Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
SYSTEMS AND METHODS FOR ELECTRONIC FRAUD DETECTION AND PREVENTION
Document Type and Number:
WIPO Patent Application WO/2017/093801
Kind Code:
A2
Abstract:
A non-transitory computer readable medium storing instructions for performing a secure transaction is provided. The instructions, when executed by at least one processor, cause the at least one processor to perform operations including harvesting, at a mobile device, activity data indicative of various diverse activities of a user of the mobile device; transmitting to a remote server, from the mobile device, the activity data harvested from the mobile device in order to enable the remote server to generate a behavioral profile of the user of the mobile device based on the harvested activity data; receiving at the mobile device, from the server, the behavioral profile; storing the behavioral profile locally on the mobile device; and determining, on the mobile device, whether to authorize a requested financial transaction based on a comparison of data associated with the requested financial transaction and data associated with the behavioral profile.

Inventors:
EINHORN ORI (IL)
RAZ YUVAL (IL)
MARGALIOT NACHSHON (IL)
Application Number:
IB2016/001832
Publication Date:
June 08, 2017
Filing Date:
November 30, 2016
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
EINHORN ORI (IL)
RAZ YUVAL (IL)
MARGALIOT NACHSHON (IL)
Download PDF:
Claims:
CLAIMS

1. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: harvesting, at a mobile device, activity data indicative of various diverse activities of a user of the mobile device;

transmitting to a remote server, from the mobile device, the activity data

harvested from the mobile device in order to enable the remote server to generate a behavioral profile of the user of the mobile device based on the harvested activity data;

receiving at the mobile device, from the server, the behavioral profile;

storing the behavioral profile locally on the mobile device; and

determining, on the mobile device, whether to authorize a requested financial transaction based on a comparison of data associated with the requested financial transaction and data associated with the behavioral profile.

2. The non-transitory computer readable medium of claim 1, wherein the activity data

includes data associated with a plurality of differing financial transactions.

3. The non-transitory computer readable medium of claim 2, wherein the data associated with the plurality of differing financial transactions includes price data, transaction time data, and merchant identification data.

4. The non-transitory computer readable medium of claim 1, wherein the activity data

comprises geographic location data.

5. The non-transitory computer readable medium of claim 1, wherein the activity data

comprises data communications activity.

6. The non- transitory computer readable medium of claim 1, wherein the activity data comprises gyroscope activity.

7. The non-transitory computer readable medium of claim 1, wherein the activity data comprises accelerometer activity.

8. The non-transitory computer readable medium of claim 1, wherein the activity data comprises compass activity.

9. The non-transitory computer readable medium of claim 1 , wherein the activity data comprises battery activity.

10. The non-transitory computer readable medium of claim 1, wherein the activity data comprises mobile device buttons activity.

11. The non-transitory computer readable medium of claim 1 , wherein the activity data comprises touch screen input activity.

12. The non-transitory computer readable medium of claim 1, wherein the activity data comprises messaging activity.

13. The non-transitory computer readable medium of claim 1, wherein the activity data comprises mobile device application activity.

14. A mobile device configured to perform operations comprising:

a memory storing executable instructions; and

at least one processor configured to execute the stored instructions to:

harvest, at the mobile device, activity data indicative of various diverse activities of a user of the mobile device;

transmit to a remote server, from the mobile device, the activity data harvested from the mobile device in order to enable the remote server to generate a behavioral profile of the user of the mobile device based on the harvested activity data;

receive at the mobile device, from the server, the behavioral

profile;

store the behavioral profile locally on the mobile device; and determine, on the mobile device, whether to authorize a requested financial transaction based on a comparison of data associated with the requested financial transaction and data associated with the behavioral profile.

15. The mobile device of claim 14, wherein the activity data includes data associated with a plurality of differing financial transactions.

16. The mobile device of claim 15, wherein the data associated with the plurality of differing financial transactions includes price data, transaction time data, and merchant identification data.

17. The mobile device of claim 14, wherein the activity data comprises geographic location data.

18. The mobile device of claim 14, wherein the activity data comprises data communications activity.

19. The mobile device of claim 14, wherein the activity data comprises gyroscope activity.

20. The mobile device of claim 14, wherein the activity data comprises accelerometer

activity.

21. The mobile device of claim 14, wherein the activity data comprises compass activity.

22. The mobile device of claim 14, wherein the activity data comprises battery activity.

23. The mobile device of claim 14, wherein the activity data comprises mobile device buttons activity.

24. The mobile device of claim 14, wherein the activity data comprises touch screen input activity.

25. The mobile device of claim 14, wherein the activity data comprises messaging activity.

26. The mobile device of claim 14, wherein the activity data comprises mobile device

application activity.

27. A computer-implemented method for performing operations on a mobile device, the method comprising:

harvesting, at the mobile device, activity data indicative of various diverse

activities of a user of the mobile device;

transmitting to a remote server, from the mobile device, the activity data

harvested from the mobile device in order to enable the remote server to generate a behavioral profile of the user of the mobile device based on the harvested activity data;

receiving at the mobile device, from the server, the behavioral profile;

storing the behavioral profile locally on the mobile device; and

determining, on the mobile device, whether to authorize a requested financial transaction based on a comparison of data associated with the requested financial transaction and data associated with the behavioral profile.

28. The computer-implemented method of claim 27, wherein the activity data includes data associated with a plurality of differing financial transactions.

29. The computer-implemented method of claim 28, wherein the data associated with the plurality of differing financial transactions includes price data, transaction time data, and merchant identification data.

30. The computer-implemented method of claim 27, wherein the activity data comprises geographic location data.

31. The computer-implemented method of claim 27, wherein the activity data comprises data communications activity.

32. The computer-implemented method of claim 27, wherein the activity data comprises gyroscope activity.

33. The computer- implemented method of claim 27, wherein the activity data comprises accelerometer activity.

34. The computer-implemented method of claim 27, wherein the activity data comprises compass activity.

35. The computer-implemented method of claim 27, wherein the activity data comprises battery activity.

36. The computer-implemented method of claim 27, wherein the activity data comprises mobile device buttons activity.

37. The computer-implemented method of claim 27, wherein the activity data comprises touch screen input activity.

38. The computer- implemented method of claim 27, wherein the activity data comprises messaging activity.

39. The computer-implemented method of claim 27, wherein the activity data comprises mobile device application activity. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining a behavioral profile on a mobile device, the behavioral profile being unique to a user of the mobile device and comprising a general population attribute, a fraud ratio attribute, and a personal history attribute;

wherein the general population attribute is associated with

financial transactions conducted by a general population of users;

wherein the fraud ratio attribute is associated with a prevalence of fraud among the general population of users; and wherein the personal history attribute is associated with the user's history of financial transactions; and

determining, on the mobile device, whether to authorize a requested financial transaction based on the behavioral profile.

The non-transitory computer readable medium of claim 40, wherein the general population attribute indicates a number of financial transactions conducted by the general population of users at a point on a behavioral map.

The non-transitory computer readable medium of claim 40, wherein the fraud ratio attribute indicates a proportion of fraudulent activity to overall financial activity at a point on a behavioral map.

The non-transitory computer readable medium of claim 40, wherein the personal history attribute indicates a number of financial transactions that the user has engaged in at a point on a behavioral map.

44. The non-transitory computer readable medium of claim 40, further comprising computing a likelihood that the requested financial transaction is fraudulent based on the behavioral profile.

45. A mobile device configured to perform operations comprising:

a memory storing executable instructions; and

at least one processor configured to execute the stored instructions to:

maintain a behavioral profile on the mobile device, the behavioral profile being unique to a user of the mobile device and comprising a general population attribute, a fraud ratio attribute, and a personal history attribute;

wherein the general population attribute is

associated with financial transactions conducted by a general population of users; wherein the fraud ratio attribute is associated with a prevalence of fraud among the general population of users; and

wherein the personal history attribute is associated with the user's history of financial transactions; and

determine, on the mobile device, whether to authorize a requested financial transaction based on the behavioral profile.

46. The mobile device of claim 45, wherein the general population attribute indicates a

number of financial transactions conducted by the general population of users at a point on a behavioral map.

47. The mobile device of claim 45, wherein the fraud ratio attribute indicates a proportion of fraudulent activity to overall financial activity at a point on a behavioral map.

48. The mobile device of claim 45, wherein the personal history attribute indicates a number of financial transactions that the user has engaged in at a point on a behavioral map.

49. The mobile device of claim 45, wherein the at least one processor is further configured to compute a likelihood that the requested financial transaction is fraudulent based on the behavioral profile.

50. A computer-implemented method for performing operations on a mobile device, the

method comprising:

maintaining a behavioral profile on the mobile device, the behavioral profile

being unique to a user of the mobile device and comprising a general population attribute, a fraud ratio attribute, and a personal history attribute; wherein the general population attribute is associated with

financial transactions conducted by a general population of users;

wherein the fraud ratio attribute is associated with a prevalence of fraud among the general population of users; and wherein the personal history attribute is associated with the user's history of financial transactions; and

determining, on the mobile device, whether to authorize a requested financial transaction based on the behavioral profile.

51. The computer-implemented method of claim 50, wherein the general population attribute indicates a number of financial transactions conducted by the general population of users at a point on a behavioral map.

52. The computer-implemented method of claim 50, wherein the fraud ratio attribute

indicates a proportion of fraudulent activity to overall financial activity at a point on a behavioral map.

53. The computer-implemented method of claim 50, wherein the personal history attribute indicates a number of financial transactions that the user has engaged in at a point on a behavioral map.

54. The computer-implemented method of claim 50, further comprising computing a

likelihood that the requested financial transaction is fraudulent based on the behavioral profile.

55. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining, on a mobile device, a behavioral profile associated with a user of the mobile device, wherein the behavioral profile is configured for use in approving financial transactions from the mobile device without real time use of a network;

maintaining, on the mobile device, a set of fall-back rules for use when

insufficient information is contained in the behavioral profile to authorize a financial transaction, the fall-back rules indicating whether to authorize or deny certain types of financial transactions; and

when the behavioral profile contains insufficient information to authorize a

financial transaction, accessing the fall-back rules and determining, based at least in part on the fall back rules, whether to authorize the financial transaction, from the mobile device, without further approval from another source.

56. The non-transitory computer readable medium of claim 55, wherein the fall-back rules include at least one rule that requires the user to enter personal identification information before completing a financial transaction.

57. The non-transitory computer readable medium of claim 55, wherein the fall-back rules include at least one rule that authorizes transactions at merchants previously patronized by the user.

58. The non-transitory computer readable medium of claim 55, further comprising, when the behavioral profile is determined to contain sufficient information, authorizing the financial transaction without resort to the fall-back rules.

59. A mobile device configured to perform operations, comprising:

a memory storing executable instructions; and

at least one processor configured to execute the stored instructions to:

maintain, on the mobile device, a behavioral profile associated with a user of the mobile device, wherein the behavioral profile is configured for use in approving financial transactions from the mobile device without real time use of a network;

maintain, on the mobile device, a set of fall-back rules for use when insufficient information is contained in the behavioral profile to authorize a financial transaction, the fall-back rules indicating whether to authorize or deny certain types of financial transactions; and

when the behavioral profile contains insufficient information to authorize a financial transaction, access the fall-back rules and determine, based at least in part on the fall back rules, whether to authorize the financial transaction, from the mobile device, without further approval from another source.

