FindBiometrics President Peter O’Neill recently spoke with Frances Zelazny, Vice President of Marketing, BioCatch. The conversation starts with a look at research suggesting that behavioral biometrics are on the verge of becoming a mainstream modality and then takes a look at the most interesting of BioCatch’s many key patents. The interview then delves into the nuances of behavioral authentication and threat detection before examining the modality’s appeal in financial verticals and finally touching on the deployment process of this new technology.
Read the full interview with Frances Zelazny, Vice President of Marketing, BioCatch:
FindBiometrics: Behavioral biometrics are relatively new to the scene as a biometric modality, but they are quickly gaining popularity. New research from Acuity is projecting behavioral biometrics are going to go mainstream this year. Do you think that’s an accurate forecast? What is driving that popularity?
BioCatch: Yes it’s true, behavioral biometrics is already considered the third most popular biometric technology, behind finger and face, and tied with iris, according to a recent survey by your website, in fact! But we have seen this validated also in a new research report by the Mercator Advisory Group, which predicts, “behavioral dynamics will play an increasingly important factor in establishing trust factors,” and by our own company’s activities in the last few months alone.
We are in a very mobile and digitally driven era, and our devices have shifted from primarily hardware-based solutions to cloud-based solutions because of the rise of mobile. In the past, we have used very archaic solutions to fight cybersecurity, not recognizing that this is a 21st century battle that we are currently in. With the pace of hacks and cyberattacks continuing relentlessly, people are recognizing that we need a new approach to cybersecurity. The fraudsters are able to circumvent multi-factor authentication, that we know and continue to see. This makes the need for a passive, continuous modality more urgent. We believe that behavioral biometrics is so popular because it matches the speed and pace of today’s shifting innovation, while providing actual solutions that are in favor of our mobile ecosystem.
FB: BioCatch has more than 40 granted and pending patents, and 2016 was a huge year for your company’s IP growth. Can you talk a bit about the important role IP plays in the world of behavioral biometrics? What are some of the more important and exciting patents BioCatch has related to authentication?
BioCatch: Yes, 2016 was a huge year for us in terms of patents, and the growth of the company’s IP portfolio highlights the company’s differentiation and innovation in always staying one step ahead of the fraudsters. Hackers are only going to get smarter and cleverer, and it is important that we are constantly giving our clients options to fight back.
One of the most interesting patents that we have is called Invisible Challenges. Through Invisible Challenges we introduce “tests” into the online session that users subconsciously respond to without sensing any change in their experience. Everyone reacts to an Invisible Challenge differently, which is why it is so exciting and effective. All together, we collect more than 500 parameters of behavior and assign a profile to each user that is based on the 20 parameters that are most unique to them. Each person’s profile is based on different parameters. What this means for the fraudster is that (a) he doesn’t know how he is supposed to behave to trick the system, unlike a known password or code that can be stolen and (b) he doesn’t know when the system is testing him. And so what our system does, is look for any differences between a user’s normal behavior and what is actually happening in a session, whether it is a breach by another human, or a piece of malware or a robot that is conducting activity on a person’s account.
FB: BioCatch’s technology has a number of applications, but first I want to talk about authentication. Your technology can passively authenticate users based on cognitive, behavioral and physiological pattern analytics. What sort of advantages do behavioral biometrics have that make them stand out in a crowded biometrics landscape when it comes to authentication? Are there foreseeable scenarios where behavioral biometrics are combined in a multi-factor scenario?
BioCatch: The promise of behavioral biometrics goes beyond traditional logon. Only by adding a passive layer of authentication on a continuous basis, is it possible to know WHO is behind a session in real-time, not only what device, or password, or biometric was used to login.
