating includes analysing the validity of the identifier.
8. The method as claimed in any one of the preceding claims, wherein the redirected subscription request is triggered by a trigger component incorporated into an external domain of the service provider server.
9. The method as claimed in any one of the preceding claims, including deploying a subscriber activity component to an external domain of the service provider server, wherein the subscriber activity component records subscriber interaction with the external domain.
10. The method as claimed in any one of the preceding claims, wherein validating includes: analysing gathered risk data associated with the subscription request to determine the likelihood that the subscription request is legitimate; and, processing the subscription request if the subscription request is determined likely to be legitimate; or, refusing the subscription request if the subscription request is determined not likely to be legitimate.
11. The method as claimed in any one of the preceding claims, including transmitting and receiving data to and from a mobile software application installed on a mobile communication device associated with the subscriber identifier.
12. The method as claimed in claim 11, wherein transmitting data includes transmitting malware update data to update a malware index stored in the software application and configured for use by the software application in detecting malware installed on the communication device.
13. The method as claimed in claim 11 or claim 12, wherein transmitting data includes transmitting untrusted external domain update data to update an untrusted external domain index stored in the software application and configured for use by the software application in evaluating external domains accessed by mobile communication device.
14. The method as claimed in any one of the preceding claims, including parsing content provided to a subscriber via an external domain and evaluating the parsed content against a regulation schema to determine whether the external domain complies with regulations relating to a subscription request.
15. The method as claimed in any one of the preceding claims, including crawling the web to identify web-based advertisements directing to an external domain; parsing content provided to a subscriber via the web-based advertisements and evaluating the parsed content against a regulation schema to determine whether the web-based advertisements comply with regulations relating to a subscription request.
16. The method as claimed in any one of the preceding claims, wherein the method includes maintaining a subscriber risk profile, including updating the subscriber risk profile with data associated with the subscription request.
17. The method as claimed in claim 16, wherein the subscriber risk profile includes data associated with prior subscription requests associated with the subscriber identifier, and wherein analysing the gathered risk data associated with the subscription request includes comparing the subscription request against the prior subscription requests and flagging anomalies detected in the comparison.
18. The method as claimed in any one of the preceding claims, including providing a clearing period cancellation, wherein the security platform continues validating after the subscription is completed for a clearing period of time to identify a fraud pattern, and cancelling transactions of affected users during the clearing period.
19. A system for fraud protection in subscription flows for mobile application services using direct billing of a subscriber account maintained by a mobile network operator (MNO), including a security platform server including: a request receiving component for receiving a redirected subscription request received via a communication channel between the service provider server and a mobile communication device having a subscriber identifier; a subscription validation component for validating the subscription request at the security platform including evaluating risk associated with the subscription request using the subscriber identifier of the request and by applying fraud detecting algorithms to the subscription request using gathered risk data; and a subscription activation component for confirming allowance of the subscription request by initiating the activation of the subscription at the MNO allowing access to the application service by the subscriber; or blocking allowance of the subscription request.
20. The system as claimed in claim 19, including providing code at a service provider server to redirect a subscription request received via a communication channel from the mobile communication device by integrating the code in a service confirmation stage.
21. The system as claimed in claim 19 or claim 20, including providing code at a mobile communication device for gathering risk data related to subscription requests and other data points and associating the gathered risk data with a subscriber identifier.
22. A computer program product for fraud protection in subscription flows for mobile application services using direct billing of a subscriber account maintained by a mobile network operator (MNO), comprising a computer-readable medium having stored computer-readable program code for performing the steps of: receiving a redirected subscription request for a direct carrier billing service, wherein the subscription request is provided via a communication channel between a service provider server and a mobile communication device having a subscriber identifier; validating in real time the subscription request at the security platform including evaluating risk associated with the subscription request using the subscriber identifier of the request and by applying fraud detecting algorithms to the subscription request using gathered risk data; and confirming allowance of the subscription request by initiating the activation of the subscription at the MNO allowing access to the mobile application service by the subscriber via the mobile communication device; or blocking allowance of the subscription request.
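The validation recited in claims 6, 7, 10, 16 and 17 can be pictured with the following sketch, which is an added illustration and not part of the specification or the applicant's implementation. The header name, gateway address range, nonce and timestamp fields, and all thresholds are assumptions chosen for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Every name and threshold here is an assumption made for this example.
MSISDN_HEADER = "x-msisdn"  # hypothetical header added by the operator gateway
MNO_GATEWAYS = [ipaddress.ip_network("198.51.100.0/24")]  # documentation range
MSISDN_RE = re.compile(r"\d{8,15}")
MAX_AGE_S = 120             # freshness window for a request
MAX_REQUESTS_PER_HOUR = 3   # velocity limit per subscriber identifier


@dataclass
class RiskProfile:
    """Prior subscription requests kept per subscriber identifier."""
    seen_nonces: set = field(default_factory=set)
    request_times: list = field(default_factory=list)


def validate(request, profiles, now):
    """Return ("allow" | "block", reasons) for one redirected request."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    msisdn = headers.get(MSISDN_HEADER, "")

    # An enrichment header is only trustworthy when the request arrived
    # through the operator's gateway; any client can type the header itself.
    src = ipaddress.ip_address(request["source_ip"])
    if not any(src in net for net in MNO_GATEWAYS):
        return "block", ["identifier not injected by operator gateway"]
    if not MSISDN_RE.fullmatch(msisdn):
        return "block", ["malformed subscriber identifier"]

    reasons = []
    profile = profiles.setdefault(msisdn, RiskProfile())
    if request["nonce"] in profile.seen_nonces:
        reasons.append("replayed request")
    if abs(now - request["timestamp"]) > MAX_AGE_S:
        reasons.append("stale request")
    recent = [t for t in profile.request_times if now - t < 3600]
    if len(recent) >= MAX_REQUESTS_PER_HOUR:
        reasons.append("request rate anomaly")
    if not request.get("interaction_events"):
        reasons.append("no recorded user interaction")

    # Update the profile with this request so later ones are compared to it.
    profile.seen_nonces.add(request["nonce"])
    profile.request_times.append(now)
    return ("block" if reasons else "allow"), reasons


def run_samples():
    """Constructed requests: genuine, replay, forged header, no tap, burst."""
    t0 = 1_700_000_000

    def req(nonce, ts, ip="198.51.100.7", events=("tap:confirm",)):
        return {"headers": {"X-MSISDN": "27820000000"}, "source_ip": ip,
                "nonce": nonce, "timestamp": ts,
                "interaction_events": list(events)}

    profiles = {}
    cases = [(req("n1", t0), t0),
             (req("n1", t0), t0 + 5),                       # same nonce again
             (req("n2", t0 + 8, ip="203.0.113.9"), t0 + 8),  # not via gateway
             (req("n3", t0 + 10, events=()), t0 + 10),       # no user action
             (req("n4", t0 + 20), t0 + 20)]                  # 4th in the hour
    return [validate(r, profiles, now) for r, now in cases]


if __name__ == "__main__":
    for decision, reasons in run_samples():
        print(decision, reasons)
```

A request that fails the gateway or identifier check is rejected before any profile is touched, so a forged header cannot be used to fill another subscriber's risk profile.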
PCT/IB2021/055782 2020-07-02 2021-06-29 Fraud protection in subscription flows for mobile application services WO2022003547A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ZA2020/04038 2020-07-02
ZA2020/04038A ZA202004038B (en) 2020-07-02 2020-07-02 Fraud protection in subscription flows for mobile application services

Publications (1)

Publication Number Publication Date
WO2022003547A1 true WO2022003547A1 (en) 2022-01-06

Family

ID=76797039

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2021/055782 WO2022003547A1 (en) 2020-07-02 2021-06-29 Fraud protection in subscription flows for mobile application services

Country Status (2)

Country Link
WO (1) WO2022003547A1 (en)
ZA (1) ZA202004038B (en)

Also Published As

Publication number Publication date
ZA202004038B (en) 2021-07-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21737792

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21737792

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11.07.2023)

122 Ep: pct application non-entry in european phase

Ref document number: 21737792

Country of ref document: EP

Kind code of ref document: A1