N-dimensional behavioral biometrics: a viable solution for digital fraud?

Identity fraud is expected to reach an all-time high in 2018. Javelin Research Center reported a record 16.7 million consumers fell victim last year, in large part due to the massive Equifax breach which left millions of consumers’ data exposed to would-be hackers. Now, hackers are using exposed credit and debit card numbers to steal from bank and loyalty accounts, shifting to digital attacks without ever needing a physical card in their hands. According to Javelin, card-not-present fraud (CNP) is 81 percent more likely than point-of-sale fraud (PoS). In 2017, more consumers had their cards misused in a CNP transaction than at the cash register.

The changing fraud landscape

Credit card fraud at the PoS has dramatically decreased thanks to the deployment of EMV chip cards, which makes it extremely difficult for fraudsters to create counterfeit cards. While physical fraud has gone down 28 percent over the last three years, hackers are getting more sophisticated and are constantly changing their attack vectors.

Through card skimming at ATMs and online data breaches caused by phishing and other types of attacks, hackers are illegally obtaining consumer card numbers to commit CNP fraud, or selling them on the dark web for others to use. CNP is one of the most prevalent types of fraud in countries that have adopted EMV cards. As the leading e-commerce country in the world, the percentage of CNP fraud in the U.S. is currently lower than in other countries, but the recent migration to EMV is expected to contribute to a surge in CNP fraud. From 2000 to 2014, the CNP growth rate was 16 percent per year. In Canada, CNP fraud increased by 205 percent from December 2010 to December 2015, and accounted for 76 percent of all fraud in 2015.

In addition to CNP fraud, cybercriminals can take over a consumer’s financial accounts to make extravagant purchases or drain their funds. Account takeover poses a significant threat to online merchants, and financial and mobile payments providers – total losses have reached $5.1 billion, a 120 percent increase from 2016. Another challenging threat is synthetic fraud, in which hackers cull together information they’ve obtained from various consumers’ accounts to create an entirely new identity and associated account. This makes it quite difficult for service providers to tell whether a transaction is fraudulent or not. The prevalence of these threats, in effect, have caused online fraud to skyrocket 106 percent.

New sweeping regulations cause concerns over privacy and security

Since May of last year, much attention was on the EU’s implementation of GDPR and how enterprises doing business in the EU needed to scramble to comply with stringent regulations in a tight timeframe. At the same time, however, the UK also set PSD2 into effect – the Second Payment Services Directive, otherwise known as Open Banking.

Under the directive, the UK’s nine largest banks are required to release their data securely, to be shared more easily between authorized parties online. This includes everything from branch locations and explicit details on product offerings, to transaction details on bill, loans and shopping payments, which is a cause for concern among consumers not comfortable sharing that data. In reality, PSD2 puts power into the account holder’s hands, as they control who can receive their data. 

Broad-sweeping laws like GDPR and PSD2 are expected to inspire similar regulations in the U.S., like the recent California privacy law which requires companies to reveal to state residents what information they are collecting and how it’s being used, and giving consumers the option to revoke permission to stop using that information. For now, most businesses are focused on compliance with overseas regulations. 

Are organizations offering sufficient protections?

Regulations, like PSD2, require strong customer authentication, incorporating knowledge-based elements such as passwords and PINS, a key material, inherent characteristics like biometrics, and a unique authentication code for remote transactions.

To adhere to these requirements, some businesses are embracing biometric authentication methods, like fingerprint sensors and iris scans, in tandem with two-factor authentication (2FA) solutions. However fixed biometrics and 2FA methods are not foolproof, and are still subject to hacking and copying.

An emerging alternative now being recognized by enterprises is behavioral biometrics. With this method, AI and machine learning (ML) algorithms can be trained to adapt to a consumer’s behavior and run on-device, continuously building behavioral models based on the way they interact with the device in their hand, including the way they type, tap and swipe, which is much more difficult for a fraudster to replicate. Behavioral biometrics also greatly reduces the risk of breaches of third-party vendors that do not follow the same set of security standards as the financial institutions they work with.

Some organizations utilize “black box” ML, in which the algorithm flags a potential incident of fraud without a reason why. This is counterintuitive, as transparency is key for any fraud detection application (and for open banking). An audit trail of a given transaction, coupled with the amount of cash held in an account and other account details, is needed in order to understand why something was considered fraudulent, which in turn fosters transparency and compliance. AI algorithms must analyze the consumer’s behavioral model for even the slightest deviation in activity, and then flag that anomaly for the user to determine whether it was a legitimate threat.

Continuous behavioral authentication that incorporates AI brings a new level of personalized defense that fixed biometrics and MFA alone cannot enforce when combating CNP and other types of online fraud. Without it, identity fraud will continue to reach new astronomical highs that will cause major headaches from a consumer and regulatory standpoint.