The inaugural episode of Digital Tells: A BioCatch Podcast explores the origins of behavioral biometrics with BioCatch founder Uri Rivner and Chairman and CEO Howard Edelstein. The episode begins with host Peter Beardmore’s visits with his elderly mother and aunt, both having recently been targeted by scammers. Their stories illustrate the prevalence of cybercrime and scams throughout society, and the need for innovative solutions to help protect consumers and financial institutions alike.
The concept of technology that can use the ‘Digital Tells’ of online behavior (mouse movements, typing habits, etc.) to validate users or determine fraudulent intent may seem like the stuff of science fiction. In fact, it initially did to some of the leaders of BioCatch. But today, it’s real, preventing over 6 million fraud incidents per year and protecting hundreds of millions of people.
It’s late summer in the Northeast US. I’m taking a weekend ride through Cape Cod, a popular vacation area in Massachusetts, known for its beaches and most famously as home to the Kennedy family compound. My mission is to check in on elderly relatives who have summer homes in the area.
I’m seldom surprised by the stories I hear while catching-up on summer activities and family gossip... but these visits did yield one topic that did surprise me a bit… it came up twice… in separate conversations… once with my 75 year old mom and then again with my 84 year old Aunt. Both were targeted by scammers this summer, in one case quite successfully. As someone who works in cybersecurity and fraud, naturally these conversations peaked my interest. I pulled out my phone and began recording. So here’s my mom, her name’s Paulette
I got an email saying that I had been charged six hundred eleven dollars and three cents on my Amazon card for my package. And if I didn't order this package, call this number, which of course I did, because I don't have an Amazon account, so I don't order much online. And the man kind of led me on and said, I can't seem to retrieve that order. Tell me what your card number is. And, of course, like an idiot, I did. So he was in my phone and somehow shortly thereafter I got something taken out of my bank account.
What happened next I still can’t fully put together. Like all good scammers, they had just enough information to confuse their mark, pressure her, and collect a treasure-trove of information. In the end they had both a credit card number and attempted banking transfers. Eventually she got a notification from her bank that something was fishy. Accounts were frozen, and the process of cleanup, investigations, and reimbursements began. And re-routing all those automatic payments that nowadays we all take for granted.
Well, the problem is, is that you have to notify so many people because. We pay our oil here at this house, at the Cape, say, come and deliver, and they just charge my credit card because we're not here all the time in the winter. If transponders on it, I mean, just so many things our car insurances. We pay twice a year. What else do I pay? I pay a couple of bills on there that are just automatic. And so you forget like we didn't realize until we went to Maine two weeks ago that the transponder I'm like, oh, my God, we're going to get a bill…..
Things like that, that maybe a month transpired before everything was settled and that happened to be the last thing was the transponder. But I had to call the insurance company had called Social Security my husband's retirement. Our investment firm had to be notified that somebody’s in our accounts. And we need to change some numbers around here.
A few weeks and a lot of aggravation later… my parents’ issue eventually got resolved. Their money was reimbursed. But not without a very stressful toll. What they weren’t aware of was that at nearly the exact same time, my mother’s sister was also being targeted. My Auntie Sue is 84 years old, a retired school teacher, and she just wrapped up her 50th summer running a small fine art and antiques shop out of her converted garage in Barnstable Massachusetts:
Here’s my Auntie Sue:
I received an email from a lady who happens to be the president of the Cape Cod Antiques Dealers Association, which puts out the brochure that I just described. And in the emails, Dear Suzanne, it reads, I hate to lean on you for this, but I'm in a bad, very bad patch right now. And I know I can rely on you to do this. You know that the Antiques Association gives the amount of money each year to charity. This year, we determined that the veterans should get it. Would you be kind enough to go to local CVS or a similar commercial place and buy five hundred dollars in one hundred dollar denominations of gift cards and then send them to and then hold on to them? And I'll I'll be in touch with you to pick them up and I'll reimburse you from the Treasury of the Cape Cod Antiques Dealers Association for your doing this for me. Thank you so much.
Fortunately this story had a better ending.
So the excuses sounded plausible and rational, but I didn't do anything right away because I was somewhat suspicious. I let it go, and later that day I called my bank or my financial adviser and I said, does this sound fishy to you? And the financial adviser said, absolutely, we get these hundreds of times a month. And this sounds like a classic one. Do not respond, but do call the lady from whom you received the email, to alert other people because they undoubtedly sent the same email to everybody else who's listed in that brochure. And so I did and she did send everybody a flash email alerting us
These scams are, sadly, all to common. Recent FBI statistics reveal that in 2020 alone, cybercriminals stole $1.8B from older Americans. These are people who aren’t fully comfortable with computers, or online banking, or discussing finances over the phone. They prey on their fears and anxieties.
First of all, I think my age factor, I'm 84 years old. I think perhaps my age, they must go through the town lists and get people's ages, and then they just get on the phone from all over the country. And I would say of late, meaning in the past two months, I get a minimum of five a day, a minimum.
