The following testimony was delivered in front of the New York State Assembly Banking Committee on Monday, December 19th by BioCatch Vice President of Marketing, Frances Zelazny during an open hearing on cybersecurity.
Thank you Chairwoman Robinson. I am honored to be here and appreciate the opportunity to testify before your committee about the real cybersecurity threat that banks are facing today.
I am Frances Zelazny, Vice President of BioCatch. I have been involved in biometrics for almost 20 years and in addition to speaking here today on behalf of my company, I have a personal interest and deep concern about how we protect our online identities.
We live in an increasingly dangerous world. Part of what makes it more dangerous than past situations is that we do not always know where the threat is coming from and by the time we find out, it is too late. Every day we learn of a new invasion of our cybersecurity system. Just last Wednesday, we learned that literally a billion accounts were hacked at Yahoo, and that the criminals who accessed the accounts did not even need the users’ passwords. We are also dealing with the possibility that hackers may have somehow influenced our presidential election and we continue to be notified of breaches to the GOP state-level apparatus. No one is immune.
When criminals invade our financial systems, our health systems and our political databases, the integrity and fabric of our society is put in jeopardy. Some of these criminals are motivated by money; others have different agendas. Regardless of their motives, today’s cyber criminals are smart and sophisticated and they have an array of proven methodologies at their disposal. They are not always predictable and most of all, they are patient.
We, on the other hand, are defending ourselves with predictable techniques that are antiquated. The fraudsters are familiar with our prevention solutions and they have figured out how to bypass them, as we have seen time and time again. Clearly it is time for a new approach because what we are doing is just not working. This is the reason I am here today.
The Chief Technology Officer of BioCatch, Avi Turgeman, was sitting on the other side when he came to the same realization – that logon authentication is not the end-all, be-all. Avi spent 6.5 years as the Head of Innovation for the Israeli Intelligence Technology Unit. As he would explain, decades ago, hackers were focused on ways to steal online credentials. By 2000, they realized there was a more effective way – that is, to either bypass the login process completely, or to essentially tailgate on someone else’s access. At the time, this knowledge was closely held, but we can see today that this is in fact exactly what the cybercriminals are doing and that the tools to make it happen are available for purchase very cheaply on the dark net.
With this premise, Avi started the company. BioCatch is a cybersecurity company that delivers behavioral biometrics, which, as opposed to static logon techniques, cannot be duplicated or stolen. Behavioral biometrics analyzes the way people interact with a device or an application. Every person is unique and behaves in a certain way. We look at things like the way people scroll, how they type, toggle between fields, use shortcuts, and even respond to what we call “invisible challenges”. These are tests that we invoke in the system and that elicit a response without the user being aware. Altogether, we collect more than 500 parameters of behavior and assign a profile to each user that is based on the 20 parameters that are most unique to them. Each person’s profile is based on different parameters. What this means for the fraudster is that (a) he doesn’t know how he is supposed to behave to trick the system, unlike a known password or code that can be stolen, and (b) he doesn’t know when the system is testing him. And so what our system does is look for any differences between a user’s normal behavior and what is actually happening in a session, whether it is a breach by another human, or a piece of malware or a robot that is conducting activity on a person’s account.
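As an added illustration of the profile-building idea just described (this is not BioCatch’s code; the parameter names, users and values are constructed), the sketch below scores each behavioral parameter by how far a user sits from the rest of the population, keeps only that user’s most distinctive parameters, and then compares a live session against that personal baseline.

```python
import statistics

# Constructed sample data: three behavioral parameters per user, several
# enrolled sessions each. A real deployment would track hundreds of parameters.
PARAMS = ["type_interval_ms", "scroll_speed_px_s", "field_toggle_ms"]
HISTORIES = {
    "alice": {"type_interval_ms": [110, 115, 108, 112],   # unusually fast typist
              "scroll_speed_px_s": [300, 310, 295, 305],
              "field_toggle_ms": [800, 820, 790, 810]},
    "bob":   {"type_interval_ms": [240, 250, 245, 255],
              "scroll_speed_px_s": [150, 160, 155, 145],
              "field_toggle_ms": [820, 800, 810, 790]},
    "carol": {"type_interval_ms": [260, 250, 255, 265],
              "scroll_speed_px_s": [400, 410, 395, 405],
              "field_toggle_ms": [810, 790, 800, 820]},
}

def _mean_std(values):
    # Floor the spread at 1.0 so a perfectly constant parameter cannot divide by zero.
    return statistics.mean(values), max(statistics.pstdev(values), 1.0)

def build_profile(user, histories=HISTORIES, k=2):
    """Keep the k parameters on which `user` differs most from everyone else.
    Returns {param: (user_mean, user_std)} ordered from most to least distinctive."""
    ranked = []
    for p in PARAMS:
        others = [v for u, h in histories.items() if u != user for v in h[p]]
        pop_mean, pop_std = _mean_std(others)
        usr_mean, usr_std = _mean_std(histories[user][p])
        distinctiveness = abs(usr_mean - pop_mean) / pop_std
        ranked.append((distinctiveness, p, usr_mean, usr_std))
    ranked.sort(reverse=True)
    return {p: (m, s) for _, p, m, s in ranked[:k]}

def score_session(profile, session):
    """Average z-distance of the live session from the user's own baseline,
    measured only on that user's distinctive parameters."""
    return sum(abs(session[p] - m) / s for p, (m, s) in profile.items()) / len(profile)

def is_anomalous(profile, session, threshold=3.0):
    """Flag the session when behavior drifts far from the enrolled profile."""
    return score_session(profile, session) > threshold
```

The threshold is a tuning knob: too low and the genuine user gets challenged on ordinary variation, too high and a population-typical intruder slips through.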
Today, BioCatch works with the retail, corporate and wealth management departments of major banks around the world, primarily out of Europe and Latin America, providing continuous authentication for more than 2 billion transactions per month. Each week, we save our customers millions of dollars in fraud-related losses, and more importantly, we provide their clients an assurance that their personal information and money are safe. The most interesting thing that we see is that our customers already employ multi-factor authentication, PINs, tokens, passwords, challenge/responses, physical biometrics, device authentication, IP verification and other fraud prevention solutions, yet they are still susceptible to intrusions. Time and time again, we are recognizing fraud situations that these other methods are not detecting.
Why? Because all of the fraud is coming from AUTHENTICATED sessions.
Which begs the question – how can that be?
Allow me to explain for a moment the 3 main ways this can happen.
Credential Theft – Credential theft is the simplest attack. In this attack, the criminal obtains the user’s credentials from various sources and techniques, such as email or phishing, and then the fraudster proceeds to access the account from their own device. The most common attack is a phishing email that tricks the user into providing their username and password. We have seen this frequently in the news lately, especially as it relates to the recent election. If people like John Podesta and the Illinois GOP can be tricked into providing their credentials, what does that say about the rest of us?
Malware – Malware is essentially a rogue piece of software that can infect a user’s device. It is usually installed by an unsuspecting user who clicks on a link in an email, and it can sit dormant for a long time on a person’s device before doing anything. Malware is also sometimes referred to as a Remote Access Trojan or virus. Once installed on the machine, the malware waits for the user to authenticate to the session before injecting computer code onto the web site that the user logged into. That code then performs the designated actions. These “actions” can be things like transferring money or changing payee information. We recently witnessed a case on our system where the CFO of a company logged into his corporate bank account and began setting up a series of payments to be made to various payees. As he was progressing down his list, the fraudster in the background, unbeknownst to him, was changing all the routing numbers and account numbers. When the CFO went to confirm the transfers, our system alerted the bank to the fraud and was able to stop it in real time.
Social Engineering – With social engineering, fraudsters gain remote control over the user’s device, either using malware as I just explained, or by calling unsuspecting users and convincing them that they are from a trusted organization so the user downloads software that allows them to take control of the machine. Then they change the person’s phone number or email address in the system in order to receive any SMS or second-factor authentication codes and, in Avi’s words, enjoy.
One of our customers divulged this case to us, which happened to one of their clients before our system was in place: a gentleman was contacted by the “helpdesk” from his bank and was told that there were some security issues with his online banking account. The user was asked to download TeamViewer – this is a commercially available remote support tool – onto his machine. With the “helpdesk” on the line through TeamViewer, the user logged on to his account and allowed the “helpdesk” to run some “tests”. The “helpdesk” then took over the session and told the user that they would restart his computer and call him back when they were finished. Instead, for the next 36 minutes, they used the already authenticated session to make 6 money transfers totaling over $26,000. Unfortunately, this happens every single day to many, many people.
Yes, this is scary. We are not safe and we are not adequately protecting ourselves and our most important institutions from cybertheft. Today’s criminals are fighting a 21st century war, using unconventional techniques and methods, while we are fighting back with antiquated techniques. PINs, tokens, passwords and even multi-factor authentication can all be bypassed. We are a step behind when we need to be a step ahead. Gartner, the world’s leading information technology research and advisory company, agrees. Specifically, they call on organizations to DETECT and RESPOND to malicious behaviors and incidents instead of trying to prevent every threat¹. The bottom line is that we need a continuous, risk-based approach that considers WHO is behind a session and not just HOW a session was authenticated. Building higher walls doesn’t mean the criminal can’t go under or over, or isn’t already in on the other side, just waiting for the right moment to strike.
Many financial services companies still require consumers to use two-factor authentication which requires a login password and a unique number sent via text message. This process continues despite the fact that industry experts have known for some time that this process is vulnerable to hacks. I’m not suggesting we stop using this process, instead I’m suggesting we continue to evolve our methods to defend against our cyber enemies.
In fact, earlier this month, the President’s Commission on Enhancing National Cybersecurity recommended that “The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.” The Commission went on to discuss “new tools that support continuous authentication provide a strong foundation for opt-in identity management for the digital infrastructure.”
We don’t believe New York State must wait for the Federal government. New York State can lead the nation in protecting consumers and the financial sector right now. New York State is the financial capital of the world; this Committee and this legislative body can take the first step in recognizing the real threat. We urge you to work with all stakeholders to truly protect and preserve the integrity of our financial system, which is ultimately about protecting our consumers.
Thank you again for the opportunity to be here today. I would be happy to answer any questions.