Behavioural Biometrics is a new way of doing security, particularly in consumer, retail focused and mobile facing platforms. Older technologies created friction and actually stopped people from using services. Behavioral technology allows us to quite accurately analyze how a user interacts with their device and based on their previous behavior will determine if they are who they say they are.
It’s already widely used in the Nordic countries by banking and finance companies as an anti-fraud tool and we’re now starting to move into other parts of Europe.
What sort of things is the technology looking for?
The way you use the device. Do you zoom across the screen with the mouse and then hover over a button? Which way do you circle the cursor? On mobile devices it would also be the depth of touch, how you move your finger across the screen, how much of your finger is on the screen, how hard you’re pressing, the angle you hold the phone and so on. This stuff is incredibly hard to mimic. It can be captured with no need for extra hardware or for the user to do anything different.
So, rather than credit card companies looking for suspicious behavior, such as a sudden change in usage patterns, to determine if card details have been compromised, behavioral analysis can detect fraudulent use in the way the user swipes the screen. There will therefore be less need for challenges just because you’re using your card in a different country.
Can it be easily added to existing software or websites?
Yes, typically a bank would enable the technology on a website or a mobile app in order to capture events. The back end then uses big data and machine learning in real time to analyze events and compare them to what you’ve done in the past.
Doesn’t that slow things down?
Performance issues, certainly on mobile, come down to how much bandwidth you take up. This technology is very, very light because the hard work isn’t done on the device itself, it’s done on the back end. Plus the amount of data transmitted is very small compared to things like using images for authentication.
If you think about using security methods like having a key card reader, the management of those things in terms of training and support calls, replacing devices when batteries fail and so on takes up time and costs money. Behavioral technology is lightweight and transparent to the end user so the overhead is very low.
Does the technology need to learn your behavior before it becomes effective?
Normally if you do a transaction seven to 10 times that’s enough to enable the security. But in practice we let people work in the background and the software itself will tell the back end system how much training it has and when it’s enabled. We don’t just analyze the login, it looks at all the transactions you do with the site or the app, so a rich amount of data is collected every time.
In the initial stages if it doesn’t have enough information to work then you’ll still be challenged to provide two-factor authentication or similar. Experience in the Nordic countries is that people use mobile apps more than they use internet banking, particularly with the ability to make mobile payments, so the system can be operational quickly.
What happens when suspicious behavior is detected?
There’s no one-size solution for all customers. It can be used to challenge a transaction by asking for another authentication method or by alerting an agent to call the customer. It can also be used to log information to provide support for fraud investigations.
One of the concerns businesses have is that too much authentication can actually drive customers away. By reducing the amount of friction and issuing fewer challenges this technology can ensure customers stay loyal.
We worked with a bank in Germany that told us it was calling about 8,000 people a month to challenge suspicious behavior, yet only three were due to actual fraud. Using behavioral biometrics they were able to cut the number of calls made each month down to 80 which is not only a cost saving it means less chance of alienating customers.
Is this just for banks or are there other applications?
The early adopters have been the banking and fintech companies as they tend to be the ones that take the issue of fraud most seriously. We’re now seeing interest around payments and ecommerce in terms of prevention and reduction of fraud and ease of use.
Longer term, because it allows you to tell if a person is who they say they are, there’s scope in things like education where you could, for example, check that the right person is sitting an online exam. It could also be used to police paywalls as you’d be able to tell if an account was being shared between several people.