Glossary of terms
Callsign & industry terminology explained
A/B testing is the practice of showing two variants of a web page or application to different segments of users at the same time so that their relative effectiveness can be measured. At Callsign, this specifically refers to the Orchestration Layer running two active policies concurrently, with different logic, for a specified user population or event.
It’s not just fraudsters that businesses need to be aware of. Account borrowing – or second-person fraud – is an equal risk. Examples include users allowing third parties the use of their accounts or using accounts in unauthorized locations – breaking copyright laws or compromising the security of accounts in the process.
Account takeover is the straightforward takeover of a user's account. It is often achieved by fraudsters using social engineering tactics to obtain the data they need to mimic the user's identity and get into the account. Fraudsters then use the information they have collected for financial gain.
An activation code – also known as a one-time passcode (OTP) – is a temporary, possession-based, event-driven authenticator that requires the user to enter a code provided by the organization to authenticate a transaction.
Application Programming Interface (API) – a set of clearly defined methods of communication between software components.
An app passcode is a local authenticator mechanism that acts like a soft token in place of hardware tokens. A user can generate a passcode for authentication purposes.
An authenticator is the logical representation of a mechanism a subscriber can use to perform an authentication. Examples: PIN, swipe, touch ID (fingerprint), OTP or tokens.
Configuring an authenticator means setting the mechanism's specific parameters. For example, a PIN with a length of 4 digits, or an OTP with a maximum of 5 challenges.
The Callsign Authentication Suite enables organizations to create their own authentication policies that can be applied to multiple use cases, for instance workforce or consumer authentication and identification. Policies are composed of rulesets that are triggered when certain criteria are met.
Authenticator management is available via Callsign's Authentication Suite and enables organizations to register authenticators, configure their properties for use and apply them to users.
The act of associating two objects, e.g. associating a user and a device.
Biometrics is the technical term for body measurements and calculations: metrics related to human characteristics. Biometric authentication is used in computer science as a form of identification and access control. Examples include fingerprint, voice recognition, swipe, keystroke and facial authenticators.
Bot traffic detection is the act – either through DIY methods, tools or proactive solution providers – of classifying and labeling an automated bot that either is active, or is trying to reach a website or application.
Call challenge is an authenticator that enables users to receive an automated call as part of an authentication event.
Champion/challenger testing involves the evaluation of a model and compares it to one or more challengers. After the system compares the results, the best model can be promoted to be the champion. Callsign currently supports this testing on policies as part of the Orchestration Layer.
Continuous authentication is where the user is continuously assessed, in a passive manner, to confirm they are who they say they are. Observed behavior is compared against the user's previous habits to form a highly reliable assessment of whether the activity is genuine or fraudulent. It is often seen as more invasive than other methods such as event-based authentication.
CPU fingerprinting combines certain unique attributes of a device CPU to contribute to the identification of a recognized device.
Credential input analysis examines the behaviors and patterns of users entering credentials into website forms.
Device anomaly detection detects signs of malicious activity or risk to the mobile app session, for instance jailbroken or rooted devices, tampering, hooking and emulation.
Device fingerprinting combines extensive and numerous device attributes that rarely, if ever, change – these include which operating system the device is running, the type and version of web browser being used, the browser's language setting, MAC address and system fonts – to identify it as a unique device.
Dynamic linking (a PSD2 requirement for Strong Customer Authentication) requires that an authentication code for each transaction must be unique (i.e. it can only be used once), is specific to the transaction amount and recipient, and that both amount and recipient are made clear to the payer when authenticating.
The feedback service is a mechanism to classify transactions as either legitimate or fraudulent and feed this information back to the Callsign Intelligence Engine so models can be optimized.
First-party fraud (AKA friendly fraud) is where the legitimate end-user performs the fraud themselves. This could be by refuting an online purchase they have made to get a chargeback refund, or bypassing controls, e.g. to access domestic-only services whilst traveling abroad, mis-stating their true age or income levels etc.
It’s not just fraudsters businesses need to be aware of. Account borrowing – or second-person fraud – is an equal risk. Examples include users allowing another person the use of their accounts, e.g. a family member or fellow employee – breaking copyright laws or compromising the security of accounts in the process. Inherence-based authentication (e.g. behavioral biometrics) is a good way to address this issue, as the credentials cannot be shared.
This is the most common type of fraud, where a fraudster compromises your credentials and/or steals your identity.
The General Data Protection Regulation (GDPR) came into force across the EU on May 25, 2018 and was designed to modernize the laws that protect the personal information of individuals.
GPU fingerprinting is a way to combine certain attributes of a device GPU – like manufacturer, model and memory – to contribute to the identification of a recognized device.
A HOTP (HMAC-based one-time passcode, RFC 4226) is a possession-based authenticator that generates a single-use OTP from a shared secret and an incrementing counter; the code is usually entered on a web channel to complete an authentication event. Related challenge/response variants derive the code from entered information such as a challenge, or from transaction data. A TOTP (time-based one-time passcode, RFC 6238) hard token is a possession-based authenticator that generates codes valid only for a certain time window (typically 30 seconds), after which a new code must be generated.
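The following is an added example, not Callsign's code, showing how the three code types above fit together: HOTP and TOTP as specified in RFC 4226 and RFC 6238 (checked against the published test vectors), server-side HOTP validation with a bounded look-ahead window so that a code is single-use and cannot be replayed, and a transaction-bound code in the style of the PSD2 dynamic linking entry above, where the code changes if either the amount or the payee is altered. The transaction-code construction (HMAC-SHA256 over length-prefixed amount, payee and nonce) is an illustrative assumption, not a standard or Callsign's own scheme.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) and a dynamic-linking style transaction code.
Illustrative example; not Callsign's implementation."""
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, then truncated to `digits` decimals."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), algo).digest(), digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step plus +/- `skew` neighbouring steps to absorb clock drift."""
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(current - skew, current + skew + 1))


class HotpValidator:
    """Server-side HOTP state: the stored counter only moves forward, so a code
    that was already consumed (or one behind the counter) is rejected, while a
    bounded look-ahead lets the client resync if codes were generated but not sent."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret, self.look_ahead, self.digits = secret, look_ahead, digits
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1  # consume this counter and every earlier one
                return True
        return False


def transaction_code(secret: bytes, amount: str, payee: str, nonce: bytes,
                     digits: int = 8) -> str:
    """Hypothetical dynamic-linking code: HMAC-SHA256 over length-prefixed amount,
    payee and a per-transaction nonce, truncated like HOTP. Changing the amount or
    payee changes the code; the nonce makes it single-use."""
    fields = (amount.encode(), payee.encode(), nonce)
    msg = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


def verify_transaction_code(secret: bytes, code: str, amount: str, payee: str,
                            nonce: bytes, digits: int = 8) -> bool:
    return hmac.compare_digest(transaction_code(secret, amount, payee, nonce, digits), code)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))          # 755224
    print("TOTP at t=59 (8 digits):", totp(secret, 59, digits=8))  # 94287082
    nonce = bytes(range(16))  # constructed per-transaction nonce
    code = transaction_code(secret, "100.00", "GB33BUKB20201555555555", nonce)
    print("amount tampered still verifies?",
          verify_transaction_code(secret, code, "1000.00", "GB33BUKB20201555555555", nonce))
```

Note that `verify_totp` only widens the time window; it does not by itself stop a TOTP code from being submitted twice inside that window. A production verifier also records the last accepted time step per user and refuses anything at or below it, exactly as `HotpValidator` does for the counter.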
ISO 27001 was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS). The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action and requires cooperation among all sections of an organization. Callsign is ISO 27001 certified.
Journey mapping within the Callsign Orchestration Layer enables bespoke authentication pathways and user journeys to be created, including any required step-ups where necessary. The designer utilizes a "drag and drop" user interface so that workflows can be quickly created and visualized by business stakeholders.
Keystroke dynamics (or typing dynamics) refers to the automated method of identifying or confirming the identity of an individual based on the manner and the rhythm of typing on a keyboard. Keystroke dynamics is a behavioral biometric, and falls under the inherence factor (something you are) of SCA.
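As an added illustration of what "manner and rhythm of typing" means in practice (example code, not Callsign's model), the block below extracts the two classic keystroke-dynamics features from key-down/key-up timestamps, dwell time (how long each key is held) and flight time (the gap between releasing one key and pressing the next), builds a per-position mean/deviation profile from a few enrollment samples of a fixed passphrase, and scores a new attempt by its average absolute z-score. The event data, the 5 ms deviation floor and the 1.5 threshold are constructed for the example.

```python
"""Fixed-text keystroke dynamics: dwell/flight features and z-score matching.
Illustrative example with constructed timings; not Callsign's model."""
from statistics import mean, pstdev

# Each event is (key, key_down_ms, key_up_ms) in typing order. Timings below are
# constructed: three enrollment samples of "pass", one genuine probe, one impostor.
ENROLLMENT = [
    [("p", 0, 100), ("a", 220, 310), ("s", 420, 500), ("s", 630, 715)],
    [("p", 0, 104), ("a", 228, 322), ("s", 428, 512), ("s", 646, 727)],
    [("p", 0, 96), ("a", 212, 298), ("s", 412, 488), ("s", 614, 703)],
]
GENUINE_PROBE = [("p", 0, 101), ("a", 222, 313), ("s", 422, 501), ("s", 632, 718)]
IMPOSTOR_PROBE = [("p", 0, 60), ("a", 260, 410), ("s", 470, 530), ("s", 730, 880)]


def extract(events):
    """Feature vector: dwell time per key, then flight time between consecutive keys."""
    dwell = [up - down for _, down, up in events]
    flight = [nxt_down - up for (_, _, up), (_, nxt_down, _) in zip(events, events[1:])]
    return dwell + flight


def enroll(samples, min_sd=5.0):
    """Per-feature mean and deviation; the floor stops near-identical samples
    from producing a zero deviation that would reject any later attempt."""
    vectors = [extract(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all enrollment samples must type the same fixed text")
    return {
        "keys": [k for k, _, _ in samples[0]],
        "mean": [mean(col) for col in zip(*vectors)],
        "sd": [max(pstdev(col), min_sd) for col in zip(*vectors)],
    }


def score(profile, events):
    """Mean absolute z-score of the attempt against the profile (lower is closer)."""
    if [k for k, _, _ in events] != profile["keys"]:
        raise ValueError("fixed-text comparison requires the same key sequence")
    vector = extract(events)
    return mean(abs(x - m) / s for x, m, s in zip(vector, profile["mean"], profile["sd"]))


def matches(profile, events, threshold=1.5):
    return score(profile, events) <= threshold


if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    print("genuine score:", round(score(profile, GENUINE_PROBE), 2))
    print("impostor score:", round(score(profile, IMPOSTOR_PROBE), 2))
```

The threshold trades false rejects against false accepts and would be tuned on real enrollment data; the key-sequence check matters because dwell and flight statistics are only comparable position by position when the same text is typed.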
The Callsign Orchestration Layer enables organizations to create/import their own list datasets which can be referenced as part of an authentication ruleset or policy. Examples include a whitelist of “VIPs” based on a data type defined by the client, or a blacklist of “fraudulent devices”, defined by a metric of their choosing.
Provided that the user has consented, and using obfuscated data in keeping with our privacy principles, we confirm whether the user's location at the point of request aligns with their typical behavior.
The Callsign mobile SDK delivers all the features of the Callsign mobile platform to compatible Android or iOS smartphone applications, enabling a secure and seamless user experience. All of the technical sophistication of the platform is embedded in the SDK, which has been designed as an easy-to-use developer interface.
Mobile swipe is an authenticator unique to Callsign, requiring the user to swipe their phone to authenticate a transaction. In the background, Callsign collects behavioral data to verify the user is who they say they are. Callsign’s swipe authentication can be classed as both an inherence-based (something you are) and a possession-based (something you have) SCA factor. The possession element comes from the strong, cryptographically secured relationship Callsign establishes between the mobile device and the Callsign platform.
Like keystroke dynamics, mouse dynamics measures and assesses a user's mouse-behavior characteristics for use as a biometric. Mouse dynamics is a behavioral biometric, and falls under the inherence factor (something you are) of SCA.
Name & address check is a non-invasive check performed by Callsign during a transaction as part of account takeover protection (ATP). The process checks whether a user's telephone number differs from the one the client has on record, in order to determine whether the customer has been socially engineered. This forms part of our telecoms intelligence capabilities.
MNO intelligence (or telecoms intelligence) leverages comprehensive MNO data feeds which can be evaluated to detect social engineering fraud in real time. It helps to reduce false positives for SIM swap and call divert, and supports detection of number porting attacks, SIM splitting and change-of-telephone-number attacks, as well as identification of known fraudulent numbers and devices.
A one-time passcode (OTP) is a temporary possession-based authentication factor (based on possession of the device or medium upon which it is received or generated) that requires the user to enter a code provided by the organization to authenticate a transaction.
Page fingerprinting is a web SDK-only model, designed to detect potentially malicious web page modification and mutation.
Passive authentication, or identification, is the collection of information in the background to verify identity. We use thousands of available data points, such as a user’s location, device, typing patterns, mouse movement or swipe to verify a user’s identity.
Policy performance analytics provides organizations with the ability to query their policy, ruleset, authenticator and decision performance and utilization. Callsign offers this as part of the Orchestration Layer.
Policy simulation, (also referred to as Time Machine) is part of our policy evaluation toolkit. It allows organizations to test their policies using previously seen (historical) data from an offline environment. Simulation enables organizations to understand how their policies might perform in production, or how they could address situations differently.
PSD2 (Revised Payment Services Directive) requires banks to share raw account data with third-party providers, based on customer permissions, and open up APIs allowing those third parties to initiate payment transactions on behalf of the customer. PSD2 also includes the Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA).
During a transaction, we check for Remote Access Trojans (RATs) – a form of malware that enables unauthorized access to someone's device.
During a transaction, we check whether a replay attack is taking place. Replay attacks are a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or replayed.
SIM swap fraud involves a fraudster obtaining an individual’s banking details through phishing/vishing techniques, or by purchasing these from organized crime networks. With this and other information, they then dupe a mobile network operator into cancelling and reactivating the victim's mobile number to a SIM in their possession. As a result, calls and texts to the victim’s number are routed to the fraudster’s phone, including OTPs for banking transactions – which can then be used to transfer funds from the victim’s bank account.
Single-factor authentication is the security process of authenticating a user using one type of authentication mechanism to access restricted resources. Typically, single-factor authentication relies on a knowledge factor (e.g. username and password).
SS7 is an international telecommunications standard used by MNOs to exchange information when passing calls and text messages between each other, such as when you are roaming. By accessing SS7, fraudsters are able to compromise the messages being sent between networks, meaning they can get these messages and calls sent to a SIM of their choice by setting up a misdirection of the legitimate customer’s SMS or outbound verification call.
Stateful policies enable previous information about a customer to be remembered – for instance, what authentication they have performed in the last 30 days, the last time they had a high-risk intelligence score etc.
As part of its efforts to reduce online payment fraud, PSD2 requires a strong authentication process whenever a payment is initiated or remote account access is requested, which is what the directive calls SCA. This method of authentication must include at least two independent factors from the following categories:
- something you have (possession)
- something you know (knowledge)
- something you are (inherence)
Mobile phones in particular are a breeding ground for Account Takeover. By requesting a SIM swap or call divert, fraudsters can pose as the account holder and authenticate via mobile phone – whether that’s with a one-time passcode or by receiving a security call.
A Temporary Access Code (TAC) is a single-use, knowledge-based authenticator that is distributed to a user via an operator.
Third-party risk system integration enables organizations to create rules within the Orchestration Layer that can incorporate third-party risk systems in addition to, or in replacement of, the Callsign Intelligence Engine.
Behavioral PIN is a form of typing dynamics, and refers to the automated method of confirming the identity of an individual based on the manner and rhythm of a PIN entry on a mobile device. Behavioral PIN authentication can be classed as both an inherence-based (something you are) and knowledge-based (something you know) SCA factor.
Two-factor authentication (2FA) is the security process of authenticating a user using two independent SCA factors to access restricted resources; with two or more factors it is also referred to as multi-factor authentication.
Username and password is a knowledge-based authenticator that requires the user to enter both a username and a password into the application to authenticate.
Anonymization networks are commonly used by illegitimate manned and unmanned (bot) traffic. Callsign can identify VPN, proxy and Tor exit IPs and report on them.
The Callsign Web SDK provides the capability to profile a web session, collecting the data required for server-side machine learning. This data is used to statistically analyze identity, device and location data, and to quantify risk.