There are three different types of authentication factors for a customer.
- Knowledge — something only the customer knows, for example, a password, PIN, or secret answer
- Possession — something only the customer possesses, such as their mobile phone, e.g. an OTP delivered to it
- Inherence — something the customer is, for example, a behavioral fingerprint or facial recognition
In this article, we will focus on how behavioral biometrics can solve inherence and briefly summarize the other features expected from a Behavioral Biometrics (Device) vendor.
What is Behavioral Biometrics?
Behavioral biometrics is the study of uniquely identifying, measurable patterns in human activity. The behavior can be device-based, voice-based, or kinesthetic. In this article, we will focus on device-based biometrics.
The goal of device-based behavioral biometrics is to use all of the user’s interactions with the device to identify different or suspicious behavior. Behavioral biometric verification methods include keystroke analysis, touch/mouse analysis, and sensor data such as how you hold a phone. The suspicious behavior can be a bot, a remote desktop session, or a different user on the same or a similar device. Hence Account Take Over (ATO) prevention is a good use case for Behavioral Biometrics.
Why Behavioral Biometrics?
Merchants need to use inherence (biometrics) or possession (OTP) in addition to knowledge (password) to prevent Account Take Over (ATO), as there have been 12 billion pwned accounts, with reports of new breaches like LastPass happening on a regular basis. Inherence is considered a low-friction approach compared to possession (OTP), and hence it is generally preferred for medium-risk transactions.
There is also a lot of fraud targeting the elderly population that can be caught via behavioral biometrics.
Behavioral Biometrics and Inherence
To solve inherence, a behavioral biometrics feature called “Same User Score” uses the keyboard, mouse, and sensor data collected from the user to validate that it is the same person entering the data again.
To use this feature, a customer needs to enter the same or similar information a few times on the same or a similar device. This can happen on a login screen where the customer enters the same information, such as user name and password, each time. At each attempt a similarity score is produced, and the score becomes more accurate with every attempt. Usually, companies need at least 3 pieces of data from the same person before they are confident in predicting that it is the same user. If another person uses the phone on, say, the 4th attempt, behavioral biometrics will catch that it’s not the same person, because that person’s behavior on the page or device is now different.
An example of typing cadence could look like the diagram below:
Same User Score is effective because a customer’s typing cadence and the way they handle the phone differ from those of another person using the same phone or a similar device model.
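As an added illustration of the Same User Score idea (this is example code written for this article, not Sardine’s implementation), the block below builds a keystroke-dynamics profile from the first three login attempts and scores later attempts against it. The event format, the 2-spread tolerance, the 5 ms spread floor, the 0.7 decision threshold and the sample timings are all constructed assumptions.

```python
"""Same User Score from keystroke dynamics. Each login attempt is a list of
(key, down_ms, up_ms) events for the same typed string. Dwell (key held) and
flight (release-to-next-press gap) times form the feature vector."""
from statistics import mean, pstdev

MIN_ENROLL = 3             # article: at least 3 samples before trusting the score
SD_FLOOR_MS = 5.0          # assumed floor so a very consistent typist is not over-tight
SAME_USER_THRESHOLD = 0.7  # assumed decision threshold on the 0..1 score

def features(events):
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(attempts):
    """Build a profile from all attempts seen so far (re-run after each new one)."""
    vecs = [features(a) for a in attempts]
    cols = list(zip(*vecs))
    return {"n": len(vecs),
            "mu": [mean(c) for c in cols],
            "sd": [max(pstdev(c), SD_FLOOR_MS) for c in cols]}

def same_user_score(profile, attempt):
    """Fraction of features within 2 spreads of the profile; None until enrolled."""
    if profile["n"] < MIN_ENROLL:
        return None
    f = features(attempt)
    hits = sum(abs(x - m) <= 2 * s for x, m, s in zip(f, profile["mu"], profile["sd"]))
    return hits / len(f)

def is_same_user(profile, attempt):
    score = same_user_score(profile, attempt)
    return score is not None and score >= SAME_USER_THRESHOLD

# Constructed samples: the owner typing "pass" three times, then a 4th time,
# and a different person typing the same password on the same phone.
OWNER = [
    [("p", 0, 90), ("a", 230, 320), ("s", 460, 550), ("s", 700, 790)],
    [("p", 0, 85), ("a", 225, 315), ("s", 450, 540), ("s", 690, 785)],
    [("p", 0, 95), ("a", 235, 325), ("s", 470, 560), ("s", 715, 805)],
]
OWNER_4TH = [("p", 0, 92), ("a", 232, 322), ("s", 465, 555), ("s", 705, 797)]
INTRUDER = [("p", 0, 150), ("a", 450, 600), ("s", 900, 1050), ("s", 1350, 1500)]

if __name__ == "__main__":
    profile = enroll(OWNER)
    print("owner 4th attempt:", same_user_score(profile, OWNER_4TH))  # 1.0
    print("intruder attempt:", same_user_score(profile, INTRUDER))    # 0.0
```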
Use Cases
1. Stolen Devices
The device was stolen after the fraudster observed the customer typing the phone PIN. In this case the fraudster has complete access to the phone and can therefore easily pass 2FA etc. to transfer money or make purchases. The only way to detect that this device is being misused is to combine “Same User Score” with transaction anomaly detection.
2. Misuse of Phone
A relative (e.g. a child) or acquaintance is misusing the phone. In this case the relative can make purchases shipped to the same shipping address. Hence, in this case, transaction anomaly detection along with behavioral biometrics can be used to decline the transaction or force MFA such as selfie authentication.
3. Strong Customer Authentication
Same User Score can be used as an inherence factor in SCA. Strong Customer Authentication (SCA) is a European regulatory requirement to reduce fraud. SCA requires authentication to use at least two of the three authentication factors, and it considers behavioral biometrics, i.e. Same User Score, a valid inherence factor. SCA expects vendors to use at least keyboard and gyroscope data.
While SCA reduces fraud, merchants may consider SCA as friction for obviously good customers or transactions. Hence transactions below €30 may be considered “low value” and exempted from SCA. The exemption amount may change depending on your payment provider’s overall fraud rate; e.g. the exemption amount could be as high as €500 for a fraud rate of 0.01% (1 bps). The cardholder’s bank (the issuer) may still reject the exemption, in which case SCA must still be performed. If the issuer approves an exemption requested by the acquirer, then the acquirer/merchant is liable if the transaction turns out to be fraudulent. The issuer can also choose to exempt a transaction from SCA without a request from the acquirer, and in this case the issuer is liable for any fraud.
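The exemption and liability rules above, walked through as constructed decision logic (an added example for this article, not any payment provider’s engine). The €30 low-value limit and the €500 / 0.01% tier come from the text; the €250 / 0.06% and €100 / 0.13% tiers are the remaining Transaction Risk Analysis tiers from the PSD2 RTS, and the `issuer_decision` labels are assumptions.

```python
"""SCA exemption request and liability walk-through. Amounts in EUR; fraud
rates are fractions (0.0001 == 0.01% == 1 bps)."""

LOW_VALUE_LIMIT = 30.0
# Transaction Risk Analysis tiers (max acquirer fraud rate, max amount). The
# article cites only the €500 tier; the others are the RTS tiers below it.
TRA_TIERS = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]

def exemption_request(amount, acquirer_fraud_rate):
    """Exemption the acquirer can request: 'low_value', 'tra' or None."""
    if amount < LOW_VALUE_LIMIT:
        return "low_value"
    for max_rate, max_amount in TRA_TIERS:
        if acquirer_fraud_rate <= max_rate and amount <= max_amount:
            return "tra"
    return None

def sca_outcome(amount, acquirer_fraud_rate, issuer_decision):
    """issuer_decision (assumed labels) is what the cardholder's bank does:
    'accept' or 'reject' the acquirer's request, or 'issuer_exempts' on its own.
    Returns (sca_required, party_liable_if_fraud). Liability is None whenever
    SCA is performed, since the article assigns liability only for exemptions."""
    if issuer_decision == "issuer_exempts":
        return (False, "issuer")
    requested = exemption_request(amount, acquirer_fraud_rate)
    if requested is None or issuer_decision == "reject":
        return (True, None)
    return (False, "acquirer")

if __name__ == "__main__":
    # Acquirer with a 1 bps fraud rate: a €400 purchase fits the €500 TRA tier.
    print(sca_outcome(400, 0.0001, "accept"))   # (False, 'acquirer')
    print(sca_outcome(400, 0.0001, "reject"))   # (True, None)
    # Acquirer at 5 bps only reaches the €250 tier, so €400 needs SCA ...
    print(sca_outcome(400, 0.0005, "accept"))   # (True, None)
    # ... unless the issuer exempts it on its own and takes the liability.
    print(sca_outcome(400, 0.0005, "issuer_exempts"))  # (False, 'issuer')
```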
Behavioral Biometrics Features
We will quickly summarize some of the other features that Behavioral Biometric solutions can provide.
Age Detection
By using intrinsic behavior and device orientation data as model inputs, it may be possible to predict the age group of the user, e.g. over 50 years old. This is important because the elderly population suffers disproportionately from elder scams and hence may inadvertently act as a money mule.
Per the FTC, the elderly population has a 400% higher chance of falling for Tech Support Scams.
Remote Desktop
A device intelligence + behavioral biometrics solution can help detect remote desktop sessions.
More details on remote scams using AnyDesk, TeamViewer, or Microsoft RDP are here.
Bot Detection
In one of my past companies, the security department noted the phones were upside down in the device farm while the device farm was doing a bot attack. The phone orientation turned out to be an important signal to detect bots. The sensor signals along with other signals like “fast page movement” can be used to predict bots.
Record and Play
Record and Play features are usually seen in analytics tools. They allow merchants to see the actual actions performed by a customer on their website. Fraud Operations can replay the behavior behind suspicious transactions to confirm whether it looks suspicious.
Long-term Memory
The way a customer types data from long-term memory (LTM) for fields like “First Name” is likely to differ from how they type fields like the credit card number. In LTM fields, the customer is unlikely to hesitate or switch windows. For fields like credit card numbers, the customer is likely to look over at their wallet, and hence you will notice a segmented typing pattern. If the pattern in an LTM field is segmented, it is likely that a fraudster is reading the data from a sheet and typing it in.
Abnormal behavior
The use of autofill, copy-paste, and distractions, along with how the page and its forms were filled, can help in detecting whether this is a normal user pattern or a pattern from a fraudster or bot.
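The Long-term Memory and Abnormal behavior signals above, as one added example covering both (constructed heuristics for this article, not a vendor’s model). Per field it takes the submitted value and the key-down timestamps recorded while the field was filled; the 800 ms pause threshold, the set of LTM fields, the “fewer key events than half the characters means pasted or autofilled” rule and the sample form are all assumptions.

```python
"""Field-level typing-pattern signals: segmented typing in fields a real user
types from memory, and paste/autofill detection from the key-event count."""

PAUSE_MS = 800                                      # assumed: longer gap = user looked away
LTM_FIELDS = {"first_name", "last_name", "email"}  # assumed: typed from memory

def bursts(timestamps, pause_ms=PAUSE_MS):
    """Split the keystroke stream at long pauses; returns keys per burst."""
    out, run = [], 1
    for prev, cur in zip(timestamps, timestamps[1:]):
        if cur - prev > pause_ms:
            out.append(run)
            run = 1
        else:
            run += 1
    out.append(run)
    return out

def field_signal(value, timestamps):
    """'pasted' (far fewer key events than characters: paste or autofill),
    'segmented' (typed in several bursts) or 'fluent' (one continuous burst)."""
    if not value:
        return "empty"
    if len(timestamps) < max(1, len(value) // 2):
        return "pasted"
    return "segmented" if len(bursts(timestamps)) > 1 else "fluent"

def suspicious_fields(form):
    """form: {field: (value, timestamps)}. A card number typed in chunks is
    normal (the user is reading the card); an LTM field that is segmented or
    pasted is the signal the article describes."""
    flags = {}
    for name, (value, ts) in form.items():
        signal = field_signal(value, ts)
        if name in LTM_FIELDS and signal != "fluent":
            flags[name] = signal
    return flags

# Constructed form submission (timestamps in ms relative to the first key).
SAMPLE_FORM = {
    "first_name": ("alice", [0, 150, 1400, 1550, 1700]),     # long pause after "al"
    "last_name": ("smith", [0, 120, 240, 360, 480]),          # fluent
    "email": ("alice@example.com", [0]),                      # a single paste event
    "card_number": ("4111111111111111", [0, 100, 200, 300, 1500, 1600, 1700, 1800,
                                         3000, 3100, 3200, 3300, 4500, 4600, 4700, 4800]),
}

if __name__ == "__main__":
    print(suspicious_fields(SAMPLE_FORM))  # {'first_name': 'segmented', 'email': 'pasted'}
```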
Summary
Behavioral Biometrics can passively reduce fraud without causing friction for the customer. It can be used as an inherence factor, besides providing signals around age, bots, anomaly detection, etc. Hence Behavioral Biometrics along with Device Intelligence is a must-have tool to tackle fraud. Sardine was able to reduce ATO by 34.8% at customers while at the same time reducing false positives. Please contact Sardine if you are interested in a Behavioral Biometrics + Device Intelligence solution.