The mobile device of claim 59, wherein the fall-back rules include at least one rule that requires the user to enter personal identification information before completing a financial transaction.

The mobile device of claim 59, wherein the fall-back rules include at least one rule that authorizes transactions at merchants previously patronized by the user.

The mobile device of claim 59, wherein the at least one processor is further configured to, when the behavioral profile is determined to contain sufficient information, authorize the financial transaction without resort to the fall-back rules.

A computer-implemented method for performing operations on a mobile device, the method comprising:

maintaining, on the mobile device, a behavioral profile associated with a user of the mobile device, wherein the behavioral profile is configured for use in approving financial transactions from the mobile device without real time use of a network; maintaining, on the mobile device, a set of fall-back rules for use when insufficient information is contained in the behavioral profile to authorize a financial transaction, the fall-back rules indicating whether to authorize or deny certain types of financial transactions; and

when the behavioral profile contains insufficient information to authorize a

financial transaction, accessing the fall-back rules and determining, based at least in part on the fall back rules, whether to authorize the financial transaction, from the mobile device, without further approval from another source.

64. The computer-implemented method of claim 63, wherein the fall-back rules include at least one rule that requires the user to enter personal identification information before completing a financial transaction.

65. The computer-implemented method of claim 63, wherein the fall-back rules include at least one rule that authorizes transactions at merchants previously patronized by the user.

66. The computer-implemented method of claim 63, further comprising, when the behavioral profile is determined to contain sufficient information, authorizing the financial transaction without resort to the fall-back rules.

67. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining, on a mobile device, a behavioral profile associated with a user of the mobile device, wherein the behavioral profile is configured for use in approving financial transactions from the mobile device without real time use of a network; maintaining, on the mobile device, a set of suspected fraud rules for use when, based on application of the behavioral profile, fraud is suspected;

invoking at least one of the suspected fraud rules when fraud is suspected,

wherein the invoked suspected fraud rule prompts the user to provide further information; and

determining, based at least in part on a response to the prompt, whether to

authorize the financial transaction from the mobile device, without intervention from a data source outside the mobile device.

68. The non-transitory computer readable medium of claim 67, wherein the suspected fraud rules include a rule that prompts the user to provide further information if a geographic location associated with the transaction is determined to be atypical for the user.

69. The non-transitory computer readable medium of claim 67, wherein the suspected fraud rules include a rule that prompts the user to provide further information if a merchant associated with the financial transaction is determined to be atypical for the user.

70. The non-transitory computer readable medium of claim 67, wherein the suspected fraud rules include a rule that prompts the user to provide further information for all merchants not previously patronized by the user.

71. The non-transitory computer readable medium of claim 67, wherein the suspected fraud rules include a rule that prompts the user to provide further information if the user is located outside of geographical area defined by the behavioral profile.

72. The non-transitory computer readable medium of claim 67, wherein the suspected fraud rules include a rule that prompts the user to provide further information if a transaction amount is beyond a threshold defined by the behavioral profile.

73. A mobile device configured to perform operations comprising:

a memory storing executable instructions; and

at least one processor configured to execute the stored instructions to:

maintain, on the mobile device, a behavioral profile associated with a user of the mobile device, wherein the behavioral profile is configured for use in approving financial transactions from the mobile device without real time use of a network;

maintain, on the mobile device, a set of suspected fraud rules for use when, based on application of the behavioral profile, fraud is suspected;

invoke at least one of the suspected fraud rules when fraud is suspected, wherein the invoked suspected fraud rule prompts the user to provide further information; and determine, based at least in part on a response to the prompt, whether to authorize the financial transaction from the mobile device, without intervention from a data source outside the mobile device.

74. The mobile device of claim 73, wherein the suspected fraud rules include a rule that prompts the user to provide further information if a geographic location associated with the transaction is determined to be atypical for the user.

75. The mobile device of claim 73, wherein the suspected fraud rules include a rule that prompts the user to provide further information if a merchant associated with the financial transaction is determined to be atypical for the user.

76. The mobile device of claim 73, wherein the suspected fraud rules include a rule that prompts the user to provide further information for all merchants not previously patronized by the user.

77. The mobile device of claim 73, wherein the suspected fraud rules include a rule that prompts the user to provide further information if the user is located outside of geographical area defined by the behavioral profile.

78. The mobile device of claim 73, wherein the suspected fraud rules include a rule that prompts the user to provide further information if a transaction amount is beyond a threshold defined by the behavioral profile.

79. A computer-implemented method for performing operations on a mobile device, the method comprising:

maintaining, on the mobile device, a behavioral profile associated with a user of the mobile device, wherein the behavioral profile is configured for use in approving financial transactions from the mobile device without real time use of a network;

maintaining, on the mobile device, a set of suspected fraud rules for use when, based on application of the behavioral profile, fraud is suspected;

invoking at least one of the suspected fraud rules when fraud is suspected,

wherein the invoked suspected fraud rule prompts the user to provide further information; and determining, based at least in part on a response to the prompt, whether to

authorize the financial transaction from the mobile device, without intervention from a data source outside the mobile device.

80. The computer-implemented method of claim 79, wherein the suspected fraud rules

include a rule that prompts the user to provide further information if a geographic location associated with the transaction is determined to be atypical for the user.

81. The computer- implemented method of claim 79, wherein the suspected fraud rules

include a rule that prompts the user to provide further information if a merchant associated with the financial transaction is determined to be atypical for the user.

82. The computer- implemented method of claim 79, wherein the suspected fraud rules

include a rule that prompts the user to provide further information for all merchants not previously patronized by the user.

83. The computer-implemented method of claim 79, wherein the suspected fraud rules

include a rule that prompts the user to provide further information if the user is located outside of geographical area defined by the behavioral profile.

84. The computer-implemented method of claim 79, wherein the suspected fraud rules

include a rule that prompts the user to provide further information if a transaction amount is beyond a threshold defined by the behavioral profile.

85. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining, at a server, a plurality of behavioral profiles, the plurality of

behavioral profiles being associated with a plurality of mobile device users, each mobile device user being associated with a mobile device; transmitting to the mobile devices, associated mobile behavioral profiles, each for storage on a corresponding mobile device of the plurality of users;

receiving from one of the plurality of mobile devices, an information about a fraudulent transaction;

updating the plurality of behavioral profiles based on the received information about the fraudulent transaction; and

transmitting to the mobile devices updated behavioral profile information that adjusts each of the plurality of mobile behavioral profiles to account for the information received about the fraudulent transaction.

86. The non-transitory computer readable medium of claim 85, wherein each mobile

behavioral profile is identical to a corresponding behavioral profile maintained on the server.

87. The non-transitory computer readable medium of claim 85, wherein each mobile

behavioral profile is a light version of a corresponding behavioral profile maintained on the server.

88. The non-transitory computer readable medium of claim 85, further comprising, when information about a fraudulent transaction is received from one of the mobile devices, identifying a subset of mobile device users with similar behavioral profiles, and transmitting the updated profile information only to the subset.

89. The non-transitory computer readable medium of claim 85, wherein the subset is

determined using a nearest neighbor statistical analysis.

90. A system configured to perform operation comprising:

a memory storing executable instructions; and at least one processor configured to execute the stored instructions to:

maintaining, at a server, a plurality of behavioral profiles, the plurality of behavioral profiles being associated with a plurality of mobile device users, each mobile device user being associated with a mobile device;

transmitting to the mobile devices, associated mobile behavioral profiles, each for storage on a corresponding mobile device of the plurality of users;

receiving from one of the plurality of mobile devices, an

information about a fraudulent transaction;

updating the plurality of behavioral profiles based on the received information about the fraudulent transaction; and transmitting to the mobile devices updated behavioral profile information that adjusts each of the plurality of mobile behavioral profiles to account for the information received about the fraudulent transaction.

The system of claim 90, wherein each mobile behavioral profile is identical to a corresponding behavioral profile maintained on the server.

The system of claim 90, wherein each mobile behavioral profile is a light version of a corresponding behavioral profile maintained on the server.

The system of claim 90, wherein the at least one processor is further configured to, when information about a fraudulent transaction is received from one of the mobile devices, identify a subset of mobile device users with similar behavioral profiles, and transmit the updated profile information only to the subset.

The system of claim 90, wherein the subset is determined using a nearest neighbor statistical analysis.

A computer-implemented method for performing operations, the method comprising: maintaining, at a server, a plurality of behavioral profiles, the plurality of

behavioral profiles being associated with a plurality of mobile device users, each mobile device user being associated with a mobile device; transmitting to the mobile devices, associated mobile behavioral profiles, each for storage on a corresponding mobile device of the plurality of users;

receiving from one of the plurality of mobile devices, an information about a fraudulent transaction;

updating the plurality of behavioral profiles based on the received information about the fraudulent transaction; and

transmitting to the mobile devices updated behavioral profile information that adjusts each of the plurality of mobile behavioral profiles to account for the information received about the fraudulent transaction.

The computer-implemented method of claim 95, wherein each mobile behavioral profile is identical to a corresponding behavioral profile maintained on the server.

The computer-implemented method of claim 95, wherein each mobile behavioral profile is a light version of a corresponding behavioral profile maintained on the server.

The computer-implemented method of claim 95, further comprising, when information about a fraudulent transaction is received from one of the mobile devices, identifying a subset of mobile device users with similar behavioral profiles, and transmitting the updated profile information only to the subset.

99. The computer-implemented method of claim 95, wherein the subset is determined using a nearest neighbor statistical analysis.

100. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining, on a mobile device, a merchant profile, wherein the merchant profile includes at least one merchant determined to be likely patronized by a user of the mobile device;

receiving, at the mobile device, transaction data associated with a requested

financial transaction, the transaction data identifying a merchant;

determining, at the mobile device, a risk of fraud based on the merchant profile and the transaction data; and

determining, at the mobile device, whether to authorize the requested financial transaction based on the risk of fraud.

101. The non-transitory computer readable medium of claim 100, wherein the at least one merchant is determined to be likely patronized by the user based on prior conduct of the user.

102. The non-transitory computer readable medium of claim 100, wherein the at least one merchant is determined to be likely patronized by the user based on a prior transaction with the merchant.

103. The non-transitory computer readable medium of claim 100, wherein the merchant

profile includes a list of merchants patronized by other users determined to be similar to the user.

104. The non-transitory computer readable medium of claim 100, wherein the merchant profile includes a category of merchants determined to be likely patronized by the user.

105. The non-transitory computer readable medium of claim 100, further comprising, if the merchant identified in the transaction data is not included in the merchant profile, requesting additional verification information from the user.

106. The non-transitory computer readable medium of claim 100, further comprising, if the merchant identified in the transaction data is included in the merchant profile, determining to authorize the requested financial transaction.

107. A mobile device configured to perform operations comprising:

a memory storing executable instructions; and

at least one processor configured to execute the stored instructions to:

maintain, on the mobile device, a merchant profile, wherein the merchant profile includes at least one merchant determined to be likely patronized by a user of the mobile device; receive, at the mobile device, transaction data associated with a requested financial transaction, the transaction data identifying a merchant;

determine, at the mobile device, a risk of fraud based on the

merchant profile and the transaction data; and

determine, at the mobile device, whether to authorize the requested financial transaction based on the risk of fraud.

108. The mobile device of claim 107, wherein the at least one merchant is determined to be likely patronized by the user based on prior conduct of the user.

