Callsign & Industry Terminology Explained


  • A/B Testing

    A/B testing is the practice of showing two variants of a web page/application to different segments of users at the same time so insight can be gained to their effectiveness. At Callsign, this specifically refers to the Callsign Decisioning Module where two active policies are run concurrently but with different logic, for a specified user population or event.

  • Account Borrowing

    It’s not just fraudsters businesses need to be aware of. Account borrowing – or second person fraud – is an equal risk. Examples include users allowing third parties the use of their accounts or using accounts in unauthorized locations – breaking copyright laws or compromising the security of accounts in the process.

  • Account Takeover

    The straightforward takeover of accounts. Often done through fraudsters using social engineering tactics to gain the data they need to mimic a user’s identity and infiltrate accounts. Fraudsters will then use the user information they have collected for financial gain.

  • Activation Code

    An activation code (or OPT) is a temporary possession-based event driven authenticator that requires the user to enter a code provided by the organization to authenticate a transaction.

  • API

    Application Programming Interface - A set of clearly defined methods of communication among various components.

  • App Passcode

    App Passcode is a local authenticator mechanism that acts like a soft token in place of hardware tokens. A user can generate a passcode for authentication purposes.

  • Authentication Mechanism

    Logical representation of a mechanism a subscriber can use to perform an authentication. Examples: pin, swipe, touch id (fingerprint), OTP or tokens.

  • Authenticator Management

    Authenticator management is available via the Callsign portal and enables organizations to register authenticators, configure their properties for use and apply them to users.

  • Authentication Policy

    To configure a mechanism's specific parameters. Ex: pin with length of 4 numbers, OPT max challenges of 5.


  • Binding

    Performing an association between objects e.g. associating a user and a device.

  • Biometrics (including behavioral)

    Biometrics is the technical term for body measurements and calculations. It refers to metrics related to human characteristics. Biometrics authentication is used in computer science as a form of identification and access control. Examples include fingerprint, voice recognition, swipe, keystroke and facial authenticators.

  • Bot Detection

    Bot traffic detection is the act - either through DIY methods, tools or proactive solution providers - of classifying and labelling an automated bot that either is on or is trying to reach a website or application.


  • Call Challenge

    Call Challenge is an authenticator that enables users to receive an automated call as part of an authentication event.

  • Champion / Challenger

    Champion / Challenger testing involves the evaluation of a model and compares it to one or more challengers. After the system compares the results, the best model can be promoted to be the champion. Callsign currently supports this testing on policies as part of the policy evaluation toolkit.

  • Continuous Authentication

    Continuous authentication is where the user is continuously being assessed, in a passive manner, to confirm they are who they say they are. This is used to compare against the user’s previous habits, to form a highly reliable risk assessment of ID or fraudulent activity.

  • CPU Fingerprinting

    CPU fingerprinting combines certain unique attributes of a device CPU to contribute to the identification of a recognized device.

  • Credential Input Analysis

    Credential input analysis examines the behaviors and patterns of users entering credentials into website forms.


  • Decisioning Module

    The Callsign Decisioning Module enables organizations to create their own authentication policies that can be applied to multiple use cases, for instance workforce or consumer authentication and identification. Policies are composed of rulesets that are triggered when certain criteria are met.

  • Device Anomaly Detection

    Device anomaly detection detects signs of malicious activity or risk to the mobile app session, for instance; root, jailbroken, tampering, hooking and emulation.

  • Device Fingerprinting

    Device fingerprinting combines extensive and numerous device attributes that rarely, if ever, change – these include what operating system the device is on, the type and version of web browser being used, the browser's language setting, MAC address and system fonts - to identify it as a unique device.

  • Dynamic Linking

    Dynamic linking (a PSD2 requirement for Strong Customer Authentication), requires that an authentication code for each transaction must be unique (i.e. it can only be used once), is specific to the transaction amount and recipient, and that both amount and recipient are made clear to the payer when authenticating.


  • Feedback Service

    The feedback service is a mechanism to classify transactions as either legitimate or fraudulent and feed this information back to the Callsign Intelligence Engine so models can be optimized.

  • Fraud: First-party

    First-party fraud (aka friendly fraud) is where the legitimate end-user performs the fraud themselves e.g. refutes an online purchase they have made to get a chargeback refund, or bypasses controls e.g. to access domestic only services whilst travelling abroad, mis-stating their true age or income levels etc..

