By: Ryan Wilk, Director of Customer Success, NuData Security
Last year, cyber criminals got hold of hundreds of millions of records containing the personal data of customers across all industries. Name-brand retailers were hit particularly hard, sometimes in ingenious ways, and at least one major bank suffered an embarrassingly large data theft. IT teams are not usually run by psychics, so they must do their level best to protect user data – and their best often proved not to be good enough. That’s because hackers are insidious in their ability to keep creating new attack vectors.
Many times, the sought-after commodity is credit card numbers, which malicious actors use on other e-commerce sites or sell to fellow criminals. While dealing in stolen financial data is still a lucrative endeavor, a shift is occurring in the value of another commodity: usernames and passwords. Because many people use the same credentials across multiple Web accounts, a cascading effect occurs if a hacker gets hold of those credentials. Suddenly, all those accounts can be accessed – including email accounts, if those credentials work for email as well.
Banks employ a variety of methods to safeguard their users. These methods include authenticating users by sending an SMS message to a user’s cell phone and Knowledge-Based Authentication (KBA), in which users answer pre-defined questions (“What’s the name of your first pet?” “Where did you meet your spouse?” etc.). While these methods provide an added layer of protection, they also add customer friction, potential customer insult and lost conversions, all of which a business wants to avoid.
A newer user validation method works in a much different way: it focuses on the subconscious aspects of a user’s behavior. This grants insight into whether they really are who they claim to be. These are called subconscious metrics, and they look at how a user functions at the most basic level – just below the level of awareness. In day-to-day life, this can be as simple as always putting on your left shoe first. When online, it’s more complex, like the speed at which you type your email address into a username field on a website. These experience-based data points are unique to the user and very difficult to mimic or forge. The collection of this data is 100 percent non-intrusive to the end user and gives you the ability to monitor, authenticate, verify and gain confidence in who your users are, all in real time.
Brute Force, Username Testing and Account Testing are some of the methods used to take over accounts, one of the most popular forms of identity theft today. For anyone trying to protect their web or mobile user accounts from such schemes, the concept of subconscious metrics is an exciting one. If you can verify that the username and password entered are correct and also that the subconscious behavioral patterns match previous interactions, you can feel much more comfortable allowing that user to proceed. The opposite is true as well: if the user comes back with the correct username and password but the subconscious behavioral elements drastically differ from prior interactions, there is now powerful intelligence available to protect both the account holder and the overall brand.
It becomes much more difficult for a fraudster to impersonate a legitimate user when behavioral profiles are used as a fraud detection method, because these profiles are composed from hundreds of subconscious behavior measures. This allows us to determine that a change in a user’s behavior is not malicious, such as using a computer instead of a smart phone, while still seeing that the majority of the behavioral elements displayed by the user match. Most of today’s authentication systems would create customer friction based solely on a user logging on from a different device.
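As an added illustration (this is not NuData’s product logic or any code from the article), here is a toy version of the profile-and-compare idea described above: keystroke cadence in the username field is reduced to a few features, a per-user baseline is built from earlier sessions, and a login is stepped up only when a majority of signals deviate, so a device change on its own does not create friction. Every session, feature and threshold here is constructed for the example.

```python
"""Toy behavioral-profile check: score a login's username-field keystroke cadence
against the user's own history. Added illustration, not NuData's product logic."""
from statistics import mean, pstdev

# Constructed sample history: inter-key intervals (ms) while typing the username
# on five earlier sessions, plus the device class seen on each.
BASELINE_SESSIONS = [
    {"intervals": [120, 135, 128, 142, 131, 125], "device": "desktop"},
    {"intervals": [118, 130, 133, 138, 127, 129], "device": "desktop"},
    {"intervals": [125, 140, 122, 145, 130, 124], "device": "desktop"},
    {"intervals": [122, 132, 129, 140, 135, 126], "device": "desktop"},
    {"intervals": [119, 137, 131, 139, 128, 127], "device": "desktop"},
]

def extract_features(session):
    """Three cadence measures the profile is built from (a real system uses hundreds)."""
    iv = session["intervals"]
    return {"mean_interval": mean(iv), "max_pause": max(iv), "min_interval": min(iv)}

def build_profile(sessions):
    """Per-feature (mean, spread) over the history; spread is floored at 5% of the
    mean so a very consistent typist does not end up with a brittle profile."""
    rows = [extract_features(s) for s in sessions]
    profile = {}
    for name in rows[0]:
        vals = [r[name] for r in rows]
        mu = mean(vals)
        profile[name] = (mu, max(pstdev(vals), 0.05 * mu))
    profile["devices"] = {s["device"] for s in sessions}
    return profile

def score_login(profile, session, z_limit=3.0):
    """Return the signals that deviate from the profile and the resulting decision.
    A new device counts as one signal among several, so by itself it does not
    trigger friction; a majority of deviating signals does."""
    feats = extract_features(session)
    deviant = [n for n, v in feats.items()
               if abs(v - profile[n][0]) / profile[n][1] > z_limit]
    if session["device"] not in profile["devices"]:
        deviant.append("device")
    total_signals = len(feats) + 1
    decision = "step-up" if len(deviant) > total_signals / 2 else "allow"
    return {"deviant": deviant, "decision": decision}

if __name__ == "__main__":
    prof = build_profile(BASELINE_SESSIONS)
    # Constructed: the same cadence from a phone, then a much faster typist on a desktop.
    print(score_login(prof, {"intervals": [121, 134, 130, 141, 129, 126], "device": "mobile"}))
    print(score_login(prof, {"intervals": [40, 45, 38, 52, 41, 44], "device": "desktop"}))
```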
Avivah Litan, security and privacy analyst for Gartner, encapsulated the current fraud security zeitgeist in a recent research note: “The ultimate goal of OFD [online fraud detection] is: continuous behavioral profiling of users, accounts and entities.” A best practice for financial institutions looking for an authentication approach is to search for one that creates the most accurate behavioral, account and entity-profiling model available.
The best option for success in user validation is to gather and analyze a huge number of data points to discern who is really responsible for a transaction. This is called complex behavioral biometrics. The subconscious aspects of this behavior elevate our strategy so firms have a powerful weapon to protect their community of users against dangerous attacks such as account takeover and identity theft – and do it absolutely passively.
Zeroing in on subconscious behavior measures is an exciting new option in the fight against online fraud. It is a comprehensive method that greatly increases the likelihood of financial institutions being able to detect fraudulent behavior and, subsequently, keeping customers—and your bottom line—safe.