109. The mobile device of claim 107, wherein the at least one merchant is determined to be likely patronized by the user based on a prior transaction with the merchant.

110. The mobile device of claim 107, wherein the merchant profile includes a list of

merchants patronized by other users determined to be similar to the user.

111. The mobile device of claim 107, wherein the merchant profile includes a category of merchants determined to be likely patronized by the user.

112. The mobile device of claim 107, wherein the at least one processor is further configured to, if the merchant identified in the transaction data is not included in the merchant profile, request additional verification information from the user.

113. The mobile device of claim 107, wherein the at least one processor is further configured to, if the merchant identified in the transaction data is included in the merchant profile, determine to authorize the requested financial transaction.

1 14. A computer- implemented method for performing operations on a mobile device, the method comprising:

maintaining, on the mobile device, a merchant profile, wherein the merchant profile includes at least one merchant determined to be likely patronized by a user of the mobile device;

receiving, at the mobile device, transaction data associated with a requested financial transaction, the transaction data identifying a merchant;

determining, at the mobile device, a risk of fraud based on the merchant profile and the transaction data; and

determining, at the mobile device, whether to authorize the requested financial transaction based on the risk of fraud.

115. The computer-implemented method of claim 114, wherein the at least one merchant is determined to be likely patronized by the user based on prior conduct of the user.

1 16. The computer-implemented method of claim 114, wherein the at least one merchant is determined to be likely patronized by the user based on a prior transaction with the merchant.

117. The computer-implemented method of claim 114, wherein the merchant profile includes a list of merchants patronized by other users determined to be similar to the user.

118. The computer-implemented method of claim 114, wherein the merchant profile includes a category of merchants determined to be likely patronized by the user.

119. The computer-implemented method of claim 114, further comprising, if the merchant identified in the transaction data is not included in the merchant profile, requesting additional verification information from the user.

120. The computer-implemented method of claim 114, further comprising, if the merchant identified in the transaction data is included in the merchant profile, determining to authorize the requested financial transaction.

Description:
SYSTEMS AND METHODS FOR ELECTRONIC FRAUD DETECTION AND

PREVENTION

DESCRIPTION

Technical Field

The present disclosure relates to computerized systems and methods for electronic fraud detection and prevention. More particularly, and without limitation, the present disclosure relates to systems and methods for assessing a risk of fraud in transactions involving a mobile device and/or through the use of behavioral information associated with a mobile device user. Brief Description of the Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate the disclosed embodiments and, together with the description, serve to explain the disclosed embodiments. In the drawings:

FIG. 1 is an exemplary payment system consistent with disclosed embodiments;

FIG. 2 is an exemplary mobile payment device consistent with disclosed embodiments;

FIG. 3 is a flowchart illustrating general steps of performing a mobile transaction consistent with disclosed embodiments;

FIG. 4 is an exemplary payment system consistent with disclosed embodiments; FIG. 5 is a flowchart illustrating an exemplary sequence of steps that may be performed for dynamically processing a mobile transaction consistent with disclosed embodiments; and FIG. 6 is another flowchart illustrating an exemplary sequence of steps that may be performed for dynamically processing a mobile transaction consistent with disclosed embodiments. Detailed Description

Reference will now be made in detail to the present exemplary embodiments of the present disclosure, examples of which are illustrated in the accompanying drawings. The figures illustrate exemplary systems that may be used in connection with some or all of the innovations described herein. The figures are not restrictive of the disclosure. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

As used herein, the terms "mobile communications device" and "mobile device" broadly include any portable computing device having at least one processor, memory, and a capability for data communication. Mobile devices may include, but are not limited to, a mobile phone, smartphone, personal digital assistant, tablet, laptop, portable device, etc. In embodiments discussed herein, such mobile devices may engage in financial transactions with merchants (e.g., via communications with POS devices).

As used herein, the term "merchant" broadly includes any person or entity accepting payment in exchange for providing goods or services. Merchants may provide or use a variety of types of machines for accepting payment. For example, merchants may use POS devices that magnetically or electronically read information from a purchaser's credit or debit card. Such devices may also communicate with a purchaser's mobile device to perform a transaction. Such communications may use near-field communications (NFC), RFID, RF, Bluetooth®, infrared, or other similar communications techniques, whether now known or developed in the future.

As used herein, the terms "mobile transaction" and "financial transaction" broadly includes any electronic communication for requesting, or processing, a payment request or payment confirmation. For example, financial transactions may include, but are not limited to, a debit card transaction, credit card transaction, prepaid card transaction, e-commerce transaction, contactless payment transaction, etc.

Referring to FIG. 1 , an exemplary payment system 100 will be described. The exemplary system 100 includes an issuer 10 which in exemplary embodiment is the credit card company or a bank; a server 20 which in exemplary embodiment can be one server or plurality of servers, residing at the issuer's premises or at separate location; a mobile payment device 30 which in exemplary embodiment can be, but is not limited to, a mobile telephone device or a credit card; a point of sale (POS) 40; and a clearing house 50. It is to be understood that the elements of the system may be connected to each other via standard communication lines, either wire line or wireless, as known in the art. It should also be understood that some elements are presented as separate elements for the sake of clarity only. In another exemplary embodiment, several elements from the group comprising the server, issuer and the clearing house could be grouped together to form one element.

Referring now to FIG. 2, the exemplary mobile payment device 30 in accordance with the present disclosure may include the illustrated elements, among others.

Location receiver 31 for calculation of the mobile payment device location using data received. The received data can be, and is not limited to, GPS (global positioning system) data received from orbiting satellites, position data received via base station e.g. TO A, triangulation, etc. or any combination thereof. Location information may also be received from transaction details, interaction with other location aware devices or network access devices via WI-FI, near- field or short range communication protocols, for example, as well as other application activity such as "checking-in" at a location, Methods for locating the position of a mobile device are well known in the art and will not be discussed further here.

Validity token 32 stores a token based in an exemplary embodiment on One Time Password (OTP), well-known to those skilled in the art. The validity token may be received from the server 20. It may be replaced once every known period which in an exemplary embodiment could extend from a few minutes to a few days, depending on the needed level of security, to verify that the mobile payment device is in order and is not blocked. Behavioral pattern 33 may be, for example, an encrypted file or files or any other collection of data, received from the server 20. The file (or files) describes the behavior profile of the customer and similar customers. In an exemplary embodiment, the file can also describe the behavior profile of fraudulent persons or specific customer encrypted rules. This file does not necessarily need to reside in a secure area as opposed to the model 34, because it is relatively large when compared to the model, and because it is encrypted. It can reside, for example, in the memory of the mobile payment device. The behavioral pattern is unique for every customer. In an exemplary embodiment however, one mobile payment device can support two or more files representing different behavioral patterns of different users or customers. In another exemplary embodiment, one mobile payment device can support two or more files representing different behavioral patterns of different cards from different issuers related to the same customer.

Additional details of exemplary behavioral patterns or profiles are described below.

Model 34 is a software element implementing one or more algorithms. In an exemplary embodiment, the algorithm can be a logistic model. As known to those skilled in the art, this model is basing its predictions by the deviation from the regular behavior of the customer. In another exemplary embodiment, the algorithm can be the known in the art rule based engine related to the specific customer encrypted rules that were sent to element 33 from the server 20. In yet another exemplary embodiment, the algorithm can be a data mining function implemented in the form of a decision tree or neural network engine as is known in the art. The model may reside inside a protected area, which may be secure and not accessible for users after the initial installation. In an exemplary embodiment, the protected area can be located in a secure area inside the SIM card of the mobile device, as implemented for example by Google's Android operating system. In another exemplary embodiment, the protected area can be located in the memory of the device as implemented for example by Apple's iOS operating system. The model 34 may use the data or rules that were stored with element 33 for rejecting or approving a transaction. This may be done by decrypting the encrypted behavioral pattern file or data or rules, and, when a transaction takes place, calculating the probability for fraud based on the behavioral pattern or data or rules and the transaction details. In another exemplary embodiment, the outcome of the calculation by the model can be a request for higher level of security, implemented for example by requesting the customer to enter one or more codes, in different lengths, as defined by the requested security level.

The application 35 may also reside in the protected area. As will be readily understood by those skilled in the art, the application may communicate with the other elements of the mobile payment device 30 and executes the different algorithms that are part of the various methods of the disclosed embodiments.

In the disclosed embodiments, an exemplary method 800 of secure purchase may generally include the following steps described with respect to FIG. 3: 1) the issuer 10 may send the transactional data of the customer to the server 20; 2) the server 20 may compute or update a unique behavioral pattern of an existing customer 805 (step 806) or may compute or access a general behavioral pattern of a new customer 803 (step 804) ; 3) the behavioral pattern may be sent to the mobile payment device 30. When the customer wishes to perform a transaction (step 807), the customer's mobile payment device 30 may receive from the point of sale 40 the transaction details, which may include a merchant ID, time of the transaction and the sum amount of the transaction. The mobile payment device 30 may compute whether the transaction can receive authorization (step 808), based on the behavioral pattern received in the mobile payment device. If the outcome of the computation is negative, then the customer may be prompted to enter identification means (step 809). The mobile payment device 30 may then verify the identification means. If the verification fails (step 81 1), then the customer will not be able to perform the transaction. However, if the transaction is authorized by the mobile payment device 30, then transaction data may be sent via the POS 40 to the clearing house 50 (step 812). The clearing house 50 may send the transaction data to the issuer 10 (step 813). Variations of and additional details on this general process are described in greater detail below.

Fraud Detection Performed on a Mobile Device without Resort to a Network

A concept of this disclosure involves an ability to detect fraud on a mobile device even when the device is disconnected from a network. This may make the fraud detection robust, and also may speed the detection process, because time may not be wasted on network communications.

Exemplary Independent Concept

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising:

receiving, on a mobile device, transaction data associated with a requested financial transaction;

accessing behavioral information stored locally on the mobile device;

comparing information in the transaction data with the behavioral information on the mobile device without resort to a mobile network, such that the comparing is capable of occurring when the mobile device is outside of a network coverage area; and

determining, based on the comparing on the mobile device, whether to authorize the requested financial transaction.

As used herein, the term "transaction data" broadly includes any data that may be associated with a financial transaction including but not limited to, for example, a purchase price, purchase item identifier, date, time, merchant or store identifier, or any other information directly or indirectly related to a financial transaction.

Further, as used herein, "behavioral information" broadly includes data associated with the actual or expected behavior of an individual, such as a mobile device user. For example, as discussed further below, behavioral information may include data identifying previous financial transactions in which a user has engaged; and/or non-financial information, such as information about a geographic location of the user time, date, weather, heart-rate, body temperature, or other calendar or environmental information. More generally, behavioral information may include any data directly or indirectly indicative of an individual's identity or conduct, including but not limited to information relating to the individual's use of email, phone, text, social media, or other apps or device usage; information relating to contacts; information received from sensors in a mobile device; information about how and/or when the user enters data; information about the user's current behavior, past behavior, habits or idiosyncrasies; or any other data that provides insights as an individual's identity.

As discussed further below, behavioral information may be expressed in a database, in a map (e.g., a map comprising pixels), as a set of probabilities, etc.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein determining whether to authorize occurs on the mobile device, without

contacting a remote server

• In an exemplary embodiment, the transaction details may comprise merchant ID, time of the transaction, and the sum amount of the transaction. The model, based on the behavioral pattern, may approve or deny the transaction.

• A module may be a software element implementing one or more algorithms.

• A behavioral pattern may be, for example, an encrypted file or files or any other

collection of data, received from the server.

• wherein the behavioral information is a behavioral profile.

• A behavioral pattern may be, for example, an encrypted file or files or any other

collection of data, received from the server. The file (or files) describes the behavior profile of the customer and similar customers. In an exemplary embodiment, the file can also describe the behavior profile of fraudulent persons or specific customer encrypted rules.

• The module may use the data or rules that were stored with an element for rejecting or approving the transaction. This may be done by decrypting the encrypted behavioral pattern file or data or rules, and, when a transaction takes place, calculating the probability for fraud based on the behavioral pattern or data or rules and the transaction details.

• further comprising receiving, from a remote server, and storing, on the mobile device before the requested financial transaction, the behavioral information

- A server may send a BP to a mobile payment device which is performed prior to the requested financial transaction.

- Transaction Details from POS to mobile payment device.

• wherein the behavioral information stored on the mobile device includes behavioral information of the user of the mobile device as well as behavioral information of other users

• In some embodiments, collecting users' behavioral pattern data that is stored in said memory through the use of said mobile device; decrypting said user's behavioral pattern data; tracking one or more activities associated with mobile device's behavioral pattern usage of said one or more end users and communicating said one or more activities performed by said one or more users; defining one or more unified parameters to correlate to said one or more activities across one or more mobile device's applications by said one or more users; and generating an offline self-verified mobile authenticating transaction framework comprising said unified parameters correlating to said one or more activities across one or more mobile device's applications by said one or more users.

• wherein the behavioral information stored on the mobile device includes a behavioral map

A behavioral map may be a collection of events; each event may be represented by a "pixel" having its own characters or "colour." These pixels create patterns and all together create a Multi-Dimensional Picture (MDP). The more pixels (events) in the picture the sharper our picture gets, the better we can see what's happening.

Deciding if an event is normal or abnormal is accomplished by a method for comparing the "pixel" of the event to the normal "picture." The system compares events to "behaviour maps" on a regular basis, by "knowing" a person, by maintaining the individual's "picture" in the Cloud and within the user's mobile device, the system calculates if it is likely the individual would do something, this likelihood enables us to reach the conclusion whether it is the person or not.

A transaction, for example, can be referred to as an event where something happens with money, usually when money is transferred from one place to another or from one person to another. Since there is a tendency to repeat these events, a pattern emerges. We tend to buy in the same places, eat in the same restaurants and call the same people, all these pieces of information create the picture of the person we know. For the system, the collection of past transactions may be processed by the database of the credit card issuers or the e- Wallet providers while the current transaction (done at the PoS or through the internet) may be retrieved by the e-Wallet as part of the purchasing process.

Transactions, when loaded into a multidimensional model, create a picture of transactional behaviour. This picture can be stored on a computer and events of the same kind can be compared to it. A comparison can tell us the likelihood of an event to be normal or abnormal, done by the person we know or done by someone else, i.e., fraudulent.

A multi-dimensional picture (MDP) can show different types of events or can focus on one type. MDPs are created on large processing units by applying known statistical methods such as correlation and reduction analysis.

The working process, in general, may done by determining explanatory and response variables to event records and analyzing them, variables such as purchase rate, position, last numbers dialed and all other events that can be tracked by the device. Using statistical methods such as reduction analysis, the number of dimensions and resolution can be reduced into an MDP which can be used on a smartphone.

A size reduction by DOF (Depth of Field) may be used to fit MDP into the mobile environment. After processing all events the system produces a very sharp and highly detailed MDP. This MDP includes all activities of all users. The size reduction is done by differential focusing on the specific user and changing the depth of field in the MDP, eliminating unnecessary details, and blurring out the background while leaving the users' activities untouched and in focus.

• further comprising, if it is determined to authorize the requested financial transaction, communicating an approval signal from the mobile device to a point of sale terminal

• further comprising a mobile payment device computing authorization outcome.

If negative, request identifications means. If declined, no transaction.

If approved, transaction data sent to clearing house via POA.

• wherein the comparing on the mobile device produces a likelihood that the requested financial transaction is fraudulent

A mobile payment device may compute whether the transaction can receive

authorization, based on the behavioral pattern received in the mobile payment device.

The mobile payment device may also compute whether the transaction can receive authorization, based on the behavioral pattern received in the mobile payment device. If the outcome of the computation is negative, then the customer may be asked to enter identification means.

Detecting Fraud Using Locally Stored Behavioral Information of Others

Another concept may include storing behavioral information of others on a user's mobile device and using that information to detect fraud on the user's device.

Exemplary Independent Concept

2. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: receiving, on a mobile device of a user, behavioral information of individuals other than the user;

receiving, on the mobile device, transaction data associated with a requested financial transaction;

accessing the behavioral information of the other individuals stored locally on the mobile device;

comparing, on the mobile device, the behavioral information of the other individuals with information in the transaction data; and

determining, based on the comparing on the mobile device, whether to authorize the

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the comparing occurs without resort to a mobile network, such that the

comparing is capable of occurring when the mobile device is outside of a network coverage area

• The mobile payment device may compute whether the transaction can receive

authorization, based on the behavioral pattern received in the mobile payment device. If the outcome of the computation is negative, then the customer will be asked to enter identification means. The mobile payment device then verifies the identification means. If the verification fails, then the customer may not be able to perform the transaction.

• The model, based on a behavioral pattern, may approve or deny the transaction. If the model denied the transaction, then the customer may be asked to enter identification means. The identification means can be, and not limited to, password, biometric characteristic of the customer, or a combination thereof. The mobile payment device then verifies the identification means. If the verification fails, then the customer may not be able to perform the transaction. An update on the failure is sent to a server and from the server to the issuer. The issuer can consider blocking (i.e. lock) the customer from further use of the payment software as was previously described. If, however, the customer was successful in the verification, the server may be updated with the transaction details and also with location data, so the server can update the profile of the customer. In an exemplary embodiment, the system can be used to track merchant fraud in addition to customer fraud that was described hereinabove. If, for example, there is suspicion that a certain transaction was not carried out by the customer, the mobile payment device could be interrogated for approving or denying that this transaction ever took place. It is to be understood by those skilled in the art that this embodiment may involve the mobile payment keeping track of the customer's transactions.

• wherein the behavioral information of the other individuals is assembled on a server

remote from the user's mobile device and is transmitted over a wireless network to the mobile device in advance of the requested financial transaction

The system may involve tracking one or more activities associated with a mobile device's behavioral pattern usage of said one or more end users and communicating said one or more activities performed by said one or more users.

A behavioral pattern may be for example, an encrypted file or files or any other collection of data, received from the server. The file (or files) describes the behavior profile of the customer and similar customers. In an exemplary embodiment, the file can also describe the behavior profile of fraudulent persons or specific customer encrypted rules.

The rule engine may be configured to define one or more unified parameters to correlate to said one or more activities across one or more mobile device's applications by said one or more users; and a generating engine may be configured to generate offline self-verified mobile authenticating transaction framework comprising said unified parameters correlating to said one or more activities across one or more mobile device's applications by said one or more users.

• wherein comparing further includes comparing behavioral information of the user with the information in the transaction data An exemplary mobile payment device may comprise, among other elements, the following elements: a location receiver for calculation of the mobile payment device location using data received. The received data can be, and is not limited to, GPS (global positioning system) data received from orbiting satellites, position data received via base station, e.g. TOA, triangulation, etc. or any combination thereof.

A user's behavioral pattern data indicators can be selected from the group consisting of mobile device usage indicators such as but not limited to network activity, Wi-Fi activity, proximal routers activity, Bluetooth activity, proximal devices activity, gyroscope activity, accelerometer activity, compass activity, microphone activity, speaker activity, CPU activity, speaker activity, battery activity, data peripheral connectors activity, device volume activity, power buttons usage activity, decoders activity, mobile device buttons activity, camera activity, screen GPU allocation activity, touch screen input activity, flashlight activity, LED notification activity, storage usage activity, memory usage activity, proximity detector activity, inter-process messaging activity, associated with said mobile device sensors activity and any combination thereof. wherein said step of classifying one or more frameworks for rejecting or confirming a financial transaction of said user performed on said mobile device is performed by calculating the probability for fraudulent activity based on said mobile device usage indicators.

Remote Generation of a Behavioral Profile for Storage and Use on a Mobile Device

Another feature involves generating a behavioral profile at a location remote from a mobile device for later use in fraud detection on the mobile device.

To add to the model beyond the transaction data, data that is relevant to the way the customer uses his/her smartphone and other data that is gathered in the smartphone such as sport application that registers the heartbeat and number of steps. Since the model takes into consideration other customers and fraudster activity/behavior, the place where this data is stored is on the server. Therefore the raw data may be sent from the smartphone to the server to be processed and develop the model and be returned to the smartphone in two components:

• Aggregation - behavioral maps which encapsulate both the customer and other

customers' behavior and fraudulent activities by themselves and in interaction with others.

• Fraud prediction Model - which takes into consideration the transaction or transactions and the behavioral maps which calculate the similarity and deviation of the transaction or transactions from the behavioral maps.

Exemplary Independent Concept

3. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: receiving, from a mobile device, past user activity data associated with a user of the mobile device;

computing a behavioral profile for the user based, at least in part, on the received past user activity data, wherein the behavioral profile is generated at a location remote from the mobile device and is configured to be stored on and used by the mobile device; and

transmitting the behavioral profile to the mobile device for offline use in fraud detection.

As described herein, activity data may include financial or non-financial information associated with the activity of a mobile device user. Examples of financial information may include requested purchases, actual purchases, and other actual or proposed financial transactions. Examples of non-financial information may include geographic location, proximity to a merchant, heart-rate, body temperature, email communications, text messaging

communications, mobile application usage, etc.

Exemplary Dependent Concepts and Additional Details and Explanation wherein the past user activity data includes information about conduct of the user, gleaned from the mobile device

The server may send a request to the mobile payment device for the transaction details. The mobile payment device, in turn, sends the requested transaction details or a response that the details are not available, to the server.

wherein the past user activity data includes information about prior financial transactions of the user

The issuer may send the transactional data of the customer to the server. In a further step, the server may compute a unique behavioral pattern of the customer. The behavioral pattern is sent to the mobile payment device.

Collecting a user's behavioral pattern data that is stored in said memory through the use of said mobile device.

wherein the behavioral profile is computed based on both the past user activity data and activity data of users of other mobile devices

A behavioral pattern may be, for example, an encrypted file or files or any other collection of data, received from the server. The file (or files) may describe the behavior profile of the customer and similar customers. In an exemplary embodiment, the file can also describe the behavior profile of fraudulent persons or specific customer encrypted rules.

Modification of the behavioral maps due to successful authentication after raising an alert (because of deviating from profile)

The issuer can consider blocking (i.e. lock) the customer from further use of the payment software. If, however, the customer was successful in a verification of step, the server may be updated with the transaction details and also with location data, so the server can update the profile of the customer. In an exemplary embodiment, the system can be used to track merchant fraud in addition to customer fraud. If, for example, there is suspicion that a certain transaction was not carried out by the customer, the mobile payment device could be interrogated for approving or denying that this transaction ever took place. It is to be understood by those skilled in the art that this embodiment requires the mobile payment device to keep track of the customer's transactions.

wherein the offline fraud detection occurs without contacting a remote server during the course of a real time financial transaction

wherein transmitting the behavioral profile occurs according to a predetermined schedule wherein transmitting the behavioral profile occurs in response to computing the behavioral profile

wherein transmitting the behavioral profile occurs in response to a message from the mobile device indicating that the mobile device has network connectivity and is idle There may be no reason for updating profile when:

No activity (no purchasing)

If e- Wallet operates with real money and there are no funds available There may be several modes when the profile should be updated in the e-wallet:

When the server identifies a change in the profile

If, however, the customer was successful in a verification step, the server may be updated with the transaction details and also with location data, so the server can update the profile of the customer

E-wallet user travels to foreign country or different region - may add to his profile behavioral information about "nearest neighbors"

Recommended to update profile:

o When the device is connected to a power source and is connected to WIFI wherein transmitting of the behavioral profile occurs at a time independent of a time of a financial transaction of the user

Refreshing a Behavioral Profile Stored on a Mobile Device

Behavioral profiles may be regularly updated based on new activity information (e.g., financial activity or other user activity).

There may be two types of updating: Major and Minor.

Major- when there is a behavioral change based on many transactions or a new fraud activity or a massive fraud operation.

Minor- customer is in the same environment and one or two transactions deviate a bit from the profile.

An example of Minor update occurs, for example, when a customer makes a purchase at a merchant (which he has previously bought from). And the time elapse between purchases is the same; the only change is that the purchase was done at a totally different time than his usual habit. Or this purchase amount is 25% higher than his typical purchases. Due to this minor deviation, we may require the identification means which was subsequently authenticated. This can trigger a minor updating process in the smartphone. Initiation of updating files/behavioral patterns without involving the server may also occur.

Example A: Customer makes a purchase at a newly established merchant which the server lacks sufficient data about. Due to lack of data, we may require the identification means and which was subsequently authenticated. The system may initiate adding a new merchant profile for this specific customer without involving the server.

Example B: A new customer without a transaction history receives a general profile which doesn't include his neighborhood grocery merchant. At the first acquisition at the neighborhood grocery he may be required to identify himself. Since we do not want to annoy him to identify himself at the same merchant in all subsequent acquisitions, the application component may update.

An exemplary system may resides in the smartphone for example and doesn't communicate in real time with said server, and may comprise the following steps:

1. A customer may request to receive an e-wallet. Since his issuer doesn't have any history of this particular customer, we download a general-customer profile embedded in his new e- Wallet. A general profile mainly based on fraudulent activity without the specific customer's profile.

2. A customer may request to receive an e-wallet. Since his issuer has historical data

concerning this customer, we download his customer profile embedded in his e- Wallet. His customer profile is mainly based on his specific behavior and his "nearest neighbors" and less on fraudulent activity.

When the customer makes a purchase at the merchant, the model calculates the risk level - Transaction Self-Authentication. If approved no need for a verification and transactions sent to POS for further processing. If declined, then a verification process may be required. If the verification process was declined then the transaction is not approved and not sent. Depending on the e- Wallet policy, the token can be canceled- e- Wallet is cancelled until a release process is performed by the e-Wallet company.

Exemplary Independent Concept

4. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining a plurality of behavioral profiles, the plurality of behavioral profiles being associated with a plurality of mobile device users, wherein each of the mobile device users has an associated mobile device;

transmitting to each of the mobile device users one of the plurality of behavioral profiles for storage on their associated mobile device;

acquiring from the mobile devices associated with the plurality of users activity information;

after the transmitting, updating the plurality of behavioral profiles based on the acquired new activity information; and

sending to each of the mobile device users one of the plurality of updated behavioral profiles for use in for offline fraud detection in financial transactions.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the plurality of behavioral profiles are configured for use in offline fraud

detection in financial transactions

Since the smartphone may not be equivalent to a server as far as electric and processing power, memory, bandwidth, etc. is concerned - we do not want to impinge or even cause a minor annoyance to the user on the smartphone. In our case, the user could forego the fraud detection and acquire a different e- Wallet or an e- Wallet company could choose a different fraud detection system than ours.

In contrast to a solution that resides on a server at the farm, where the security encompasses the server, the fraud solution that resides in the e- Wallet without any connection to a secure server may be embedded in all the components of the solution. In other words there are three main issues - minimal use of resources, maximum security, and a better prediction which in our case clash one with each other. We like to use more resources for a better prediction and better security however too many resources have a negative impact on the customer experience. Therefore, it may involve a different approach to the architecture, more compact and accurate behavioral maps/profiles, and the most challenging is the model which may be a nano-model because it should reside due to security issues in a specific tiny place - a very secure area in the smartphone, e.g., SIM card or special secure area that the manufacturer specially designated.

A behavioral pattern may be, for example, an encrypted file or files or any other collection of data, received from the server. The file (or files) describes the behavior profile of the customer and similar customers. In an exemplary embodiment, the file can also describe the behavior profile of fraudulent persons or specific customer encrypted rules. This file does not necessarily need to reside in a secure area as opposed to the model, because it is relatively large when compared to the model, and because it is encrypted. It can reside, for example, in the memory of the mobile payment device. The behavioral pattern may be unique for every customer. In an exemplary embodiment however, one mobile payment device can support two or more files representing different behavioral patterns of different users or customers. In another exemplary embodiment, one mobile payment device can support two or more files representing different behavioral patterns of different cards from different issuers related to the same customer. A module may be a software element implementing one or more algorithms. In an exemplary embodiment, the algorithm can be the logistic model. This model may be basing its predictions by the deviation from the regular behavior of the customer.

In another exemplary embodiment, the algorithm can be a rule-based engine related to the specific customer encrypted rules that were sent to a network element from the server.

In yet another exemplary embodiment, the algorithm can be a data mining function implemented in the form of a decision tree or neural network engine. The model resides inside a protected area, which is secure and not accessible for users after the initial installation. In an exemplary embodiment, the protected area can be located in a secure area inside the SIM card of the mobile device, as implemented for example by Google's Android operating system. In another exemplary embodiment, the protected area can be located in the memory of the device as implemented for example by Apple's iOS operating system. The module can use the data or rules that were stored with the element for rejecting or approving the transaction. This is done by decrypting the encrypted behavioral pattern file or data or rules, and, when a transaction takes place, calculating the probability for fraud based on the behavioral pattern or data or rules and the transaction details. In another exemplary embodiment, the outcome of the calculation by the model can be a request for higher level of security, implemented for example by requesting the customer to enter one or more codes, in different lengths, as defined by the requested security level. The application also resides in the protected area. As will be readily understood by those skilled in the art, the application communicates with the other elements of the mobile payment device and executes the different algorithms which are part of the various methods of the current disclosure.

The concept of depth of field supplanted on multi-dimensional picture relates to a concern for size, efficiency and accuracy.

Multi-dimensional picture (MDP) can show different types of events or can focus on one type. MDPs may be created on large processing units by applying known statistical methods such as correlation and reduction analysis.

The working process, in general, may be done by determining explanatory and response variables to event records and analyzing them, variables such as purchase rate, position, last numbers dialed and all other events that can be tracked by the device. Using statistical methods such as reduction analysis, the number of dimensions and resolution can be reduced into an MDP which can be used on a smartphone.

A size reduction by DOF (depth of field) is used to fit MDP into the mobile environment.

After processing all events the system produces a very sharp and highly detailed MDP.

Another concept is Incremental behavioral profile update.

If, however, the customer was successful in a verification of step, the server may be updated with the transaction details and also with location data, so the server can update the profile of the customer.

Every time we update the profile/behavioral maps we may be exposed to security issues such as: changing the data, adding Trojan code, etc. It also may involve an enormous amount of resources, i.e., potentially annoying to the customer- using up his transmission allotment in addition to CPU and battery usage, etc. Therefore the concept of behavioral maps enables us to change part of the picture/ behavioral map. The DOF concept enables us to change from low to high resolution when the customer performs an acquisition in a specific area of the

picture/behavioral map. The same updating may be done if a massive fraudulent activity occurs.

Another updating concept is updating the profile within the smartphone itself without connecting to the server.

A generating engine may be configured to generate an offline, self-verified, mobile

authenticating transaction framework comprising unified parameters correlating to one or more activities across one or more mobile device's applications by one or more users. The system framework may be derived and updated from analysis of the unified parameters based on realtime analytics and user's behavioral pattern data output.

• wherein the transmitting, acquiring, and updating, for each of the plurality of users,

occurs at differing times

• wherein timings of transmitting and acquiring, for each of the plurality of users, occurs according to a common set of rules

• wherein the new activity information includes identification of a merchant that the mobile device user patronized

• wherein the new activity information includes a new geographic location associated with the mobile device user

• wherein sending the updated behavioral profile includes sending only aspects of the

behavioral profile that differ from a previously transmitted behavioral profile

• further comprising, based on the acquiring new activity information from one user,

updating a behavioral profile of another user

• further comprising, based on acquiring new activity information from one user, updating a behavioral profile of another user, when there are behavioral similarities between the one user and the another user Incremental Behavioral Profile Updates on a Mobile Device

Behavioral profiles stored on mobile devices may be incrementally updated, rather than entirely replaced. This may save bandwidth, reduce transmission time, and enhance the user experience.

Exemplary Independent Concept

5. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining, on a mobile device, a behavioral profile associated with a user of the mobile device, the behavioral profile comprising a plurality of attributes;

receiving, at the mobile device, updates for the behavioral profile from a server, the updates being associated with a subset of the plurality of attributes;

updating, to produce an updated behavioral profile, the subset of attributes of the behavioral profile based on the received updates; and

determining, on the mobile device, whether to authorize a requested financial transaction based on a comparison between transaction data associated with the requested financial transaction and the updated behavioral profile.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the updates are received on a predetermined schedule

• further comprising sending information to a remote server that causes the remote server to transmit updates for the behavioral profile

• If, however, the customer was successful in a verification of step, the server may be updated with the transaction details and also with location data, so the server can update the profile of the customer.

Another concept is Incremental behavioral profile update.

Every time we update the profile/behavioral maps we may be exposed to security issues such as: changing the data, adding Trojan code, etc. It also may require an enormous amount of resources, i.e., potentially annoying to the customer- using up his transmission allotment in addition to CPU and battery usage, etc. Therefore the concept of behavioral maps enables us to change part of the picture/behavioral map. The DOF concept enables us to change from low to high resolution when the customer performs an acquisition in a specific area of the

picture/behavioral map. The same updating may be done if a massive fraudulent activity occurs.

• wherein updating the subset of attributes includes replacing information associated with one or more attributes

• wherein updating the subset of attributes includes adding data to one or more attributes

• further comprising-accessing, in the mobile device, an indication of an attribute for which an update is requested

• further comprising updating the profile within the smartphone itself without connecting to the server

A generating engine may be configured to generate an offline, self-verified, mobile

authenticating transaction framework comprising unified parameters correlating to one or more activities across one or more mobile device's applications by one or more users. The system framework may be derived and updated from analysis of the unified parameters based on realtime analytics and user's behavioral pattern data output.

• further comprising sending, from the mobile device, information that triggers the

updating

If, however, the customer was successful in a verification of step, the server may be updated with the transaction details and also with location data, so the server can update the profile of the customer.

• further comprising receiving, at the mobile device, data representing additional resolution for an attribute of the behavioral profile. Mobile Device Locally Interrupts a Financial Transaction When Fraud is Suspected

A mobile device may locally interrupt a transaction in progress if fraud is suspected locally on the mobile device.

