As people spend more time online than ever before, the nature of fraud is changing. Since the adoption of EMV chip technology has made card-present fraud much harder to get away with, criminals are increasingly turning to the cyber world to steal personal information, money, and other valuable material.
Since it’s hard to know someone’s identity on the internet, criminals have been tremendously successful at carrying out cybercrime. They can pose as someone else and gain access to their accounts without anyone knowing until it is too late. Another common method is for criminals to deploy bots or malware to hack into accounts or trick unsuspecting companies.
NuData, a Mastercard company, estimated that almost half of all login attempts in 2018 were high risk for being fraudulent, and nearly 1 in 5 of new accounts created in 2019 so far are fraudulent on average.
In such a world, authenticating the identity of a user is more crucial than ever. As fraudsters go high-tech, so, too, are the companies seeking to stop them.
One approach is to harness shared insights from various data points consumers generate while surfing the web or interacting with their devices across a consumer journey. Mastercard calls this a connected intelligence approach, which includes multiple layers of authentication solutions, leveraging AI and working together to prevent fraud
To learn more about the passive biometric approach, PaymentsJournal interviewed Robert Capps, Mastercard’s Head of Marketplace Innovation. He explained what passive biometric authentication is and provided examples of how companies have worked with Mastercard to implement successful solutions.
Passive biometrics: A probabilistic approach
Mastercard has developed a range of products that use passive biometrics to help verify good users. Capps explained that passive biometrics is centered on probabilistically identifying if a legitimate person is physically present in the interaction. This can happen during account creations, login attempts, and transactions.
At each stage, the Mastercard products establish “a probabilistic match to a human based upon observations of the passive biometric signals that we can capture during an interaction, as well as behaviors and some other data about the context of the transaction,” said Capps.
He explained that there are over 300 distinct signals that Mastercard can analyze in order to make a determination. These can range from how hard a screen is being pressed to how a person is navigating around their device.
Capps explained that one interesting signal is when the user goes from using the scroll wheel to navigate a page to using the arrow keys. That’s a telling signal “that you’re dealing with a different consumer because every consumer, every human, has a different way of interacting with the technology in front of them,” he said.
However, he noted that the amount of signals can vary depending on the device being used. For example, the signal of how hard a screen is being pressed can be evaluated on a smartphone, but it is not present if the device being used is a laptop.
“So part of the core technology NuDetect brings to the table is being able to, in real time, figure out which signals are indicative of a legitimate consumer in any given channel interaction, and then distinguish bots from a real consumer at that point,” said Capps. The magic happens via real-time entity linking in a cloud consortium where machine learning leverages over 400 billion events analyzed annually from aggregated behavioral intelligence.
Part of what makes Mastercard’s approach so successful is that the company looks at more than just biometric data. Geographic location, IP addresses, and the history of the device can all be used to establish a probabilistic assessment of whether the person using the device is indeed
Mastercard’s passive biometric solutions in action
Companies interested in using Mastercard’s authentication products should know that there are an array of products on offer that are often a like-for-like replacement for the outdated legacy solutions many companies currently use. Capps noted that adopting these products does not require hard cuts or big installations, and many can be adopted whenever a merchant deems it necessary.
Once companies do adopt Mastercard solutions like NuDetect, they can see striking results. Capps recounted how a very large, top five U.S. bank realized that more than 30% of its login traffic was attack traffic meant to compromise accounts.
Such traffic might otherwise be seen as a positive thing—the more traffic a website has, the better—but by using Mastercard’s solutions, companies are realizing that not all traffic is the same. Companies can save money and resources by not handling the abundance of fake login attempts.
Capps also provided an example of how an e-commerce company used Mastercard’s authentication solutions to uncover a massive criminal scheme involving the company’s frequent shopper rewards program.
When shoppers made purchases, they received a receipt with a unique number on it that could be entered into a rewards account to earn four to six cents per receipt. To exploit the system, the cyber criminals created an algorithm that successfully came up with valid receipt numbers which had yet to be redeemed.
They then used an automation tool to repeatedly redeem reward points, stealing millions of dollars in the process. After earning the rewards, the criminals would use them to buy products from the company in order to resell them for a profit on another website.
“We found [the scam] once we got in there and we started looking at bot attacks and other sort of issues,” said Capps. Due to Mastercard discovering the criminal enterprise, the hackers were arrested and the e-commerce company saved $1.4 million by stopping the attack.
Use cases like these show how important it is to deploy effective authentication solutions. While passive biometric authentication solutions is one part of Mastercard’s approach to stopping fraud, it is only part of the story.
The success of passive biometric authentication solutions “in no way, shape, or form negates the need for active biometrics,” said Capps. Connected intelligence entails coupling the passive biometrics approach to an active one.
When passive biometrics indicate that an interaction has a high probability of being fraudulent, an active challenge can be issued to confirm the identity of the user. In this way, both approaches are necessary to effectively fight fraud.
Stay tuned for an article covering Mastercard’s active biometric authentication solutions, and how they relate to the passive approach.
To learn more about how NuData can help protect your environment, visit https://nudatasecurity.com/