Behavioral biometrics are about behavioral tendencies as people do their digital banking. This includes typing speed on their phone, how they move their computer mouse, and more.
An emerging fraud form where behavioral biometrics may be effective is authorized push-payments fraud, where a customer is socially engineered into authorizing a payment.
In the future of fraud prevention, there is room for banking institutions to integrate more deeply with existing fraud solutions to address a growing incidence of cross-channel fraud.
Seth Ruden, Director of Global Advisory for the Americas at BioCatch, and Joey Zollinger, VP, Product management at Alkami. Welcome to the BAI Banking Strategies podcast.
ZOLLINGER: Thank you and happy to be here.
So Joey, fraud is an important issue for banking institutions and it seems to be growing even more important as fraudsters get more sophisticated, and losses from fraud, they keep escalating. Broadly speaking, how are you at Alkami thinking about the current fraud risk environment for banks and credit unions?
ZOLLINGER: What we’re looking at now is what we’ve always looked at, and that’s there has to be some type of balance between extremely secure and ease of use, which is how digital banking got started in the first place, was to allow people an easier way to get access to their financial information. The way that we approach it with our customers is letting them have a say in what that balance is. We provide a lot of different options, and we try to integrate with different vendors and different providers and different solutions out there to provide our customers with a lot of options and tailor their security profile or their risk assessment that they do for their customers.
So when you’re out meeting with those customers, what are you hearing from them about the most prevalent kinds of fraud that they’re encountering, particularly as digital banking continues to grow rapidly? And how much success are they having, what they tell you, in terms of fighting back against it?
ZOLLINGER: Yeah, I would say it’s really tough right now. When you look at where digital banking was 20, 25 years ago, banks would tell their customers that you have a higher chance of fraud being committed against you outside of digital banking through your normal mail process. That was because most people weren’t using digital banking way back then. That’s changed, obviously – everybody’s using digital banking right now. So it’s a really ripe target for fraudsters, but the types of facts that are coming are the most prevalent ones haven’t changed all that much. It’s still about account takeover and getting access to user credentials. That’s something that our customers are still experiencing in very sophisticated variations of that, much more sophisticated than they were before, but still very prevalent with account takeover.
So let’s bring Seth into the conversation now. But Seth, before we get too deep into substance here, could you tell us a little bit more about BioCatch and where the company fits into the fraud prevention space?
RUDEN: Sure. BioCatch is something of a third-generation fraud detection solution, and it allows us to bring in new elements and data points about the online banking journey, about the online banking sessions. It adds behavioral biometrics and endpoint elements that decorate the historical transaction detail, which is more than what our historical fraud detection solutions were able to create for us. So when we look back at the trajectory of fraud detection solutions, and I’ve been a practitioner of these for two decades now, and the early ones were looking just at specific transaction elements, the payment itself. Second generation, we started adding some profiling elements. Have you been here before? Is this your device that we’ve seen? Is this a location that you’ve been to? Now we’re looking at quite a larger data set that allows us far more precision in deploying those detection controls. We want to be sure that we’re operating in a low friction environment and enabling as much end-user transaction elements as possible, but yet providing the right deterrence when we recognize that something is amiss in a potential anomalous transaction.
You mentioned behavioral biometrics. By now, all of us are familiar with biometrics, and this includes facial recognition, retinal scans, touch sensors that read fingerprints as part of identity verification. Tell us more about what behavioral biometrics are and how they’re used by banks and credit unions for fraud protection?
RUDEN: Behavioral biometrics is really how you interact with the session. These are cognitive elements like how you focus your short term memory. If I’m looking at the way that I interact with my online banking session and I need to provide information like my date of birth or my phone number or my email address, I’m able to pull that from short term memory because it’s locked up in there. So I’m able to really reflexively leverage things that are easy for me to recall, and that changes the way I can interact with the session. But this also includes other elements. There’s hand-eye coordination. There’s your regular typing speed that’s reflective of you as a given user, and how you spend time on specific screens. You can extract about 2,000 different elements and draw from this enough information to be very that is your end user and that they’re acting in characteristic patterns that have been observable in the past.
