Using Behavioral Biometrics to Combat Cyber Fraud – Techstrong TV

Gadi and Charlene discuss how behavioral biometrics are used specifically to combat cyber fraud, examples of what this looks like in action for banks and financial institutions and how trends in the cyber fraud space require evolving security solutions while balancing customer experience.

Moderator:                 This is Digital Anarchist.

 

Charlene O’Hanlon:   Hey, everybody. Welcome back to Techstrong TV. I’m Charlene O’Hanlon and I’m here now with Gadi Mazor, who is the CEO of BioCatch. Gadi, thank you so much for joining me today. I really do appreciate it. Thank you so much.

 

Gadi Mazor:               Thanks for having me. Thank you, Charlene.

 

Charlene O’Hanlon:   Great. Great. I’m interested in talking to you a little bit about the topic of behavioral biometrics, and how they can be used to combat cyber fraud. But first, I wonder if you can introduce us to your company.

 

Gadi Mazor:               Sure. BioCatch is the pioneer of behavioral biometrics. The company started 10 years ago, I worked with the company for four years. As many Israeli startups, the company started probably five years ahead of its time and started to sell nicely to the financial sector in 2016. We now have in the high 10s of financial institutions as customers, 25 of the top 100 banks are customers.

 

Major banks have invested in us, HSBC, Citi, Barclays, customers across the globe in Latin America, in Australia, in Europe, of course, and of course, in North America. Companies of about 200 people, pretty much half and half between Israel and everywhere else around the globe.

 

Charlene O’Hanlon:   Excellent. Wow. That’s really great to hear. We’re talking about behavioral biometrics. You guys are focused mostly in the financial services space, correct?

 

Gadi Mazor:               Yes, yes. It’s really my focus.

 

Charlene O’Hanlon:   So tell me a little bit about how these organizations that are using your technology are using it. And as it pertains to behavioral biometrics in general, why is it such a great technology, especially in these verticals, such as financial services? And what does it offer that other types of security can’t?

 

Gadi Mazor:               I’ll start with a very simple kind of explanation. I think 20 years ago, 10 years ago, when we still used to do banking by going into the branch, and thankfully, we do everything digitally these days. But think of that 20 years ago, when you actually did go to your community branch to the bank, it was very frictionless. You almost never had to even show your ID, they knew.

 

It was completely safe, because they knew you. And they would identify if something is strange in how you behave. And it’s completely frictionless. Once everything became digital, and there was a screen between the bank systems and the end-user, think about the defenses and think about the friction that was introduced.

 

Whenever you want to transfer money, you now get an SMS code, and you need to key in six digits. And it says if the bank is protecting itself from the customers. And they do that because they don’t see that. There’s no more that interaction, that actually that teller can identify that that’s the person that they know, etc.

 

And biological biometrics basically says each one of us has, for lack of better terms, a fingerprint of behavior, digital behavior. We move the mouse differently; we click in different speeds on the keyboard. If it’s a mobile device, we hold it in a different angle, we press with a different pressure, we swipe differently, left hand, right hand, etc.

 

And this creates a way for us to tell the bank even though you don’t see the person and that relationship is no longer there in terms of understanding and knowing that this is your customer, we can tell you that based on their behavior, this is the customer that you were doing business in the five sessions before and then you can reduce all those defenses and frictions that you put because they are not fraudsters.

 

Or if it is a fraudster, we know how to identify behavior that is typical for not genuine user doing their own business with a bank, but for fraudsters trying to get into someone else’s account. So we have those models of behavior of what the fraudster would typically do, and what the genuine user does based on the previous sessions.

 

And then we can basically do simultaneously those two things. One is, increase the security of the session, but also reduce the friction. And if I think about cyber security defenses that are usually put, it always one in exchange for the other. You can increase security by putting more friction and that’s the only technology that basically says, no, increase in security decrease in friction at the same time.

 

Charlene O’Hanlon:   Okay, so basically, you’re tracking the movements of somebody who is a customer while they are on that particular site to match it against previous sessions and how they behaved in those sessions such as, to your point, the mouse track, or the keyboard strokes or things of that nature.

 

Gadi Mazor:               Exactly.

 

Charlene O’Hanlon:   Great. Okay. All right, great.

 

Gadi Mazor:               Even on how you scroll the page. You can scroll the page by clicking the arrows, you can scroll the page by the scroll bar, you can swipe. So all this, we all have our own preferences in the way we act with the digital channels. And we model that. We create the model that fits your behavior.

 

And then we can say whether the current behavior fits your profile or doesn’t fit. We don’t look at anything that you actually do in terms of what information you type in, etc., just the dynamics of your interaction.

