Doing good by fighting fraud: Ethical anti-fraud systems for mobile payments

TL;DR

This paper evaluates the ethical implications of anti-fraud security challenges in mobile payments, analyzing a large-scale deployment of Boxer and proposing Daredevil to improve fairness across diverse devices.

Contribution

It presents a large-scale measurement study of Boxer, identifies its limitations on low-performance devices, and introduces Daredevil, a more equitable anti-fraud system for mobile payments.

Findings

Boxer struggles on devices with less than 1 FPS.

Daredevil reduces low-FPS devices by an order of magnitude.

Study includes data from over 5 million devices across 496 apps.

Abstract

App builders commonly use security challenges, a form of step-up authentication, to add security to their apps. However, the ethical implications of this type of architecture has not been studied previously. In this paper, we present a large-scale measurement study of running an existing anti-fraud security challenge, Boxer, in real apps running on mobile devices. We find that although Boxer does work well overall, it is unable to scan effectively on devices that run its machine learning models at less than one frame per second (FPS), blocking users who use inexpensive devices. With the insights from our study, we design Daredevil, anew anti-fraud system for scanning payment cards that work swell across the broad range of performance characteristics and hardware configurations found on modern mobile devices. Daredevil reduces the number of devices that run at less than one FPS by an order of magnitude compared to Boxer, providing a more equitable system for fighting fraud. In total, we collect data from 5,085,444 real devices spread across 496 real apps running production software and interacting with real users.