Incognia’s Location Technology

Incognia started developing its location technology in 2011 and published a study in 2014 about locating indoor users. At the time, the main challenge with the indoor location was that GPS signals were blocked by physical barriers like concrete, significantly reducing accuracy. To improve the accuracy and enable indoor location, the Incognia team used a combination of radio signals, including wifi, Bluetooth and other mobile phone sensor data, such as gyroscopes and accelerometers.

The founders of Incogia, led by Andre Ferraz and Alan Gomes,  participated in a Microsoft-sponsored indoor location competition and were recognized for the most accurate indoor location technology, achieving a distance error of fewer than 2.81 meters.

For the past decade, Incognia has been working to adapt its location technology to the identity market. In 2022, Incognia’s engineering team published a paper entitled “Using Location as a Signal to Affirm Identity Online,” showing that Incognia’s technology, leveraging mobile phone sensors and GPS signals, can identify an individual with an accuracy rate of 1 out of 17 million using five Spatio-temporal points. The accuracy demonstrated by Incognia’s technology is much higher than the False Acceptance Rate (FAR) of commercial biometric technologies, such as Apple Face ID,  which has self-reported a FAR of 1 in 1 million users. By these figures, Incognia’s technology delivers a 17x improvement over the top mobile facial recognition technology, leading to improved business outcomes like higher fraud prevention.

Incognia location technology is so precise that it identifies specific signal environments that devices connect from.

Each micro-location has a unique signature of GPS coordinates and available Wi-Fi, Bluetooth, and cellular network signals. Incognia maps and correlates these signatures to create unique environments and uses this information to identify a device's location with high precision and accuracy, even indoors.

Let’s run through the main technologies used for location verification today. 

1. Global Positioning System (GPS)

GPS is the most widely used geolocation technology on mobile devices. GPS-based geolocation uses communication satellites that orbit the Earth and continuously broadcast their status, exact location, and precise time. A GPS device that receives these signals can determine its GPS location. The accuracy of the GPS location is typically between 33 to 330 feet and is impacted by several factors, including atmospheric conditions, signal blockage, and receiver design and quality. Most GPS sensors can be manipulated to change the apparent location of a device using a range of GPS spoofing apps, VPNs, Proxies, and emulators.

2. Wi-Fi location positioning

Wi-Fi positioning, known as WPS or WiPS, uses Wi-FI hotspots and wireless access points to geolocate a device. It is used most commonly to measure the receiving signal strength - known as the Received Signal Strength Indicator (RSSI) from several Wi-Fi hotspots or access points. Wi-Fi positioning systems are particularly useful for indoor locating, as GPS does not perform well inside.

3. Cellular location positioning

Cellular networks are enabled by a network of cell towers that transmit the radio waves used for mobile communication. Similar to how satellite signal broadcasts locate a device, cell tower signals can also be used for geolocation. That said, this method is not as accurate as GPS and typically is only accurate within a radius of just under a mile.

4. Bluetooth location positioning

Bluetooth is a wireless technology that communicates across short distances by sending short-wavelength radio waves between devices. The most recent version, Bluetooth Low Energy (BLE), is built into many smartphones. Smartphones can determine their location by picking up signals from BLE beacons enabling an indoor positioning system. With an accuracy of between 1 and 2 meters, Bluetooth connects many portable smart devices, such as headphones, speakers, and fitness trackers, to a smartphone.

To use location as an identity signal, the underlying technology needs to encompass four main characteristics — accuracy, precision, efficiency, and privacy.

The accuracy and precision of location data are the details that distinguish our behavioral patterns from those of our neighbors and legitimate users from fraudsters. Accuracy, or the ability to determine the true location of a device, and precision, meaning the consistency of the location data collected, are critical to ensuring that the data is credible and distinguishable.

The efficiency of data collection is also essential to ensure that location data can be continuously updated. A location fingerprint needs to be updated in real time so it comprises enough detail to be used as a unique identifier. Knowing when and where to collect data makes this level of detail possible without depleting a smartphone's battery and impacting the user experience.

The final and most critical step of using location behavior for identity is ensuring user privacy. Cryptographic techniques and systems like differential privacy make it possible to de-identify location data so that it cannot be linked to the real-world identity of any individual.