  • Fraud: Second-party

    It’s not just fraudsters businesses need to be aware of. Account borrowing – or second person fraud – is an equal risk. Examples include users allowing another person the use of their accounts e.g. a family member or fellow employee – breaking copyright laws or compromising the security of accounts in the process. Inherence-based authentication (e.g. behavioural biometrics) is a good way to address this issue as the credentials cannot be shared.

  • Fraud: Third-party

    The more classic type of fraud where a fraudster compromises your credentials and/or steals your identity.


  • GDPR

    The mutually agreed General Data Protection Regulation (GDPR) came into force on May 25, 2018 for Europe and was designed to modernize laws that protect the personal information of individuals.

  • GPU Fingerprinting

    GPU fingerprinting is a way to combine certain attributes of a device GPU - like manufacturer, model and memory - to contribute to the identification of a recognized device.


  • Hard Tokens

    A HOTP hard token is a possession-based authenticator that generates a single-use OTP which is usually entered onto a web channel to complete an authentication event. HOTP OTPs can be derived from entered information such as a challenge or transaction data. A TOTP hard token is a possession-based authenticator that generate codes that are valid only for a certain amount of time, after which a new code must be generated.


  • ISO 27001

    ISO 27001 was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS). The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action and requires cooperation among all sections of an organization. Callsign are ISO 27001 certified.


  • Journey Mapping

    Journey mapping within the Callsign Decisioning Module enables bespoke authentication pathways and user journey’s to be created, including any required step-up’s where necessary. The designer utilizes a ‘drag and drop’ user interface so workflows can be quickly created and visualized by business stakeholders.


  • Keystroke Dynamics

    Keystroke dynamics or typing dynamics refers to the automated method of identifying or confirming the identity of an individual based on the manner and the rhythm of typing on a keyboard. Keystroke dynamics is a behavioral biometric and falls under the inherence factor (something you do) of SCA.


  • List Management

    The Callsign Decisioning Module enables organizations to create/import their own list datasets which can be referenced as part of an authentication ruleset or policy. Examples include a whitelist of “VIPs” based on a data type defined by the client, or a blacklist of “fraudulent devices”, defined by a metric of their choosing.

  • Location Based Authentication

    Providing that the user has consented and, staying true to our privacy principles - using obfuscated data, we confirm if the user’s location at the point of request aligns with their typical behavior. Find out more.


  • Mobile SDK

    The Callsign mobile SDK delivers all the features of the Callsign mobile platform to compatible Android or iOS smartphone applications, enabling a secure and seamless user experience. All of the technical sophistication of the platform is embedded in the SDK, which has been designed as an easy-to-use developer interface.

  • Mobile Swipe Authentication

    Mobile swipe is an authenticator unique to Callsign requiring the user to swipe their phone to authenticate a transaction. In the background Callsign collects behavioral data to verify the user is who they say they are. Callsign’s swipe authentication can be classed as both an inherence (something you do) and possession (something you have) based SCA factor. The possession element comes from the strong – cryptographically secured –relationship Callsign establishes between the mobile device and the Callsign platform.

  • Mouse Dynamics

    Like keystroke dynamics, mouse dynamics measures and assesses a user's mouse-behavior characteristics for use as a biometric. Mouse dynamics is a behavioral biometric and falls under the inherence factor (something you do) of SCA.


  • Name & Address Check (ATP) - Mobile Network Operator (MNO) Intelligence

    Name & address check is a non-invasive check performed Callsign during a transaction as part of account takeover protection (ATP). The process checks whether a user’s telephone number differs to the one the client has on record, in order to determine whether the customer has been socially engineered. This forms part of our telecoms intelligence capabilities.

  • Number Insight - Mobile Network Operator (MNO) Intelligence

    MNO intelligence (or telecoms intelligence) leverages comprehensive MNO data feeds which can be evaluated to detect social engineer fraud in real-time. Helping to reduce false positives for SIM swap and call divert, number porting attack detection, sim-splitting, change of telephone number attacks and identification of known fraudulent numbers and devices.


  • One Time Passcode (OTP)

    A one-time passcode (OTP) is a temporary possession-based authentication factor (based on possession of the device or medium upon which it is received or generated) that requires the user to enter a code provided by the organization to authenticate a transaction.