Exemplary Independent Concept

6. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: receiving, at a mobile device associated with a user, transaction data associated with a requested financial transaction;

determining, while the requested financial transaction is in progress, and based on behavioral information stored locally on the mobile device, a risk of fraud associated with the requested financial transaction; and

determining based on the risk of fraud determined locally on the mobile device, and while the requested financial transaction is in progress, whether to perform an offline intervention in the processing of the requested financial transaction; and

performing the offline intervention when a determination is made to intervene.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the behavioral information is a behavioral profile

A behavioral pattern may be, for example, an encrypted file or files or any other collection of data, received from the server. The file (or files) describes the behavior profile of the customer and similar customers. In an exemplary embodiment, the file can also describe the behavior profile of fraudulent persons or specific customer encrypted rules.

The module may use the data or rules that were stored with an element for rejecting or approving the transaction. This is done by decrypting the encrypted behavioral pattern file or data or rules, and, when a transaction takes place, calculating the probability for fraud based on the behavioral pattern or data or rules and the transaction details.

In an exemplary embodiment, the transaction details comprise merchant ID, time of the transaction, and the sum amount of the transaction. The model, based on the behavioral pattern, may approve or deny the transaction.

The behavioral pattern may be unique for every customer. In an exemplary embodiment, however, one mobile payment device can support two or more files representing different behavioral patterns of different users or customers. In another exemplary embodiment, one mobile payment device can support two or more files representing different behavioral patterns of different cards from different issuers related to the same customer.

• wherein performing the offline intervention includes requesting additional verification information from the user

• In another exemplary embodiment, the outcome of the calculation by the model can be a request for higher level of security, implemented, for example by requesting the customer to enter one or more codes, in different lengths, as defined by the requested security level.

• wherein performing the offline intervention includes performing, transparently to the user, additional verification of the user

• wherein performing the offline intervention includes interrupting a request for access to an electronic wallet stored on the mobile device

In another exemplary option for blocking the mobile payment device, the user has entered incorrect identification means such as, but not limited to, wrong password. Blocking the device due to wrong password can be activated after a predefined number of false retries.

In an exemplary embodiment, if the mobile payment device was stolen then it is considered not in order. In another exemplary embodiment, the mobile payment device may be blocked if the user had reached the allowed limit for accumulated transactions (credit limit), i.e. not Open To Buy (OTB).

further comprising receiving additional verification information from the user while the requested financial transaction is in progress

If the model denied the transaction, then the customer may be asked to enter

identification means. The identification means can be, and not limited to, password, biometric characteristic of the customer, or a combination thereof. The mobile payment device then verifies the identification means. If the verification fails, then the customer may not be able to perform the transaction.

further comprising authorizing the requested financial transaction based on the additional verification information further comprising, when the risk of fraud is below a threshold, determining not to perform an offline intervention in the requested financial transaction

The mobile payment device may compute whether the transaction can receive

authorization, based on the behavioral pattern received in the mobile payment device. If the outcome of the computation is negative, then the customer may be asked to enter identification means. The mobile payment device then verifies the identification means. If the verification fails, then the customer may not be able to perform the transaction. However, if the transaction is authorized by the mobile payment device, then transaction data may be sent to via the POS to the clearing house. The clearing house sends the transaction data to the issuer.

Autonomous Fraud Interrogation by Mobile Device

When potential fraud is detected, a further feature is that the mobile device itself can

autonomously interrogate the user and block a transaction if that interrogation does not result in a satisfactory answer.

Exemplary Independent Concept

7. A non-transitory computer readable medium configured to reside on a mobile device and to store instructions that, when executed by at least one processor in the mobile device, cause the at least one processor to perform operations comprising:

accessing on a mobile device, transaction data associated with a requested financial transaction by the user of the mobile device;

autonomously accessing, in the mobile device and without resort to information remotely stored, data associated with past conduct of the user;

autonomously comparing, in the mobile device, and without resort to information remotely stored, the transaction data with the past conduct data;

autonomously determining, in the mobile device based on the comparing, whether to present a query to the user before proceeding with the requested financial transaction;

autonomously presenting the query to the user before proceeding with the requested financial transaction; and

autonomously determining, in the mobile device, and without resort to information remotely stored, whether to permit the requested financial transaction to proceed based on a response to the query by the user.

As described herein, autonomous processing (e.g., accessing, comparing, determining, or presenting) may involve processing that is initiated or controlled by a mobile device application. These examples of autonomous processing are in contrast to processing initiated or controlled through manual intervention by a user. Exemplary Dependent Concepts and Additional Details and Explanation

• wherein autonomously accessing data associated with past conduct includes accessing a behavioral profile previously transmitted to the mobile device from a remote server

• wherein the query prompts the user to input information uniquely held by the user

The user, for example, opens an account, and he chooses some identification question and answer them.

At the first step, when the user opens an account or for example order a credit card, he chooses some identification questions and answers them.

• wherein the query prompts the user to input biometric information

If the model denied the transaction, then the customer may be asked to enter

identification means. The identification means can be, and not limited to, password, biometric characteristic of the customer, or a combination thereof.

• further comprising, if the response to the query by the user is incorrect, denying the

requested financial transaction

If the model denied the transaction, then the customer may be asked to enter

identification means. The identification means can be, and not limited to, password, biometric characteristic of the customer, or a combination thereof. The mobile payment device may then verify the identification means. If the verification fails, then the customer will not be able to perform the transaction. An update on the failure is sent to server and from the server to the issuer. The issuer can consider blocking (i.e. lock) the customer from further use of the payment software as was previously described. If, however, the customer was successful in the verification, the server may be updated with the transaction details and also with location data, so the server can update the profile of the customer.

• further comprising communicating to a point of sale terminal that the requested financial transaction is not authorized

If verification is declined, then no transaction takes place. Furthermore, there are several possibilities:

First, step-blocking the payment device:

Another exemplary option for blocking the mobile payment device is if the user has entered incorrect identification means such as, but not limited to, wrong password. It will be understood by those skilled in the art that blocking the device due to wrong password can be activated after a predefined number of false retries.

Furthermore a request or warning message can be sent from the device to the POS by NFC or any means of communication to request the customer to show any means of identification, e.g., i.d. card or driver's license. If the customer successfully identifies himself, then the transaction is approved and the POS can release the locked payment device. If the customer fails, then the transaction is not approved and there is an option for the POS to notify the issuer via the clearing house.

User's Mobile Device Helps Combat Merchant Fraud

Merchant fraud occurs when a merchant (as opposed to a user of a mobile device) engages in fraudulent activity. For example, a merchant may generate false transactions or manipulate the transaction amounts of legitimate transactions. To combat these forms of merchant fraud, a system may verify transaction data and/or a computed risk of fraud with a mobile device.

Exemplary Independent Concept

8. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: receiving at a server, as part of a procedure to detect merchant fraud, transaction data provided by a merchant;

sending from the server, to a mobile device, a request for transaction history data;

receiving at the server, from the mobile device, a response comprising transaction history data or an indication that transaction history data cannot be located; and

determining, at the server, whether to validate the transaction data based on the response from the mobile device.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the transaction data from the merchant and the transaction history data from the mobile device each include a transaction time, and wherein the computer readable medium further includes instructions to deny the transaction if the transaction time in the transaction data does not match the transaction time in the transaction history data

Two possible initiators for verifying if there was any manipulation of the transaction details:

1. Initiated by the Issuer - from Issuer to Mobile Payment Device via the Server

2. Initiated by Mobile Payment Device - from Mobile Payment Device to Issuer via POS and Clearing House

1 -Initiated by the Issuer

In an exemplary method for merchant verification, the issuer receives transaction data from the merchant. In order to verify that the transaction indeed took place, the issuer sends to the server a request for transaction validation. The server sends a request to the mobile payment device for the transaction details. The mobile payment device, in turn, sends the requested transaction details or a response that the details are not available, to the server. The server validates the transaction and the merchant if the transaction details are available and then sends the results of validation to the issuer.

2-Initiated by Mobile Payment Device

As shown with respect to FIG. 4, in some embodiments, a mobile payment device 30 may include an Authentication Number Generator ("ANG") 37, and an issuer 10 may also include an ANG 11.

Just as the Model generates a score (e.g., between 0-1) based on the transaction details and the behavior profile/ behavior maps, the ANG Authentication Number Generator produces a unique number for every transaction based on the transaction details, customer profile, merchant profile, date, and amount. When the transaction arrives at the Issuer via the POS and clearing house the same calculation can be made on the Issuer's side. If the ANG code that originates from the mobile is identical to the ANG code on the Issuer then we can be certain that there was no manipulation on the amount, date, customer and merchant i.d.

• wherein the transaction data from the merchant and the transaction history data from the mobile device each include a transaction price, and wherein the computer readable medium further includes instructions to deny the transaction if the transaction price in the transaction data does not match the transaction price in the transaction history data

• further comprising receiving a request to validate the transaction data from a payment card issuer

• further comprising, if the response includes an indication that transaction history data cannot be located, denying the transaction

The calculation that the ANG Authentication Number Generator generates may be based on the transaction details, customer profile, merchant profile, date, and amount. If the ANG code that originates from the mobile is identical to the ANG code on the issuer then we can be certain that there was no manipulation on the amount, date, customer and merchant i.d.

• further comprising, if the transaction history data received from the mobile device

matches the transaction data, validating the transaction

• wherein denying the transaction includes sending a denial indication to a payment card issuer Harvesting Behavioral Data From a Mobile Device to Create a Profile on a Remote Server

A diverse dataset can be used in building behavioral profiles. In addition to transaction data (e.g., transaction amount, merchant ID, time, etc.), a wide variety of other data can be collected by a mobile device and is useful in generating a robust behavioral profile.

Exemplary Independent Concept

9. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: harvesting, at a mobile device, activity data indicative of various diverse activities of a user of the mobile device;

transmitting to a remote server, from the mobile device, the activity data harvested from the mobile device in order to enable the remote server to generate a behavioral profile of the user of the mobile device based on the harvested activity data;

receiving at the mobile device, from the server, the behavioral profile;

storing the behavioral profile locally on the mobile device; and

determining, on the mobile device, whether to authorize a requested financial transaction based on a comparison of data associated with the requested financial transaction and data associated with the behavioral profile.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the activity data includes data associated with a plurality of differing financial transactions

• wherein the data associated with a plurality of differing financial transactions includes price data, transaction time data, and merchant identification data

• wherein the activity data comprises geographic location data

• wherein the activity data comprises data communications activity

• wherein the activity data comprises gyroscope activity

• wherein the activity data comprises accelerometer activity

• wherein the activity data comprises compass activity

• wherein the activity data comprises battery activity

• wherein the activity data comprises mobile device buttons activity • wherein the activity data comprises touch screen input activity

• wherein the activity data comprises messaging activity

• wherein the activity data comprises mobile device application activity

Exemplary Features of Local Behavioral Profile

Noting a number of exemplary features of a behavioral profile.

The standard deviation from the average money paid for a purchase in a store can be beneficial to understand if the purchase deviates from the typical purchase at that merchant. For example, if the purchase amount exceeds the standard deviation by twice the average, that may signal a problem.

We can be more accuracy by analyzing the statistics for a specific merchant vis-a-vis the average purchase amount and the standard deviation of the amount at a specific period of time in the store. When a transaction occurs at a specific period of time, the calculation will be based on the statistics regarding that specific period of time and the specific merchant.

