
Glossary of terms

Callsign & industry terminology explained

A/B testing

A/B testing is the practice of showing two variants of a web page/application to different segments of users at the same time so insight can be gained into their effectiveness. At Callsign, this specifically refers to the Orchestration Layer where two active policies are run concurrently but with different logic, for a specified user population or event.

Account borrowing

It’s not just fraudsters that businesses need to be aware of. Account borrowing – or second-person fraud – is an equal risk. Examples include users allowing third parties the use of their accounts or using accounts in unauthorized locations – breaking copyright laws or compromising the security of accounts in the process.

Account Takeover

The straightforward takeover of accounts. Often done through fraudsters using social engineering tactics to gain the data they need to mimic a user’s identity and infiltrate accounts. Fraudsters will then use the user information they have collected for financial gain.

Activation code

An activation code – also known as a one-time passcode (OTP) – is a temporary possession-based event-driven authenticator that requires the user to enter a code provided by the organization to authenticate a transaction.


API

Application Programming Interface – A set of clearly defined methods of communication among various components.

App passcode

An app passcode is a local authenticator mechanism that acts like a soft token in place of hardware tokens. A user can generate a passcode for authentication purposes.

Authentication mechanism

Logical representation of a mechanism a subscriber can use to perform an authentication. Examples: PIN, swipe, touch ID (fingerprint), OTP or tokens.

Authentication policy

The configuration of a mechanism's specific parameters. For example, PIN with length of 4 numbers, OTP with maximum challenges of 5.

Authentication Suite

The Callsign Authentication Suite enables organizations to create their own authentication policies that can be applied to multiple use cases, for instance workforce or consumer authentication and identification. Policies are composed of rulesets that are triggered when certain criteria are met.

Authenticator management

Authenticator management is available via Callsign's Authentication Suite and enables organizations to register authenticators, configure their properties for use and apply them to users.


Performing an association between objects e.g. associating a user and a device.

Biometrics (Including behavioral)

Biometrics is the technical term for body measurements and calculations. It refers to metrics related to human characteristics. Biometrics authentication is used in computer science as a form of identification and access control. Examples include fingerprint, voice recognition, swipe, keystroke and facial authenticators.

Bot detection

Bot traffic detection is the act – either through DIY methods, tools or proactive solution providers – of classifying and labeling an automated bot that either is active, or is trying to reach a website or application.

Call challenge

Call challenge is an authenticator that enables users to receive an automated call as part of an authentication event.


Champion/challenger testing

Champion/challenger testing involves evaluating a model and comparing it to one or more challengers. After the system compares the results, the best model can be promoted to be the champion. Callsign currently supports this testing on policies as part of the Orchestration Layer.

Continuous authentication

Continuous authentication is where the user is continuously being assessed, in a passive manner, to confirm they are who they say they are. This is used to compare against the user’s previous habits, to form a highly reliable risk assessment of ID or fraudulent activity. It is often seen as more invasive than other methods such as event-based authentication.

CPU Fingerprinting

CPU fingerprinting combines certain unique attributes of a device CPU to contribute to the identification of a recognized device.

Credential input analysis

Credential input analysis examines the behaviors and patterns of users entering credentials into website forms.

Device anomaly detection

Device anomaly detection detects signs of malicious activity or risk to the mobile app session, for instance: jailbroken or rooted devices, tampering, hooking and emulation.

Device fingerprinting

Device fingerprinting combines extensive and numerous device attributes that rarely, if ever, change – these include which operating system the device is running, the type and version of web browser being used, the browser's language setting, MAC address and system fonts – to identify it as a unique device.

Dynamic linking

Dynamic linking (a PSD2 requirement for Strong Customer Authentication) requires that an authentication code for each transaction must be unique (i.e. it can only be used once), is specific to the transaction amount and recipient, and that both amount and recipient are made clear to the payer when authenticating.

Feedback service

The feedback service is a mechanism to classify transactions as either legitimate or fraudulent and feed this information back to the Callsign Intelligence Engine so models can be optimized.

Fraud: first party

First-party fraud (AKA friendly fraud) is where the legitimate end-user performs the fraud themselves. This could be by refuting an online purchase they have made to get a chargeback refund, or bypassing controls, e.g. to access domestic-only services whilst traveling abroad, mis-stating their true age or income levels etc.

