When a breach of the world's major e-mail service providers was reported last week, it drove home the fact that a single stolen password can put numerous accounts in danger.
Human nature being what it is, even the threat of a data breach won't trigger all consumers and employees to choose separate, complex passwords for each account. The problem illustrates the need for layered protection on websites that require password access.
NuData Security has been offering such a service the past few years with NuDetect, providing behavioral analytics that identify the user behind a device for e-commerce merchants, banks and other service providers in the health and insurance industries. The company could not provide client contacts, citing privacy concerns.
Behavioral biometrics monitor how users hold a device, their typing speed, mouse movements, and site navigation patterns. In a real-time, cloud-based service, NuData can authorize a user or detect an automated attack on an account.
"We are not necessarily protecting against a breach, but our focus is on making the data stolen in a breach less valuable," said Robert Capps, vice president of business development for Vancouver, B.C.-based NuData Security.
That's a significant task, considering more than 700 million consumer records were exposed to fraudsters in 2015, according to the Gemalto Data Breach Level Index.
In a new white paper, NuData says it identified nearly 46% of accounts created across its financial institution and e-commerce clients in 2015 as fraud attempts, a 66% increase over the previous year when the rate was 27% of all accounts.
NuData bases its defense on the premise that bad guys stealing data from servers want a return on the investment of time it takes to steal those credentials. If they can't steal from accounts after entering with stolen passwords and usernames, they may stop trying.
"If you can change the way data can be used, it changes the dynamic of theft," Capps said. "We can prove this over and over again in the cybercrime business. If we can remove the usability of this data and make it difficult to get a return, we win as an industry."
Even with biometrics advancing on various levels from fingerprints to facial and voice recognition, many in the industry feel passwords will not be obsolete any time soon.
Knowing that possibility exists, NuData's NuDetect monitors the behavior after a customer logs in to an online banking or e-commerce site. NuDetect profiles certain interaction points such as log-ins, account creations, password resets, checkouts and bill payments.
"We look for anomalies across that session, that user and the population as a whole and with all of our covered customers," Capps added. "We did 38 billion interaction profiles for our more than 70 customers last year."
Fraudsters are starting to get around device fingerprinting, IP location detection, and others, said Avivah Litan, a vice president and distinguished analyst at Gartner Inc. "To catch these guys, you have to have super smart analytics that see other anomalies."
It's an arena in which automated attacks emulating full device characteristics are making it harder to use the traditional device identification techniques, while also spreading those attacks over a wide range of IP addresses so that no one address is used against online retailers more than a few times.
As such, Litan finds it "amazing" that most service providers still rely on password security.
Many competitors in the biometrics space have different approaches, but all are delivering a security tool that is inconspicuous to consumers and can be used across channels, said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research.
Because behavioral analytics is still a relatively new field, instances of false positives and other drawbacks may arise, but many more large businesses and financial institutions are becoming interested in the technology, Pascual added.
"We know passwords are broken," Pascual said. "Consumers are 25% more likely to reuse a password on mobile devices because they don't want to type them in on a tiny screen."
Such a trend allows biometrics providers to "fill in the gaps" with other security measures, with behavioral analytics proving to be an effective multi-channel tool, Pascual said.
NuData, which serves e-commerce merchants that are multi-channel, multi-site businesses, focuses NuDetect as an anti-automation defense with the most common use cases being account verification and account creation.
"Almost every website is going to have a problem if they have log-ins and something of value behind those log-ins," NuData's Capps said. "We can identify human and non-human both through behavioral signatures and volume."
Ultimately, it is all about "really understanding the identity of the human who uniquely belongs to that account and recognizing when an anomaly occurs," Capps said. Such an approach "has really helped our customers with stopping account takeovers," he added.