As online fraud gets more sophisticated, passive biometrics could help keep accounts more secure
Hackers are finding new ways to avoid fraud detection, and are increasingly trying to steal account login information using scripted attacks, according to a new threat intelligence report from NuData Security.
Based on data from the past 90 days, sophisticated scripted attacks aimed at getting usernames and passwords grew 112 percent compared to the same time period in 2014.
What’s especially notable is that account takeover attempts are rising and becoming the preferred method for hackers trying to hijack payment information as opposed to more easily detected credit card fraud attempts.
NuData Security, which creates software aimed at predicting and preventing online fraud, thinks that user behavioral analysis can help online fraud detection solutions handle these more sophisticated fraud attempts by better understanding the user behind the machine.
NuData customer success director Ryan Wilk says, “We’re looking at how the user is actually interacting: how they’re typing, how they’re moving their mouse or phone, where they are using their phone, their accelerometer readings… As single data points unto themselves they’re not terribly useful, but when you start to bring them together and merge them into a profile of who that user is, you start to build out something that’s really profound and really unique, and something that’s extremely difficult to spoof.”
Attackers are increasingly able to gain personal details like the username and password, as well as confirmation details like having the correct billing address. Fraud detection that look at the user’s operating system, browser, and IP to verify their identity are also being fooled by attackers that cycle through combinations of software and IP addresses. NuData’s study found that, for instance, the average retail attack will now only use an IP address two times before moving onto the next IP in an attempt to circumvent detection, and fraudsters have begun matching IP addresses to billing addresses on the stolen credit cards being used..
The key advantage of passive biometrics is that it aims to create a profile of the person operating the machine, not just the machine itself.
This passive biometric approach helps provide an understanding of the user is at “almost a subconscious level,” according to Wilk. “This includes various things that are unique to them and can’t be spoofed…usernames and logins are not a very strong means of authentication or protection anymore.”
Having systems that cannot be spoofed is increasingly important when it comes to online accounts because they often allow attackers to make account changes.
It’s also becoming common for usernames and logins to be bought and sold by cybercriminals on the dark web. NuData found that an account typically gets sold 5 to 10 days after it’s compromised. If the account breach was detected the first time or prevented, then it would make things much easier for companies in industries like online services, ecommerce, finance and healthcare to detect fraud and users to suspicious activity.
Once breached, NuData found that accounts are rarely used for more than five purchases in an attempt to further avoid detection.
“I could know almost 16 days ahead of time that this bad actor was going to come on and do those things because I was able to see this activity way up front. Merging the idea of passive biometics, we really try to dig deep into understanding not just what [device] is logging in, but who that user is.”
NuData positions itself as forming a different identity profile than BioCatch, which tracks user interactions with devices but also uses “invisible challenges”, which are barely noticeable changes to the user behavior of applications – like nudging the cursor a few pixels in a different direction – then using the user’s unique reaction to form a behavior profile.
NuData doesn’t take this approach, according to Wilk, because its passive biometrics aren’t completely passive so-to-speak. “If you’re going to be monitoring user interaction through passive biometrics, the worst thing you could ever do is tip your hat to what you’re doing,” noting that, if noticed, random changes in application behavior might make a user suspicious of malware or be obtrusive to the user experience.
Still, while there are a range of approaches to passive biometrics, they are being actively rolled out across all industries where there’s sensitive information stored behind a login. And, at least for the time being, behavioral biometrics are often a less obtrusive security measure than scanning physical biometric traits.