Fraud: second party

It’s not just fraudsters businesses need to be aware of. Account borrowing – or second-person fraud – is an equal risk. Examples include users allowing another person the use of their accounts, e.g. a family member or fellow employee – breaking copyright laws or compromising the security of accounts in the process. Inherence-based authentication (e.g. behavioral biometrics) is a good way to address this issue, as the credentials cannot be shared.

Fraud: third party

This is the most common type of fraud, where a fraudster compromises your credentials and/or steals your identity.


GDPR

The mutually agreed General Data Protection Regulation (GDPR) came into force on May 25, 2018 for Europe and was designed to modernize laws that protect the personal information of individuals.

GPU fingerprinting

GPU fingerprinting is a way to combine certain attributes of a device GPU – like manufacturer, model and memory – to contribute to the identification of a recognized device.

Hard tokens

A HOTP (HMAC-based one-time passcode) is a possession-based authenticator that generates a single-use OTP which is usually entered onto a web channel to complete an authentication event. HOTPs can be derived from entered information such as a challenge, or from transaction data. A TOTP (time-based one-time passcode) hard token is a possession-based authenticator that generates codes that are valid only for a certain amount of time, after which a new code must be generated.

ISO 27001

ISO 27001 was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS). The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action and requires cooperation among all sections of an organization. Callsign is ISO 27001 certified.

Journey mapping

Journey mapping within the Callsign Orchestration Layer enables bespoke authentication pathways and user journeys to be created, including any required step-ups where necessary. The designer utilizes a "drag and drop" user interface so that workflows can be quickly created and visualized by business stakeholders.

Keystroke dynamics

Keystroke dynamics (or typing dynamics) refers to the automated method of identifying or confirming the identity of an individual based on the manner and the rhythm of typing on a keyboard. Keystroke dynamics is a behavioral biometric, and falls under the inherence factor (something you are) of SCA.

List management

The Callsign Orchestration Layer enables organizations to create/import their own list datasets which can be referenced as part of an authentication ruleset or policy. Examples include a whitelist of “VIPs” based on a data type defined by the client, or a blacklist of “fraudulent devices”, defined by a metric of their choosing.

Location-based authentication

Providing that the user has consented and, staying true to our privacy principles, using obfuscated data, we confirm if the user’s location at the point of request aligns with their typical behavior.

Mobile SDK

The Callsign mobile SDK delivers all the features of the Callsign mobile platform to compatible Android or iOS smartphone applications, enabling a secure and seamless user experience. All of the technical sophistication of the platform is embedded in the SDK, which has been designed as an easy-to-use developer interface.

Mobile swipe authentication

Mobile swipe is an authenticator unique to Callsign, requiring the user to swipe their phone to authenticate a transaction. In the background, Callsign collects behavioral data to verify the user is who they say they are. Callsign’s swipe authentication can be classed as both an inherence-based (something you are) and a possession-based (something you have) SCA factor. The possession element comes from the strong, cryptographically secured relationship Callsign establishes between the mobile device and the Callsign platform.

Mouse dynamics

Like keystroke dynamics, mouse dynamics measures and assesses a user's mouse-behavior characteristics for use as a biometric. Mouse dynamics is a behavioral biometric, and falls under the inherence factor (something you are) of SCA.

Name & address check (ATP) – Mobile Network Operator (MNO) intelligence

Name & address check is a non-invasive check performed by Callsign during a transaction as part of account takeover protection (ATP). The process checks whether a user’s telephone number differs from the one the client has on record, in order to determine whether the customer has been socially engineered. This forms part of our telecoms intelligence capabilities.

Number insight – Mobile Network Operator (MNO) intelligence

MNO intelligence (or telecoms intelligence) leverages comprehensive MNO data feeds which can be evaluated to detect social engineering fraud in real time. This helps to reduce false positives for SIM swap and call divert, and supports number porting attack detection, SIM splitting detection, detection of change of telephone number attacks and identification of known fraudulent numbers and devices.

One-time passcode (OTP)

A one-time passcode (OTP) is a temporary possession-based authentication factor (based on possession of the device or medium upon which it is received or generated) that requires the user to enter a code provided by the organization to authenticate a transaction.