Two thousand, that’s a lot of unique elements, as you call them, or characteristics to consider for every customer. And when you multiply that across tens of thousands or even millions of customers that a banking institution might have, it’s not hard to see that data part getting pretty unwieldy. So how do you wrangle the data so that my bank, for instance, has an accurate read on my specific behavioral tendencies?
RUDEN: We can concentrate this data on our servers and roll it up, if you will. We can concentrate the profiling of the users, create fields that look like they’re consistent with history, and we don’t need to have that data in all of its raw form. This is how a lot of fraud detection solutions utilize data today. They’re not bringing in all the session information that you had historically. We have different areas where we can leverage that data and we can access it in a way that allows it to be, one, not necessarily requiring and requesting PPI, that personal information that we want to steer away from in our technology, and we want to get it away from being stored locally. So between those two elements, and then finally, the roll up of that data into metadata, that allows you to overcome some of those challenges and take it away from a specific pressure of resources that the end client would have to accommodate.
Facial recognition, retina scans – what I’m going to call classic biometrics for lack of a better term – as tools for identifying someone, they’re considered pretty accurate, even extremely accurate. In poking around the web to learn more for this conversation, I came upon one tech site that said, retina scans are 20,000 times more accurate than relying on fingerprints, for instance. So how should we be thinking about the accuracy of behavioral biometrics compared to that? And is there a point at which the technical ability to create greater accuracy, that this leads to diminishing returns on the user end?
RUDEN: A retina scan is one specific feature, just like a fingerprint or a face print. You’re looking at just is this retina representative of the retina that I have on file? Is this fingerprint representative of this fingerprint that I have on file? You can apply a lot of analytical elements to that but it’s only going to give you the validation that the retina is the retina. But our behavioral biometrics approach, we’re able to apply a lot of other features over that entire session. We’re looking at so many other different data elements that allow you to apply different layers because fraud is rich with different typologies. It’s rich with different attack vectors. It has this potential of not just being able to use one fraud type to realize the end goal. So if you use the richest of the data – that includes devices and point locations, networks – and then you apply those behavioral patterns and habits and all those elements, now you can have a greater contextual framework over the accuracy of your user. Not just that it is your user, but it is your user performing transactions in alignment with their desirable and authentic behavior and the riskiness of the transactions that they’re attempting to pursue. So the ability to identify those fraud elements just go beyond the specific element of, is this genuine user the genuine user? Because fraud exists in so many different planes and we want to be sure that we take into consideration the potential use cases that exist.
What about the growing technical ability and the idea that at a certain point, there are diminishing returns for the user, much like, say, a PC maker, once their chip speed gets up to a certain point, the user doesn’t really notice much difference?
RUDEN: We keep on identifying new use cases. We keep on identifying new ways where this technology can be valuable. As the individual who ran a fraud department for many years through the pandemic at a very significant institution, I started finding use cases that were well beyond just the initial use cases that we had for it, which were specific to the account takeover scenario. I started finding new elements to be able to write policies around liability and the capacity that these users were first party fraudsters or mules or victims of scams. So I wouldn’t say that the technical ability is going to have somehow diminishing returns when fraud is constantly changing, and we see greater use cases emerge. And especially in these cases that we have lately with these authorized push payments fraud, where the fraudster socially engineers that person and has them authorized a payment going to a new endpoint. This isn’t one that we had a lot of exposure to even just a couple of years ago. This has become something that’s somewhat of a crisis across the pond in the U.K., and we’re now starting to experience some of these use cases in the United States. I think that there’s going to likely be new and emerging fraud patterns that will create for us great new use cases for this technology.
Yeah. Seth, I want to ask you about how the banking industry is looking at behavioral biometrics at this point. BioCatch isn’t the only player in the space, so what can you tell us about how widespread adoption has been, and if there are any trends you’re seeing regarding resistance or obstacles that could be affecting adoption rates?
