Why Banks Need to Go Beyond Device Identity for Fraud Detection

Sep. 28, 2020 | by Ayelet Biger-Levin

Financial institutions regularly use device identity for fraud prevention and to authenticate users at login. It is one of many controls that can be used to safeguard online interactions. But as with other security tools that rely on static measures, cybercriminals are finding ways to circumvent device ID. Account takeover is one of the most common tactics: in 2019 alone, account takeover fraud cost U.S. businesses nearly $7 billion in losses. Financial institutions are also experiencing significant rates of fraud in the account opening process and have difficulty accurately separating genuine applicants from cybercriminals. Because new customers have never been seen before, their devices haven't either, so device identity has nothing to compare against and offers little protection at account opening.

Today, fraud overwhelmingly takes place within authenticated sessions, after the login control has already passed (what remains, such as fraudulent account opening, happens before there is any known device at all). Device identity falls short because it provides no visibility beyond login and nothing at all while a digital account is being opened. Where device identity stops, behavioral biometrics takes up the challenge of protecting the online session continuously.

What Is Device Identity?

In our remote digital environment, identity is verified using three kinds of factors: what you know, what you have, and who you are.

  • What You Know: Static information such as a password, the answer to a security question, or personally identifiable information (PII) like your social security number or phone number
  • What You Have: A unique token or a device used to verify your identity
  • Who You Are: Biometrics, either physical (fingerprint, face, voice) or behavioral, based on how an individual interacts with a device, such as tap pressure, swipe patterns, or how they enter information into a form

Device identity is usually placed in the "what you have" category. Also known as device fingerprinting, it collects attributes of a device (browser, operating system, screen, installed components) together with network context such as connection type, IP address and geolocation, and combines them into an identifier that can be linked to an individual user. Strictly speaking it is a weaker possession factor than a hardware token, because every attribute is reported by the client rather than proven by it.

Device Fingerprinting Controls Leave Blind Spots

On their own, the first two categories are no longer able to reliably verify digital identity. Data breaches and phishing scams have put information in the what you know category within easy reach of cybercriminals. What you have, which includes device ID, also presents major challenges. Digital identity has to be clearly defined so it can be routinely used to verify that a person is who they say they are, even for customers a financial institution has never seen before. Device identity cannot deliver that, for several reasons.

Too easy for cybercriminals to circumvent

Cybercriminals constantly look for new ways around security and authentication controls, and on its own, device ID is one they have beaten. Using several methods, they can take over a device or hide their use of one.

  • RATs: Most authentication and fraud prevention solutions rely on known device and IP location parameters to measure fraud risk. A Remote Access Tool or Trojan (RAT) bypasses device identity directly: the attacker operates the victim's own device, so every transaction genuinely originates from it. The bank's systems see the enrolled device fingerprint, no proxy, no injected code, and the expected IP address and geolocation; the malware lives on the endpoint, out of sight of server-side checks. With automated scripts driven through the RAT, criminals have the device perform specific actions on the user's behalf.
  • Social Engineering: Using social engineering schemes, fraudsters trick users into initiating a fraudulent transaction from their own device. For example, a fraudster posing as the user's bank persuades them to "move funds to a safe account", which the fraudster controls. Fraud prevention tools that are device-based or activity-based cannot detect such attacks, because the payment takes place within an authenticated session, from a trusted device and location, with no malware involved. In the UK, this form of scam, known as Authorized Push Payment (APP) fraud, rose about 30% in 2019, with losses reaching £456 million.
  • ID Spoofing: Cybercriminals can also mask or forge device IDs so that a session appears to come from a previously identified and authenticated device. Because the fingerprint is assembled from attributes the client reports, an attacker who captures them, for instance with man-in-the-browser (MitB) malware on the genuine user's device, can replay them from a machine of their own, and a proxy exiting on a matching IP address takes care of location. Man-in-the-middle (MitM) tooling goes further, spoofing the fingerprint and the JavaScript elements that collect it, not only IP and location.

Too hard to link a user to a device

A secondary challenge is how frequently users change devices. New models come out and phones break or get lost, and every device change breaks the requirement that an identity be fixed and stable. Some devices are also shared by more than one person, like a desktop computer in a home office. If a shared device is used as the authenticator, there is no way to tell which specific user is behind a session on it.

Success Stories: How Banks Can Cover All Their Bases

Device ID remains a valid fraud detection solution and shouldn’t be abandoned. However, there are use cases that it cannot cover, and that’s where other solutions come in to ensure financial institutions have all their bases covered.

A top-five bank in the United Kingdom quickly found this to be true after deploying BioCatch behavioral biometrics to gain visibility into anomalies in user behavior and interactions through actionable behavioral insights. The bank was experiencing a prolonged cyber attack involving the Dridex malware which was capable of taking over customer accounts and circumventing its traditional controls such as malware detection, transaction monitoring, and device fingerprinting.

BioCatch quickly identified several high-risk activities based on user behavior, even when it appeared the session came from a trusted device and location. As a result, the bank was able to stop a £1.6M attempted fraudulent transaction and was able to detect 81% of fraudulent transactions with less than a 0.05% alert rate.

BioCatch has also changed the game for account opening protection. During account opening, typing speed, swipe patterns, and every click of the mouse tells a story — one of criminal activity or genuine user behavior. BioCatch behavioral biometrics quickly spots these patterns with a high degree of accuracy, pulling together data to empower fraud teams with increased visibility into risk through actionable behavioral insights. Even when you’ve never seen a customer before, you can recognize trusted behaviors, creating a smooth journey through the account opening process.

The growth of fraud has made it all too clear that it is time to move beyond traditional fraud detection alone. Tackling today’s threats requires a layered solution that builds trust with customers, manages risk across digital channels, and limits financial losses from cybercrime. Behavioral biometrics is that solution, allowing financial institutions and digital businesses to deliver a comprehensive fraud management strategy and build an online environment where customers feel safe to interact.

Access the latest report from KuppingerCole to get tips on how to leverage behavioral insights to enhance your fraud management strategy and make more informed risk decisions. 

Topics: Authentication, Identity Proofing