Zainul Abi Din and Hari Venugopalan, UC Davis; Jaime Park, Bouncer Technologies; Andy Li, Segment; Weisu Yin, UC Davis; Haohui Mai, Hengmuxing Technologies; Yong Jae Lee, UC Davis; Steven Liu, Bouncer Technologies; Samuel T. King, UC Davis and Bouncer Technologies
Card-not-present credit card fraud costs businesses billions of dollars a year. In this paper, we present Boxer, a mobile SDK and server that enables apps to combat card-not-present fraud by scanning cards and verifying that they are genuine. Boxer analyzes the images from these scans, looking for tell-tale signs of attacks, and introduces a novel abstraction on top of modern security hardware for complementary protection.
Currently, 323 apps have integrated Boxer, and tens of them have deployed it to production, including some large, popular, and international apps, resulting in Boxer scanning over 10 million real cards already. Our evaluation of Boxer from one of these deployments shows ten cases of real attacks that our novel hardware-based abstraction detects. Additionally, from the same deployment, without letting in any fraud, Boxer’s card scanning recovers 89% of the good users whom the app would have blocked. In another evaluation of Boxer, we run our image analysis models against images from real users and show an accuracy of 96% and 100% on the two models that we use.
author = {Zainul Abi Din and Hari Venugopalan and Jaime Park and Andy Li and Weisu Yin and HaoHui Mai and Yong Jae Lee and Steven Liu and Samuel T. King},
title = {Boxer: Preventing fraud by scanning credit cards},
booktitle = {29th USENIX Security Symposium (USENIX Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {1571--1588},
url = {https://www.usenix.org/conference/usenixsecurity20/presentation/din},
publisher = {USENIX Association},
month = aug
}