We can be further accurate since there are different behavioral patterns for different days of the week. It may make sense, for example, to calculate the statistics for each merchant at a specific time on a specific day.

To download all these statistics to the smartphone of each individual may be too problematic, since may be too big to download, may be updated on a regular basis, and may take up too much space on the disk.

For this reason, if we want to implement these statistical methods in the smartphone, it may be helpful to use a different aggregation/profiling approach. An advanced profile/ behavioral map may be beneficial to use. For example, we may use behavioral maps with different depths of field (DOF) for each area on the map whose information we condensed to a size that is manageable on a smartphone.

Instead of (or in addition to) merely displaying information on one specific merchant, we can display information on a group of merchants, and more so on a larger group of merchants. The decision to display on the map higher resolution of merchants can be based on his GPS, actual purchase data and other customers' behavior that we can retrieve from the transaction data or from sensors on the smartphone, etc.

Exemplary Independent Concept

10. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining a behavioral profile on a mobile device, the behavioral profile being unique to a user of the mobile device and comprising a general population attribute, a fraud ratio attribute, and a personal history attribute;

wherein the general population attribute is associated with financial transactions conducted by a general population of users; wherein the fraud ratio attribute is associated with a prevalence of fraud among the general population of users; and

wherein the personal history attribute is associated with the user's history of financial transactions; and

determining, on the mobile device, whether to authorize a requested financial transaction based on the behavioral profile.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the general population attribute indicates a number of financial transactions conducted by the general population of users at a point on a behavioral map

• wherein the fraud ratio attribute indicates a proportion of fraudulent activity to overall financial activity at a point on a behavioral map

• wherein the personal history attribute indicates a number of financial transactions that the user has engaged in at a point on a behavioral map

• further comprising computing a likelihood that the requested financial transaction is fraudulent based on the behavioral profile

Derivative Fraud Detection Queries

Techniques may be used for dynamic user identification. These techniques may involve manipulating security questions and corresponding answers. For example, if a security question is "What is your first dog's name," and the answer is "Pongo," the manipulated question and answer may be "What are the first three letters of your first dog's name" and "Pon," respectively. In addition, manipulations may be mathematical or positional in nature.

Exemplary Independent Concept

11. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: accessing information provided by a mobile device user, the information comprising original answers provided by the mobile device user to a plurality of original security questions; determining, based on the original answers provided by the mobile device user and the plurality of original security questions, a plurality of derivative security questions and a plurality of corresponding derivative answers;

presenting to the mobile device user a security challenge, the security challenge including a derivative security question;

receiving a response from the mobile device user; and

determining an accuracy of the response received from the mobile device user; and if the response is determined to be accurate, enabling a financial transaction to proceed.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the derivative security questions are seek information relating to a subset of characters in the original answers

To each question of verification, an appropriate manipulation may be calculated. For example: turning the answer to the first two letters, calculating the sum of the digits of the answer to the original answer.

• wherein the derivative security questions seek information relating to an image associated with the original answers

For example, the process may involve selecting a picture of the first dog type he had as a child.

• wherein the derivative security questions seek information relating to sounds associated with the original answers

For example, the process may also ask with which word does the answer rhyme. wherein the derivative security questions seek information relating to a rearrangement of characters in the original answers

By these changes, the question can ask for partial information representing the original question. For example, where the answer would be the first two letters of the answer, or last two letters of the answer, any letter combination of the answer, or with which word does the answer rhyme.

The process may also involve calculating the sum of the digits of the original question.

Dynamically Shifting Liability for Fraud in e- Wallet Transactions

In a typical transaction, if a payment card is not present at the place of a transaction ("card not present" or "CNP"), the liability for fraud is borne by the merchant. When the payment card is present ("card present" or "CP"), the liability for fraud is borne by the card issuer. According to a new paradigm, liability for fraud can dynamically shift based on the likelihood of fraud.

This concept may relate to e- Wallets, since e- Wallets might change payment processes dramatically. a. e-Wallets may allow usage of the same software application both in-stores and for e- Commerce transactions. b. e-Wallets, equipped with the offline fraud prevention abilities, can support their own fraud detection capabilities, which may be more relevant for liability-to-fraud and risk-exposure prevention, than the traditional CP and CNP definitions.

Thus, this concept involves a different way of classification of transactions: a. A basic definition of CP or CNP may be done according to the presence of the customer in a brick-and-mortar shop, as it is done today. It means that if the e- Wallet is present in a physical store, the transaction will be defined as CP transaction and if it is an e-Commerce transaction, the transaction will be defined as CNP transaction. b. A refined definition may be based on the local fraud prevention process results, i.e. - the probability that a current transaction is fraudulent, based on the transaction details and the analysis done by the local system in the e- Wallet. c. If the original definition was a CNP transaction, and the probability that it is a fraud low enough (below a pre-defined threshold) - the transaction may be treated as a CP transaction and the liability-for-fraud may be shifted from the merchant to the card issuer (or to any other entity which is responsible for the payment on the customer side). d. If the original definition was a CP transaction, but the probability that it is a fraud is high enough (above a pre-defined threshold) - the transaction may be treated as a CNP transaction and the liability-for-fraud may be shifted to the merchant accordingly.

This concept might lead to a significant change, a sort of a revolution in the payment systems. It adjusts traditional processes and breaks well established concepts of credit card handling processes.

On the one hand, risky transactions which are made in a brick-and-mortar stores will be treated as CNP transactions, and the store may have to use additional identification means (like presenting I.D. card) to eliminate the probability it is a fraud and make sure that the real e-Wallet owner is present at the store. On the other hand, credit card issuers may be responsible for the risk for e-Commerce transactions made by their customers, if the e-wallet fraud prevention system is relatively confident that the real card owner is executing the specific transaction.

Basic CP transaction

An exemplary CP transaction is illustrated in FIG. 5 and is referenced below.

When a person selects a purchase and arrives at the POS and wants to pay with his credit card or e- Wallet, the transaction may be considered CNP.

The customer selects a purchase and arrives at the POS 40 with his e- Wallet. Due to the above explained agreement we will consider the transaction as CP. The customer tapped his e- Wallet at the POS, a request is sent to the Smartphone. The request details from the POS arrive at the smartphone and are processed in the fraud prediction and the score is calculated (step 200). Based on the score, the Liability Shift Engine (202) either approves in which case the transaction remains a CP step (step 21 1). If the Issuer refuses to take the risk due to high score (high probability of fraud), the smartphone sends a message (e.g., "can you take the risk because I am not," or words of like effect) to the POS then the POS that received the message decides whether to take the risk (step 210). If the merchant agrees to take the risk, then the transaction is a CNP (Step 213), if not then there is no transaction (step 212).

Basic CNP transaction

An exemplary CP transaction is illustrated in FIG. 6 and is referenced below.

When the customer is not present at the POS with his credit card or the card is swiped but the information is corrupted the transaction is considered CNP. However if the issuer agrees to take the risk the liability can shift to the bank and will be considered a CP transaction.

When a customer is executing a purchase via the Web/Smartphone and the customer is not present at the POS (step 301), the customer wants to pay for the purchase via his e- Wallet.

Before the e- Wallet approves the transaction, a calculation is done at the smartphone and a fraud prediction score is calculated (step 200). Based on the score, the Liability Shift Engine 202 may make a suggestion to the merchant: e.g., that the issuer offers to the merchant that he the issuer will take the risk (due to a low score which means a low probability of fraud) to which the merchant either agrees or disagrees (step 303). If the merchant agrees, then the transaction is considered CP (step 309). If the merchant disagrees then the transaction is as usual and is considered CNP (step 308).

If the Liability Shift Engine offers no suggestion then the transaction is as usual, the merchant at POS must decide whether to take the risk (step 302). If the merchant accepts the risk, then the transaction is considered as CNP (step 304), if he refuses then a message sent to the smartphone (e.g., "do you agree to take the risk?") then the Liability Shift Engine 305 decides whether to agree and take the risk the transaction is considered as CP (step 307). If the Liability Shift Engine / issuer rejects then there is no transaction (step 306).

Exemplary Independent Concept

12. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: enabling initiation of a financial transaction from a mobile communications device, wherein a user's credit account information is stored in the mobile communications device for electronic communication to a merchant;

receiving, in the mobile communications device, transaction data associated with the financial transaction;

accessing behavioral profile data stored in the mobile communications device;

comparing the transaction data with the behavioral profile data;

determining, in the mobile communications device, based on the comparing, a risk of fraud associated with the financial transaction; and

enabling, based on the determined risk of fraud, liability for the financial transaction to be shifted from the merchant to an issuer of the credit account.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the behavioral profile data stored on the mobile communications device includes information about behaviors of individuals other than the user

• A behavioral pattern may be, for example, an encrypted file or files or any other

collection of data, received from the server. The file (or files) describes the behavior profile of the customer and/or similar customers. In an exemplary embodiment, the file can also describe the behavior profile of fraudulent persons or a specific customer encrypted rule. In an exemplary embodiment however, one mobile payment device can support two or more files representing different behavioral patterns of different users or customers. wherein the enabling includes checking the determined risk of fraud against at least one threshold, and shifting the liability to the issuer only if the determined risk of fraud passes the at least one threshold

Based on the score, a liability shift engine may make a suggestion

further comprising enabling the merchant to make an ultimate determination over whether risk should be shifted to the issuer

wherein the merchant is enabled to shift the liability risk to the issuer at a cost to the merchant

further comprising prompting the user to provide additional security information and wherein determining the risk of fraud is based on the behavioral profile data and the additional security information

In another exemplary embodiment, the outcome of the calculation by the model can be a request for higher level of security, implemented for example by requesting the customer to enter one or more codes, in different lengths, as defined by the requested security level. wherein the enabling includes determining a proportion of liability to be borne by the merchant if the requested financial transaction is fraudulent

wherein the issuer is enabled to shift the liability risk to the merchant

It's possible to add another option to share the risk in this situation

further comprising offering a discount to a merchant associated with the requested financial transaction based on the risk of fraud

Imposing a "Cage" When Behavioral Profile Information is Insufficient

A "cage," or set of temporary limitations on financial activity, may be imposed in certain circumstances. For example, before a user has sufficient transaction history to have a

meaningful behavioral profile, a cage may be imposed. The cage may include a set of rules that allow, and disallow, certain financial transactions.

Exemplary Independent Concept

13. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining, on a mobile device, a behavioral profile associated with a user of the mobile device, wherein the behavioral profile is configured for use in approving financial transactions from the mobile device without real time use of a network;

maintaining, on the mobile device, a set of fall-back rules for use when insufficient information is contained in the behavioral profile to authorize a financial transaction, the fallback rules indicating whether to authorize or deny certain types of financial transactions; and when the behavioral profile contains insufficient information to authorize a financial transaction, accessing the fall-back rules and determining, based at least in part on the fall back rules, whether to authorize the financial transaction, from the mobile device, without further approval from another source.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the fall-back rules include at least one rule that requires the user to enter personal identification information before completing a financial transaction

• When a new customer applies for an e- Wallet and we don't have his history of purchases, it may be difficult to determine if he made the purchase. Therefore, we may require the customer to identify himself to ensure that the customer indeed performed the purchase. In addition, we may be able to rely upon this transaction for the next prediction, e.g., if the customer returns a week later to buy in the same store, we can authorize the purchase without identification since we know that he already has been there. In some

embodiments, this purchase authorization is not based on a statistical model since there may not be enough data on this specific customer.

