Launch HN: Dyneti (YC W19) – Helping apps stop fraud and process payments faster
We’re Julia and Lena, the founders of Dyneti (https://dyneti.com). Our first product is DyScan, an SDK that helps apps stop fraud and process payments faster by taking a picture of a credit card (https://youtu.be/3gzDECAsqXs).
We met about 3 years ago at Uber, where we worked together to fight fraud on the platform. (Merchants are liable for fraud losses on digital transactions). One thing we noticed is a problem industry-wide is that while there is tons of investment in detection (rules and models and features), barely any work goes into figuring out what to do to someone after tagging them as fraudulent. Most of the reliable actions - the ones that actually stop fraud - are very severe (e.g., account banning). In order to minimize good users impacted, fraud systems are built to detect very specific fraud behaviors. It is therefore easy for fraudsters to reverse engineer models and rules and iterate around them, which means even more investment into detection.
Along those lines, we noticed few companies realize card scanning is a powerful tool to reduce fraud and improve digital transaction security. Stolen credit card fraud is a major contributor to payment fraud losses. Fraudsters attempting to pay with stolen cards rarely have the physical card on hand, but rather, are running through a list of stolen credit card numbers, expiration dates, and cvvs. Having people enter payment information through a card scan will only allow users with a physical card present to go through with payment. It’s extremely rare to have a tool that both improves customer experience and improves security - but an accurate card scanner accomplishes this.
In addition to being a powerful tool for fraud prevention, DyScan also provides a nontrivial conversion boost at checkout by reducing time and effort required to enter payment information (under 5 seconds for DyScan, compared to 21 seconds for manual entry). DyScan is also the only card scanner SDK that works on all credit card formats, including non-embossed numbers, numbers on the back, vertical cards, and Quick-Read format cards (those are the weird ones you may have seen around with a four-digit groups stacked on top of each other). Card.io, which is the card scanner experience you may have seen in other apps, works on only one credit card format (embossed numbers on the front of the card).
Other card scanners aren't great because they were constrained technologically at the time they were built. Due to PCI compliance, credit cards must be scanned on device, and it hasn’t been possible to get a good deep learning model small enough to do this until very recently (due to more neural net processing power on devices and better tooling). The additional benefit of this approach is that it means zero latency, which can make a huge difference in terms of user experience and user friction.
How it works: After an app integrates DyScan into its checkout process, their users can enter payment information by holding a credit card up to a smartphone camera. At the same time, DyScan verifies that the card is real and non-fraudulent. This results in more good transactions while bad transactions are blocked.
We’ve been working hard on DyScan for the past few months and are very excited to share it with the HN community and get your insights on what we’re building.
Thanks for reading!
Julia & Lena
58 comments
[ 4.5 ms ] story [ 125 ms ] threadSo I'd say it's definitely possible to fool even a person let alone an algorithm, as you said it's questionable though if there aren't any easier ways for criminals to use stolen card numbers.
Definitely agree it's possible to make good fake cards, but it makes it difficult enough that fraudsters will usually migrate to a different platform. Since banks are probably the most attractive business to fraudsters, we'd suspect banks would have to make life much more difficult for fraudsters than the average business in order to chase them away.
However, it seems if this practice (scanning card) becomes more widely adopted and becomes a standard process of detecting fraud, it'd become a relatively easy target for fraudsters to crack, right? I don't know if DL or card making technology will outpace fraudsters' will to make fake cards?
Further more, if I'm a fraudster and know some websites that adopt this policy, there is a big incentive for me to get a credit card embossing kit to start making cards, right? After all, I'd think it is far easier to make a copy of a card than making the magnetic strip thing? And given your tech is a strong signal of 'not fraud', if it is relatively easy to beat this system, wouldn't it attract a huge number of fraudsters?
Thinking about this from a individual fraudster perspective. Acquiring a stolen cc is not an easy transaction, there is risk, and cost involved. So I think each fraudster would be trying to maximize the value of each stolen cc they have on hand. When you have a system that doesn't tell the fraudster what is causing the stolen cc to be rejected, the fraudster has nothing but trial&error to improve their chance, maybe instead of public wifi they have to use a private one, maybe instead of a gmail account they have to use a edu account. But in this case, if they know that a embossing kit will significantly improve their chance, wouldn't they spend the money and get that technology?
The bottom line is this technology has to make it more expensive for the fraudster to throw their hands up and say "well i better go try a different place". but I'm not sure if the barrier is high enough here. Furthermore, if you have an 'invisible' barrier, then it is all about trial and error, if you have a 'visible' barrier, I think it is just going to garner more attention and more people trying to solve it?
We used to say that our job wasn't to stop fraud, it was to move the attacks to Paypal instead. I don't have strong product opinions on this either way (personally I find all the card scanning apps to be incredibly annoying, but I think I'm a minority), but I do think it'll be a long time before I'd be worried about self-embossed cards being a meaningful attack vector.