  • Page Malware Detection

    Page fingerprinting is a web SDK only model, designed to detect potentially malicious web page modification and mutation.

  • Passive Authentication

    Passive authentication, or identification, is the collection of information in the background to verify identity. We use thousands of available data points, such as a user’s location, device, typing cadence, mouse movement or swipe to verify a user’s identity.

  • Policy Performance Analytics

    Policy performance analytics provides organizations with the ability to query their policy, ruleset, authenticator and decision performance and utilization.

  • Policy Simulation

    Policy simulation, also referred to as time machine is part of our policy evaluation toolkit. It allows organizations to test their policies using previously seen (historical) data from an offline environment. Simulation enables organizations to understand how their policies might perform in production, or how they could address situations differently.

  • PSD2 (Revised Payment Services Directive)

    PSD2 (Revised Payment Services Directive) requires banks to share raw account data with third-party providers, based on customer permissions, and open up APIs allowing those third parties to initiate payment transactions on behalf of the customer. PSD2 also includes the Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA).


  • Remote Access Trojan (RAT) Detection

    During a transaction we detect for Remote Access Trojans (RAT) - a form of malware that enables unauthorized access to a someone’s device.

  • Replay Attack Detection

    During a transaction we detect whether a replay attack is taking place. Replay attacks are a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or replayed.


  • SIM Swap Detection

    SIM swap fraud involves a fraudster obtaining an individual’s banking details through phishing/vishing techniques or by purchasing these from organized crime networks. With this and other information, they then dupe a mobile network operator into cancelling and reactivating the victim's mobile number to a SIM in their possession. As a result, calls and texts to the victim’s number are routed to the fraudster’s phone, including OTPs for banking transactions which can then be used to transfer funds from the victim’s bank account. Find out more about SIM swap here.

  • Singe-factor Authentication

    Security process of authenticating a user using one type of authentication mechanism to access restricted resources. Typically, single factor authentication will rely on a knowledge factor (e.g. username password).

  • SS7 Network

    SS7 is an international telecommunications standard used by MNOs to exchange information when passing calls and text messages between each other, such as when you are roaming. By accessing SS7, fraudsters are able to compromise the messages being sent between networks, meaning they can get these messages and calls sent to a SIM of their choice by setting up a misdirection of the legitimate customer’s SMS or outbound verification call. Find out more about SS7 here.

  • Stateful Policies

    Stateful policies enable previous information about a customer to be remembered – for instance, what authentication they have performed in the last 30 days, the last time they had a high-risk intelligence score etc..

  • Strong Customer Authentication

    As part of its efforts to reduce online payment fraud, the PSD2 requires a strong authentication process whenever a payment is initiated or remote account access is requested, which is what’s known in the directive as SCA. This method of authentication must include two independent and dynamic factors from the following:

    • Something you own
    • Something you know
    • Something about you


  • Telecoms Fraud

    Mobile phones, in particular, are a breeding ground for account takeover. By requesting a SIM swap or call divert, fraudsters can pose as the account holder and authenticate via mobile phone – whether that’s with a one-time password or by receiving a security call.

  • Temporary Access Code

    A temporary access code (TAC) is a single use knowledge-based authenticator that distributed to a user via an operator.

  • Third-party Risk System Integration

    Third-party risk system integration enables organizations to create rules within the policy manager that can incorporate third-party risk systems in addition to, or in replacement of, the Callsign Intelligence Engine.

  • Touch Dynamics

    Behavioral PIN is a form of typing dynamics and refers to the automated method of confirming the identity of an individual based on the manner and rhythm of a PIN entry on a mobile device. Behavioral PIN authentication can be classed as both an inherence (something you do) and knowledge (something you know) based SCA factor.

  • Two-factor Authentication

    Security process of authenticating a user using two or more elements of SCA to access restricted resources.


  • Username & Password

    Username and password is a knowledge-based authenticator that requires the user to enter a both a username and password into the application to authenticate.


  • VPN, Proxy & TOR Detection

    Anonymization networks have been a common occurrence for illegitimate manned or unmanned (bot) traffic. Callsign can identify VPNs, Proxy and/or TOR based IPs and report on these.


  • Web SDK

    The Callsign Web SDK provides the capability to profile a web session; collecting data dependent for server-side machine learning. This data is useful to statistically analyze identity and device / location data, or quantify risk.