Of all the recognition signals, precise location is incredibly effective for fraud prevention. Today, mobile devices are an extension of us - we carry our phones everywhere. Additionally, every person’s location behavior is unique and, therefore, can be used to create a unique pattern of their behavior. The ability of location data to uniquely identify 99.9999% of individuals makes it a more reliable signal than even facial recognition.

Using a location behavior signal as part of risk-based authentication on mobile offers the opportunity to provide an initial low-friction authentication option to legitimate users and only invoke higher security, higher friction, and authentication methods for high-risk logins or sensitive transactions.

In analyzing location data from devices on the Incognia network:

• 85% of mobile bank account openings happen from the user's home address
• 93% of e-commerce transactions contain an address (bill to or ship to) that the user frequently visits
• 90% of the logins and 95% of the sensitive transactions at financial services Apps happen from a trusted location (home, work, or other highly frequented location)
• 88% of e-commerce transactions happen from a trusted location

Incognia also uses advanced technology to create a unique “device fingerprint” for each device, allowing it to be quickly and easily recognized during future visits. Device fingerprinting is a way to combine select software and hardware attributes of a device — like the brand, model, screen resolution, memory size, operating system version, etc…  — to identify it as a unique device. This first level of protection lays the groundwork for establishing trusted locations and helps protect the onboarding process against threats like fake account creation.

Incognia has developed proprietary algorithms that establish a pattern of location behavior for each user based on three criteria:

• Location Fingerprint: the location behavior pattern of the device

• Trusted Location: highly frequented locations specific to each user

• Device behavior: using the device fingerprint, Incognia checks if the same device has been accessing multiple accounts if multiple devices are accessing the same account and the number of the app re-installations on the device

When Incognia detects that a user is at one of their trusted locations, there is a high probability that the transaction is legitimate and at lower risk for fraud, enabling the app to offer a frictionless authentication experience.

Incognia requires at least three logins to create an initial location fingerprint for a user.  Subsequent log-ins allow us to refine and customize this set for increased protection.

This process is equivalent to the “enrollment stage” in other authentication systems. Enrollment is the process of collecting data samples from a person and subsequently storing the data in a reference template representing a user's identity to be used for later comparison.

In 2022, Incognia’s engineering team published a paper entitled “Using Location as a Signal to Affirm Identity Online,” demonstrating that Incognia’s technology can identify an individual with an accuracy rate of 1 out of 17 million using five spatiotemporal points.

The time required to establish the set of “trusted locations” and start the “Advanced” Protection depends on the app usage model:

• For a gaming app or crypto app accessed several times daily, the trusted locations set is established within a few hours.
• For a food delivery app accessed once a day to order food, the trusted location set is established within a few days.
• For a financial services app accessed a couple of times a week to check balances and pay bills, it may take up to two weeks.

Users move around, and our technology understands that. Incognia keeps the set of the user’s trusted locations secure and up-to-date. Even if the user travels, we continually monitor location changes to ensure that our algorithms adjust accordingly - running basic jobs daily and more comprehensive ones weekly for maximum security.

Suspicious Locations is used to flag the risk level of in-app events occuring from specific locations. This enables apps to associate suspicious devices and accounts by location and automatically block sessions that originate from there. Solutions with lower location precision, like those based exclusively on GPS or IP,  would generate too many false positives, negatively impacting the experience for legitimate users.

Suspicious Locations is used to prevent fraud by detecting and flagging the location of fraud farms (or device farms) used in organized fraud operations. This technique also allows companies to keep a Location Watchlists so that it can block  bad actors immediately based on their location. 

Incognia Suspicious Locations delivers a new layer of fraud intelligence by analyzing location data in real-time, enabling companies to make an automatic risk decision. It is available as an add-on to any existing Incognia solution, including Incognia Address Verification, Passwordless Authentication, and Location Spoofing Detection. 

The feature alerts fraud and risk teams when:

• clusters of high-risk devices are concentrated in a micro-location, like a small apartment or room
• a device connects from a location that has been previously associated with confirmed fraudulent activity

Fraud and risk teams can use this feature to detect systematic fake account creation and organized account takeover attempts. Once the Incognia risk assessment is received, the flexible signal can be used to trigger a user being added to a watchlist, submitted to step up security measures, or blocked outright.

