GUEST ARTICLE: User Behavioural Biometrics: The New Frontier In Security

Technology firms are battling to stay a step ahead of crooks and malicious intruders. Welcome to the emerging world of behavioural biometrics.

With cybercrime proving to be a major worry for financial
services firms, as a number of recent industry surveys suggest,
banks and other firms need to develop ways to stay ahead of
criminals. In this commentary, Ryan Wilk, director, NuData Security,
examines the area known as “user behaviour-based biometrics” -
another tongue-twister to add to the lexicon of financial
technology. NuData Security is headquartered in Vancouver,
Canada. The editors of this publication are pleased to share
these views with readers; as ever, the views are not necessarily
shared by this publication and readers are invited to
respond.

Gone are the days when online security could be trusted to a
simple username and password combination or simple identity
checks. As fraudsters got better at bending and breaking the
system, e-commerce and digital banking initiatives had to keep
pace, creating tough rule-based systems to check for fraud and
adding new technology like IP detection and device ID. But even
these measures are no longer enough. The next great leap in
digital security isn’t based on a device or a password, but on
the user themselves.

User behavioural biometrics (UBB) combines a biometric and
behaviour-based analysis of the user. Until recently, security
technology looked solely at what data was entered and what device
was connected. But you can only understand so much about the user
with only two pieces of information.

And what if the user changes or upgrades their device? You would
lose half the visibility. UBB adds layers of nuanced
information from passively observed behaviour that goes beyond what
data they put in and what device they use. It allows one to
really understand how the user interacts with the mobile or web
portal.

But how exactly do we define behaviour in this context? It is how
the user interacts with the website in passive, yet very
specific, ways that are unique to every person – akin to a
fingerprint. For example, there is information such as typing
speed and patterns, how users habitually navigate the website,
their patterns of online usage, or even how they hold their
mobile device. These behaviours and hundreds of others, coupled
with traditional passwords and connectivity details, offer many
layers of information and a more complete picture of the
user.

When you start passively observing layers of user behaviour and
biometrics, from the moment they land on your site, create an
account and across every interaction on the website, you build a
profile for that user that doesn’t rely on the device they use or
the password they enter.

Every time users return to the environment, you can measure that
behaviour against their unique historical data. You can finally
answer, “is this the real user?” with confidence. You can compare
that behaviour with other good users to broaden your
understanding of how your good users behave and you can even
answer with the same certainty, “is this user behaving like a
human being?” and “is this user acting safely?” and act
accordingly in real time.

User behavioural biometrics helps e-commerce businesses fight
fraud by bringing a wider context to every transaction decision.
Most e-commerce merchants simply look at the transactions and use
knowledge-based fraud prevention techniques that rely on
personally identifiable information (PII) and payment card
industry (PCI) data, even though that data is too freely available
to be secure. Moving beyond easily compromised PII and instead
relying on a user’s unique behaviour protects both your site and
your users.

Fraudsters know that traditionally e-commerce merchants and
financial institutions have relied on knowledge-based
authentication (KBA) for their fraud prevention strategy,
which means they authenticate by the user having the right answer
to pass the test. So long as the fraudster has the cheat sheet,
they don’t have to worry about getting the answers
right.

That’s why UBB is so important. Even if the fraudster has
the correct password, their behaviour on the site before the
transaction is a dead giveaway that something’s wrong.
Fraudsters behave completely differently from a good user, so
differently that it gives security teams a sneak peek at
fraudsters' plans because it becomes strikingly evident when they
are testing stolen accounts in bulk before an upcoming brute
force attack. And since all of these transactions are monitored
in real time, it’s easy to determine which accounts are at risk
right now and what future interactions are highly likely to be
fraudulent.

By observing behaviour from the point of login, to registration,
to the point of purchase, companies are able to better understand
when a purchase may not be legitimate, even when a “user” is
successfully logged in using stored payment information. And
while fraudsters are just starting to realise their tactics of
yesterday don’t work anymore, user behavioural biometrics will
continue to hold them back because user behaviour can’t be
copied, stolen, or spoofed.

User behaviour analytics layered with behavioural biometrics, and
combined with traditional security measures, gives the industry
the ability to understand users like never before. Knowing
who the user is based on how they behave protects business and
users alike in a passive, unobtrusive, invisible way with a
success rate second to none.