Why Online Trust Doesn’t Have to Come at the Expense of the User Experience

Digital customer interactions are increasing, accelerated by the forced adoption of data-enabled services in the wake of this year’s pandemic. With stay-at-home orders came a sudden reliance on digital technologies for consumers and institutions alike, and a seismic shift in the world’s approach to work, commerce and social interactions. As digital services and applications continue to be integrated into more facets of everyday life, the need for effective online fraud detection capabilities to secure online identities and prevent account takeover only gains in significance. Analysis that shows attackers becoming more adept at phishing and credential theft over time, like that featured in the Verizon Data Breach Investigations Report, highlights why.

Stopping these attacks and restoring online trust is important not only for maintaining enterprise customer and employee confidence and engagement, but also revenue. According to a Gartner strategic planning assumption, by 2023, digital businesses that have adaptive customer experience linked to trust and risk assessments will earn 15 percent more revenue than those who do not.

How can organizations restore trust in online channels without disrupting user experience or digital transformation efforts? The answer is a frictionless solution that goes beyond legacy “one-size-fits-all” account authentication mechanisms, automatically separating fraudsters using common attack vectors, like the three outlined below, from valuable customers without undermining the digital experience.

Credential Stuffing

Data breaches continue to soar, and each one means more data available for purchase on the black market, making it easier than ever for fraudsters to misappropriate it. One common attack vector cybercriminals use takes stolen credentials from one breached system and runs automated scripts to try them against another. This type of cyberattack is often successful, since many people use the same username and password across multiple logins. There are several ways credential stuffing can be implemented. The easiest uses a bot to copy and paste thousands of credentials into a new system, changing IP address every so often to circumvent the first layer of defenses. Another employs a hybrid of automation and human interaction, using a bot for the initial authentication attempts that then redirects step-up requests, such as CAPTCHAs, to human click-farms to resolve and attain access to the account.

Behavioral biometrics can detect these types of attacks using innate behavioral tendencies, like typing pressure or speed, that serve as a continuous and frictionless safeguard, unlike one-time static solutions like passwords. This unique behavioral data provides a comprehensive and more accurate view of who is actually behind the keyboard.
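The two sections above describe the idea in prose: a replay bot produces mechanically regular keystroke timing, and a human who is not the account owner has a different typing rhythm than the enrolled user. The following example, added here and not BehavioSec's code, shows the principle with a small keystroke-rhythm check. The flight-time values are constructed sample data in milliseconds; the thresholds are assumptions for illustration.

```python
"""Keystroke-rhythm check for login attempts (added example, not BehavioSec code)."""
from statistics import mean, pstdev

# Constructed sample: flight times (ms between consecutive keys) recorded on four
# earlier, successful logins of the same user typing the same password.
BASELINE_LOGINS = [
    [95, 140, 120, 160, 110, 130, 150],
    [100, 135, 125, 155, 115, 125, 145],
    [90, 145, 118, 165, 108, 135, 152],
    [98, 138, 122, 158, 112, 128, 148],
]


def build_profile(logins, min_std_ms=5.0):
    """Per-position mean and standard deviation across the enrolment logins.
    The std is floored so a very consistent typist does not produce a division by zero
    or an over-strict profile."""
    columns = list(zip(*logins))
    return [(mean(c), max(pstdev(c), min_std_ms)) for c in columns]


def rhythm_score(profile, attempt):
    """Mean absolute z-score of one attempt's timings against the enrolled profile."""
    if len(attempt) != len(profile):
        raise ValueError("attempt must have the same number of intervals as the profile")
    return mean(abs(t - m) / s for t, (m, s) in zip(attempt, profile))


def is_scripted(attempt, tolerance_ms=3):
    """Credential-stuffing bots that replay keystrokes tend to emit near-identical
    intervals; human typing varies by tens of milliseconds between keys."""
    return max(attempt) - min(attempt) <= tolerance_ms


def assess(profile, attempt, threshold=3.0):
    """Return 'scripted', 'match' or 'anomalous' for a single login attempt.
    A non-match does not deny the login by itself; it is a signal for step-up or review."""
    if is_scripted(attempt):
        return "scripted"
    return "match" if rhythm_score(profile, attempt) < threshold else "anomalous"


if __name__ == "__main__":
    profile = build_profile(BASELINE_LOGINS)
    for label, attempt in [
        ("genuine user", [97, 142, 119, 161, 113, 131, 149]),
        ("replay bot", [50, 50, 51, 50, 50, 50, 50]),
        ("other human", [60, 80, 70, 90, 65, 75, 85]),
    ]:
        print(f"{label}: {assess(profile, attempt)}")
```

The stuffing bot is caught by timing regularity even though it supplies the correct password; the human with stolen credentials is caught by rhythm deviation, which is the case passwords alone cannot distinguish.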

Malicious applications

There are many types of malicious applications that can help fraudsters gain access to online accounts, often taking over the session after a genuine login and making it very difficult for traditional fraud and authentication tools to detect. These types of attacks, like Man-in-the-Browser (MITB), infect the web browser by taking advantage of security vulnerabilities to manipulate and modify transaction information or embed additional transactions. One example of an MITB threat is the Gozi malware, designed to steal banking credentials mainly via phishing emails. A malicious attachment tricks the user – for instance by opening a Microsoft Word document – into downloading malware. Retefe is another example of malware that targets online banking information through a proxy. Retefe is primarily distributed by phishing emails with malicious JavaScript code aimed at changing the operating system’s proxy auto-configuration settings. Major browsers like Mozilla Firefox, Google Chrome and Internet Explorer have struggled to stop these types of attacks, with fraudsters able to bypass legacy device- and IP-based security by launching the attack from the victim’s own device.

Behavioral biometrics is a seamless and effective way of combining security and identity functions to spot suspect activities during the entirety of an online session. With this frictionless behavioral layer, attacks conducted by MITB malware and others can be easily spotted, allowing security teams to take swift action without negatively impacting the digital experience of genuine customers.

Remote access and social engineering

The BBC recently reported on a fake call center that had scammed more than 70,000 people. The fraudsters used social engineering to obtain credential information from victims in the United States, Australia, and the United Kingdom. The combination of social engineering and a remote access trojan makes these attacks very hard to detect. A remote access trojan (RAT) is malware that can take control of the user’s computer through a remote network connection. The RAT is often hidden in a program or an email attachment that the user downloads, which gives the attacker control of the victim’s computer, from which they can take screenshots, access information like credit card numbers, or activate the webcam. Cybercriminals often combine the RAT with social engineering in the form of phishing email links directing victims to fraudulent call centers posing as customer service for Microsoft or the victim’s bank. In these sophisticated attacks fraudsters use personal information from social media or the dark web to give the appearance of being legitimate, persuading victims to complete a transaction or provide credential details the fraudster can then use to transfer or steal money.

Social engineering attacks meant to steal user credentials are problematic because – when successful – they result in the correct username and password being used to access a victim’s account. However, behavioral biometrics can detect and stop them at their start by alerting on abnormal or unusual login behavior.

Better Authentication. Better Experience

Traditional security methods, like passwords and step-up authentication, are simply no longer sufficient to stop modern fraud attacks using a combination of machine automation and social engineering. Additionally, many multi-factor methods add friction to the user experience, increasing the risk of customer attrition. Behavioral biometrics provides the ability to detect hybrid threats without additional user friction points, keeping customers and employees secure and the digital experience seamless.

*** This is a Security Bloggers Network syndicated blog from BehavioSec authored by Anton Klippmark. Read the original post at: