ProxyPay: Secure Payments with Location and Attestation
🌟 Inspiration
Last year, $12.5 billion was lost to fraud, and even more vanishes from false positives, where legitimate transactions are incorrectly flagged. One of our team members even had his own credit card information stolen.
We wanted to make a system that proactively identifies certain kinds of threats without generating false positives or being a burden on the user. Essentially, we answer the question:
What if fraud detection could be preventative, not reactive?
That question sparked ProxyPay.
How We Built It
We built ProxyPay as a location-based fraud prevention system, in which we match a phone’s live location with the point of sale at the time of payment.
- If the phone is nearby → approve instantly.
- If the phone is far away → block the transaction.
- If the phone is close but not exact → deploy multi-factor authentication.
On the backend, we deployed our service on an ARM-based AWS EC2, which gave us scalable infrastructure. Our system achieved rapid decisions.
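The three-way decision above, combined with the noisy-GPS problem noted under Challenges, can be sketched as follows. This is an added example, not ProxyPay's own code: the thresholds, the fix-age limit, and all names (`Fix`, `decide`, `NEAR_M`, `FAR_M`, `MAX_FIX_AGE_S`) are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Assumed thresholds (not from the ProxyPay project); tune against real data.
NEAR_M = 50.0         # within this distance of the point of sale: approve
FAR_M = 500.0         # beyond this distance: block
MAX_FIX_AGE_S = 60.0  # an older fix is not "live" and cannot approve alone

@dataclass
class Fix:
    lat: float
    lon: float
    accuracy_m: float  # horizontal accuracy radius reported by the phone
    age_s: float       # seconds between the fix and the payment request

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def decide(fix, pos_lat, pos_lon, attested):
    """Return 'approve', 'mfa' or 'block' for one payment request."""
    # A device that fails attestation is rejected before location is considered.
    if not attested:
        return "block"
    d = haversine_m(fix.lat, fix.lon, pos_lat, pos_lon)
    # The phone is somewhere within accuracy_m of the reported fix, so the
    # real distance to the point of sale lies in [lo, hi].
    lo = max(0.0, d - fix.accuracy_m)
    hi = d + fix.accuracy_m
    if lo > FAR_M:
        return "block"    # far away even in the best case
    if hi <= NEAR_M and fix.age_s <= MAX_FIX_AGE_S:
        return "approve"  # nearby even in the worst case, and the fix is fresh
    return "mfa"          # ambiguous or stale: step up instead of guessing
```

Treating the accuracy radius as an interval means a noisy fix degrades to MFA rather than to a false block or a false approval.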
Security
We implemented multiple security measures to deal with sensitive financial data.
- We integrated zero-knowledge proofs (ZKPs) to ensure merchants only see the minimum information needed—never raw location data.
- For device trust, we leveraged Arm Confidential Compute Architecture (CCA). Using CCA attestation tokens, we can verify the integrity of the device, ensuring the environment has not been compromised.
This means that even if attackers tried to fake location or run ProxyPay in a tampered environment, the attestation flow would detect and reject it.
Execution
Our system is optimized for speed and reliability:
- AWS EC2 cluster runs lightweight verification services.
- Attestation tokens are verified in real time.
- Requests average sub-second latency, even under load.
This ensures ProxyPay doesn’t disrupt the user’s checkout flow while still enforcing strong fraud checks.
Ease of Implementation
One of our design goals was simplicity for merchants, and to that end ProxyPay requires just one API call to verify location and attestation status. We are:
- Payment platform agnostic – works with Visa, Mastercard, and any e-commerce flow.
- Merchant agnostic – no vendor lock-in.
This makes institutional adoption as frictionless as possible. Users just need to install a single mobile application.
Why ARM Matters
We chose Arm’s Confidential Compute Architecture (CCA) because it gives us a hardware root of trust. Traditional fraud prevention relies on software checks that can be bypassed if the underlying system is compromised. With ARM CCA:
- Attestation tokens provide cryptographic proof that ProxyPay is running in a trusted, uncompromised environment.
- GPS spoofing is far more difficult since the app's data transfer is protected through the attestation flow.
- ARM’s design ensures scalability — CCA is lightweight and efficient, meaning we could deploy it on AWS EC2 Arm instances without significant overhead.
This hardware-backed trust closes the gap between security theory and practical implementation, letting us guarantee that fraud checks are not only fast, but tamper-resistant at the silicon level.
What We Learned
- Applied cryptography: working with zero-knowledge proofs in real transaction flows.
- Hardware-level security: integrating Arm CCA attestation was our first time working with confidential compute at this depth.
- Systems design: balancing speed (sub-second response) with strong security guarantees.
- DevOps in industry: using CI/CD for the frontend and an AWS backend helped us develop our skills.
- Mobile development: this was our first React Native application. We had experience with web applications and other mobile frameworks.
Challenges We Faced
- Integrating CCA: Setting up attestation tokens on EC2 Arm instances was technically complex and poorly documented.
- Location accuracy: GPS can be noisy; we had to design logic for “close enough” cases without frustrating the user.
- User experience vs. security trade-offs: Too strict, and users get false positives; too loose, and fraud slips through.
- AWS finickiness: Dealing with server nuances was tricky, but it worked out.
ProxyPay: Payments You Can Trust.
ProxyPay represents a huge step toward fraud systems that are preventative, secure, and user-friendly. By combining location verification, Arm CCA attestation, and ZKPs, our platform can scale with merchants while protecting customers.

