The year of 2020 was the best of times – if you were either a stock trader or a cybercriminal. As the shockwaves of Covid and resulting economic consequences continue to reverberate around the globe, the magnitude of the shock varies based on which part of the world you live in. As the saying goes, “This too shall pass,” but it would be a shame if it passed without embracing new opportunities.
Financial institutions were among the hardest hit as they tried to embrace the digital world for their own day-to-day activities. Some organizations were better prepared than others to deal with the implications of the pandemic, but there is a broad recognition that banking and commerce have changed forever. Before the pandemic, the emphasis was on targeting millennials with digital products, hence the adoption rate of such products was manageable. That changed when suddenly millions more required access to online and mobile banking.
While digital banking products are hardly new, their recent popularity is. As banks welcome digital adoption from the masses of new and underbanked populations, the opportunity does not come without risk. Financial institutions are under pressure to strike a balance between customer friction and fraud prevention. This is not the responsibility of just one group, but rather a cross-functional effort. As the CISOs, CROs, CDOs, and CIOs of financial institutions seek to re-evaluate their investment in information security in general, the digital rush is going to cast a renewed focus on user authentication and transaction management.
In thinking about a layered approach, the focus of fraud prevention has typically centered on the authentication solution, as it assures the identity of a user. However, fraud tactics continue to evolve, and new banking services have increased the potential for attacks across multiple touchpoints. Even more important are the customers themselves. Consumer preferences have changed, and there is much less tolerance for friction. Unlike before, the digital user journey requires continuous protection and must not be limited to point-in-time evaluation (e.g. login). To protect the user experience, customers should not be prompted frequently to actively authenticate (e.g. OTP, biometric), as is the case with many financial institutions that rely solely on authentication solutions to provide foundational security.
Consider this in the context of the ever-evolving fraud techniques used by cybercriminals. We see malware, RATs, bots, social engineering scams, SIM swap, credential stuffing – the list goes on. Financial institutions have tried to tackle fraud by introducing more and more advanced authentication techniques, which only resulted in increasing customer friction rather than addressing the problem. On top of that, cybercriminals are capable of spoofing most device and location-based authentication controls.
While authentication vendors have been pushed to be creative with their solution offerings, there is a need now to bring in new technologies capable of keeping up with the emerging attack vectors and consumer demands for frictionless experiences. This is where behavioral biometrics has a crucial role to play.
Let’s get the terminology straight first, though, as biometrics and behavioral biometrics have become buzzwords in the banking and payments industry and are frequently misused or misunderstood by the application vendors. Biometrics refers to the physiological features of the human body, such as those captured by a fingerprint, retina scan, or facial recognition, which can be used to authenticate an identity.
Behavioral biometrics is entirely different and looks at a user's behavioral and cognitive attributes. Behavioral attributes refer to the way a user interacts with a device, while cognitive attributes refer to the way the user interacts with an application using the device. Behavioral biometrics solutions have become a game-changer across the world; they are generally data rich, and that data is beyond the scope of human interpretation and rule-based systems. Therefore, these solutions use artificial intelligence and machine learning technology to enable the processing and interpretation of expansive real-time datasets.
Behavioral biometrics has delivered huge benefits to the banking and payments sectors in the area of fraud prevention, as these behavioral signals have been added as a new layer of security controls protecting genuine customers. One particular benefit beyond fraud prevention has been the reduction in false positives. For example, one large bank was able to reduce false positives by 66% after deploying behavioral biometrics on top of their existing transaction monitoring solution.
The rules of the game have changed, and as financial institutions look to re-evaluate their fraud prevention and user authentication strategy, there are new considerations. First, fraud prevention is a business issue, not a security issue. Stakeholders across the business often have conflicting priorities about how fraud should be managed, which requires a cross-functional team to solve. Second, cybercriminals are sophisticated and adaptive, so traditional authentication controls are no longer a match on their own. New technologies, such as behavioral biometrics, are required to provide the continuous protection and additional visibility into risk that many authentication solutions are missing today. Finally, and most important, are the changing needs of the customer. As digital channel adoption increases, solutions must enable financial institutions to treat genuine users not as criminals, but as the valued customers that they are.