RUDEN: It’s early days. We’re a growing space and we’re starting to get a widespread sense of the potential, and that the reliability of behavioral biometrics can be something that allows for better decision-making across financial institutions. What I would suggest is that the obstacle is that we’re constantly experiencing resource restraints, and adoption has a limitation because there’s only so many projects that an institution can bring in and there’s only so many hands that can participate in the adoption of a new technology. When we have very limited amounts of staff and it’s hard to hire in this present environment and have that ability to bring in new resources to assist us in these deployments, that tends to be one of the larger obstacles that we have from the banker perspective, I would suggest.
Joey, we haven’t forgotten about you. Alkami has been in the fraud prevention space for years. So you have a history with a number of the technologies developed to protect institutions and their customers. About a year ago, you brought BioCatch into a special partnership you have with a select group of fintech companies. Seth has been talking about how the behavioral biometrics part work, but let me ask you about why you think this is the right solution for your banking clients?
ZOLLINGER: Yeah. Thanks for coming back to me here. I think that we have two questions that were asked previously that I think I can draw on some of the information from those to give you an answer. One was the evolution of fraud over time. I mentioned account takeover is still the number one problem, but the sophistication of account takeover has changed over the years to now you can learn almost everything you need to know about a person or a lot of information you need to know to take over an account online. So all of these different ways that the traditional security methods that you deployed in online banking, which is multifactor authentication, having something or something else besides a password to authenticate, you have to assume that they can be compromised. If you’re assuming that they can be compromised and account takeover is your number one problem, then you have to have something else that you’re layering on top.
There’s no reason to think that banking won’t continue on its current path of going ever more digital. Really, if anything, that curve is going to steepen. So as a result, fraudsters will continue to have the opportunity to operate from the virtual shadows to try to steal money from banks and their customers. As we look out over the next few years, where do each of you see things going prevention wise? Seth, maybe you start and then, Joey, you finish.
RUDEN: Well, I see that there’s a greater opportunity for financial institutions to have deeper and better integrations with their technologies and the various fraud solutions that exist today. One of the things that fraudsters are starting to really capitalize on is cross-channel activity and being able to perform, cross-channel transactions to maximize their economic gains from a specific event. And this is something that institutions should be paying very close attention to, because if you have these find of cross-channel, outside the silo of the individual specific payment device exposure, then you need to start looking at the concentration of your detection framework in multiple different facets of the business and being able to ensure that you can centralize those things and bring in more models, more data, more elements that allow you to make a smarter, more precision decision, you’re able to expand to meet other fraud typologies like scams or money mules or other detection models, say even remote check deposit, to ensure that you’ve got a more comprehensive vision for how you’re going to protect the end user, the victims and even the financial institution itself.
ZOLLINGER: From a digital banking perspective, I think there’s a couple of things that we’re going to see. One, we’re going to see a collection of even more data for providers that are looking at behavior transactional information. Vendors that are looking at behavioral biometrics are going to start looking at even more and looking at additional interactions with the digital banking channel and some of the third parties that the digital banking channel integrates with, extending to those as well. And I think you’re going to see a move away from traditional passwords. This may not be in the next two years, but certainly over the next five years, I think. There are technologies out there that are moving away from passwords into different types of technology. You probably use some of them already. I think you’ll start seeing that for digital banking as we go forward as well, and that will help mitigate some of the problems we have. It won’t completely eliminate it. We’ll always have fraudsters out there spending a lot of time trying to circumvent the roadblocks we put in place, but certainly I think the next evolution is going away from traditional passwords.
You’re right. It’s always move/counter move, so staying one step ahead is ever so difficult. So Seth Ruden from BioCatch and Joey Zollinger from Alkami, many thanks again for being with us on the BAI Banking Strategies podcast.
Cheers. Thank you, Terry.
Yeah. Thanks, Terry. I appreciate the opportunity to be here.
In this month’s BAI Executive Report, we examine where things stand with fraud protection and how it can be done more efficiently and effectively, including looking at the role of both humans and technology in fraud prevention strategies. Download Now...
Compliance training and professional development courses that are efficient, effective and on-point. Give your people the latest industry-approved tools they need to improve performance, reduce operational risk and better serve your customers.