On a side note: It annoys me when I see a page with little info on the homepage, I click "Demo", and I'm presented with a form. Why not at least put your Video on your Demo pages and then use the form for a "Personalized Demo" aka. sales call.
Thanks so much for the feedback! Just put it on my to-dos
I think a big threat would be if Apple opened up their card scanning tech for adding cards to Apple Wallet as an SDK to developers. Personally I've found that experience to be really awesome and they can scan both embossed and non-embossed cards well.
Apple does have great card scanner. Our thoughts on this (would love to hear yours) are they have little incentive to open up the card scanning tech standalone for developers, but even assuming they did, the standalone Apple scanner wouldn't include any fraud prevention features.
Longer term, we plan to leverage data from our customer base to make our fraud prevention features very robust - and we suspect this would be difficult for a competitor to replicate.
What happens to the photos of the cards?
Where is your privacy policy? I took a look at the site and didn't see one. They're required by CA law.
The photos of cards aren't stored anywhere - everything is analyzed on device to ensure privacy and compliance.
Re privacy policy - thanks, gotta put that up!
I guess you could argue that, from the merchant's perspective, they just want to avoid being the easiest target.
The benefit of working on a smaller/less established team is getting the autonomy to build something that's immediately impactful to the company and its customers, while not having to worry too about how to stay alive (fundraising, revenue, resources) - I think that's pretty good training for building a startup.
Picking a team where you'll get expertise in a newer/growing field can be helpful too - think something where you'll only need a few years to become an expert and start adding value. Also be sure to pick something you like, since if you do start a company in that field, you'll likely be spending a big chunk of your life on it.
Since fraud detection is done on-device, is there any clever encryption or security features that stop me from issuing a direct API request to the service with my (or someone else's) credit card info? If not, I'm worried that a technical fraudster could script their way around the ML model (and therefore not need the physical card), especially since cc lists are already nicely formatted. This would hurt pretty badly if the service assumes that DyScan is infallible and then doesn't have mechanisms for detecting fraud post-signup.
Regarding your fraud models, I actually used to work in this area (I'm pretty sure we know a lot of the same folks at Uber!) and I'm curious where you're getting your fraud model data from? Do you have partners you're working with? Until you have enough transaction volume, how will you train your models?
Edit: Actually it is quite trivial to request access to the camera via desktop now:
• The on-device tools are still in their infancy, and so it was actually a lot of work for us just to figure out what configuration of framework would work in a production system. For example, we can't use coreml for our iOS framework since it is only supported on iOS 11+ and many apps still support iOS 9+.
• There's very strict model size and performance constraints that require us to really optimize our model. App binary sizes are often tightly controlled in mobile first companies so we don't have much wiggle room in terms of how large our network can be. On top of that, we want the model to run reliably and quickly on phones from 5 years ago (which are still used today), when the hardware was much worse than it is today.
• Getting the training data for the model isn't easy.
• The model needs to be maintained, so any company that tries to do this would need to have a dedicated team on it. Credit card providers are constantly changing the style of cards they make (for example the new Visa Quickread format), and the framework has to be updated to keep up with this.
I like the on-device privacy with your system. I could have used an ID check / age check thing like this a few times over the years. Some people have been good at taking a photo of their ID and emailing it or posting to a web form, others tried taking the top results on google for fake ID and using a picture of that...
I would not expect a system like this to detect 100%, but it could have easily cut in half the amount of terribly fake IDs that were sent in to us.. which sounds nice.
Might be an option for whichever company to add in a user select-able option to upload / send the pic in for human review (and further net training) as an option if it fails, or fails with a certain percent or something..
can see a lot of use cases for this, glad to see you all working on this.
A company I worked with in the not so distant past got some real nastygrams.
There's a mountain of patents in that space that are near impossible to avoid stepping on.
On the flip side of that thinking, I wonder if that could be used to put all the places out of business that are trying to make the UK's 'you must prove age to see porn or nipples law' work, and if that would invalidate their law or just make it convenient that it could be impossible to implement and therefor just a backdoor to ban porn.
Where that isn’t possible, I prefer to use virtual cards that are created for me by my bank or by a service like privacy.com. They are single-merchant cards, so once they are used, they can’t be used with any other merchant. And I can put spending limits on them, and cancel them at any time.
With respect, I don’t trust your scanning mechanisms, nor do I trust the vendors (your customers) that would be permanently storing my credit card data.
So, what do you do regarding detecting credit card fraud for people using ApplePay or other legitimate virtual card providers?
https://www.tide.co/blog/a-card-designed-around-you
Bonus weirdness for tide cards: Name, credit card number, signature and cvv are all on the back, haha
Some Bank in Spain gives out vertical cards too, someone I know has one.
Most Germans have a girocard, way less hava got a debit/credit card.