 

Charlene O’Hanlon:   Okay. All right. Do you take into account the different environments, for example, obviously, there’s a mobile device, there’s a desktop device, but also, I will check my bank balance here at home, I’ll check my balance when I’m sitting at my desk at work? And each is a different type of machine. It’s a different mouse and different keyboard. Are you collecting those actions as well?

 

Gadi Mazor:               Yes. So basically, you at the point where we have multiple behavioral profiles for each one of the users based on how they access the bank site through the bank application. For instance, if you use the laptop here, and you use a different laptop at home, there’s still correlation, by the way, between your usage on the two.

 

But of course, it’s a different profile, it’s different parameters that we look at when you’re accessing through the mobile application. But we do have multiple profiles, depending on your settings.

 

Charlene O’Hanlon:   Okay. All right. That’s really interesting. What types of benefits does behavioral biometrics provide that say regular biometrics don’t such as fingerprint or retina scan or something of that nature?

 

Gadi Mazor:               The main benefit of behavioral biometrics is it’s continuous throughout the session. You can ask for a biometrics signal, again, as you said, retina, iris scan, face, and fingerprint at specific points in the session. But think, what would be the user experience if for any new page that you open an application with a website, they’ll ask you for face recognition, again.

 

At the point that they ask you, let’s say when you log in or when you do a transfer, that increases the security level of that session, because that’s the point that assuming that that was not hacked, and that can be hacked, but that’s the point that those technologies identify that you’re you.

 

But then later, other tools, malware, or someone getting access to your device that is not you, etc., can take over. So he won’t access tools to just hijacking the device through finding an open device, etc. And then from then on, the device would be open, authenticated with, say face recognition at the beginning, but then no continuous coverage.

 

And behavioral biometrics looks at the whole session continuously. And we monitor the whole interaction so at any given point we calculate what’s the risk score that we give to that session based on everything we saw so far?

 

Charlene O’Hanlon:   Okay. All right. So if your software or your application does detect potential fraud, does it just shut it down or does it log it and say this is something that we need to take a second look at, make sure that the user is who they are supposed to be?

 

Gadi Mazor:               Basically, the way it works is that we keep that ongoing scoring of that session in terms of risk. And whenever that risk becomes more than what the bank set the threshold to be, we notify the bank through an API call, so directly to the bank saying this session that we’re monitoring, there’s something risky going on there.

 

Again, based on their settings, and then they will decide what to do with this. They can reject, they can pin the transaction. Some transfer when you go to a bank, just go in it picking some transfer we’re being stopped for banker review, so they have teams to review that and then basically decide what to do based on our risk element.

 

And reversely, if we see that everything is fine, the bank can even reduce the friction to the user and say, for instance, I don’t really need to send an OTP code to that person for this type of transfer, because all signals are showing that this is genuine use, and everything’s fine with that transaction.

 

Charlene O’Hanlon:   Okay. All right. It’s really fascinating technology when you think about it. But I’m sure you guys have heard from privacy groups that say that biometrics in any form is an invasion of privacy. Do you get that as much with behavioral biometrics? Is there that privacy conversation that’s happening?

 

Gadi Mazor:               So first of all, there’s always the privacy conversation, and we are working with top banks in the world, so privacy is always part of the discussion. The benefit that we have is behavioral biometrics is it’s a technology that allows us to compare the behavior of this session versus the previous sessions. But it’s not that we can look at behavior in a given session and pinpoint the one person in the millions of the banks.

 

It’s not like fingerprint, it’s not like iris. It doesn’t identify the user. It’s a measure whether the behavior is similar to previous behavior. It’s a weaker biometric signal than the fingerprint, etc. And then the privacy is way less concerned with this. It’s not considered strong biometric signal. It’s a behavioral biometrics part of biometrics, but it’s not considered as strong as fingerprints.

 

Charlene O’Hanlon:   Okay. Financial institutions, financial services is obviously a very highly regulated industry. Are there any particular regulations that you guys need to be mindful of regarding your technology and the use specifically in financial services?

 

Gadi Mazor:               Sure. So basically, every regulation you could think of. Of course, GDPR and all the different versions of GDPR. And GDPR defines private information to be even information that we would not consider private. Some of the device capabilities that I have, or IP address are considered PII.

 

We are considered PII information. But the fact that we never collect the actual information that you type, and we don’t have any idea of the user, it’s just a unique number, random number between us and the bank to identify the user ID, we don’t really sit on private information the way we would describe that. Having said that, in terms of protection and everything and regulations, we are under GDPR and all the other regulations.