• wherein the fall-back rules include at least one rule that authorizes transactions at

merchants previously patronized by the user There may be a log describing the recent transactions on the smartphone, which includes information that enables us to comprehend the present purchase, e.g., customer has already been in the same specific store or in a similar store in the same geographic area. All the above may be done on the smartphone without any recourse to the server. The log can be beneficial in a situation when, for example, the customer altered his behavior and there does not exist yet a new behavior map/profile from the server.

further comprising, when the behavioral profile is determined to contain sufficient information, authorizing the financial transaction without resort to the fall-back rules

When there is sufficient information on the server or smartphone to prepare behavioral maps/ profiles, this means there are enough customer purchases and/or of similar customers. Behavioral maps/ profiles may enable us to conclude that he made the purchases based on high probability thereby authorizing the transaction without necessitating authentication. Alternatively, when there is not sufficient information about the customer's purchases and there is fraudulent activity within the general population for similar transactions which indicate a problem with the purchase, then the transaction may not be authorized unless the customer will identify himself. More so, in some cases, where there is similarity to fraud cases, the purchase may not be authorized under any circumstances.

There may be rules which limit the risk of the e- Wallet, e.g., a 20th transaction or any random number, which may require identification, or if the total purchases add up to a large sum of money for a typical customer, then identification may be required before the purchase is authorized.

Imposing a "Cage" Based on Suspicious Detected Activity

Related to the above concept, a "cage" may be imposed when unusual activity of the user is detected (e.g., the mobile device is used in a new country, at a new merchant, or is not used at all for a period of time). The cage may include a set of rules that allow, and disallow, certain financial transactions.

Exemplary Independent Concept

14. A non- transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining, on a mobile device, a behavioral profile associated with a user of the mobile device, wherein the behavioral profile is configured for use in approving financial transactions from the mobile device without real time use of a network;

maintaining, on the mobile device, a set of suspected fraud rules for use when, based on application of the behavioral profile, fraud is suspected;

invoking at least one of the suspected fraud rules when fraud is suspected, wherein the invoked suspected fraud rule prompts the user to provide further information; and

determining, based at least in part on a response to the prompt, whether to authorize the financial transaction from the mobile device, without intervention from a data source outside the mobile device.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the suspected fraud rules include a rule that prompts the user to provide further information if a geographic location associated with the transaction is determined to be atypical for the user

• In some situations, a customer may make purchases via his e- Wallet at merchants or e- commerce sites in which the language is different from the language of his smartphone's setup. The first time he may be asked to identify himself. If he succeeds, then a new profile of merchants and e-commerce sites in a geographical area which speak that language may be downloaded to his smartphone. If not, the transaction may not be approved.

• In some situations, a customer may make purchases for the first time at a merchant whose current GPS coordinates have never been recorded in his history log and/or not even in close proximity. If he succeeds, then a new profile of merchants in a geographical area may be downloaded to his smartphone. If not, the transaction may not be approved. wherein the suspected fraud rules include a rule that prompts the user to provide further information if a merchant associated with the financial transaction is determined to be atypical for the user

The merchants may be classified, e.g., as restaurant, hotels, entertainment, gambling, retail, professional services, grocery, etc.

The first time a customer wants to pay with his e- Wallet at, for example, a gambling establishment, he may be asked to identify himself. If he succeeds, the subsequent times all the merchants who are classified as gambling may be accessible to him. Merchants in other classifications may not be accessible in the same manner until, e.g., the customer makes a successful purchase at them.

wherein the suspected fraud rules include a rule that prompts the user to provide further information for all merchants not previously patronized by the user

wherein the suspected fraud rules include a rule that prompts the user to provide further information if the user is located outside of geographical area defined by the behavioral profile

wherein the suspected fraud rules include a rule that prompts the user to provide further information if a transaction amount is beyond a threshold defined by the behavioral profile.

Proactively Updating Behavioral Profiles Based on Detected Fraud

A further feature may relate to updating one user's behavioral profile when another user, who has a similar profile, is determined to have engaged in a fraudulent transaction. Thus, for any single detection of fraud, one or more other users may receive the benefit of that detection.

When a transaction of a specific customer is not similar to his previous behavior, a suspicion of fraud may exist. If the transaction is not similar to the behavior of, for example, his "nearest neighbors," then it may be considered more suspicious. In addition, if it is similar to previous fraudulent activity, then there may be a still greater suspicion of fraud. Therefore, it may be helpful to check if the customer's transaction is similar to that of a known (or suspected) fraudster's behavior.

To define the rules for determining this, the system may collect the transactions, both legitimate and fraudulent, on the server, and run statistical analyses (e.g., decision trees, neural networks, etc.). This may enable building a set of rules that defines if the transaction(s) is similar to fraud. The data that supports these rules may reside on the smartphone itself. This data may be prepared on the server and can be easily be downloaded due to its size, or the data can be easily prepared on the smartphone.

Exemplary Independent Concept

15. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining, at a server, a plurality of behavioral profiles, the plurality of behavioral profiles being associated with a plurality of mobile device users, each mobile device user being associated with a mobile device;

transmitting to the mobile devices, associated mobile behavioral profiles, each for storage on a corresponding mobile device of the plurality of users;

receiving from one of the plurality of mobile devices, an information about a fraudulent transaction;

updating the plurality of behavioral profiles based on the received information about the fraudulent transaction; and

transmitting to the mobile devices updated behavioral profile information that adjusts each of the plurality of mobile behavioral profiles to account for the information received about the fraudulent transaction.

Exemplary Dependent Concepts and Additional Details and Explanation wherein each mobile behavioral profile is identical to a corresponding behavioral profile maintained on the server

wherein each mobile behavioral profile is a light version of a corresponding behavioral profile maintained on the server

further comprising, when information about a fraudulent transaction is received from one of the mobile devices, identifying a subset of mobile device users with similar behavioral profiles, and transmitting the updated profile information only to the subset

wherein the subset is determined using a nearest neighbor statistical analysis

Embedding Merchant Profile Information in a User's Mobile Device

A behavioral profile may not only store behavioral information associated with the mobile device user and other similar users, but may also store profile information associated with merchants frequented by the user (or determined to be likely visited by the user). In this way, fraud detection may be further enhanced.

The standard deviation from the average money paid for a purchase in a store can be beneficial to understand if the purchase deviates from the typical purchase by that merchant. For example, if the purchase amount exceeds the standard deviation by twice the average, that may signal a problem.

We can be more accurate with analyzing the statistics for a specific merchant vis-a-vis the average purchase amount and the standard deviation of the amount at a specific period of time in the store. When, for example, a transaction occurs at a specific period of time, the calculation may be based on the statistics regarding that specific period of time and the specific merchant.

We can be further accurate since there may be different behavioral patterns for different days of the week. It may make sense to calculate the statistics for each merchant at a specific time on a specific day.

To download all these statistics to the smartphone of each individual may be problematic, since they may be too big to download, may be updated on a regular basis, and may take up too much space on the disk.

For this reason, if we want to implement these statistical methods in the smartphone, it may be helpful to use a different aggregation/profiling approach. For example, an advanced profile/ behavioral map may be used. Behavioral maps with different depths of field (DOF) for each area on the map whose information we condensed to a size which is manageable on a

smartphone may be helpful.

Instead of (or in addition to) merely displaying information on one specific merchant, we can display information on a group of merchants, and more so on a larger group of merchants. The decision to display on the map higher resolution of merchants can be based on his GPS, actual purchase data, and other customers' behavior that we can retrieve from the transaction data or from sensors on the smartphone, etc.

When Condensation is Performed

For example, at the store where a customer bought in the past, we may not condense. If the stores where he didn't buy, however, are similar to those which he buys, then we may condense slightly. In stores that he has never bought from, and from those stores that are similar to them, a high condensation may be performed.

At the stores where a customer is frequently in their vicinity (based on his GPS), and for historical transactions, we may not condense. In the area where he doesn't frequent, but are nearby areas which he does frequent, we may condense slightly. In areas that he has never frequented, and are far from the places which he frequents, then high condensation may be performed.

If a merchant has major activity that is similar to the customer's purchase activity regarding time and date, we may not condense. If a merchant has major activity that is partially similar to the customer's purchase activity regarding time and date, we may slightly condense. For a merchant whose major activity is not similar to the customer's purchase activity regarding time and date, we condense. The actual condensation of the map may be the combination of all the above.

The behavior maps may represent the merchant's behavior in the geographical area where the customer frequents and at the time he purchases at his favorite merchants.

In areas where the customer has never been (GPS), at hours where he purchases very little, and at a merchant where he had not purchased in the past, the information in the map may reflect the behavior of the fraudsters in relation to the general population.

The more the behavior in the map is similar to the specific customer, we may focus on his "nearest neighbor." The more the behavior which is represented on the map is dissimilar from the customer, the more it represents larger segments of the population. The more that the behavior represented on the maps is similar to the customer, the higher the resolution. The more dissimilar from the behavior of the customer, the lower the resolution.

Exemplary Independent Concept

16. A non- transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising: maintaining, on a mobile device, a merchant profile, wherein the merchant profile includes at least one merchant determined to be likely patronized by a user of the mobile device; receiving, at the mobile device, transaction data associated with a requested financial transaction, the transaction data identifying a merchant;

determining, at the mobile device, a risk of fraud based on the merchant profile and the transaction data; and

determining, at the mobile device, whether to authorize the requested financial transaction based on the risk of fraud.

Exemplary Dependent Concepts and Additional Details and Explanation

• wherein the at least one merchant is determined to be likely patronized by the user based on prior conduct of the user • wherein the at least one merchant is determined to be likely patronized by the user based on a prior transaction with the merchant

• wherein the merchant profile includes a list of merchants patronized by other users

determined to be similar to the user

• wherein the merchant profile includes a category of merchants determined to be likely patronized by the user

• further comprising, if the merchant identified in the transaction data is not included in the merchant profile, requesting additional verification information from the user

• further comprising, if the merchant identified in the transaction data is included in the merchant profile, determining to authorize the requested financial transaction

It will be apparent to those skilled in the art that various modifications and variations can be made to the exemplary embodiments disclosed herein. It is intended that the examples be considered as exemplary embodiments only, with a true scope of the disclosed embodiments being indicated by the following claims and their equivalents. Further, it is to be understood that while the foregoing discussion may have referenced singular components (e.g., servers, databases, devices) in some instances, such components may be implemented using a plurality of such components to achieve similar to additional functionality. Further, it is to be understood that the above described hardware components (e.g., servers, communications devices, storage media, etc.), may be tangible hardware components, comprising memory devices (e.g., RAM, ROM, etc.), and may be configured to perform the functions and processes described above. Further, it should be recognized that the exemplary processes described herein are only exemplary, and may be performed with additional steps, fewer steps, and/or in different sequences than described above.

The foregoing concepts, subconcepts, and explanations are divided into groups for ease of discussion only. It is to be understood that all of the concepts, subconcepts, and technical details are intended to stand alone as separate innovations, and that each concept, subconcept, and technical detail is contemplated as being combinable with each other concept, subconcept, and technical detail either in pairs or groups to constitute separate innovations consistent with this disclosure. Therefore, the specific combinations of features disclosed herein and the exemplary claims presented are not necessarily restrictive of the present disclosure.