By leveraging the new Suspicious Locations feature, customers can identify apartment-level locations with a high risk of fraud. This feature allows teams to rely not only on location technology but on true location intelligence as well.

Incognia differs from other location technologies due to our experience working with hundreds of mobile apps around the globe, of all sizes and categories.

Working with these apps allowed us to develop a strong network effect, with Incognia now deployed in over 200 million devices, that allows us to deliver highly accurate risk assessments without requiring a lengthy period to train models or develop rules.

Location identity technology is based on location behavior, which can start protecting against unauthorized access right away based on the establishment of relationships between:

• User Account: the online account that the user accesses

• User Device: the mobile phone used to access the account

• Device Location: the mobile phone’s current location

• Device behavior: using the device fingerprint, Incognia checks if the same device has been accessing multiple accounts if multiple devices are accessing the same account and the number of the app re-installations on the device

Incognia requires at least three logins to create an initial location fingerprint for a user.  Subsequent log-ins allow us to refine and customize this set for increased protection.

After establishing these relationships, the Incognia SDK provides multi-layered protection, delivering security through a combination of insightful user identity signals. It provides two primary levels of protection from unauthorized access and securing the authentication process.

Fraud detection technologies that were once extremely reliable have become less effective, specifically, device fingerprinting. The reasons for this vary:

• Households having a larger number of connected devices for the same person 
• Apple and Google's commitment to privacy restricts the collection of data for fingerprinting

Also, since device ids are created from different characteristics of the device since it's a technology that has been around for a while, once fraudsters know what data they have to emulate to create a new "synthetic" device, it is easy enough to fool a fraud engine using the device id as part of their authentication heuristics.

Device IDs are not perfect. That is why they are more effective when combined with additional signals, such as location behavior. Incognia leverages anonymized, spoof-proof location behaviors to differentiate between fraudsters and trusted customers, which, combined with its proprietary device ID, will deliver results like the ones seen below.

Incognia location behavior technology can be used in various industries and several use cases:

Delivery - GPS Spoofing and Social Engineering Scams

A leading food delivery company in Latin America noticed that many couriers were using GPS spoofing applications. By generating fake GPS data, the couriers were able to defraud the platform by charging for orders they didn’t deliver, reporting longer rides, and accepting orders from busy neighborhoods, even if they were not nearby.

These fake couriers were also executing a social engineering scam that involved using an external mobile POS machine to steal large sums of money from unsuspecting users. They would claim that the original transaction didn’t go through and that they needed to swipe the customer’s card again upon delivery.

The company chose to leverage two features of Incognia’s location identity solution at different moments of the user journey. It decided to call the Incognia API at 1) login to check the device against the Incognia watchlist and re-recognize courier devices and 2 just before a courier accepts a delivery in order to detect GPS spoofing.

After integrating the Incognia SDK and risk-scoring APIs, Incognia analyzed one month of location data from 1.3M couriers. Incognia determined that approximately 3% of couriers accessed at least two accounts and ~1% of all couriers were spoofing their location.

After implementing Incognia, the delivery app significantly reduced gps spoofing and chargebacks associated with mPOS fraud. Incognia’s location accuracy and device fingerprint ensured that bad actors were identified and the false positive rate remained low, preventing fraud before it happened.

Social Media - Global Real-time User Verification

This leading social media app requires every new user to verify their address before opening an account. With its existing address validation solutions, the app verified approximately 70% of users, with lower performance in international markets. The Trust & Safety team needed a solution to increase the app’s global real-time address verification rate in established and emerging markets.

The Trust & Safety team initially focused on finding an identity database with high global coverage. The team found that the databases were sometimes outdated, resulting in an inability to validate the addresses of 30% of new users, and often even more in certain international markets.

For these reasons, the company chose to test Incognia’s real-time Global Address Validation solution for mobile. After the Incognia SDK was integrated into the app, Incognia analyzed 30 days of location data from 2.5 million new users across 11 countries and delivered a risk assessment based on the user’s proximity to their declared address.

Incognia was able to deliver a coverage rate of 94.9%. Additionally, Incognia verified 63% of the new users that the app’s existing solutions could not verify. Incognia also determined that 35% of these unverified new users had no location events near the address provided at onboarding, warranting a high risk assessment. Using Incognia in the mobile app enabled the social networking company to increase its real-time verification rate by up to 24%.

eCommerce Marketplace - Passwordless Authentication

A large ecommerce marketplace launched a new super app to give its customers easier credit card management features and enable instant payments. This app immediately became a target for Account Takeover fraud. To ensure account security, the company needed to add more advanced authentication signals at login and transaction to detect suspicious behavior and challenge or block account access automatically.

Incognia was implemented and called via API at several moments in the app flow, including account opening and authentication at user login. When given a choice, 84% of users allowed the app to collect their location data in exchange for greater account security.

Incognia became the primary authentication signal distinguishing the account owners from bad actors based on location behavior and without introducing friction into the login flow. Ultimately, Incognia delivered a secure and frictionless login experience for 75% of the app’s user base who received low-risk assessments.

“We wanted to focus on avoiding user friction within the application but also solve our security issues. That is why we chose to use the Incognia solution. With the use of Incognia, we were able to make the application safer for our customers - giving them the peace of mind that their accounts will not be taken over.”

Product Owner, Mobile Application

iGaming - Player Collusion

A leading social gaming mobile app provides multiplayer skill games, such as Poker, Rummy and Ludo. The app requires the users to share their location for two main reasons:

1. Comply with regulations: these types of online games are regulated and are only legal in some states/jurisdictions, so operators must have geofencing capabilities to allow/disallow players depending on the user’s location.
2. Combat player fraud: one of the most pervasive fraud types seen by these online skill games is collusion between players that are playing at the same virtual table.

Even if functional from a compliance perspective, the existing mobile app geofencing capabilities were ineffective in detecting players using location spoofing techniques to commit fraud or play from unauthorized locations. The product team needed a solution to prevent fraudsters from colluding in the mobile gaming app.

To commit collusion fraud, bad actors use three different methods. While playing the game at the same virtual table, they are physically sitting near to each other, sharing cards and game data by:

1. Using GPS Spoofing to mask their actual location
2. Logging into multiple accounts from one device
3. Logging into the same account from multiple devices To support a fair and trusted gaming environment, the company needed a scalable GPS spoofing detection and device intelligence solution. 

After the Incognia SDK was integrated into the app, Incognia analyzed 30 days of data collected from over 3.1 million gaming users across various types of devices and locations. For the users that granted location permissions to the app, Incognia delivered a risk assessment (low/high) for 94.3% of users. Out of over 3.1 million accounts analyzed during the evaluation, Incognia identified the following:

• 5K+accounts flagged for GPS Spoofing
• 13K+ accounts accessed by suspicious devices
• 1K+ accounts accessed by four or more devices
• 30K+ accounts had six or more installations
• 400+ suspicious locations
• 10K+ accounts associated with suspicious locations
• 50K+ suspicious accounts total detected from five watchlists

Using Incognia, the social gaming company detected and stopped systematic collusion fraud by identifying cases of GPS spoofing, suspicious accounts, suspicious devices and suspicious locations. Based on the increased blocking of fraudsters, Incognia was selected by the product team and was rolled out to all 70M users of the gaming app.

FinTech - Reduce Reliance on Biometric Authentication

A fintech wanted to increase its account security and fraud protection. As an initial step, it implemented a new facial biometric step to add security to sensitive transactions. Unfortunately, this new security step was viewed as “high friction” by a relevant percentage of their users, particularly by elderly users and users not familiar with the technology. In addition, this step had increased the company’s authenitcation costs.

The company selected Incognia to maintain a high level security while enabling frictionless authentication for legitimate users. By calling Incognia at login and other sensitive moments of the user journey, the fintech was able to take an adaptive risk-based approach to account security. 

• Each time Incognia provides a Low Risk response, a step-up to facial recognition is skipped and users are able to access their accounts frictionlessly.
• When incognia provides a “High Risk” assessment, the company triggers a facial recognition step-up challenge. 

With this approach, high friction is reserved for high-risk scenarios. 

After implementing Incognia, the fintech was able to frictionlessly authenticate 45% of users prior to allowing them to transact.

The fintech was also able to reduce authentication costs by 51%.

---

These are just a few examples of different Incognia use cases. For more case studies, access Incognia resources page.