At Finovate this week, BioCatch, a firm specializing in capturing and analyzing cognitive biometrics, demonstrated a new trend in mobile security. The concept has been rapidly adopted by major banks and e-commerce firms, where it has been wildly effective at stopping fraud at the point of sale.
Behavioral authentication tools are capturing the behavioral footprint or cognitive DNA we all use when interacting with a device, be it a PC or a mobile application. A mobile device's gyro can capture the tilt of the user's hold, and the accelerometer captures swipes, pinches, zooms, and typing cadence. It takes only an application upgrade to start capturing subtle bio-behavior data and relaying it back to the bank to build user profiles.
If the sensors and signals show enough divergence in behavioral genetics, it can indicate an account takeover, even if all other elements -- like username, passwords, IP address, and device identification -- appear legitimate.
Malware also has DNA of its own in the scripts that are meant to go in and populate credentials in accounts and execute wire payments or whatever it is designed to do. The scripts are meant to look human, but they can look too perfect, or maybe too efficient. Even with malware scripts that have been made anonymous and developed to be polymorphic (coded to do things differently each time), there's still an underlying behavioral DNA.
This is helping to address one common scenario. Hackers often hire people to go through a stack of identities, compromised or synthetic, to open or enter online bank accounts. Understandably, someone whose job is to hammer out as many new accounts as possible gets good at jumping from field to field, and the mouse movements are more or less the same. Patterns emerge. Now that banks are leveraging biometric identification and machine learning analytics, they are alerted when a number of new accounts appear innocent but share an underlying human behavior that points to a single common user.
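A minimal sketch of the two checks described above, added here as an illustration and not taken from BioCatch, NuData, or any bank: it links new accounts whose field-to-field timing profiles are nearly identical (one operator behind many identities) and flags sessions whose timing is too uniform to be human. The feature (seconds between form fields), the thresholds, the account names, and the sample data are all assumptions constructed for this example.

```python
import math
from statistics import mean, pstdev

# Constructed sample data: seconds spent moving between five form fields
# during account opening. Feature choice and values are hypothetical.
SESSIONS = {
    "acct-101": [1.9, 0.8, 2.4, 0.6, 1.2],
    "acct-102": [2.0, 0.8, 2.5, 0.6, 1.3],
    "acct-103": [1.8, 0.9, 2.3, 0.7, 1.2],
    "acct-204": [4.1, 3.0, 1.2, 5.5, 2.2],
    "acct-305": [0.9, 6.3, 3.8, 1.1, 7.4],
    "acct-406": [0.50, 0.50, 0.51, 0.50, 0.50],
}

def distance(a, b):
    """Root-mean-square difference between two timing profiles."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / len(a))

def scripted_sessions(sessions, min_cv=0.05):
    """Sessions whose coefficient of variation is below min_cv (assumed
    threshold): timing that is 'too perfect' for a human operator."""
    return sorted(k for k, t in sessions.items() if pstdev(t) / mean(t) < min_cv)

def linked_groups(sessions, max_dist=0.2, min_size=3):
    """Single-linkage grouping: accounts whose profiles lie within max_dist
    (assumed threshold) of each other are treated as one likely operator."""
    parent = {k: k for k in sessions}
    def find(k):
        while parent[k] != k:
            k = parent[k]
        return k
    ids = sorted(sessions)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if distance(sessions[a], sessions[b]) <= max_dist:
                parent[find(b)] = find(a)
    groups = {}
    for k in ids:
        groups.setdefault(find(k), []).append(k)
    return [g for g in groups.values() if len(g) >= min_size]

if __name__ == "__main__":
    print("likely same operator:", linked_groups(SESSIONS))
    print("script-like timing:", scripted_sessions(SESSIONS))
```

In production the profile would carry many more signals (tilt, swipe, and mouse-path features) and the thresholds would be learned from labeled traffic, not fixed by hand.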
Jens Hinrichsen, senior vice president of business development for NuData Security, which employs behavioral biometrics and predictive analytics as part of its NuDetect solution, says extraordinarily large organizations have already deployed passive behavioral biometric capture technology on mobile and PC channels. It's proven effective every day, minute by minute, in detecting tens of thousands of accounts that appear suspicious based on their behavioral genetics.
"Banks would never have correlated these acts of fraud and false accounts being opened without looking into the behavioral biometrics data," Hinrichsen says. "This kind of ability is opening up doors of how financial institutions and others deal with risk."
The next wave of how security teams can get ahead of the fraudsters is through a real-time non-PII network effect across the industry, he says. If one bank has found that 50 accounts are being opened by the same person, there might be four other financial institutions that have seen the same behavioral footprint attack them and interact with their online applications. Ideally, banks want the ability to correlate that biometric data across institutions in real-time, so damage can be avoided.
At the end of the day, institutions want good people to do more and keep bad guys out. The ability to passively pick up on aspects of what users are doing on multiple channels, and to monitor the underlying biometrics in real-time, is helping firms predict and protect across the lifecycle of their clients.
"You can't get rid of your DNA," says Hinrichsen. "The data is in the device. We just have to make sense of it and make use of it."

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...