When New York State published final cybersecurity regulations for the financial services industry last week, it became the first in the nation to offer specific guidelines to protect consumers from identity theft and other cyberthreats.
There are multiple provisions related to compliance, reporting, creation of incident response plans, etc., which are covered more generally by other guidelines. What makes the New York State regulations unique, however, is the specificity with which they address the requirement for multi-factor authentication and risk-based authentication.
Risk-based authentication is defined in the regulations as “any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a person and requires additional verification of the person’s identity when such deviations or changes are detected”.
By giving each covered entity the latitude to use “effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems,” the regulations allow each financial institution to weigh for themselves the friction versus fraud argument that often plays into the decision to deploy behavioral biometrics.
Behavioral biometrics is the up-and-coming technology increasingly deployed by leading banks to prevent fraud. It detects anomalies between a legitimate user’s behavior patterns – the way they type, scroll, toggle between fields, what shortcuts they use, the pressure and angle with which they hold their phone – and those of an imposter, whether human or not (malware, robotic or aggregator activity). One element that makes behavioral biometrics so attractive is that it works in the background and does not interrupt or change the user experience in any way, and it does not rely on malware libraries, which essentially develop into a cat-and-mouse game.
The other driver behind the rapid adoption of behavioral biometrics is that it is the only practical way to protect against account takeover and ensure the integrity of a session after the initial log-on, that is, to “detect anomalies or changes in the normal use patterns of a Person” after authentication, which is where all of the fraud today is taking place. Today’s cybercriminals have figured out how to circumvent the traditional means of authentication – be it device ID, IP verification, SMS codes, tokens, and even physical biometrics. By continuously monitoring the activity within a session, this technology offers a built-in solution for an otherwise vexing problem.
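The following is an added illustration of the risk-based authentication pattern the regulation describes (build a per-user baseline of normal use, score activity throughout the session, and require additional verification only when the deviation is large). It is not code from the original article or from any vendor product; the feature names, the threshold values, the lower tolerance for payee or routing changes, and every user and session value are constructed assumptions chosen for the example.

```python
"""Toy risk-based authentication scorer (constructed example, not vendor code).

A per-user baseline is built from past sessions, then each window of a live
session is scored against it. A window that deviates beyond a threshold is
routed to step-up verification rather than blocked outright, matching the
"requires additional verification" wording of the regulation.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed behavioral features (constructed names; a real product uses many more).
FEATURES = ("key_interval_ms", "scroll_px_per_s", "field_toggles_per_min", "shortcut_ratio")

Z_CLIP = 4.0                  # cap per-feature z so one wild feature cannot dominate
STEP_UP_THRESHOLD = 2.0       # ordinary activity: avg clipped |z| above this -> verify
SENSITIVE_THRESHOLD = 1.0     # assumed lower tolerance around payee/routing changes
SENSITIVE_ACTIONS = {"change_payee", "change_routing"}


@dataclass(frozen=True)
class Baseline:
    means: dict
    stdevs: dict


def build_baseline(sessions):
    """Per-feature mean and population stdev over a user's past sessions."""
    means, stdevs = {}, {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        means[f] = mean(values)
        # Floor the stdev so a very regular habit still tolerates small noise.
        stdevs[f] = max(pstdev(values), 0.05 * abs(means[f]), 1e-9)
    return Baseline(means, stdevs)


def decide(baseline, observed, sensitive=False):
    """Score one observation window; return the score and the step-up decision."""
    zs = {f: (observed[f] - baseline.means[f]) / baseline.stdevs[f] for f in FEATURES}
    score = mean(min(abs(z), Z_CLIP) for z in zs.values())
    threshold = SENSITIVE_THRESHOLD if sensitive else STEP_UP_THRESHOLD
    return {
        "score": score,
        "step_up": score > threshold,
        # Features that individually deviate by more than 2 sigma, for the analyst.
        "anomalous": [f for f, z in zs.items() if abs(z) > 2.0],
    }


def monitor_session(baseline, windows):
    """Continuous monitoring: index of the first window needing step-up, else None."""
    for i, w in enumerate(windows):
        if decide(baseline, w, sensitive=w.get("action") in SENSITIVE_ACTIONS)["step_up"]:
            return i
    return None


# --- Constructed sample data for a hypothetical user "u-1001" ---------------
HISTORY = [
    {"key_interval_ms": 180, "scroll_px_per_s": 600, "field_toggles_per_min": 6, "shortcut_ratio": 0.40},
    {"key_interval_ms": 200, "scroll_px_per_s": 650, "field_toggles_per_min": 5, "shortcut_ratio": 0.50},
    {"key_interval_ms": 190, "scroll_px_per_s": 620, "field_toggles_per_min": 7, "shortcut_ratio": 0.45},
    {"key_interval_ms": 210, "scroll_px_per_s": 580, "field_toggles_per_min": 6, "shortcut_ratio": 0.35},
    {"key_interval_ms": 185, "scroll_px_per_s": 640, "field_toggles_per_min": 5, "shortcut_ratio": 0.50},
]
# Same person, ordinary day.
LEGIT = {"key_interval_ms": 195, "scroll_px_per_s": 610, "field_toggles_per_min": 6, "shortcut_ratio": 0.45}
# Mild drift in one feature only: tolerable for browsing, not for a payee change.
DRIFT = {"key_interval_ms": 240, "scroll_px_per_s": 600, "field_toggles_per_min": 6, "shortcut_ratio": 0.45}
# Someone (or something) else entirely: every feature far from the baseline.
IMPOSTER = {"key_interval_ms": 320, "scroll_px_per_s": 150, "field_toggles_per_min": 1, "shortcut_ratio": 0.0}
# A live session as a sequence of windows, each tagged with the action performed.
SESSION = [
    dict(LEGIT, action="view_balance"),
    dict(LEGIT, action="view_statement"),
    dict(DRIFT, action="change_payee"),   # step-up triggered here
    dict(IMPOSTER, action="transfer"),
]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for name, obs in (("legit", LEGIT), ("drift", DRIFT), ("imposter", IMPOSTER)):
        print(name, decide(base, obs))
    print("first step-up window:", monitor_session(base, SESSION))
```

The point of the lower threshold on sensitive actions is that a single drifting feature (here only typing cadence) is not worth interrupting a user who is merely reading statements, but the same drift during a payee change is exactly the “deviation” the regulation says should trigger additional verification. Thresholds and feature floors would be tuned per institution against real friction-versus-fraud data.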
The following examples are a case in point:
- A 130K transaction was stopped when a fraudulent user tried to change the payee and reroute funds to their account
- 2M+ was saved when a CFO was faced with an account takeover that changed all routing and account numbers in the background during a session in which he was setting up payables
- An average of 15 cases per day of a new malware strain that was not indexed by any other system, which led to a $16K fraudulent consumer banking transaction being stopped, among other smaller amounts
We are still early in 2017, but there are numerous indications that remote access attacks will shift to regional banks, and that mobile banking fraud will spike, along with application fraud for retail banking and credit cards. The new regulations come into effect on March 1st and can provide a real framework for financial institutions to act. Solutions like behavioral biometrics have come of age and can make it easy for covered entities not only to comply, but to change the rules of the game and keep fraudsters at bay.