And that’s exactly the point which makes the subject of this podcast, online fraud so important. These stories that I heard in the living rooms of my parents and my aunt on a random afternoon in September… they get repeated over and over and over, throughout the world, and the stakes can be a lot greater, a lot more devastating that the inconveniences that my mom and my aunt suffered.
My name is Peter Beardmore. As I mentioned, I’ve worked in the computer security, risk management, and anti-fraud businesses for a couple decades. And I recently joined a company called BioCatch, who supported my idea to create this podcast.
Over the course of this first season, we’re going to explore what happens in some of the criminal networks that perpetrate cybercrime and fraud all over the world – how financial institutions go about detecting and preventing fraud – and how some organizations / like BioCatch / are innovating with new technology and statistical analytics to defy the conventional approaches to how fraud prevention happens – and in doing so – identify the behavioral tells that tip the hands of cybercriminals – and flip the tables on fraudsters.
Let me draw a frame of reference for what BioCatch is up to, from a story you may have already heard.
Have you ever read the book or seen the movie MoneyBall? This was a book written by Michael Lewis, and the movie starring Brad Pitt. It’s the story of Billy Beane, who as general manager of the Oakland A’s faced an impossible task. How to build a professional baseball team in a small market that can compete with teams like the New York Yankees and The Boston Red Sox who have 3 times the budget to pay for top talent. What do you do? Well in the case of Billy Beane, he followed a cast-off statistical philosophy called sabermetrics, which identified inefficiencies in how baseball players were valued and how the game itself is played. It turned out that the statistics that baseball had relied on for decades (batting average, runs-batted-in, pitch speed, fielding errors) These were NOT the best indicators of player value. While the top teams were paying top dollar for home runs, Billy Bean was paying bargain prices for on-base percentage and slugging. His successes revolutionized a game that literally had a century of conventional thinking behind it.
Now online banking isn’t a century-old game… but the banking industry …. modern banking is many centuries older than even baseball. Let’s think for a moment about the security structures that banking relied upon. Remember Willie Sutton – the famous bank robber who when asked why he robbed banks answered, “Because that’s where the money is.”
Back in the day, bank security depended on big safes, heavy trucks, men with guns, guys in suits chasing check fraudsters like Frank Abignale… and tellers. Yes, you heard me right… bank tellers. For decades, the lynch pin of banking security was the teller. The person who would check your ID if they didn’t know you before a withdrawal… but more probably knew you by name and maybe even knew your family.
But when online banking became a thing a couple of decades ago, that all changed! Imagine for just a moment, all your money – accessible to anyone with the right username and password. And you know, for a while, that was the state of the industry. It evolved of course. Know Your Customer (or KYC) and Anti-Money Laundering (AML) regulations came about, requiring steps to validate authenticity of new accounts. But when usernames, passwords, government ID’s, addresses, phone numbers, credit card #’s, personal history… when all this stuff has been hacked in data breach after data breach and is now available for pennies on the dark web… what’s the point? Fraud prevention services that matched IP addresses and fingerprinted devices came into fashion. Today, if you add a new payee or make a large transfer, you may be asked to enter an one-time-code that the bank texted to your phone…. But all of these techniques of course, can be overcome by criminal ingenuity… and malware, remote access technologies and social-engineering scams. And while none of these security techniques are any panacea… they can also be frustrating for customers… the exact same people who bankers and merchants want to delight with easy online experiences!
Oh, and here’s the other problem, when you robbed a bank back in Willie Sutton’s day, the most you’d get away with was the currency and valuables locked in the vault of that particular branch. The Willie Suttons of today have much more lucrative targets. In episode two, we’ll look at a crime syndicate whose account take-over campaign made away with $100 Million.
So, like in a high-stakes card game, what are the cyber-criminals’ tells that might tip their hand. When the field of play is seemingly too imbalanced, what is the sabermetrics of online banking and commerce?
It’s a topic we’ll be exploring throughout this podcast series: Behavioral Biometrics.
Before we get into a detailed explanation, let me let you into a conversation with Uri Rivner, one of the founders of BioCatch, and how he came across this technology as it was first presented to him by the other founders.
So I was sitting at the conference room of the RSA Development Center in Israel. RSA acquired a startup company in Israel. I was head of new technologies. And that was a few months after the very famous RSA hack where foreign state invaded the RSA network was a very famous story on the news. A couple of folks came to present their new technology and behavioral biometrics.
So Uri was working for RSA, which at the time was one of the biggest vendors in cybersecurity – and they had just been breached – majorly – and as you’ll hear later – in addition to managing their own breach… their ability to help bank fights fraud was also under major pressure. Here’s Uri again…
And I was immediately intrigued. They were talking about collecting mouse information, collecting the way the user is typing. But beyond just creating a profile, they had a very interesting notion. And the notion is that as the user operates inside the application, they say that you're moving the mouse, you want to click on something en route to the target and the system would close the cursor, the mouse cursor to essentially veer off just a bit. So if you're if you make no corrections, you're going to miss the target by an inch. Let's say. Now, your brain would simply not let you do this. Your eyes will pick up on the fact that the mouse is veering off your brain, will immediately calculate and create a corrective maneuver and you're going to be on target. The thing is that you have to be aware of that. It's part of the automated motor control functionality that happens naturally. Now, if you're a bot, you're not going to be able to do that. You don't have a set of eyes, brain and this sort of corrective mechanism and different people are responding in a different way, which is fascinating.
