Abstract: Systems, methods, and non-transitory computer-readable media for creating labels for training a machine learning model using a limited dataset. A label creation application receives raw data from a storage device. The raw data includes requests associated with user accounts. The application determines an account type of each of the user accounts. The application generates a raw data set based on account types, requests, and user accounts. The application cleans the raw data set using client feedback data. The feedback data is the limited dataset that includes fraud events associated with user accounts identified by a client. The application extracts a request history for a user account from the raw data that is cleaned. The application generates a training profile for the user account based on the request history. The application creates training labels based on the training profile, and the model is trained by processing the created labels.

Abstract: Devices, non-transitory computer-readable media, and systems. In one example, a computing device may include a memory and an electronic processor configured to: receive information of a user of the computing device, perform authentication of the user based on the information of the user, determine a list of behavioral experiments that can be performed by the user based on the authentication of the user and the information of the user, the list of behavioral experiments including one or more behavioral experiments, display the list of behavioral experiments, receive a selection of a behavioral experiment in the list of behavioral experiments from the user, initiate the behavioral experiment based on the selection, and in response to the user completing the behavioral experiment, upload experiment data to a server.

Abstract: Devices, methods, and non-transitory computer-readable media for user authentication with biometric data in conjunction with autofill assistance. In one example, an electronic computing device includes a memory including a user account and an electronic processor communicatively coupled to the memory. The electronic processor is configured to receive a request to access the user account and biometric data associated with the request, determine whether an autofill assistance occurred while the biometric data was captured, responsive to determining that the autofill assistance occurred while the biometric data was captured, identify data associated with the autofill assistance in the biometric data, generate second biometric data by excluding the data associated with the autofill assistance from the biometric data, and perform user authentication based on the second biometric data.

Abstract: Embodiments herein provide a server including a memory and an electronic processor. The server includes a UDID database. The electronic processor is configured to receive an identification request regarding a currently-observed user device having a first set of attributes associated with the currently-observed user device. The first set of attributes includes an IP address of the currently-observed user device. The electronic processor is further configured to generate an IP hardened UDID associated with the currently-observed user device based on the first set of attributes, and store the IP hardened UDID in the UDID database. The generation of the IP hardened UDID compensates for changes in the IP address of the currently-observed user device over a period of time.

Abstract: User identification with blended response from dual-layer identification service. In one embodiment, a server comprising an electronic processor configured to detect an access request by a user of a user interface device, retrieve a plurality of input profile records from an input profile record repository, perform an identification of the user with one or more passive biometrics models and the plurality of input profile records that are retrieved, generate an identification response and an additional identification request based on an outcome of the identification of the user, control the communication interface to transmit the additional identification request to the second server via the network, receive a second identification response from the second server, and generate a blended response by modifying one or more characteristics of the identification response with the second identification response, the blended response indicating the identification of the user.

Abstract: User identification with blended response from dual-layer identification service. In one embodiment, a server comprising an electronic processor configured to detect an access request by a user of a user interface device, retrieve a plurality of input profile records from an input profile record repository, perform an identification of the user with one or more passive biometrics models and the plurality of input profile records that are retrieved, generate an identification response and an additional identification request based on an outcome of the identification of the user, control the communication interface to transmit the additional identification request to the second server via the network, receive a second identification response from the second server, and generate a blended response by modifying one or more characteristics of the identification response with the second identification response, the blended response indicating the identification of the user.

Abstract: A fraud prevention server that includes an electronic processor and a memory. The memory includes an online application origination (OAO) service and a plurality of OAO models, each of the plurality of OAO models differentiates between a behavior of a normal user and a behavior of a nefarious actor during a submission of the online application on a device. When executing the OAO service, the electronic processor is configured to receive form data from a client server, determine a best OAO model from a plurality of OAO models with deep-learning, determine a fraud score of the online application based on the best OAO model, and control the client server to approve, hold, or deny the online application based on the fraud score that is determined.

Abstract: A system for utilizing behavioral features to authenticate a user entering login credentials. The system includes an electronic processor configured to receive a request to access a user account and compare behavioral features included in the request to behavioral features included in a user behavior profile associated with the user account. The electronic processor is also configured to, based on the comparison, generate one or more scores. The electronic processor is further configured to, for each of the one or more scores, compare the score to a predetermined threshold and, based on the comparison of the score to the predetermined threshold, adjust a match value. The electronic processor is also configured to compare the match value to one or more predetermined thresholds to determine whether the behavioral features included in the request to access the user account authenticates the user, does not authenticate the user, or is inconclusive.

Abstract: A system for determining a fraud risk score associated with a transaction. The system includes a server including an electronic processor. The electronic processor is configured to determine a plurality of rules based on a plurality of transactions over time and extract one or more features of the transaction. The electronic processor is also configured to select, based on the plurality of rules, a plurality of fraud risk features Each non-categorical fraud risk feature selected is associated with a fraud risk feature value and each categorical fraud risk feature selected is associated with a categorical variable value. The electronic processor is configured to determine, for each categorical fraud risk feature, a fraud risk feature value. The electronic processor is also configured to determine the fraud risk score based on the one or more of the transformed fraud risk feature values.

Abstract: A fraud prevention server that includes an electronic processor and a memory. The memory includes an online application origination (OAO) service and a plurality of OAO models, each of the plurality of OAO models differentiates between a behavior of a normal user and a behavior of a nefarious actor during a submission of the online application on a device. When executing the OAO service, the electronic processor is configured to receive form data from a client server, determine a best OAO model from a plurality of OAO models with deep-learning, determine a fraud score of the online application based on the best OAO model, and control the client server to approve, hold, or deny the online application based on the fraud score that is determined.

