Behavioral biometrics are a powerful identity tool that can be used for frictionless authentication and anti-fraud purposes, and as new advances in AI, mobility and connectivity emerge, the invisible modality is evolving to serve even more applications. To learn more about the latest advances in behavioral biometrics, FindBiometrics Managing Editor Peter Counter spoke with a leading expert on the topic: Frances Zelazny, Chief Strategy and Marketing Officer, BioCatch. In part one of the expansive two-part interview, Zelazny delves into the specifics on how behavioral biometrics can thwart complicated vishing fraud attacks, before discussing the booming behavioral insights marketplace and the importance of BioCatch’s latest partnerships.
This conversation serves as the perfect lead-in to next week’s K(NO)W Identity Conference in Las Vegas, where Zelazny will be speaking on the panel: “That Thing You Do: Behavioral Biometrics and Predictive Analytics.” The event is scheduled for Tuesday, March 26 at 11:30 am local time, and promises to shed light on “the unique potential of dynamic behavioral biometric tools to reduce friction and fraud,” according to the conference agenda.
Read part one of our interview with
Frances Zelazny, Chief Strategy and Marketing Officer, BioCatch
Peter Counter, Managing Editor, FindBiometrics & Mobile ID World: In the most recent update to the BioCatch platform it is specifically aimed at vishing. What is vishing and how can behavioral biometrics counteract it?
Frances Zelazny, Chief Strategy & Marketing Officer, BioCatch: Vishing is a form of something called authorized push payment fraud which is basically a whole variety of scams comprised of the user defrauding themselves. The most common one occurs on the phone but there are also the romance scams which are cultivated over time and then the fraudsters ask their victim to start wiring money and the whole thing ends up being a fraud. So, there are all kinds of authorized push payment (APP) scams and they come in all different flavors. In general, these are very, very hard to identify because it is the person defrauding themselves – and who wants to say that they got scammed?
Today, in the UK, the whole category is the fastest growing fraud. There was a report issued by UK Finance that said in the first half of 2018 alone British banking customers lost £500 million. Within those there were 4,000 cases of vishing, and these are phone scams. Vishing is a voice-based social engineering scam, and what happens is the fraudster calls a person on the phone and they convince them to make a transfer. So, no method of authentication or fraud prevention will detect something like this because it involves the right person, the right device, the right location, and they are doing an authentication that would pass.
A typical scenario would go like this: Mrs. Bulkly gets a phone call from her telecom company saying she is overdue on her account and they say if she doesn’t pay with a debit card, they will shut off her cell phone. So, she gives the debit card and they say, “Thank you very much.”
Then 15 minutes later she gets another phone call and this time it’s her “bank” saying, “What is this debit charge from the telco company?” And she says that if she didn’t pay with her debit card they were going to shut off her account.
Then the bank says, “That wasn’t your telco company, that was a fraud and now your debit card is linked to your bank account so they have access to your bank account. So, we need to shut your bank account and transfer all your money over to a new account, and don’t worry I’m going to tell you what to do.”
So, they walk her through this elaborate scheme and tell her what to do and low and behold she transfers all of her life savings into a new account. And not only was the first phone call a scam, but the second phone call was a scam. The whole thing was a scam.
Welcome to vishing.
This scam is very, very sophisticated, and if anybody that thinks they are immune or that they wouldn’t fall for it is fooling themselves, because these fraudsters are really, really sophisticated and they use all the data that is available on the dark web from their hacks and data breaches and all the personal data that is circulating.
Where does BioCatch fit in with all of this? You are probably wondering what behavioral biometrics has to do with this or biometrics at all for that matter? As I mentioned, standard authentication and fraud prevention approaches won’t work, and even traditional behavioral modeling won’t work because it is the same user. So, this gets to the heart of what BioCatch actually does: we call ourselves a behavioral biometrics company but actually the strength of BioCatch is in what we call behavioral insights. It is our ability to collect and analyze more than 2,000 parameters of user behavior. Some of these are physical behaviors and some of these are cognitive behaviors. Our IP portfolio takes these into account, in addition to techniques that have to do with soliciting further behavioral information to distinguish a person from another person, or another thing – like a malware or a bot – but also extract other non-abnormal behavior even if it is the right user. We call these techniques Invisible Challenges.
Let’s look at all this in the context of vishing. If you are under the influence of a fraudster and he is telling you what to do, you might be confused, you might be hesitant. If they say, “Log into your bank account and start transferring money,” you may use different functions in the app that maybe you wouldn’t have used before, and that slows you down. Your mouse movements might be a little bit different, you might hesitate, you might make more mistakes because you’re nervous or you are being asked for information that you normally aren’t asked for. All kinds of things that in and of themselves don’t really mean anything, but when you put them in combination can actually be a powerful indicator, like a vishing attack.
So, back to BioCatch – the whole BioCatch story has to do with really understanding user behavior, establishing insight, using patented techniques to then discern what you actually do with these insights. You can use these insights to actually authenticate a person which is more like traditional biometrics; you can use these insights to identify that a person is an expert user in an account opening process, which means he is most likely a fraudster using synthetic or stolen identity as opposed to a legitimate person applying for a credit card; you can use these insights to detect vishing like we just said; you can use these insights to detect an account takeover attack, which could be coming from all kinds of places. And this is the BioCatch story, it’s very, very different than the traditional world of biometrics.
FB: Yes, it reminds me of something that I have heard you speak about before, which is sort of at the heart of anti-fraud, which is all fraud occurs within authenticated sessions whether it is a cooperative user or somebody has bypassed the authentication one way or another through a spoof. That’s incredibly robust.
BioCatch: Right, so vishing is an extension of this. It is true that 100 percent of fraud BioCatch finds happens in authenticated session – usually those things are coming from methods or techniques where they are circumventing the actual authentication. This vishing stuff is really frightening because it is fraud and it’s the person defrauding themselves.
FB: And as you said that is something that is really important to have a solution for because it’s a classic con where you are so embarrassed by it that I wonder how many vishing scams go unreported just because of general embarrassment.
Moving on, a report released by Allied Market Research is forecasting rapid growth for behavioral biometrics, the revenues are expected to hit almost $4 billion by 2025, I’m wondering from your perspective what is driving the demand for behavioral biometrics specifically, and if there have been any recent industry developments that have helped to boost behavioral modalities?
BioCatch: In general, I think behavioral biometrics are super attractive because they are passive and they don’t interrupt the user experience. You know that I have been in this biometric space for a long time and I have worked with all different modalities so this isn’t a knock on any specific modality – they each have their pros and cons – but in the online channel it is very, very challenging to provide security as well as a seamless online user experience. It has always been a traditional trade-off. And I’m not talking about logging in because you can solve the login in many, many ways, but once you are within a session, and going back to when we were talking about that 100 percent fraud happens in authenticated sessions, the only way up until now to really provide an end to end secure session is for you ask the person to re authenticate every few seconds. That is a non-starter. In order to provide this seamless and secure experience you need to have secure passive authentication and that is what behavioral biometrics essentially provides.
The other thing from a BioCatch perspective when analyzing user behavior, you can actually apply this modality across the ecosystem. You actually can’t do this with other modalities as most of them require you to be in a system in order to validate that you are who you claim to be. Behavior is the only one that can actually be used from identity proofing to authentication to account takeover. But it is even more than that. The fact is that banks and enterprises are sitting on all these troves of user information and what they want to know is: “How can we create sticky, more loyal brand experiences?” If I don’t have to be re-authenticated when I call the call center because they see that it is me in the digital channel, or the fact that I show in Spain and buy a gift for my husband and I don’t get rejected, I’m going to have much more brand loyalty to that retailer than to the website that rejects me.
I’ll give you another example: one of our top credit card customers deployed BioCatch and what they found was that not only were we catching 50 percent more fraud but we were also able to reduce false declines by 33 percent. False declines come from all sorts of things: it could be a typo, it could be a guy on a new device, a new location or what not.
And this is the main thing driving the growth of behavioral biometrics – less fraud, less friction, more functionality, better user experience, and ultimately all that translates to better results on the bottom line.
FB: That is really interesting. Because we have talked a lot about how behavioral biometrics and behavioral insights are different from the traditional biometric modalities but that this one very interesting commonality that they have and that is that the user experience really does seem to drive adoption all across the board.
BioCatch: But it is both, it is the security as well as the experience.
FB: Of course, you just can’t have an open door. We have been talking a lot about financial services and that seems to be the dominant area of application for behavioral biometrics but obviously fraud exists all across the board and as you just said behavioral biometrics isn’t only about mitigating fraud. What are other vertical markets that you see behavioral biometrics gaining traction now and over the next few years?
BioCatch: It definitely started with core banking and you see it spreading to adjacent markets or verticals that have the same problems like credit cards, insurance, payments. Clearly PSD2 is going to drive a lot of commerce, payment providers, and there are tons of other verticals that have very similar challenges in terms of onboarding, authenticating, and preventing account takeover like government applications, healthcare, transportation. And many, many others where you need to protect the integrity of the session, enable seamless experiences that are secure. This is fascinating to me because it is really a horizontal play; it’s not limited to a specific use case.
FB: Speaking of partners and collaboration, recently BioCatch announced collaboration with ACI Worldwide aiming to protect online and mobile banking customers from fraud. What can you tell me about this new partnership?
BioCatch: We have a number of value-added reseller partnerships and ACI is one of the latest ones we announced. ACI with BioCatch provides a one-stop shop to the banking world. They also have solutions for retail and other verticals. They provide the entire platform, and now BioCatch becomes part of that solution, which makes behavioral biometrics much easier for the broader market to consume.
*
Stay posted to FindBiometrics next week for part two of our interview with Frances Zelazny, Chief Strategy and Marketing Officer, BioCatch.
Follow Us