How Behavioral Biometrics can help you fight online banking fraud

We would all agree in saying that digital services help us improve our everyday lives, lifting us from the burden of lack of time and gifting us with more efficiency and speed in a wide variety of activities. From shopping to working, from managing our money to learning, today we do mostly everything online and expect to do even more in the future.

Vendors in all industries are running towards new and more advanced technologies that provide the best digital experience across channels while protecting customers from the growing cyber threats that come with the digital evolution.

In particular, the past few years have seen a consistent increase in the adoption of Behavioral Biometrics technologies, which seem to tick quite a few boxes for both customers’ protection, and digital user experience.

This article provides you with the essential information you need to know about Behavioral Biometrics, underlying the benefits and challenges of deploying such technology, with a focus on the banking industry, and explaining why it might not be enough to prevent the latest advanced fraud attacks.

Behavioral Biometrics is an advanced technology that leverages machine learning techniques to continuously assess the identity of online users, based on their behaviors, such as how they type, swipe, or move their devices.

By continuously monitoring the way users interact with their devices, the technology can build detailed behavioral profiles used as a reference to detect possible fraudulent activities. As soon as the system detects abnormal behaviors, alert responses are triggered in the background to perform additional investigations to protect the integrity of the legitimate user’s account.

If the now traditional authentication methods based on Biometrics require the user to explicitly act, for example by scanning part of their body, like fingerprints or faces, the innovative power of Behavioral Biometrics lies in the ability to work silently in the background during the entire users’ navigation, without interfering with their experience. Users are therefore never interrupted and can finalize their digital activities and transactions quickly and with no friction.

In the past few years, the number of online vendors that adopted this technology has increased considerably, and this will grow in the coming years. Researches show that the behavioral biometrics market will reach $3,922.42 million by 2025, registering a CAGR of 23.71% from 2018 to 2025.

In this context, the banking industry is where this technology performs at its best: on one side, it helps to fasten all types of online activities, from onboarding to payments, while on the other side, it increases the ability to recognize genuine users and prevent cyber-fraud. As a result, banks can be more competitive and focus more on innovating their digital offering while ensuring a safe and seamless user experience.

The common types of Behavioral Biometrics are related to body movements and device-based gestures.

‍Body movements include personal ways people move, sit or handle their devices, while device-based gestures include different ways people interact with their devices. For example, Behavioral Biometrics analyzes how users touch the mobile screen, move or click the mouse, and type on the keyboard.

Collecting such data represents an incredible advantage for security departments, as Behavioral Biometrics creates accurate behavioral profiles of each user (in an anonymised way) by building predictive models based on the latest machine learning techniques.

For banks and financial institutions, adopting Behavioral Biometrics means ensuring an extra layer of identity verification, as they deliver continuous identification and are very difficult to replicate. This means increasing the chances to detect a threat before the fraud occurs.

Behavioral Biometrics in banking grants businesses and product departments a decisive advantage if adequately used. They help build precise customers’ profiles, potentially guiding tailored improvements to the digital products and the user experience.

Therefore, thanks to the continuous monitoring of each session, Behavioral Biometrics strengthens the KYC (Know Your Client) capabilities, which are extremely important for banks and financial institutions today to prevent fraudulent activities.

On the other hand, Behavioral Biometrics might present some challenges that banks and financial institutions must consider when integrating this technology into their security systems.

This is because most Behavioral Biometrics technology providers still process biometric data in a centralized engine, which means data are collected, sent outside the user’s device, and stored in remote data centers. As biometric data are private and classified as sensitive data, banks and financial institutions must safeguard customers’ personal information by:

• Ensuring that the chosen Behavioral Biometrics technologies comply with all privacy regulations, such as GDPR.
• Adapting contracts and legal documents, and making sure users are aware that these data are being collected and know how they are treated.
• Making changes in the app user journey to enable users to deactivate the biometrics data collection whenever they want to.

As each user must give explicit consent for their data to be collected, Behavioral Biometrics technologies often end up being actively deployed only on a fraction of the entire customer base. Which might dramatically decrease the impact of this technology on the overall fraud detection capabilities of the organization. That’s why transparent and efficient external communication becomes crucial.

Moreover, depending on the chosen provider, it might require setting up secure data storing systems and getting them certified to comply with security and privacy regulations. This means that security departments need to be extremely careful about handling them, as they are directly responsible for their customers' data protection.

Today, the cyber-world is populated by fraudsters who possess enough resources and freedom to grow fast, develop new products, and win against cybersecurity. Fraud analysts, security experts, and software engineers work hard to stay ahead of the continuous threats' evolution and fight them by developing ad-hoc technologies.

Despite this, even the most advanced solutions, like Behavioral Biometrics, could not be enough to stop new generation attacks when working alone.

A recent example is our fraud analysts’ latest discovery, SharkBot, a new generation banking malware that perpetrates fraud by leveraging ATS (Automatic Transfer System) technique. Although this technique has been already largely seen on web apps, it is still relatively new in the mobile world. It auto-fills fields in legitimate mobile banking apps and initiates money transfers from the compromised devices without the user's ability to realize what’s happening.

The bad news? A threat like SharkBot can bypass Behavioral Biometrics because any action is performed by the genuine user.

To better understand how this works, picture a simple example:

• The user opens the mobile banking app and authenticates it successfully.
• Then he goes on to perform a payment he wants to do.
• At the very last moment, before the payment request is sent to the backend, the malware swaps the payee account number entered by the user with a new one.
• The malware also manipulates the confirmation message content, any OTP, and even the transaction history in the app so that, for the user, all looks ok.

In a scenario like this, looking only at Behavioral Biometrics will let fraud go undetected.

As fraud will keep evolving towards more sophisticated and informed attacks, it is crucial to consider an ecosystem of detection technologies and stop working in silos.

Behavioral Biometrics represents a powerful tool in banking if integrated with other detection capabilities, as it can help to look after online customers more comprehensively and understand their behaviors behind the scenes.

For instance, correlating anomalous biometrics such as handling the device or scrolling or typing in, with other important information from the users’ behavior (UBA), such as the indication of a new device, a new location, and a new sim, can give us more confidence in making the right decision when trying to detect sim-swap scenarios, and, as consequence, further lowering false positives rate.

However, it’s worth mentioning that, as we speak, this technology hasn’t proved to be robust for all scenarios. For example, it’s effective in distinguishing automated bots versus humans, but still needs correlation with plenty of other signals to be effective in verifying people's identity. This limit, together with the rapid development of advanced malware, makes it a priority for banks to integrate it with other detection technologies.

Together with Malware detection, Endpoint telemetry, Behavioral and Transactional analysis, to name a few, Behavioral Biometrics must be seen as one of the key components of an overall fraud management ecosystem based on the continuous cross-correlation of different kinds of micro-anomalies.

This is how we conceived the Cleafy platform: as a combination of multiple detection technologies that work together to monitor in real-time the user journey across all digital channels.

And this is how we make sure that banks and financial institutions keep their customers safe from online fraud and provide the best user experience of their digital services.