Alright – so there’s a lot to unpack here – but Uri’s explaining that he’s stumbled upon technology that can differentiate between human and bot behavior. Meanwhile, bots and malware infections were rampant… and the major solution at the time to thwart bots were those captchas that ask you to type in letters that appear in cursive… or click on the palm trees in the picture… Users HATE those… high abandonment rates… and here’s something that can accomplish the same task, continuously, without requiring any additional user interaction. But wait, there’s more….
let's say that the mouse disappears, which happens from time to time. People search for the mouse in a different way, some of them in very wide circles, some of them very nervous and edgy. Some of them use the trackpad, some of them type something on the keyboard. There are all sorts of response strategies to these sort of things.
And so, what Uri was realizing here (with the benefit of a decade of hindsight of course I can say this like it was obvious… it wasn’t) was that not only could the technology differentiate between bots and humans… but also between humans… because each person has their own behavior patterns.
I just said, hey, this is this is very cool. This is out of the box thinking. And it might help because the traditional controls were no longer holding. And I'm talking about cybersecurity is a general sort of thing, but also fraud detection. Back then, fraud detection had some sort of crisis point because the fraudsters were beating every possible line of defense that the banks had around end users and were able to kind of sneak into the end user account, typically using some sort of malware or a social engineering and things like that and essentially move money out.
What Uri and the team at BioCatch had uncovered… 10 years or so ago… was the realization of a few key facts:
First, how you move your mouse, or hold your phone, or even your typing speed in certain fields – the pauses you take. These behaviors can all be quantified and analyzed.
Of course, back in 2011 and 2012 the notion that online behavior could be shared through the cloud in real-time, run through machine-learning algorithms informed by a decade of transactions and indexed behavior, and immediately used to determine if the user is genuine, if the user’s intentions are malicious, if the user may be under the influence of a scammer… that all seemed like science fiction. And it was… at the time. But the seeds of possibility had been planted. And today, Behavioral Biometrics, those capabilities to seamlessly root-out online fraud by using machines to observe behavior… It’s REAL.
In later episodes, we’ll discuss exactly how it all comes together – we’ll even share some of the indicators that inform behavioral biometrics.
But before we do that, I want to wrap up this episode with part of a conversation I had with Howard Edelstein. Howard was a semi-retired New York City fintech executive, who was doing some investing and serving on some corporate boards when he came across BioCatch just a few years after Uri.
Well, my first impression being from New York was that you got to bloody kidding me, right? You're going to actually know who I am by how I interact with my machine. And it took me a bit of a while to say, OK, science fiction, I've got this really young guy, really smart, telling me that how I type it, move my mouse and hold my phone and do all kinds of things like that, could actually profile me.
An analogy that Howard shared with me was imagine meeting a friend at a restaurant at night. And your friend is approaching the restaurant, but you can’t see their face… but you can recognize them somehow. Maybe by their gate, the way they walk. Now if someone asked you to describe, or even mimick their gate, you probably couldn’t do it. Nevertheless, you somehow know it’s them as they approach… without a view of their face, or even hearing their voice.
And it became really clear that you could actually recognize someone's identity by their behavior. And if you could do that in the street, going up to a restaurant at night, you should be able to do it online. The trick is, what were the variables? What were the data inputs? What were the signals that you would use to collect in order to do that? And that's what these guys, you know, pioneered. And I found it very science fiction, quite frankly, and wanted to see if it was real.
Suffice to say, Howard eventually was convinced. So much so that he invested in the company, and eventually took on the role as BioCatch’s CEO.
We’ll hear again from Howard and Uri in future episodes. We’ll hear from industry experts, a former federal financial crimes prosecutor, another victim or two, and we’ll hear from some of the people who are in the trenches – applying Behavioral Biometrics (this technology that seemed like science fiction just a few years ago) to do some amazing things, like protecting my mom and my aunt; and you and yours.
Speaking of elderly relatives and innovating with science fiction-like technology. Would you believe that Behavioral Biometrics can (with high reliability) estimate the age of an online user? So when information for someone in their 80’s is entered by someone actually in their 30’s… well, that mismatch can be detected. We’ll delve into age analytics in future episodes too, just another way Behavioral Biometrics makes life online more trustworthy and satisfying.
Digital Tells is written and narrated by me Peter Beardmore, in partnership with my producer Doug Stevens of Creative Audio and Music, and with the unwavering support and sponsorship of my employer, BioCatch.
Special thanks to my mom and my aunt, and to Uri Rivner and Howard Edelstein.
For more information about this episode, behavioral biometrics , or to share a comment or idea, visit biocatch.com/podcast.
Join us for episode 2, in which we’ll explore Account Take Over fraud: what happens when cybercriminals get into banking accounts, and how behavioral biometrics changes the game.
Until then, take care.