PaymentsJournal

Outwit the Fraudsters? With Behavioral Biometrics, It’s Possible

by Ryan Wilk
June 2, 2016
in Industry Opinions

Credit card details used to be the apple of cyber criminals’ eyes, but 2015 saw a shift in focus. Fraudsters are now out to get as much personally identifiable information (PII) as possible, which they purchase on the Dark Web in the wake of numerous breaches against government agencies, healthcare companies and other organizations that use PII.

Fraudsters most often use the data from these breaches to steal from banking and ecommerce organizations. Analysts predict that account takeover (ATO) and new account fraud will increase by as much as 60 percent in the next three years, resulting in billions of dollars in losses.

The cat-and-mouse game of fraud perpetration and fraud prevention goes on and on. As merchants and financial institutions become better at thwarting traditional fraud techniques, criminals are forced to adapt. It’s the responsibility of financial institutions and merchants to stay ahead.

How the New Threats Work
ATO is popular these days for a variety of reasons. ATO fraud occurs when a fraudster accesses an existing user’s credentials (personally identifiable information) that allow consumers to log onto online banks, retailers, gaming sites or social media. Using an existing consumer’s account allows a criminal to masquerade as a genuine customer to transfer funds, use the payment method on file to make a high-value purchase or simply mask fraudulent transactions. Accessing these accounts has become easy through one of three common practices:

• Using brute force automated attacks for account takeover, which are systematic assaults (also referred to as “bots”) that use a script to continually “guess” a user’s password
• Attempting combinations of usernames and/or passwords obtained through data breaches, both large and small
• Cycling through easily remembered passwords, like “Password123,” or words like their child’s name, street name, birth dates or other data socially engineered from public profiles

These practices work quite well, and their use will continue – primarily for two reasons.
First, passwords can no longer be relied upon to keep a user’s account secure. Second, traditional fraud prevention systems, which rely primarily on rules to analyze payment data and personally identifiable information (PII), cannot determine whether the person accessing an account is in fact its real user.

Financial institutions can’t afford the consequences of failing to stop fraudulent transactions. While rules-based systems are still relevant in terms of apprehending other forms of fraud and some instances of account takeover fraud, they can only examine payment and some device information, not the user’s behavior at the time of login.

In addition to the growth and popularity of account takeover, new account fraud is also on the rise. In most cases, the information obtained is enough to apply for new financial accounts, many times without the victims being aware for months.

These days, fraudsters don’t sit at the keyboard all day, typing in new account information. Instead, hackers write scripts that can be run by bots en masse to attack systems using that data. Scripted attacks can be tricky to detect, as the perpetrators have studied the account creation and login pages of their target company to ensure that each field is completed correctly and appears legitimate. Standalone fraud prevention systems are merely looking at the information provided in the order or application, not the behavior displayed when logging in to or creating an account.

As businesses begin to feel the economic pain of these fraud methods, an expensive side effect develops: companies apply excess caution when reviewing orders, sometimes mistaking good orders for bad. When this occurs, the merchant loses not only the immediate sale but also, in most cases, the lifetime value of that customer. In fact, transactions denied because of suspected fraud have cost businesses more than 10 times what they’ve lost to actual ecommerce fraud. Merchants need a better way to save these legitimate sales while still preventing the potential dollar loss due to sophisticated fraud tactics.

Recognizing the Good
Losses of this kind cannot be sustained; new detection methods must be found. With many traditional fraud prevention tools, only the data entered into a shopping cart or account creation form is analyzed. Some will also look at the device or connection, which can be spoofed. With the data available from recent data breaches, all these details can match the genuine consumer perfectly and yet still be fraudulent and/or spoofed. Additionally, once the order and application form is completed, it initiates fraud decision-related resources via payment authorizations and fraud and/or credit reviews.

In contrast, another detection method is gaining prominence: observable behavioral biometrics. In this case, users accessing an account or application are continually evaluated from the moment they begin interacting with an online property. The amount of time it takes to log in, place an item in a cart or get to the application page is all captured. Device information such as whether a mobile, PC or tablet is being used, along with device identification information, browser language, screen size, location and whether the IP or geo-location has been faked are all compared to an existing user profile. The way a user interacts with a website is also analyzed, including the way a person types, how they hold their mobile phone, etc. By absorbing all of these characteristics and aggregating the data, behavioral biometrics create a unique profile for each user.

Sometimes, the best way to spot a fake is to have an expert grasp of what the original looks like. That’s the case with behavioral biometrics. By passively identifying the good users, the anomalous or bad users become obvious in comparison. This enables the program to easily highlight when a different person or bot is attempting account takeover and also allows businesses to prevent bots and systems from running scripts to access or create new accounts. The uniqueness of the data gathered and the aggregation and application of all collected data creates a full 360-degree view of each user.
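The profile comparison described above, sketched as an added example (not code from the article or from any vendor product). The feature names, the 3-sigma cutoff and the 5 ms uniformity threshold are assumptions chosen for illustration, and all session data is constructed.

```python
from statistics import mean, pstdev

NUMERIC = ("login_seconds", "key_gap_ms")           # timing features (assumed names)
DEVICE = ("device_type", "browser_lang", "screen")  # device attributes (assumed names)

def summarize(key_times_ms):
    """Mean and spread of the gaps between consecutive keystroke timestamps."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    return mean(gaps), pstdev(gaps)

def build_profile(sessions):
    """Aggregate past sessions into per-feature (mean, std) and the set of usual device values."""
    profile = {"device": {k: {s[k] for s in sessions} for k in DEVICE}}
    for f in NUMERIC:
        vals = [s[f] for s in sessions]
        profile[f] = (mean(vals), max(pstdev(vals), 1e-6))  # floor avoids division by zero
    return profile

def score(profile, session, key_times_ms):
    """Return (risk, reasons) for one new session compared with the stored profile."""
    reasons = []
    gap_mean, gap_std = summarize(key_times_ms)
    observed = dict(session, key_gap_ms=gap_mean)
    for f in NUMERIC:
        mu, sigma = profile[f]
        z = abs(observed[f] - mu) / sigma
        if z > 3:  # assumed cutoff
            reasons.append(f"{f} deviates {z:.1f} sigma from profile")
    for k in DEVICE:
        if session[k] not in profile["device"][k]:
            reasons.append(f"{k} not seen before for this user")
    if gap_std < 5:  # assumed threshold: near-constant key spacing looks scripted
        reasons.append("keystroke timing too uniform (scripted input)")
    risk = "high" if len(reasons) >= 2 else "review" if reasons else "low"
    return risk, reasons

# Constructed sample data: three past sessions for one user.
HISTORY = [
    {"login_seconds": 9.1, "key_gap_ms": 182, "device_type": "pc", "browser_lang": "en-US", "screen": "1920x1080"},
    {"login_seconds": 11.4, "key_gap_ms": 171, "device_type": "pc", "browser_lang": "en-US", "screen": "1920x1080"},
    {"login_seconds": 8.3, "key_gap_ms": 195, "device_type": "mobile", "browser_lang": "en-US", "screen": "390x844"},
]
PROFILE = build_profile(HISTORY)
SAME_DEVICE = {"device_type": "pc", "browser_lang": "en-US", "screen": "1920x1080"}
# Both sessions present identical, matching device details; only the behavior differs.
GENUINE = score(PROFILE, dict(SAME_DEVICE, login_seconds=10.0), [0, 160, 370, 520, 740, 905])
SCRIPTED = score(PROFILE, dict(SAME_DEVICE, login_seconds=0.6), [0, 20, 40, 60, 80, 100])
print(GENUINE, SCRIPTED, sep="\n")
```

With only three past sessions the standard deviations are narrow; a production profile would need far more history before a fixed cutoff is meaningful.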

Fighting Bad Behavior with Good
Fraud detection is a tricky proposition, no matter how you look at it. As quickly as the industry can come up with a solution to a fraud tactic, cyber criminals come up with a new tactic. But they can’t fake or otherwise overcome good users’ or their own unconscious behaviors. Identifying and blocking fraud attempts, while also protecting the customer experience, is the order of the day. Using data gleaned from a user’s device, including behavioral biometrics throughout an account’s lifespan, puts an end to the fraud cat-and-mouse game.

About Ryan Wilk
Ryan Wilk is the vice president of customer success for NuData Security. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles.

NuData Security predicts and prevents online fraud, protecting businesses from brand damage and financial loss caused by fraudulent or malicious attacks. NuData Security analyzes and scores billions of users per year and services some of the largest ecommerce and Web properties around the globe.

Tags: Biometrics, Fraud Risk and Analytics
