Securing Instant Payments: Implementing Fraud Prevention Frameworks with AVS and OTP Validation

Authors

Sirisha Meka
Credit Karma, United States

Keywords:

Scala, TypeScript, GraphQL, BigQuery, Kafka, GCP, Figma, Jira, Fraud Analytics, Security Design, FinTech Risk Systems, Data Validation, Cross-Service Coordination

Synopsis

The rapid growth of instant-payment systems in the FinTech environment brings convenience but also raises the risk of fraud, which calls for effective preventive controls. This paper describes the design, deployment, and evaluation of a fraud-prevention system that uses Address Verification Service (AVS) and One-Time Password (OTP) validation within a large-scale instant-payment infrastructure built on a modern stack of Scala, TypeScript, GraphQL, BigQuery, Kafka, and Google Cloud Platform (GCP), with product design in Figma and project management in Jira. The proposed approach coordinates microservices to screen transactions in real time: an AVS microservice verifies that the billing address matches the cardholder address, an OTP microservice issues and validates SMS/email OTPs, and a fraud-analytics pipeline aggregates transaction metadata (device, geolocation, velocity) in BigQuery for risk scoring; a GraphQL API coordinates these services. In the performance evaluation, the solution achieved a measurable decrease in the instant-transfer loss rate, driven by multilayered validation: card declination rates exceeded 20 percent of transactions, AVS and name-matching validation declines were approximately 10 percent, and BIN-based declines roughly 3 percent. Together these safeguards contributed to an overall revenue increase of about 5 percent while keeping transaction latency within the acceptable SLA range of 180–225 ms. We also break performance down by risk segment; the benefit was greatest for first-time payers and domestic transactions. The results confirm that address verification combined with layered, real-time authentication, built into a scalable cloud-native stack, can significantly raise the level of security in an instant-payment setting without an excessive cost to usability.
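The layered screening the synopsis describes (AVS match, risk score over device/geolocation/velocity signals, OTP challenge for medium-risk transfers, an orchestrating API layer) can be sketched in a single module. The following is an added illustration written for this page, not code from the paper or from Credit Karma; the interfaces, thresholds, score weights, the five-minute OTP lifetime and the three-attempt limit are all assumptions chosen for the example.

```typescript
// Added illustration (not the paper's code): a minimal model of the layered
// screening the synopsis describes. Every name and threshold below is an
// assumption chosen for the example, not a value taken from the paper.
import { createHash, randomInt, timingSafeEqual } from "crypto";

interface Address { line1: string; postalCode: string; country: string; }
interface Txn { id: string; amountCents: number; billing: Address; cardholder: Address; geoCountry: string; }
interface RiskCtx { recentTxnsByDevice: number; firstTimePayer: boolean; cardCountry: string; }
type Decision = "approve" | "challenge" | "decline";

// AVS service (simplified): compare normalised street line, postcode and country,
// so punctuation and case differences do not produce false declines.
const norm = (s: string) => s.toLowerCase().replace(/[^a-z0-9]/g, "");
function avsMatch(a: Address, b: Address): boolean {
  return norm(a.line1) === norm(b.line1) &&
    norm(a.postalCode) === norm(b.postalCode) &&
    norm(a.country) === norm(b.country);
}

// OTP service (simplified): store only a hash of the code, bind it to the
// transaction, enforce a TTL and an attempt limit, and make it single-use.
const OTP_TTL_MS = 5 * 60_000;
const OTP_MAX_ATTEMPTS = 3;
interface OtpRecord { hash: Buffer; expiresAt: number; attempts: number; }
const otpStore = new Map<string, OtpRecord>(); // stand-in for a TTL cache

const hashOtp = (txnId: string, code: string): Buffer =>
  createHash("sha256").update(`${txnId}:${code}`).digest();

function issueOtp(txnId: string, nowMs: number): string {
  const code = String(randomInt(0, 1_000_000)).padStart(6, "0");
  otpStore.set(txnId, { hash: hashOtp(txnId, code), expiresAt: nowMs + OTP_TTL_MS, attempts: 0 });
  return code; // delivered over SMS/email by the channel service, never returned to the API client
}

function verifyOtp(txnId: string, code: string, nowMs: number): boolean {
  const rec = otpStore.get(txnId);
  if (!rec) return false;
  if (nowMs > rec.expiresAt) { otpStore.delete(txnId); return false; }
  rec.attempts += 1;
  const ok = timingSafeEqual(rec.hash, hashOtp(txnId, code)); // both digests are 32 bytes
  if (ok || rec.attempts >= OTP_MAX_ATTEMPTS) otpStore.delete(txnId); // single use / lockout
  return ok;
}

// Fraud-analytics scoring (stand-in for the BigQuery pipeline): additive
// signals for velocity, geolocation mismatch, first-time payer and amount.
function riskScore(t: Txn, ctx: RiskCtx): number {
  let score = 0;
  if (ctx.recentTxnsByDevice > 5) score += 40;        // device velocity
  if (t.geoCountry !== ctx.cardCountry) score += 30;  // geolocation vs. card country
  if (ctx.firstTimePayer) score += 20;                // no payment history
  if (t.amountCents > 50_000) score += 10;            // larger transfers
  return score;
}

// Orchestrator (the role the synopsis assigns to the GraphQL layer):
// AVS first, then risk score; medium risk is routed to an OTP challenge.
function screen(t: Txn, ctx: RiskCtx): Decision {
  if (!avsMatch(t.billing, t.cardholder)) return "decline";
  const score = riskScore(t, ctx);
  if (score >= 70) return "decline";
  if (score >= 30) return "challenge"; // caller then drives issueOtp / verifyOtp
  return "approve";
}
```

Two design points carry over to a production system regardless of the concrete thresholds: the OTP store never holds the plaintext code (only a hash bound to the transaction id, so a leaked cache entry cannot be replayed against another transfer), and verification is single-use with an attempt cap, which is what makes a six-digit code defensible against guessing within its lifetime. In the real pipeline the `RiskCtx` inputs would come from the BigQuery aggregates rather than being passed in by the caller.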


IACSE-IJCT

Published

October 10, 2024