The reasons why Behavioral Biometrics alone cannot prevent online banking fraud

In our rapidly advancing digital age, where the world is at our fingertips with a mere tap or swipe, the need for robust security measures has never been more critical. Traditional authentication methods like passwords and PINs have proven vulnerable to cyber threats and identity fraud. 

That’s why it’s been a while now that Behavioral Biometrics has been chosen as one of the most promising technologies to protect banking customers from online fraud.  

However, believing this technology can stop fraud alone would be a lie. It can’t. 

In this blog article, we explain why Behavioral Biometrics, when used alone, falls short in protecting from online fraud and how you can keep cyberattacks at bay to protect your customers

‍

Behavioral Biometrics is a cutting-edge technology that allows continuous authentication of the user based on their unique behavioral patterns, such as typing rhythm, mouse movements, touchscreen gestures, and voice characteristics.

By going beyond what you know (passwords) and what you have (tokens) to authenticate your digital identity, this technology adds an extra layer of security to digital services, providing a robust and innovative approach to combat cyber threats and identity fraud.

In online banking, it promises to be a decisive competitive advantage and to speed up customer identification processes without interfering with the online experience.

Despite traditional authentication methods based on Biometrics, this advanced technology doesn’t require any user activity (like scanning fingerprints or faces). Instead, it works silently in the background during the user’s navigation.

The significant promise of Behavioral Biometrics in online banking fraud lies in the ability to analyze and build very precise customer profiles over time, helping banks tailor enhancements to digital products and the overall user experience.

The more the product is aligned with customers' needs, the higher the customer satisfaction will be. 

Moreover, the continuous monitoring of each user’ session through Behavioral Biometrics improves KYC (Know Your Customer) capabilities, a crucial aspect for banks and financial institutions in combatting fraudulent activities.

Nevertheless, integrating Behavioral Biometrics poses challenges that banks and financial institutions must address. 

First, protecting sensitive customer information is paramount, mandating compliance with privacy regulations such as GDPR. Behavioral Biometrics collect a significant amount of sensitive data, which use and storage must be explicitly accepted by customers.  For this reason, banks need to ensure clear and transparent communication with their customers.

Most importantly, this technology, if used alone, is not enough to detect most online fraud attacks, as it covers only a tiny portion of what needs to be monitored and analyzed to protect online banking customers. 

Let’s deep dive into this.

To ensure you fully understand the reason behind our statement, here are two real-life examples showing why Behavioral Biometrics cannot work alone. 

Fraud via APP: pure human manipulation

Authorised Push Payment fraud is a social engineering attack to trick customers into making payments to fraudsters’ banking accounts.

This usually happens when victims receive a call from a fraudster impersonating someone they trust; for example, it can be a fake call from the bank of the victim, asking to move urgently money from their account for emergency reasons, or maybe a call from their landlord asking for money for house renovations, and so on.  

Because ​​the victims believe the payment, the bank account, and the receiver are legitimate, fraudsters can convince them to complete the money transfer. 

APP fraud is today one of the most common and dangerous attacks, as the development of AI audio deep fake makes it harder for victims to acknowledge the illicit activity.

This is also shown in the latest CertFin report (2022): over 90% of fraud involves human manipulation, and 65% of final transactions are performed by customers. This means that the victim completes the fraud by themselves, making it difficult for behavioral biometrics to detect any different movement that signals an ongoing fraud attempt.

Fraud via ATS: Pure application payload tampering

Another way to complete fraud is via ATS, like a SharkBot. As for the first example, all activities are completed by the victim who wants to make a transfer to another bank account. 

Today, advanced malware can be highly tailored to the targeted banking systems and products, and they can tamper API calls: they replace the account number in the message payload between the app and the server with a different - illegitimate - one. 

This is a dangerous attack in the case of instant payment, where the money is gone in a few seconds. 

Behavioral Biometrics cannot detect any different movement as the legitimate user completes the action itself.

Behavioral Biometrics is undoubtedly a valuable tool in the fight against online banking fraud. Still, it should not be relied upon as the sole solution.

Without integrating into a more holistic approach, the risk is falling into the trap of online fraud management: inaccurate indicators push you to block many sessions, creating frequent friction for your customers. 

A more holistic approach, instead, is paramount to collect all specific indicators and correlate them in real time. 

An approach that uses intelligence on what’s happening in the banking landscape to prevent what can put at risk your systems. 

This is precisely how the Cleafy platform works. 

‍

By correlating thousands of indicators in real time and exploiting our intelligence, our technology can detect potential APP scams more accurately and detect any malware before attempting ATS attacks. 

Our technology is patented on Behavioral Biometrics-human detection, advanced malware, and behavioral analysis, and, thanks to millions of transactions analyzed daily, it owns accurate data to continuously improve its detection capabilities through AI and deep learning. 

Today, the Cleafy platform can detect even zero-day malware in seconds, building a solid shield for your systems against online banking fraud. 

To create a robust defense against cyber threats, financial institutions must adopt a multi-layered approach that combines behavioral biometrics with other authentication methods such as multi-factor authentication, device fingerprinting, and advanced AI-driven anomaly detection. 

By understanding the limitations of Behavioral Biometrics and complementing it with other security measures, banks can significantly reduce the risk of online banking fraud and provide customers with a safer and more secure banking experience.