Abstract: Devices and techniques are generally described for detection of network anomalies. In various examples, first data describing network communication between a plurality of source entities and a plurality of destination entities may be received. In some examples, respective feature data representing network communication between a respective source entity and one or more of the plurality of destination entities may be generated. In some examples, an unsupervised machine learning model may be used to determine a first number of clusters of the feature data. In various cases, a first source entity that is an outlier with respect to the first number of clusters may be determined based at least in part on the first number of clusters. The first source entity may be classified as an anomalous entity.

Abstract: A biometric input device is used to obtain biometric data from a user. The biometric data is used to determine host card emulation (HCE) parameters that are associated with the user and are used to access a payment account. An interface device that is associated with the biometric input device receives the HCE parameters. The interface device includes a secure execution environment (SEE). A processor in the SEE decrypts and stores the HCE parameters in the memory of the SEE and executes an HCE instance. The HCE instance uses a communication interface to interact with a payment terminal using a contactless communication protocol. The interaction provides payment data to the payment terminal, which is then sent along a payment channel for processing. The HCE instance is then erased, and the SEE is then available for use by another user for another transaction using a different payment account.

Abstract: During provisioning of a biometric device, a hardware root of trust is established between the biometric device and a server. The biometric device includes a cryptographic processor with a first encryption key stored in secure storage. The first encryption key is used to establish a mutually authenticated communication channel with the server. A set of additional encryption keys between the device and the server are established via the communication channel. Biometric data generated by the biometric device is encrypted using the additional keys and digitally signed. The server receives the encrypted and signed data via the communication channel and verifies the signature. Once the signature is verified, the biometric data is then decrypted. The server then processes the decrypted biometric data. Data that does not arrive via the communication channel, that fails the verification, or that fails decryption is deleted or disregarded.