The fact is, after spending nearly 20 years in this industry, there is no doubt as to the accuracy and utility of traditional biometrics. They are effective and useful, and have tremendous applications in securing the login. However, the fraudsters have figured out how to get around it, and to simply hijack a session after the legitimate person has logged in. A classic example of how this happens in the corporate environment is for a fraudster to get control over the CEO’s email account, and then to send a message to the CFO telling him/her to transfer money to the fraudster’s account. In this scenario, the login action is being done by the legitimate user and so with traditional techniques, it would be very hard to identify that a fraud had actually been perpetrated. This type of attack is very popular in the EU and the UK, and it grew rapidly in the US last year.
FB: Your company’s technology can also be applied to detecting malware, bots, and remote access tool (RAT) attacks. Do you see a lot of overlap between these threat detection applications and authentication? I imagine that identifying a piece of malware looks different from verifying a human identity.
BioCatch: Yes, RATs behave very differently than a person working on their local PC. Once a RAT is installed it can be used without detection as long as the user is connected to the Internet. One of the many problems with RATs is that the current fraud detection solutions used by banks aren’t designed to detect them; and that leaves users vulnerable to a growing epidemic of remote access attacks.
At BioCatch we use a unique approach in detecting RATs. Most systems used today examine device data, which cannot detect when a RAT is present. We monitor and analyze a user’s cognitive behavior without interfering with the user experience, track a user’s unique profile throughout the session, and can instantly detect and alert the bank when we spot abnormal user behavior consistent with a RAT, whether it is a human imposter or malware-based.
FB: Banking and payments are major areas of applications for behavioral biometrics from both an authentication and threat-detection standpoint. What are some examples of the financial use cases BioCatch is seeing the most demand for? What are some other markets/industries BioCatch technology is well suited for? It seems like the enterprise sector would be very interested in technology like this.
BioCatch: The financial services arena is clearly the leading vertical in the adoption of behavioral biometrics, because of the heavy demands of online and mobile banking from a customer convenience perspective and also operational perspective. Banks would like to provide as much functionality as possible through their digital channels, but this must be balanced with security imperatives. It is impractical to ask a user to authenticate repeatedly in a session; so incorporating a passive authentication method becomes very attractive. The customers that we have work to identify their pain point within a session and this is where they opt to employ the authentication measure while we collect the behavioral data in the background continuously. For example, adding payees or changing phone numbers is recognized as being a high risk action. Instead of sending customers to the call center to verify identity, the system is able to flag in real-time if there is an anomaly in the behavior of the user conducting that action.
We are able to apply the same principle to new account openings or new application filings (like for credit cards), as well as in the insurance and trading realms to detect online fraud activity. E-commerce, enterprise and e-government are also areas that experience the same risks and where behavioral biometrics can apply.
FB: Accessibility and ease of implementation are becoming big distinguishing factors between security solutions, especially in verticals like enterprise and healthcare. What is the deployment process like for BioCatch?
BioCatch: BioCatch implementation is actually very simple. Unlike traditional biometrics, there is no active enrollment. By installing a simple JavaScript on a website, a bank can begin implementing this modality. The technology behind it assigns a user profile, based on the collection and analysis of over 500 traits including hand-eye coordination, pressure, hand tremors, navigation, scrolling and other finger movements, etc. As mentioned earlier, to create the user profile, the system detects the parameters that are most strongly associated with the user, meaning that, for those parameters, the user does not behave like the rest of the population. Each person’s profile is made up of different unique parameters and can be linked across devices. Even if the person is new to the system, it is still able to pick up different kinds of fraudulent activity (criminal behavior, malware, bots, RATs, aggregators, etc.) and provide real-time alerts. As a result, the ROI is immediate and can be quantified. We also have an Analyst Station where all the activity is logged, which is very useful for investigators and fraud departments.
FB: Frances, thanks for taking the time to educate our readers about the rapidly growing Behavioral Biometrics area. Great to hear from a leader with your depth of experience in our industry. In fact, you were one of the first speakers I ever heard when I started in the Biometrics industry 15 years ago!
BioCatch: My pleasure. Wonderful to speak to you again, Peter.