Faster Payments, PSD2 spur interest in behavioral biometrics
The advent of Faster Payments services plus Europe’s PSD2 have heightened concerns among banks about increased fraud risks. This has created opportunities for firms such as New York/Israel’s BioCatch and San Francisco’s BehavioSec, both of which develop technology around behavioral biometrics analysis.
Behavioral biometrics shouldn’t be confused with a complementary security technology, user behavior analysis.
“With behavioral biometrics, you’re looking at specific behaviors such as how users interact with their mouse, keyboard or touchscreen,” said Al Pascual, senior vice president for research and head of fraud and security at Javelin Strategy & Research. “User behavior analysis looks at details such as whether users typically log on once a day to check their balances, or perform specific transfers on a regular basis.”
Both technologies can analyze geolocation data. “Behavioral biometrics can tell whether someone is in a different location than they purport to be, but user analytics considers a user’s actual location and the activities they are performing there,” said Pascual.
Strong customer authentication
With the EU set to require strong customer authentication in September 2019 as part of PSD2, the need for improved security is top of the agenda. This rule will require European payments service providers (PSPs) to use authentication methods involving at least two factors from two different categories: “knowledge” (e.g. password or PIN); “possession” (e.g. smartphone or card); and “inherence” (e.g. unique attributes of an individual’s behavior, such as patterns in how they hold mobile devices and interface with websites).
“Behavioral biometrics is ideal for PSD2 compliance as it combines inherence with traditional login credentials, offering dramatically enhanced defenses from account hijacking and fraud,” BehavioSec CEO Neil Costigan said in a blog post. “Every business handling online payments faces mounting threats of fraud and abuse, as login credentials are widely breached and it is trivial for bots and other malicious programs to impersonate account-holders’ names and devices. Behavioral biometrics breaks this cycle by giving FIs and payment firms the ability to block login attempts that deviate from known users’ behaviors.”
Existing two-factor authentication methods include the use of hardware devices to calculate one-time login tokens, and authentication codes sent via SMS to mobile phones. Providing users with token calculators can be costly, logistically complex and not risk-free. It is conceivable that a hacker could impersonate a legitimate user and persuade a bank call center to reissue them with a token calculator, claiming to have lost their original one.
SMS authentication can be insecure, since hackers can hijack mobile devices and intercept SMS messages. For example, the online messageboard Reddit recently said hackers had intercepted SMS authentication codes sent to its staff and broken into its server.
While token calculators typically authenticate users only at login, behavioral biometrics continuously study behaviors to spot subsequent, suspect activity. This is crucial for defeating remote access Trojans (RATs), bots, man-in-the-browser (MITB) and other types of “past gateway” attacks. In a RAT attack, a person or a malware program impersonates a legitimate user and takes over the session.
“A fraudster isn’t necessarily doing an interception when you authenticate yourself with your credentials,” said Frances Zelazny, chief strategy and marketing officer at BioCatch. “They are waiting in the background using malware which got downloaded onto your PC previously when you clicked on a malicious link, and which becomes active only when you log in. They may also redirect you to log in at a fake website that looks like your bank’s browser, known as ‘browser redirect.’ Once they’ve stolen your username and password, they send you back to your bank’s website.”
BioCatch verifies the authenticity of a user’s digital identity from their initial login and during subsequent transaction sessions. It examines over 500 behavioral profiling metrics such as how the user holds a device, cognitive behavior and other subconscious behavior patterns.
Biometrics in the wild
“I first came across behavioral biometrics analysis six years ago,” said Pascual. “I was impressed by the technology’s potential, but it was ahead of its time. Now there are major banks deploying behavioral biometrics or conducting proofs of concept.”
BioCatch said all of the major banks in the U.K. use its technology, with NatWest (part of Royal Bank of Scotland) having launched a pilot with BioCatch to prevent malware in early 2016 for its corporate banking users and for customers of Coutts, RBS’s U.K. private bank. It launched a pilot of BioCatch technology for its consumer banking customers in 2017, and now plans to roll out BioCatch across its U.K. customer base.
According to BioCatch, during the 2016 corporate banking pilot NatWest detected fraudulent attempts to transfer funds, identified RAT attacks during online banking sessions, and detected fraud attempts occurring across online and mobile channels.
Pascual predicts that large banks will be the first to deploy behavioral biometrics and that the technology will trickle down to smaller banks and to other industries such as insurance, retail and health care.
Behavioral analytics can be used to prevent false positives, according to Zelazny.
“In an actual false positive example, a CFO for a U.K.-based firm found himself overseas and needing to perform a transfer from his hotel room,” she said. “With his bank’s login procedures, he wasn’t able to do this transaction, as the system detected his location based on his IP address, and the call center refused to help.”
Certain parts of the world are riskier even if the user is legitimate, Javelin’s Pascual noted.
“Ultimately, the enterprise or the bank that is trying to authenticate a user needs to weigh various factors, such as weighing the output from its behavioral biometrics tool more heavily than the location data,” said Pascual. “But there are definitely locations from which transactions should not be authorized, even if they are legitimate, such as countries on OFAC (Office of Foreign Assets Control) lists such as North Korea or Iran.”
Behavioral biometrics can help with open banking, Pascual said. “If a consumer provides their banking login credentials to a third-party wealth management service, whether via screen-scraping or open APIs, banks are legitimately concerned about the integrity of these credentials. Having access to behavioral data on how a client interacts with their device can tell the bank if a client’s transactions are legitimate.”
Fraud and Faster Payments
“The impetus for much of the earlier adoption of BioCatch’s technology was the advent of Faster Payments in the U.K. and the need to prevent fraud,” said Zelazny. “Faster Payments creates a situation where fraudsters can commit instant fraud, and PSD2 is opening up the Pandora’s box of fraud.”
PSD2 allows licensed PSPs — also known as third-party providers (TPPs) — to act as Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP). Under PSD2 and the U.K.’s Open Banking regulations, an AISP license allows access to bank customer data, while a PISP license grants access to the customer’s account to initiate payments.
Zelazny identified the three points of vulnerability with PSD2 in Europe: on the TPP side when people open TPP accounts; on the bank side, when they link their bank account to their TPP account; and on the transactional side, when there is account takeover fraud.
“PSD2 lets someone create a new TPP account and link someone else’s bank account to it, then transfer stolen funds to the newly created TPP account,” said Zelazny. “They then transfer the stolen funds to another account and close their original TPP account, vanishing without trace.”
No one technology provides all the answers to fraud, so banks need to have multiple security methods in their arsenal.
“Behavioral biometrics can be very effective in detecting anomalous activity and are completely transparent to the end user,” said Julie Conroy, research director at Aite Group. “Because no physical biometric element is captured, these solutions aren’t subject to the patchwork of regulation that is springing up around traditional biometrics in various U.S. states and countries.”
Behavioral biometrics can be used to detect account takeover (ATO) and new account fraud, said Conroy.
“When an ATO attack is in progress, behavioral biometrics serve as an early red flag by detecting deviance from the user’s normal interaction patterns,” she said. “For new account fraud, the technology looks for a few important ‘tells’. Fraudsters input data differently than genuine consumers. They don’t have the same level of familiarity with the data, so are more likely to have to repeatedly delete and fix typos. Criminals are also more likely to copy and paste data (pulling it from a data dump purchased off the dark web), and they will have more familiarity with the application layout given their frequent use, which manifests in a very different pattern of interaction than a genuine consumer.”
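As an added illustration of the signals described in this article (it is not code from BioCatch, BehavioSec or any other vendor), the toy scorer below extracts a few of the “tells” Conroy lists (the rate of backspace corrections, paste events, typing cadence) from a constructed interaction log, compares them against a constructed per-user baseline, scores the session in time windows so that a takeover after a genuine login still surfaces (the continuous monitoring described earlier, in contrast to a login-only token), and finally applies the weighting Pascual describes: the behavioral score counts far more than a location mismatch, but a placeholder sanctioned-country list blocks regardless. The feature names, baseline values, weights, thresholds and every event in the sample sessions are assumptions made up for this example.

```python
"""Added example, not vendor code: score a banking session from constructed
interaction events, then combine that score with location signals.
Baseline values, weights and thresholds are illustrative assumptions."""
from statistics import mean

# An event is (timestamp_ms, kind, detail); kind is "key" or "paste".
# Constructed per-user baseline: feature -> (mean, std dev), standing in for a
# profile learned from that user's earlier genuine sessions.
USER_BASELINE = {
    "backspace_ratio": (0.05, 0.03),   # corrections per keystroke
    "paste_count": (0.0, 0.5),         # paste events per window
    "mean_key_gap_ms": (180.0, 40.0),  # typing cadence
}
BLOCKED_COUNTRIES = {"XX"}  # placeholder for a sanctions (e.g. OFAC) list


def build_session(keys, gaps, start_ms=0, pastes_at=()):
    """Constructed event log: key i is typed gaps[(i-1) % len(gaps)] ms after
    key i-1; paste events are added at the given timestamps."""
    events, t = [], start_ms
    for i, key in enumerate(keys):
        if i:
            t += gaps[(i - 1) % len(gaps)]
        events.append((t, "key", key))
    events += [(p, "paste", None) for p in pastes_at]
    return sorted(events, key=lambda e: e[0])


def extract_features(events):
    """Reduce raw events to the three features named in USER_BASELINE."""
    keys = [e for e in events if e[1] == "key"]
    gaps = [b[0] - a[0] for a, b in zip(keys, keys[1:])]
    backspaces = sum(1 for e in keys if e[2] == "Backspace")
    return {
        "backspace_ratio": backspaces / len(keys) if keys else 0.0,
        "paste_count": sum(1 for e in events if e[1] == "paste"),
        "mean_key_gap_ms": mean(gaps) if gaps else 0.0,
    }


def anomaly_score(features, baseline):
    """Mean absolute z-score over the features, mapped to [0, 1]; an average
    deviation of three standard deviations or more scores 1.0."""
    zs = [abs(features[n] - mu) / sd for n, (mu, sd) in baseline.items() if sd > 0]
    return min(mean(zs) / 3.0, 1.0) if zs else 0.0


def score_windows(events, baseline, window_ms=4000, min_events=5):
    """Continuous monitoring: score each time window separately so behavior
    that changes after a successful login is still caught. Windows with too
    few events to be meaningful are skipped."""
    if not events:
        return []
    start, end, scores = events[0][0], events[-1][0], []
    while start <= end:
        chunk = [e for e in events if start <= e[0] < start + window_ms]
        if len(chunk) >= min_events:
            scores.append((start, anomaly_score(extract_features(chunk), baseline)))
        start += window_ms
    return scores


def decide(behavior_score, geo_mismatch, country, challenge_at=0.4, block_at=0.75):
    """Listed countries are blocked outright; otherwise the behavioral score is
    weighted well above a location mismatch (assumed 0.8 / 0.2 split)."""
    if country in BLOCKED_COUNTRIES:
        return "block"
    risk = 0.8 * behavior_score + 0.2 * (1.0 if geo_mismatch else 0.0)
    if risk >= block_at:
        return "block"
    return "challenge" if risk >= challenge_at else "allow"


# Constructed sessions. Genuine: an e-mail address typed at ~180 ms cadence
# with one corrected typo. Fraud: few keystrokes, heavy correction, data pasted.
GENUINE_SESSION = build_session(
    list("jan") + ["r", "Backspace"] + list("e.doe@bank.example"),
    gaps=[170, 190, 200, 160, 180])
FRAUD_KEYS = ["1", "2", "Backspace", "Backspace", "3", "4"]
FRAUD_SESSION = build_session(FRAUD_KEYS, gaps=[90], pastes_at=(500, 900, 1300))
# Takeover after login: genuine typing first, the fraud pattern seconds later.
TAKEOVER_SESSION = GENUINE_SESSION + build_session(
    FRAUD_KEYS, gaps=[90], start_ms=8000, pastes_at=(8500, 8900, 9300))

if __name__ == "__main__":
    for name, session in (("genuine", GENUINE_SESSION), ("fraud", FRAUD_SESSION)):
        score = anomaly_score(extract_features(session), USER_BASELINE)
        # The travelling-CFO case: location mismatch, but the behavior is normal.
        print(name, round(score, 3), decide(score, geo_mismatch=True, country="FR"))
    print([(t, round(s, 3)) for t, s in score_windows(TAKEOVER_SESSION, USER_BASELINE)])
```

Run stand-alone, the genuine session scores near zero and is allowed despite the location mismatch, the fraud session saturates at 1.0 and is blocked, and the takeover session shows a low first window followed by a saturated later one, which a login-only check would never see. A real deployment would learn the baseline from many sessions and use far more than three features; the point here is only the shape of the pipeline.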
Conroy said that behavioral biometrics is helpful as one element of a layered solution to prevent fraud in an open payments or Faster Payments environment. “There are no silver bullets in fraud detection, unfortunately,” she noted.