October 10, 2017
Behavioral biometrics is a breakthrough cybersecurity technology that identifies people by how they do what they do, rather than by their physical characteristics, what they know, or by the authentication technology they possess.
Behavioral biometrics is defined as the measurement and analysis of human activity patterns. Historically, these have included keystroke patterns, gait, and handwritten signatures. However, today’s advanced behavioral biometric techniques capture a wider array of human interactions between a device and an application, such as hand-eye coordination, pressure, hand tremors, navigation, scrolling and other finger movements.
BioCatch’s behavioral biometrics-based authentication technology analyzes the way people interact with online applications or devices. BioCatch has positioned itself as a market leader, with a solution designed to reduce transaction friction, decrease fraud and associated cyber threats, and provide quantifiable business value. The firm’s enterprise-grade solution is used by major banks and e-commerce sites worldwide, and currently monitors over four billion transactions per month, in order to provide measurable returns on investment.
“It is not enough to rely on static identification verification when opening an account or conducting a credit check,” said Frances Zalazny, Vice President of Marketing at BioCatch, in an exclusive interview with BiometricUpdate.com. “Relying on static data makes organizations susceptible to social engineering attacks.”
Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Social engineers target their victims utilizing tactics that include “phishing” and “remote access trojans”.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by criminals disguising themselves as a trustworthy entity within an electronic communication. A remote access trojan (RAT) is a malware program which includes a back door that allows criminals to take control of a targeted user’s computer. RATs are unintentionally downloaded through user-requested programs, such as games, or through e-mail attachments.
Due to a veritable explosion in such attacks over the past 10 years, BioCatch has been offering its integrated behavioral biometrics solutions to banks and retailers to successfully detect and deter criminal behavior, thereby preventing major financial loss.
Zalazny notes that since 2008, more than nine billion records have been breached or stolen. And according to figures published in Gemalto’s Breach Level Index Report for 2016, nearly 1.4 billion data records were stolen by hackers or lost in the past year.
Notable examples of data breaches abound, including the most recent Equifax data theft incident that compromised over 145.5 million customers in the United States, UK and Canada. According to the credit bureau itself, criminals exploited a Web site application vulnerability to gain access to certain files. Based on Equifax’s own investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases. Despite the fact that Equifax says the data in its own databases may not be manipulated, the stolen data can theoretically be used to establish fake accounts.
The notion of “synthetic identities” refers to the creation of fake accounts or identities based on stolen and fictitious personal data, such as the combination of a fake name and physical address with a real social security number. With the Equifax breach, an explosion of “synthetic identities” is highly probable.
“Social engineering and account takeover is the fastest growing type of threat,” said Zalazny. “Surprisingly, we found that nearly 100 percent of this type of fraud happens after authentication has been achieved where a PIN, password or token is used. It is however fortunate that our behavioral biometrics solutions can address this type of attack.”
Zalazny notes that with BioCatch running in the background, retailers and banks can analyze, in detail, the ways in which people interact with online applications or devices. The approach is passive, and analyzes physical, behavioral and cognitive attributes in real time, while injecting invisible challenges to ensure the veracity of the user.
BioCatch’s platform can thus undertake real-time risk assessments to determine whether a user is navigating an online form at an unnaturally rapid speed or taking too long to enter intuitive information. Analysis of such behavior allows the firm to develop a “risk score” which informs its banking and retail customers as to the legitimacy of a user and transaction.
Increasingly, fraudsters are remotely taking over a bona fide user’s logged-in session, after the user has appropriately and correctly authenticated themselves, with no malware involved. Because such attacks by definition usurp a user’s login and device credentials, traditional verification and network security tools are not effective in recognizing them.
“With account takeover one of the most intractable cybersecurity challenges that enterprises are facing today and a wide variety of fraud emerging, including malware, remote access, phishing, and new account activation based on stolen data, we are pleased that we can provide a solution that facilitates risk-based authentication,” said Zalazny.
BioCatch’s passive approach has been successful in preventing identity theft and account takeover in cases of phone fraud, where fraudsters have directly called customers to trick them into revealing their account information. BioCatch’s systems have been so attuned that they have caught these fraudsters in the act, allowing financial institutions to contact their customers in real time while their accounts are actively being compromised.
“Because traditional fraud prevention methods have proven to have limited effect, we expect continued growth in behavioral biometrics,” stated Zalazny. As BiometricUpdate.com has previously reported, the firm recently partnered with LexisNexis Risk Solutions and HoneyTek Systems to provide each with fraud protection services.
Zalazny also noted that users of BioCatch’s solution can improve their customers’ experience by minimizing false alarms and providing frictionless continuous authentication throughout a session, from login to logout. With one in four legitimate transactions being denied due to extraneous factors, BioCatch’s technology can examine transaction legitimacy, thereby increasing a firm’s revenue potential. BioCatch’s VP did emphasize, however, that the firm undertakes an assessment of risk, and it is up to its banking and retailer customers to determine how to act upon those risk assessments.