February 4, 2021
The Internet of Things (IoT) ushered in a world where even the objects around us are connected, with the ability to track everything from our steps to our heart rate to the amount of food we have in our refrigerators. These connected devices produce unthinkable amounts of data that drive more informed decisions about the world around us, saving money, time, and even lives. But the IoT also opened the door to something bigger: a paradigm shift where these devices don’t have to be just passive collectors of data, but objects that can take action independent of humans, from a car paying for its own fuel to a washing machine requesting and paying for maintenance. With secure transactions initiated by machines, you can cut out the human middleman, eliminate opportunities for fraud, and save users and financial institutions time and money.
The challenge to opening up this new world of possibility has been solving the question of trust. How do you issue and authenticate the payment identity of a delivery truck? That’s the problem Car IQ set out to solve, developing a machine-centric payment environment that incorporates security and fraud mitigation into its structure. Our primary focus is the connected vehicle market, which is expected to become the largest IoT market opportunity in the next couple of years.
In this white paper, we introduce our Vehicle Identity and Authentication solution for vehicle payments. By leveraging vehicle telematics data, our solution provides trust in a vehicle’s identity before, during, and after a transaction has been initiated. It’s a system we believe will not only open the door to vehicle payments, but a universe of objects that can be trusted to make transactions without human intervention.
Motivation for Vehicle Payments
A number of trends motivate the need to have a machine or device initiate payment transactions directly with merchants and independent of human intervention:
- Modern machines are increasingly the consumers of goods and services and are capable of providing an audit trail of consumption.
- Smart connected machines have the ability to autonomously detect needs and act on them.
- In the current hyper-expanding era of the IoT, security issues in digital payments systems are increasingly focused on compromising the human in the process.
In the realm of vehicles, all these trends are converging now.
Vehicles with embedded connectivity accounted for 91% of all vehicles sold in the US in 2020, and ABI Research estimates that more than 115 million connected passenger cars will be shipped globally in 2025.
Connected vehicles capture hundreds of onboard sensor readings in real-time (such as fuel/engine performance, atmospheric data, odometer, location, etc.) at rates of multiple times per minute. The expansion of 5G connectivity, autonomous driving capabilities, and V2X technologies will accelerate the volume and rates of data generated by vehicles: A 2019 Gartner report predicts that the automotive industry will be the largest market for 5G IoT by 2023, accounting for 53% of total market opportunity.
With the rapid growth of IoT, digital payments applications are being connected to an increasingly diverse ecosystem of devices. 451 Research forecasts that IoT-enabled transactions (dubbed Internet of Payments (IoP) transactions) will increase at a 125% compound annual growth rate over the next few years, with an expected $7.5 billion in new transactions in the US in 2022.
The expansion of IoP opportunities means consumers must manage payment credentials across a spectrum of applications. Fraudsters are increasingly looking to exploit application users with sophisticated social engineering techniques that establish credibility and create believable situations to obtain credentials or install malware. Findings from Proofpoint make the threat landscape starkly clear:
More than 99% of cyber attacks investigated in 2019 exploited this human factor by targeting individuals rather than systems.
Car IQ has reimagined the payments process by making it possible for vehicles to initiate transactions without human intervention. By using connected vehicle telematics data, we have solved the authentication problem and can provide transparency into a payment transaction that is unique to the machine payment environment. Moreover, removing the human eliminates multiple fraud threats and reduces the risk of chargebacks.
Secure Machine Payment Environment
Car IQ has created a payments platform that allows vehicles to autonomously initiate and validate payments for services by connecting directly to vehicle telematics data.
The transaction process is highly-controlled, contactless, and cloud-based, resulting in a highly secure payment environment:
- Personal data and financial information are never stored in a vehicle or physical device, eliminating multiple opportunities for fraud and resulting in a narrower attack surface.
- Credentials are stored in the cloud, tokenized, and communicated via state-of-the-art encryption standards.
- Vehicle-originated payments are highly restricted in scope by account owner-defined transaction limits and eligibility constraints, like geofencing.
- The vehicle is both the payment instrument and consumer, which lends transparency into a transaction. Vehicle telematics data allows Car IQ to establish post-transaction validation processes that limit opportunities for repeated fraud attacks and eliminate friendly fraud attacks.
- Our machine-centric system mitigates the human factor in security; vehicles can’t be directly exploited by social engineering attacks or suffer from credentials mismanagement.
In this way, security is built into the structure of the payment environment and the risk of disputes and chargebacks from a vehicle-originated transaction are virtually eliminated. By removing the human from the process, Car IQ diminishes opportunities for fraud across multiple fronts, and the machine payment environment serves as the foundation for a secure payments platform where vehicles can be trusted to transact.
In any payments system, it is essential that trust is established between parties. Car IQ has defined a unique Vehicle Identity that elevates vehicles to trusted entities on the platform.
This is what allows vehicles to transact directly for the many billions of dollars of services that they consume each year. The context of these payments also unlocks a new world of enhanced payment experiences for vehicle owners and service providers, opening up opportunities to leverage yet-untapped insights into vehicle purchasing behavior.
Fraud & Risk Management
Car IQ’s primary objective is to ensure that vehicles can be trusted to transact securely. With a machine-centric payment process, Car IQ has incorporated fraud mitigation into the structure of the payment environment. Moreover, we aim to minimize risk with preventative measures that ensure fraud attempts require considerable sophistication for minimal reward, and system-wide anomaly detection methods to catch out-of-pattern user/transaction behaviors.
On our platform, we have identified the main sources of potential fraud:
Cloud-focused and application-focused threats are present in any modern payments system, and are mitigated using state-of-the-art information security, communications security, and cybersecurity methods and protocols. As a PCI-compliant company, Car IQ has demonstrated its commitment to addressing such threats and implementing state-of-the-art mitigation strategies.
Vehicle-focused threats present a new challenge:
How can we trust a vehicle to transact securely? How might an attacker commit fraud in our system?
Being connected to the vehicle and its rich data set provides unparalleled transparency into the vehicle’s purchasing requirements, and allows Car IQ to extract vehicle-specific behavioral patterns that uniquely identify any vehicle. Vehicle connectivity allows Car IQ to leverage data as a foundation for trust in a vehicle’s identity as well as to mitigate multiple fraud attack paths.
We believe a unique vehicle identity must encompass a number of principles:
- Uniqueness: The collection of elements defining a vehicle’s identity must uniquely identify an individual vehicle on the Car IQ platform.
- Redundancy: Including multiple vehicle-specific attributes strengthens an identity against errors or impersonations.
- Context relevance: An identity must include elements that are relevant to the context of use, e.g. real-time vehicle service payment transactions.
- Verifiability: The identity must allow for a secure authentication process.
With these principles in mind, Car IQ has created a unique Vehicle Identity for payment transactions consisting of the following components:
- Machine attributes: a set of static and dynamic data elements that are collectively unique to a vehicle. These include a vehicle’s unique Vehicle Identification Number (VIN), certain subcomponent serial numbers, telematics, and vehicle sensor data.
- Account owner and funding account information: In today’s world, funds remain the exclusive property of individuals or commercial entities. By pairing a vehicle to a funding account, the vehicle transacts on behalf of the human account owner.
- Transaction Eligibility & Constraint Rules: A set of permissions and rules created by the account owner that define the scope of allowable payment behavior for the vehicle. These rules make up a vehicle’s Transaction Profile and include:
  - the set of categories of merchants the vehicle may transact with (e.g., fuel, parking, tolls, repairs, or insurance, but not grocery, apparel, or footwear)
  - limits on transactions (amount, velocity)
  - geolocation restrictions, if applicable
  - when explicit owner approval is required as part of a transaction (e.g., above a certain amount)
A vehicle’s VIN is a globally unique identifier. By incorporating additional static and dynamic data, the VIN establishes both uniqueness and redundancy. Within the context of payments, associating a funding account is an essential requirement, and transaction rules establish the scope for vehicle-originated payments for services. To allow for real-time payments, the identity also includes vehicle telematics data that enables a real-time identity verification process (this will be described in later sections).
Issuing a Vehicle Identity requires collecting and verifying these elements during our onboarding process. An Identity is only issued to a vehicle after its Transaction Profile has been confirmed by the account owner and Car IQ has connected to streaming vehicle data that makes up the Identity.
The account owner and the source of funds that will be used for payment also must be identified and verified. This process is well-established and referred to as Know-Your-Customer (KYC) in the payments world. Performing KYC on the account owner is a critical component of vehicle identity.
Please see a schematic of the Vehicle Identity in the figure below.
Identity authentication is the process of verifying a proof-of-identity assertion made by an entity. Car IQ is in continuous communication with vehicles on its platform, receiving unique static (VIN, subcomponent serial numbers) and dynamic (including fuel/engine performance, TPMS, odometer, location) vehicle data at rates up to multiple times per minute. By including the unique VIN and subcomponent serial numbers, every packet received is an assertion of a vehicle’s unique Identity. Therefore, authenticating a vehicle’s Identity requires verifying and trusting vehicle data.
One common model for authentication of digital identities is the factor model, based on the following three factors of authentication: something the entity knows, something the entity has, and something the entity is. Authentication is established by verifying elements from at least one of these factors.
The first factor of authentication (something the entity knows) is usually established through a password, PIN, or challenge-response question(s). The second factor of authentication (something the entity has) can be employed via embedded tokens, physical objects/devices, or keys. To verify vehicle telematics data, these methods require the addition of secure hardware or encryption software embedded in the vehicle’s architecture and/or operating system, which involves significant investment and coordination between OEMs, chip manufacturers, tier-one ECU suppliers, and others to define standards. These efforts are currently underway, but suffer from long timelines, an uncertain deployment date, and high cost. Nevertheless, we believe that these elements will be an integral part of the future of vehicle authentication, and Car IQ has the flexibility to incorporate these methods into our system when they become available.
The last factor of authentication (something the entity is) is the most intriguing of these factors. The availability of real-time streaming telematics data from connected vehicles presents an opportunity to establish vehicle behavioral models using machine learning methods. This allows for continuous authentication of a vehicle’s Identity by learning vehicle-specific behavioral patterns that can be used to verify vehicle data.
Additionally, our team of vehicle engineers has designed custom algorithms that provide extra layers of security for data integrity. With our team’s expertise in modern automotive electronic architecture, we are able to detect, control, and account for anomalies in the vehicle data we receive.
This data-driven approach is known in the literature as implicit authentication. Every data packet that Car IQ receives represents an assertion of a vehicle’s Identity, requiring evaluation in real-time and without explicit action by a human. Coupling that with the structure of our payment environment ensures that vehicles can be trusted to transact securely for the services they need.
Implicit Continuous Authentication
Car IQ has devised a centralized, cloud-based approach to vehicle behavioral modeling. Our approach begins by defining a vehicle state that incorporates snapshots of the vehicle’s sensor readings at a given moment of time. The state will include various data points such as fuel/engine performance, odometer reading, TPMS pressure, location, etc. In general, more data points lead to a more detailed state, though our approach can work with any number of data points. Car IQ uses an initial collection period of data in enrollment to seed the verified historical data and establish baseline trust.
We then devise a model of allowable state changes over time. A number of factors affect allowable future values of state variables relative to a given historical point. These include:
- Physical limitations: For example, a vehicle that was in Las Vegas one hour ago cannot be in New York now.
- Sensor noise: All sensors exhibit noise. This noise might originate from electrical properties of the sensor or the mechanical and physical properties of the way the measurement is done.
- Measurement correlations: Correlations between specific measurements are expected; for example, fuel level is correlated with odometer values.
- State transition likelihood: Some states are unlikely given prior states. For example, as time moves forward, the odometer should increase monotonically.
Our implicit authentication approach is based on comparing a vehicle’s recent telematics data to its known and verified historical telematics data. During Identity enrollment, Car IQ collects an initial duration of vehicle telematics data to establish a baseline history. Once the baseline is established, the trust level becomes a dynamic quantity, and provides a continuous measure of trust in the vehicle’s data. As a result, Car IQ is continuously evaluating a stream of Identity assertions made by a vehicle.
This method of continuous authentication is in contrast to typical payment approaches to authentication that are event-based and triggered at the time of payment. With continuous authentication, we are constantly evaluating our trust in streaming vehicle data before, during, and after a payment transaction.
Doing so allows us to enforce transaction eligibility constraints (such as geofencing), enable a vehicle to be trusted to initiate a transaction, and validate that a service has been received. Each of these actions relies on verifying a vehicle’s Identity. Continuous authentication also lessens risk for vehicle spoofing attacks, as it is able to detect abrupt changes in state and shortens the window of opportunity for an attacker to take over a vehicle’s data source.
Machine Learning & Authentication
Machine learning provides tools and techniques that can determine complex relationships between sets of data, and has found tremendous success at solving a wide range of problems. As our world continues to move online, the amount of data the world generates is astounding: The World Economic Forum estimates that, by 2025, approximately 460 exabytes of data (1 exabyte = 1 billion GB) will be produced globally every day. In this data-rich environment, machine learning methods will provide real-time, streaming solutions to the problems of the future.
In sectors focused on risk detection and mitigation, such as financial fraud and application security, machine learning enables automated, real-time decision making and provides a more flexible approach than legacy methods. In particular, by leveraging dynamic user/machine data, it is possible to extract unique behavioral signatures that serve as a foundation for implicit authentication systems (e.g. behavioral biometrics).
Car IQ’s continuous authentication process utilizes streaming vehicle data to constantly verify a vehicle’s identity.
The authentication decision is formulated as the following problem: Given recently observed behavior from vehicle A at time T1, and authenticated historical data from vehicle B at time T2, what is the probability that A=B? This probability determines a vehicle authentication score. By comparing the authentication score against a decision threshold, we decide whether to accept or reject vehicle A’s identity assertion.
By analyzing hundreds of millions of data points, including fuel/engine performance, odometer, geolocation, and atmospheric sensor data from tens of thousands of vehicles, Car IQ has determined features that can be used to differentiate between individual vehicles. These features are computed from streaming vehicle data to produce continuous authentication decisions that evaluate the likelihood of individual vehicle behavioral data signatures.
To express a baseline for the performance of our machine learning behavioral model, we consider the following testing framework:
- The raw data set contains vehicle data (including fuel performance, odometer, and location) coming from 90 vehicles located in the San Francisco Bay Area during a one week time period (approximately 350,000 records across all vehicles).
- We mimic vehicle identity theft attacks by uninformed attackers by splicing together vehicle data from different VINs throughout this time period. This method creates a data set comprising data sequences of good state changes — containing data from a single VIN over a time interval — and data sequences of bad state changes — containing data from distinct VINs that have been spliced together.
- From this data set, we transform/engineer the necessary features to obtain a balanced data set containing 55,740 records, where each record corresponds to a good/bad state change.
At the t=0.5 decision threshold, our behavioral models obtain the following results:
This corresponds to the following evaluation metrics:
- Accuracy [(TN+TP)/Total]: 99.9%
- False Positive Rate [FP/(TN+FP)]: 0.0036%
- False Negative Rate [FN/(TP+FN)]: 0.19%
- Positive Predictive Value [TP/(TP+FP)]: 99.996%
- Negative Predictive Value [TN/(TN+FN)]: 99.8%
- The behavioral models demonstrate high resilience to black-box vehicle data attacks. An attacker has roughly a 0.0036% (approximately 1 in 30k) chance of successfully taking over a vehicle’s data with uninformed injections of data. These results are comparable to modern fingerprinting biometric systems.
- Conversely, we have very high confidence — 99.996% — that data that has been verified with our behavioral model is coming from the correct vehicle.
- Our system currently exhibits an error rate of 0.19%, which is mainly due to the challenge of working with unstable and noisy sensor data. With more liberal decision thresholds, the error rate can be lowered. However, this does not adhere to Car IQ’s conservative approach to risk management, and with our new approach to machine-originated payments we want trust in our system’s resilience to fraud attacks to take precedence over errors.
In addition to behavioral models, we have designed custom algorithms to detect and account for sensor noise and data anomalies. These algorithms provide an essential layer of authentication security by analyzing data streams from individual vehicle sensors/accumulators and quantifying our confidence that these sensors are behaving as expected.
The elements we consider include connectivity, fuel level, odometer, and (GPS) location. These parameters are universally available across the majority of telematics platforms.
Our confidence in individual data streams is obtained through basic analyses:
- Is the vehicle acting like a vehicle (i.e., within normal physical limitations)?
- Are the vehicle’s parameter values within an acceptable range of its previous states (e.g., within a set number of standard deviations of the expected value)?
- Is the data frequency similar to what we’ve received before?
Examples of outcomes that would lower confidence include:
- A vehicle has not sent any messages to Car IQ for a predetermined time.
- A vehicle’s location is implausibly far from its previous location (based on known vehicle speed limitations).
- A vehicle’s odometer decreases in time or increases at an implausible rate.
Our confidence is quantified by assigning a confidence score to each data stream. We highlight our approach with a case study of the fuel level data stream.
Case Study: Fuel Level
Fuel sensors are inherently noisy, because of the nature of fluid level measurement in a moving vehicle with frequent acceleration and deceleration. The figure below shows the distribution of the change in successive fuel level measurements transmitted from a cohort of thousands of passenger vehicles. Noting that a typical passenger vehicle has a gas tank of 40-80 liters, these variations represent changes of as much as +/- 25% of a fuel tank from one measurement to another, though most of the time they fall within a more reasonable range of +/- 10%.
Further, fuel is constantly being consumed by the vehicle, and therefore in principle should represent a monotonically decreasing time series, the only exception being during fueling events. These two facts can be combined with the estimate of fuel sensor noise to detect anomalous behavior in fuel level.
Consider the plot below of fuel level for a vehicle over a 30-minute period with readings approximately every 10 seconds.
The figure shows the large noise in the measurements, but also the overall downward trend. A closer examination of each of the five-minute individual segments shows that in the period from 20 to 25 minutes, the measurements are biased so that the trend for the period appears upward, which is an anomalous pattern. Consistent anomalous patterns such as this lower our confidence that the fuel level sensor is transmitting appropriate measurements for this vehicle. We quantify our confidence in fuel level data with a 0-100 score, where high scores correspond to high confidence. With typical fuel level sensor readings, the confidence score will be between 90 and 100, and the confidence score is decremented whenever significant noise is detected (anomalous patterns result in severe drops in confidence score). Moreover, we have incorporated a reinforcement control, so that the confidence score can incrementally regenerate back to 100 when we receive expected sensor measurements.
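The per-stream plausibility checks listed above (connectivity, location, odometer) and the fuel-level confidence score from this case study, worked through in an added Python example. This is illustrative code written for this page, not Car IQ's implementation; the speed limit, silence timeout, penalty and regeneration values, and the constructed 30-minute trace (slow decline, one noise spike at minute 10, a biased upward trend from minute 20 to 25) are all assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Added illustration, not Car IQ's code; every limit and penalty below is assumed.
MAX_SPEED_KMH = 250.0  # assumed physical limit for a passenger vehicle
MAX_SILENCE_S = 600.0  # assumed "predetermined time" without messages
FUEL_NOISE_PCT = 10.0  # paper: most successive fuel changes fall within +/-10%
SEGMENT_S = 300.0      # five-minute segments, as in the case study

@dataclass
class Reading:
    t: float           # seconds since start of the trace (constructed)
    lat: float
    lon: float
    odometer_km: float
    fuel_pct: float

def haversine_km(a, b):
    """Great-circle distance in km between two readings."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def location_plausible(prev, cur):
    """Implied speed between two fixes must stay within vehicle limits."""
    dt_h = (cur.t - prev.t) / 3600.0
    return dt_h > 0 and haversine_km(prev, cur) / dt_h <= MAX_SPEED_KMH

def odometer_plausible(prev, cur):
    """Odometer never decreases and never advances faster than the vehicle can move."""
    dt_h = (cur.t - prev.t) / 3600.0
    return dt_h > 0 and 0 <= cur.odometer_km - prev.odometer_km <= MAX_SPEED_KMH * dt_h

def connectivity_ok(prev, cur):
    """Gap between consecutive messages must not exceed the silence limit."""
    return 0 < cur.t - prev.t <= MAX_SILENCE_S

def slope(points):
    """Least-squares slope of fuel level against time (percent per second)."""
    mt = sum(p.t for p in points) / len(points)
    mf = sum(p.fuel_pct for p in points) / len(points)
    den = sum((p.t - mt) ** 2 for p in points)
    return sum((p.t - mt) * (p.fuel_pct - mf) for p in points) / den if den else 0.0

class FuelConfidence:
    """0-100 confidence in the fuel stream: noise decrements it, an upward five-minute
    trend while moving is a severe drop, expected readings regenerate it toward 100."""
    NOISE_PENALTY, ANOMALY_PENALTY, REGEN = 5.0, 30.0, 0.5  # assumed values

    def __init__(self):
        self.score, self.prev, self.segment = 100.0, None, []

    def _close_segment(self):
        moved = self.segment[-1].odometer_km > self.segment[0].odometer_km
        if moved and slope(self.segment) > 0:  # a refuel happens while parked
            self.score -= self.ANOMALY_PENALTY
        self.segment = []

    def update(self, r):
        if self.segment and self.segment[0].t // SEGMENT_S != r.t // SEGMENT_S:
            self._close_segment()
        if self.prev is not None:
            if abs(r.fuel_pct - self.prev.fuel_pct) > FUEL_NOISE_PCT:
                self.score -= self.NOISE_PENALTY
            else:
                self.score = min(100.0, self.score + self.REGEN)
        self.score = max(0.0, self.score)
        self.segment.append(r)
        self.prev = r
        return self.score

def constructed_trace():
    """30 min at one reading per 10 s: slow decline with +/-1.5 % jitter, one noise
    spike at minute 10, and a biased upward trend between minutes 20 and 25."""
    out = []
    for i in range(180):
        fuel = 60.0 - 0.003 * i + (1.5 if i % 2 == 0 else -1.5)
        if i == 60:
            fuel += 15.0
        if 120 <= i < 150:
            fuel += 0.04 * (i - 120)
        out.append(Reading(10.0 * i, 37.77 + 9e-4 * i, -122.42, 0.1 * i, fuel))
    return out

def run_fuel_case_study():
    fc = FuelConfidence()
    return [fc.update(r) for r in constructed_trace()]
```

On the constructed trace the score dips to 90 at the spike, regenerates to 100, then drops to 70 when the biased 20-25 minute segment closes and recovers to 85 by the end of the half hour.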
In the next section, we outline how both the vehicle authentication score and the integrity of individual data channels combine to determine our continuous authentication decision: Is the vehicle who it claims to be?
The outcome of the authentication process is a decision over a vehicle’s proof-of-identity assertion and whether we can trust it to transact. At the time of transaction, this decision determines whether to initiate the payment authorization process.
Vehicle data plays an essential role before, during, and after the initiation of a transaction. Our authentication process produces continuous authentication decisions that are based on an evaluation of trust in vehicle-specific behavioral patterns and the integrity of individual data channels. We categorize our measure of overall trust in vehicle data and the corresponding authentication decision according to the following three-tiered schema:
- RED: Identity not trusted
  - Decision: Vehicle Identity is not authenticated. Additional intervention from authenticated, external human source(s) is required.
- YELLOW: Mild irregular event(s) or pattern(s) detected
  - Decision: Vehicle Identity is authenticated and put on notice. Repeated YELLOW states over a short time window will trigger RED status.
- GREEN: Identity trusted
  - Decision: Vehicle Identity is authenticated.
The vehicle trust level is determined by combining the vehicle authentication score and individual sensor confidence scores as follows:
- RED/YELLOW/GREEN thresholds have been established for each component score.
- If any single score is RED, the overall trust level is RED.
- If any single score is YELLOW, the overall trust level is YELLOW. (Note: depending on the context, multiple YELLOW scores may trigger an overall trust level of RED.)
- The overall trust level is GREEN only if each individual score is GREEN.
Whenever a vehicle’s identity is not authenticated, the vehicle is unable to initiate a transaction independent of human interaction and its payment status is suspended. The reactivation of a vehicle’s payment status can only begin with an authenticated human, and initiates the continuous authentication process anew.
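The three-tier combination rule, the repeated-YELLOW escalation, and the suspension until a human reactivates the vehicle, as an added Python example. It is illustrative code for this page, not Car IQ's; the score bands for the authentication score and the 0-100 sensor scores, the 15-minute window, the repeat count, and the rule that two simultaneous YELLOW scores count as RED are assumptions.

```python
from collections import deque
from enum import IntEnum

# Added illustration of the RED/YELLOW/GREEN combination, not Car IQ's code.
# All bands, the window length and the repeat counts are assumptions.
AUTH_BANDS = (0.5, 0.9)      # assumed: auth score < 0.5 RED, < 0.9 YELLOW, else GREEN
SENSOR_BANDS = (50.0, 90.0)  # assumed bands for 0-100 sensor confidence scores
YELLOW_WINDOW_S = 900.0      # assumed "short time window"
YELLOW_REPEATS = 3           # assumed YELLOW evaluations in the window that escalate
MULTI_YELLOW_RED = 2         # assumed: this many simultaneous YELLOW scores is RED

class Trust(IntEnum):
    RED = 0
    YELLOW = 1
    GREEN = 2

def band(value, bands):
    """Map a component score onto its colour using (red_below, yellow_below)."""
    lo, hi = bands
    return Trust.RED if value < lo else Trust.YELLOW if value < hi else Trust.GREEN

def combine(auth_score, sensor_scores):
    """Overall trust level from the authentication score and per-sensor scores."""
    components = {"auth": band(auth_score, AUTH_BANDS)}
    components.update({k: band(v, SENSOR_BANDS) for k, v in sensor_scores.items()})
    colours = list(components.values())
    if Trust.RED in colours or colours.count(Trust.YELLOW) >= MULTI_YELLOW_RED:
        overall = Trust.RED        # any RED, or too many YELLOWs at once
    elif Trust.YELLOW in colours:
        overall = Trust.YELLOW     # a single YELLOW puts the vehicle on notice
    else:
        overall = Trust.GREEN      # GREEN only when every component is GREEN
    return overall, components

class VehicleTrust:
    """Tracks one vehicle across evaluations: repeated YELLOW states within the
    window escalate to RED, and RED suspends payments until a human reactivates."""

    def __init__(self):
        self.yellow_times = deque()
        self.suspended = False

    def evaluate(self, t, auth_score, sensor_scores):
        if self.suspended:          # no automatic recovery from RED
            return Trust.RED
        overall, _ = combine(auth_score, sensor_scores)
        if overall is Trust.YELLOW:
            self.yellow_times.append(t)
            while self.yellow_times and t - self.yellow_times[0] > YELLOW_WINDOW_S:
                self.yellow_times.popleft()
            if len(self.yellow_times) >= YELLOW_REPEATS:
                overall = Trust.RED
        if overall is Trust.RED:
            self.suspended = True
            self.yellow_times.clear()
        return overall

    def can_initiate_payment(self):
        return not self.suspended

    def reactivate(self, human_authenticated):
        """Only an authenticated human restarts continuous authentication."""
        if human_authenticated:
            self.suspended = False
            self.yellow_times.clear()
        return not self.suspended
```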
Car IQ uses vehicle telematics data and machine learning methods to verify a vehicle’s Identity without the need for explicit human action. By removing the human from the transaction, we have eliminated multiple opportunities for fraud, and provide the framework for secure, vehicle-originated payments. With this implicit authentication approach, we can trust the vehicle before, during, and after the transaction, and use its data to enforce payment rules and validate that service has been received.
Though this system is predicated on cars and their data, we believe it opens the door to securing payments for all kinds of machines. With this puzzle solved, we can move on to the universe of connected devices, cutting down on fraud opportunities across sectors and appliances, saving both consumers and financial institutions time, money, and hassle. Car IQ’s Vehicle Identity and Authentication solution is just the first step in creating a world where machines can be trusted to transact.