A new piece of malware was released on average every 4.2 seconds in the first quarter of 2017, according to a top anti-malware centre. This statistic, from V-Test, along with the stat from the Breach Level Index that more than 7 billion data records with PINs, bank account details, names and address were compromised through data breaches since 2013 makes grim reading for anyone in charge of trying to stop fraud and maintain the security of their bank.
Traditional security has focused on individual access attempts, often using inadequate and/or cumbersome access protocols to authenticate or verify users, along with manual investigation techniques when alerts are raised. When a customer’s personal data have been stolen, this approach on its own will not stop the fraud. And even when customer data have not been compromised, it has major flaws. It’s not very effective; it affects the customer experience; and it costs a lot of money.
Banks lose $67bn annually to fraud. If that weren’t bad enough, traditional customer authentication techniques can put off users – customers don’t like cumbersome access methods including passwords and two factor authentication, resulting in abandoned transactions and even changes in banking provider. The customer experience is further diminished by the high rates of false positives generated, where a legitimate transaction results in a call to the customer for verification or is blocked. And the investigation cost of alerts is not insubstantial, with calls to customers costing an average of between $15 and $35 each.
What is needed is a new approach that is effective against not only malware but also hackers and fraudsters with stolen customer data, is frictionless, and cuts costs. This is where behavioral profiling and machine learning comes in.
We are all unique. From the way we look, to the words we use, the speed we type, even the way we hold our phones. Taken together, how we behave across a huge number of variables adds up to only us. When these variables are noted and turned into a profile, security becomes far more robust, is frictionless and virtually impossible to copy or fake. It provides our own unique behavioral biometric.
Using algorithms, systems can score any activity against the behaviour biometric. This score can be used to stop or allow a transaction. All transactions scores are logged and machine learning means profiles are updated to incorporate acceptable behaviour that differs from the norm – for example if the user has broken a finger and has to operate a phone differently.
Behavioral biometrics has achieved accuracy levels of 99.87 per cent in independent testing. It can also spot remote access Trojan attacks, where a fraudster works in the background – something that has to date been very difficult. A valuable additional benefit is that just as banks build up genuine user profiles from customer behaviour, so they can profile fraudsters’ activities.
Often the same hacker will try repeatedly to access multiple accounts within a bank or different banks. In this case, behavioral profiling can spot that the same physical human is behind them all. This opens up the possibility of banks and banking platform providers creating blacklists of known fraudsters that can be shared, speeding up their detection and further improving security. It could also contribute to their capture and prosecution. An added benefit is that banks can review a customer complaint about a transaction from its log, compare it with the unique biometric and spot any fraudulent claims.
All told, it is an impressive line of defence against fraud and is part of a new wave of technology being used by banks as the imminent application of the European Payment and Services Director 2 (PSD2) ramps up pressure on them to tackle the fraudsters.
Banking is a competitive, crowded market. Strong security with a good customer experience gives banks a competitive edge. Behavioral biometrics provides both and cuts costs. It’s the modern, effective solution to the age-old problem of fraud.
Mark Gent is the director of worldwide sales engineering at BehavioSec