Page malware detection

Page fingerprinting is a web SDK-only model, designed to detect potentially malicious web page modification and mutation.

Passive authentication

Passive authentication, or identification, is the collection of information in the background to verify identity. We use thousands of available data points, such as a user’s location, device, typing patterns, mouse movement or swipe to verify a user’s identity.

Policy performance analytics

Policy performance analytics provides organizations with the ability to query their policy, ruleset, authenticator and decision performance and utilization. Callsign offers this as part of the Orchestration Layer.

Policy simulation

Policy simulation (also referred to as Time Machine) is part of our policy evaluation toolkit. It allows organizations to test their policies using previously seen (historical) data from an offline environment. Simulation enables organizations to understand how their policies might perform in production, or how they could address situations differently.


PSD2

PSD2 (Revised Payment Services Directive) requires banks to share raw account data with third-party providers, based on customer permissions, and open up APIs allowing those third parties to initiate payment transactions on behalf of the customer. PSD2 also includes the Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA).

Remote Access Trojan (RAT) detection

During a transaction, we check for Remote Access Trojans (RATs) – a form of malware that enables unauthorized access to someone’s device.

Replay attack detection

During a transaction, we check whether a replay attack is taking place. Replay attacks are a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or replayed.

SIM swap detection

SIM swap fraud involves a fraudster obtaining an individual’s banking details through phishing/vishing techniques, or by purchasing these from organized crime networks. With this and other information, they then dupe a mobile network operator into cancelling and reactivating the victim's mobile number to a SIM in their possession. As a result, calls and texts to the victim’s number are routed to the fraudster’s phone, including OTPs for banking transactions – which can then be used to transfer funds from the victim’s bank account.

Single-factor authentication

Security process of authenticating a user using one type of authentication mechanism to access restricted resources. Typically, single-factor authentication will rely on a knowledge factor (e.g. username and password).

SS7 Network

SS7 is an international telecommunications standard used by MNOs to exchange information when passing calls and text messages between each other, such as when you are roaming. By accessing SS7, fraudsters are able to compromise the messages being sent between networks, meaning they can get these messages and calls sent to a SIM of their choice by setting up a misdirection of the legitimate customer’s SMS or outbound verification call.

Stateful policies

Stateful policies enable previous information about a customer to be remembered – for instance, what authentication they have performed in the last 30 days, the last time they had a high-risk intelligence score etc.

Strong Customer Authentication (SCA)

As part of its efforts to reduce online payment fraud, PSD2 requires a strong authentication process whenever a payment is initiated or remote account access is requested, which is what’s known in the directive as SCA. This method of authentication must include two independent and dynamic factors from the following:

- something you own

- something you know

- something you are

Telecoms fraud

Mobile phones in particular are a breeding ground for Account Takeover. By requesting a SIM swap or call divert, fraudsters can pose as the account holder and authenticate via mobile phone – whether that’s with a one-time passcode or by receiving a security call.

Temporary Access Code

A Temporary Access Code (TAC) is a single-use, knowledge-based authenticator that is distributed to a user via an operator.

Third-party risk system integration

Third-party risk system integration enables organizations to create rules within the Orchestration Layer that can incorporate third-party risk systems in addition to, or in replacement of, the Callsign Intelligence Engine.

Touch dynamics

Behavioral PIN is a form of typing dynamics, and refers to the automated method of confirming the identity of an individual based on the manner and rhythm of a PIN entry on a mobile device. Behavioral PIN authentication can be classed as both an inherence-based (something you are) and knowledge-based (something you know) SCA factor.

Two-Factor Authentication

Known as 2FA, this is the security process of authenticating a user using two or more elements of SCA to access restricted resources.

Username & password

Username and password is a knowledge-based authenticator that requires the user to enter both a username and password into the application to authenticate.

VPN, proxy and Tor Detection

Anonymization networks have been a common occurrence for illegitimate manned or unmanned (bot) traffic. Callsign can identify VPNs, Proxy- and/or Tor-based IPs, and report on these.


Web SDK

The Callsign Web SDK provides the capability to profile a web session, collecting data for server-side machine learning. This data is useful to statistically analyze identity and device / location data, or quantify risk.