July 25, 2014 -
For Israel-based biometric authentication and threat detection company BioCatch, the way we do things says a lot about who we are.
BioCatch monitors how people use applications, collecting data from a device’s keyboard, mouse, touch screen, and even gyroscope to create an accurate profile of the person who’s using an application, and – more importantly – detect when it’s an intruder.
“Basically, what BioCatch does is we track human behavior – how people interact with applications and devices,” says Oren Kedem, BioCatch’s vice president of product management. This data is used to build both a physiological and a cognitive profile of the user. It is also analyzed to flag behavior that is suspicious, fraudulent, or criminal.
BioCatch’s “passive biometrics” approach tracks and analyzes things that users don’t even know they’re doing. It captures physical traits such as the size of a fingerprint on a touchscreen, whether the user holds the mouse in the right or left hand, or the frequency of the user’s hand tremor while holding a phone. It also records cognitive traits, which can be thought of as preferences, such as how the user scrolls through a web page (arrow keys, page up and down, mouse wheel, etc.) or how the device is held (horizontal or vertical, and at what angle it is tilted).
BioCatch’s solution builds a profile of each user from session behavior. An accurate profile typically takes six sessions, but can take as few as two if the user’s activity is particularly distinctive.
Kedem says that the biometric profile BioCatch creates also includes “invisible challenges,” in which the application makes a barely noticeable change to what the user sees or feels. For instance, the application might nudge the cursor a few pixels in a different direction, or change the page scrolling speed. How a user responds to these incidents is highly distinctive, and is something that’s nearly impossible to replicate.
“We don’t just track what you do, we also influence what you do,” Kedem says. “We ask you a question without you being asked and you give us an answer with you knowing. It’s a secret that can’t be stolen like a password or a token.”
Because these invisible challenges are always changing within the app, and there is no way to replicate how a user responds to them, the system automatically detects and prevents keylogging botnets and replay attacks, which record and replay the target’s movements.
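To make the two ideas above concrete, here is a small worked example added to this article; it is not BioCatch’s code and does not reflect its actual features, thresholds or algorithms. It builds a per-user profile as the mean and spread of a few assumed session features (key hold time, mouse speed, tremor frequency, device tilt) over enrolment sessions, scores a new session by its distance from that profile, and separately checks whether the user’s cursor correction actually answers the current “invisible challenge” nudge. A replayed recording carries the correction to an earlier nudge, so it matches the profile but fails the challenge check. All sample values, feature names and thresholds are constructed.

```python
"""Added illustration (not BioCatch's code): a toy passive-biometrics check.

A user profile is the per-feature mean and spread over enrolment sessions;
a new session is scored by how far it sits from that profile. An "invisible
challenge" (a small random cursor nudge) is checked separately: a live user
corrects roughly against the nudge, while a replayed recording carries the
correction to some earlier nudge and so does not line up with the current one.
All feature names, thresholds and sample values below are constructed."""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev

FEATURES = ("key_hold_ms", "mouse_speed_px_s", "tremor_hz", "tilt_deg")
MIN_SESSIONS = 2          # assumed: the article says two to six sessions are needed
Z_THRESHOLD = 2.0         # assumed: mean |z| above this -> profile mismatch
ALIGN_THRESHOLD = 0.7     # assumed: cosine below this -> challenge not answered


@dataclass
class Profile:
    stats: dict           # feature -> (mean, std)
    sessions: int


def build_profile(sessions):
    """Enrol from a list of per-session feature dicts."""
    if len(sessions) < MIN_SESSIONS:
        raise ValueError(f"need at least {MIN_SESSIONS} sessions to build a profile")
    stats = {}
    for f in FEATURES:
        vals = [s[f] for s in sessions]
        # floor the spread so a perfectly constant feature cannot blow up the z-score
        stats[f] = (mean(vals), max(pstdev(vals), 1e-6))
    return Profile(stats, len(sessions))


def session_score(profile, session):
    """Mean absolute z-score of the session's features against the profile."""
    zs = [abs(session[f] - m) / sd for f, (m, sd) in profile.stats.items()]
    return sum(zs) / len(zs)


def challenge_alignment(nudge, correction):
    """Cosine similarity between the user's correction and the reverse of the nudge.
    Near 1.0 means the user compensated for *this* nudge; near 0 or negative means
    the movement is unrelated to it (as a replayed recording would be)."""
    ex, ey = -nudge[0], -nudge[1]
    cx, cy = correction
    denom = sqrt(ex * ex + ey * ey) * sqrt(cx * cx + cy * cy)
    if denom == 0:
        return 0.0
    return (ex * cx + ey * cy) / denom


def assess(profile, session, nudge, correction):
    """Combine the profile check and the challenge check into one verdict."""
    score = session_score(profile, session)
    align = challenge_alignment(nudge, correction)
    if score > Z_THRESHOLD:
        verdict = "profile_mismatch"      # behaviour unlike the enrolled user
    elif align < ALIGN_THRESHOLD:
        verdict = "challenge_mismatch"    # looks like the user but ignored the nudge: possible replay
    else:
        verdict = "consistent"
    return {"verdict": verdict, "score": round(score, 2), "alignment": round(align, 2)}


# Constructed enrolment data: six sessions of one fictional user.
ENROL = [
    {"key_hold_ms": 95, "mouse_speed_px_s": 410, "tremor_hz": 8.2, "tilt_deg": 32},
    {"key_hold_ms": 102, "mouse_speed_px_s": 390, "tremor_hz": 8.5, "tilt_deg": 30},
    {"key_hold_ms": 98, "mouse_speed_px_s": 425, "tremor_hz": 8.0, "tilt_deg": 35},
    {"key_hold_ms": 105, "mouse_speed_px_s": 400, "tremor_hz": 8.4, "tilt_deg": 31},
    {"key_hold_ms": 97, "mouse_speed_px_s": 415, "tremor_hz": 8.1, "tilt_deg": 33},
    {"key_hold_ms": 101, "mouse_speed_px_s": 405, "tremor_hz": 8.3, "tilt_deg": 34},
]
PROFILE = build_profile(ENROL)

NUDGE = (6, -2)  # this session's cursor nudge in pixels (constructed)
# (session features, observed cursor correction) for three constructed cases
GENUINE = ({"key_hold_ms": 100, "mouse_speed_px_s": 408, "tremor_hz": 8.3, "tilt_deg": 33}, (-5.5, 2.2))
INTRUDER = ({"key_hold_ms": 140, "mouse_speed_px_s": 260, "tremor_hz": 10.5, "tilt_deg": 60}, (-5.0, 1.8))
# a replay reproduces the genuine user's recorded behaviour, including the correction to an older nudge
REPLAY = (dict(GENUINE[0]), (4, 7))

if __name__ == "__main__":
    for name, (sess, corr) in (("genuine", GENUINE), ("intruder", INTRUDER), ("replay", REPLAY)):
        print(name, assess(PROFILE, sess, NUDGE, corr))
```

The order of the two checks matters: the profile score answers “does this look like the enrolled user?”, while the challenge alignment answers “is this a live response to what the app just did?”. A recording of the real user passes the first and fails the second, which is the property the article attributes to invisible challenges.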
Reducing Dependence on Call Centers, and Retaining Customers
While BioCatch is branching out into fraud prevention for ecommerce sites, its main clients have been major worldwide banks. Online banking login procedures have to be secure while remaining easy for customers to use.
According to BioCatch, one of its clients, a US bank, has 12 million logins per day and 10 percent of them are identified as risky by existing fraud detection solutions.
In these cases, the bank uses a step-up authentication procedure such as asking a secret question, sending a code to the user’s phone via SMS, or asking for additional user information. But 20 percent of people fail these authentication methods and have to phone the bank’s call center. Each login authentication call costs the bank around $4 to handle, which can add up to hundreds of thousands of dollars a day.
But it’s even worse if the hassle causes users to shy away from online banking, which is cheaper, or change banks. “Many people give up on the website, which they find is hard to log into, and just use their phone instead of the digital channels. Their experience might be so bad that they switch to a different bank,” Kedem says. “The name of the game is user experience now.”
Flagging Fraudsters During World Cup
This summer’s FIFA World Cup predictably drew the worldwide attention of sports fans to Brazil. At the same time, however, BioCatch was playing a different sort of match against fraudsters seeking to infiltrate bank accounts.
BioCatch had been working with a Latin American bank to detect fraud attempts, and it found that fraud attempts occurred on days between the quarter-finals and the final of the World Cup. It also found that fraud attempts were unlikely to happen on a Sunday.
BioCatch monitors things like typo rates and the length of sessions. It noticed that during the Brazil-Germany match, in which Germany took a five-goal lead in the first half, it took Brazilian customers twice as long to complete transactions during the game’s first half as during the second half. This raised flags for BioCatch, but it likely also had to do with Brazilian bank customers being distracted.
This shows how real-world events can change how users interact with applications, and how trends can be predicted to provide greater accuracy.
Keeping Customer Data Private
BioCatch’s solution is securely hosted on Microsoft’s Azure cloud platform, making it deployable at any of Microsoft’s worldwide data center locations. BioCatch already works with banks in the US, Latin America, the UK, Spain and Italy.
It also helps that BioCatch is able to comply with data privacy regulations even in places like Europe where consumer privacy is taken very seriously.
“One of the biggest advantages we have in the biometrics space is that we don’t infringe on [privacy regulations] for two reasons,” said Kedem. “We don’t know who the user is. We track sessions, and we get an API call from the bank telling us there are unique identifiers, but not actually identifying who that user is. Secondly, our biometric profile is application-specific, and very inaccurate outside of the context. The raw data is meaningless unless you have the algorithms.”
BioCatch’s software is able to confidently detect when a user’s behavior is consistent with their past behavior in 80 percent of cases, but its machine-learning algorithms are constantly becoming more accurate at detecting fraudulent behavior.
With users’ behavior checked against their profiles in the background, this technology ultimately promises to make security more ubiquitous and imperceptible to the end user. Users’ own actions help prove their identity, securing them from threats while also providing a more streamlined experience.