 

Charlene O’Hanlon:   I’m thinking about biometrics and just the adoption of biometrics over the last 10 years ago. It was very rocky at the beginning, I think a lot of people were very, very scared to have that information sitting out there.

 

But do you think that the adoption of biometrics has increased, including behavioral biometrics, that that has increased. And the people’s comfort levels are more amenable to using biometrics, whether it’s behavioral biometrics, or standard biometrics. And where do you see this space going?

 

Gadi Mazor:               So we have ma biometrics, we don’t see a push back on the usage. Even though, again, it’s under the GDPR, it’s not considered or it’s not viewed as invasion of privacy the way we would look at that, again, because it doesn’t allow us to identify. And the fact that we have a model for how quickly you type doesn’t feel to people like that’s a huge invasion to their privacy.

 

We’re not seeing any pushback on the usage of behavioral biometrics, and the fact that this is completely passive and there’s no interface to the user, there’s no these annoying steps in either OTP or popping up this fingerprint, etc., that makes it even more easy. Because this is someone that looks and say, yeah, that behaves like previous sessions, but without really having too deep biometric information about you.

 

We’re seeing this taking more and more interest with the emergence of – you talk about where I see this going. If you look at the fraud landscape over the last five, six years and the evolution of fraud. As banks got better and better protection, and they were looking at where you’re coming from? What type of transaction you’re making? Transaction metadata, device, location, etc., and put those defenses.

 

And those defenses are pretty much standard with top banks. Fraud went back to scams. So they went back and said, okay, I cannot take over. It’s not easy for me anymore to take over with malware, to take over the end user machine. It’s not easy for me, even if I take and I buy the credentials of the user, if I log in someone will identify that that’s a different location, different device, or in our case, a different behavior.

 

So basically, they’re going to the weakest link, and the weakest link is the actual end user. And they went back to scams. And that’s the number one fraud type in many of the countries that we service, and those are social engineering. Whenever we hear about those stories, where we’ll say, this can never happen to me, can happen to everyone.

 

These guys are smart, they’re creative, they know psychology, they can fool everyone to do. In the UK alone, last year, the first half of the year 2021, was 750 million pounds stolen from accounts by scam alone. Huge losses, and primarily from the most vulnerable. And that’s where everything else is stand out. It’s the user themselves that do this. It’s their device, it’s their location, it’s everything.

 

And we are still able to identify that even though it’s the user that does the action, they are acting under the influence of someone else. And we believe that because fraud went back to basically fooling the end user, the human, then the only way to detect that something fishy is going on is to be able to identify the differences of behavior of that user. Because everything else is the same in that session.

 

Charlene O’Hanlon:   Interesting. It sounds like such great technology and financial services seems to be the perfect niche. Do you see other verticals that might be appropriate for behavioral biometrics?

 

Gadi Mazor:               Sure. Basically, we have three main use cases. We have the account takeover protection, and this is when someone stole or bought your credentials and is logging into your account and is doing things in your account on your behalf for his benefit. So obviously, in financial services, that happens. And it’s basically someone hacking to your bank account.

 

Or it can happen in the airline and travel industry. Travel in the hospitality industry, when someone actually hacks your point account. It can be also financial service having FinTech companies. It can be telcos, when someone logs in and orders a phone for your account. So applicable to additional verticals.

 

The second use case is account opening protection. That’s actually when you submit an application for credit card, American Express as a customer for instance, they also invested in a company. And we know when someone types in application for credit card with American Express, we know to tell American Express whether we think this is a genuine user applying for a card or someone that stole the credentials.

 

And we’ve never seen that user before. So we cannot compare that behavior, but still a behavior. When you type your own social security number, you type that continuously from long-term memory. If I stole your social security number and was applying on your behalf to a card that would get, I would type that either in a chunky manner or I would paste that to the form.

 

You’ve never pasted your social security to a form. Those are the type of hints that we get to be able to differentiate. And this is again, a use case that is applicable basically completely horizontally, not just for financial services. But we’ve definitely focused on just getting with 500 banks, top banks in the world. That’s our wind zone, and we’re focused on just servicing them as much as we can.

 

Charlene O’Hanlon:   That’s great. That’s great. Well, Gadi, thank you so much for walking me through behavioral biometrics and financial services, and how you guys are changing the game. I do appreciate it.

 

Gadi Mazor:               Thank you very much.

 

Charlene O’Hanlon:   All right. All right, everybody, please stick around. We’ve got lots more on Techstrong TV coming up. So stay tuned.

 

[End of Audio]