Abstract: A fraud prevention system that includes a client server and a fraud prevention server. The fraud prevention server includes an electronic processor and a memory. The memory including a trust scoring service. When executing the trust scoring service, the electronic processor is configured to receive a trust score request of a device from the client server, generate, with a trust model, a trust score of the device, and responsive to generating the trust score, output the trust score to the client server in satisfaction of the trust score request, wherein the trust score is distinct from a risk factor, the trust score representing a predicted trust level of the device, and the risk factor representing a fraud risk level associated with the device based on one or more device behaviors.

Abstract: Methods and systems for approximating event intervals. One system includes an electronic processor configured to receive time-bucketed data. The time bucketed data includes an event count for a bucket. The electronic processor is also configured to determine a set of event intervals for the bucket based on the time-bucketed data, wherein each event interval included in the set of event intervals evenly distributes one or more events associated with the event count across a bucket time window of the bucket. The electronic processor is also configured to store the set of event intervals as interval data in an interval database.

Abstract: A fraud prevention system that includes a fraud prevention server including an electronic processor and a memory. The memory includes a feature drift hardened online application origination (OAO) service. When executing the feature drift hardened OAO service, the electronic processor is configured to detect, with respect to a first OAO model, feature drift in a dataset of an online application that exceeds a predefined threshold, generate one or more feature drift hardened OAO models that mitigate the feature drift, determine a fraud score of the online application based on the one or more feature drift hardened OAO models that differentiates between a behavior of a normal user and a behavior of a nefarious actor during a submission of the online application on a device and mitigates the feature drift, and control a client server to approve, hold, or deny the online application based on the fraud score.

Abstract: An account recommendation system that includes a server. The server is operable to identify a user account based on a server-side persistent device identification. The server includes a processor and a memory. The server is configured to receive a request including one or more attributes related to a client device, identify the server-side persistent device identification (“PDI”) record for the client device based on the one or more attributes of the client device, identify one or more candidate accounts based on the server-side persistent device identification, determine confidence scores for each of the one or more candidate accounts, generate a recommendation signal for the user account associated with the client device based on the confidence scores, and transmit the recommendation signal to a merchant server.

Abstract: An account recommendation system that includes a server. The server is operable to identify a user account based on a server-side persistent device identification. The server includes a processor and a memory. The server is configured to receive a request including one or more attributes related to a client device, identify the server-side persistent device identification (“PDI”) record for the client device based on the one or more attributes of the client device, identify one or more candidate accounts based on the server-side persistent device identification, determine confidence scores for each of the one or more candidate accounts, generate a recommendation signal for the user account associated with the client device based on the confidence scores, and transmit the recommendation signal to a merchant server.

Abstract: A fraud prevention system that includes a server. The server is operable to receive a first attribute of a client device from the client device and associated with a first transaction, receive a second attribute of the client device from the client device and associated with the first transaction, receive a third attribute related to the client device and associated with the first transaction, and generate a persistent device identification (“PDI”) record including the first attribute, the second attribute, and the third attribute, store the PDI record in a memory, receive the third attribute related to the client device and associated with a second transaction, and identify the client device using the PDI record based on the third attribute without receiving, in association with the second transaction, the first attribute of the client device and the second attribute of the client device.

Abstract: User identification with blended response from dual-layer identification service. In one embodiment, a server comprising an electronic processor configured to detect an access request by a user of a user interface device, retrieve a plurality of input profile records from an input profile record repository, perform an identification of the user with one or more passive biometrics models and the plurality of input profile records that are retrieved, generate an identification response and an additional identification request based on an outcome of the identification of the user, control the communication interface to transmit the additional identification request to the second server via the network, receive a second identification response from the second server, and generate a blended response by modifying one or more characteristics of the identification response with the second identification response, the blended response indicating the identification of the user.

Abstract: User identification with an input profile record (IPR). In one embodiment, a server includes a memory and an electronic processor. The electronic processor is configured to receive a plurality of input profile records (IPRs) associated with a first user, the plurality of IPRs each based on a plurality of user inputs and indicative of identity of the first user, control the memory to store the plurality of IPRs in the input profile record repository, receive a current IPR associated with a second user, determine whether the second user is the first user by comparing a first one or more biometric features based on the plurality of IPRs and a second one or more biometric features based on the current IPR, and responsive to determining that the second user is the first user, output an identity confirmation that the second user is the first user.

Abstract: A payment terminal evaluation device may include a network interface configured to receive data associated with each of a plurality of payment terminals. The data may include a plurality of data fields each having a respective value for a respective transaction processed by one of the plurality of payment terminals. Each payment terminal may be associated with one of a plurality of merchants. The payment terminal evaluation device may further include an electronic processor that may be configured to identify, based on the data, at least one of (i) a merchant of the plurality of merchants as an anomalous merchant and (ii) a payment terminal of the plurality of payment terminals as an anomalous payment terminal. The electronic processor may be further configured to transmit anomaly information to a communication device to cause the communication device to display the anomaly information.

Abstract: Systems, methods, devices, and computer readable media for determining whether a transaction was initiated by a known user. Known users can be identified using a known user identification linear regression algorithm. The known user identification algorithm incorporates a variety of features of an initiated transaction, as well as reputation and historical data associated with an account or user, to produce a prediction value that indicates whether a user is a known user or whether there is a high potential for fraud. If the prediction value that results from the known user identification algorithm is greater than or equal to the threshold value, a fraud rule is triggered (i.e., predicted fraud). If the prediction value that results from the known user identification algorithm is less than the threshold value, the user who initiated the transaction is identified as a known user and the transaction is permitted to proceed (i.e., predicted non-fraud).