By Mike Wood, Business Development Director, Unisys
Our unique human traits—from the beat of our heart to our cognitive behaviour patterns—are the basis of the latest techniques being considered to authenticate customers online and weed out cybercrime. Fingerprint scanners, voice recognition, face recognition and other authentication methods are starting to replace the traditional password as a means to confirm a user’s identity and simplify the login process. Part of the driver for this is that fraudulent activity and cyber-crime are a growing problem and cost the banking, financial services and insurance sectors billions each year.
The predicament is how to protect customers and fight fraud through self-service, digital channels while keeping it easy and convenient for customers to transact online. The key, and the challenge, for banks is to make use of the innovative, disruptive technologies that exist to maintain watertight security against fraudsters and criminals, whilst at the same time ensuring that the overall experience is seamless and involves minimum “friction” for legitimate customers.
We’re starting to see this happen; for example, banks such as RBS and NatWest now allow customers to access accounts on their smartphones using fingerprint-recognition technology. In today’s sharing economy, consumers are more connected than ever, and they expect technology to work quickly and intuitively: “one click and done”. However, at the same time, online criminals are cunning, intelligent and have in-depth knowledge of how business processes and systems work.
Gartner predicts that 30 percent of organisations will use biometric authentication for mobile devices by 2016, but biometrics alone is not a silver bullet. Beyond the traditional first- and second-factor techniques—usually something you have, such as a debit card or token, and something you know, such as a password or PIN—there are a number of additional “invisible” elements that can support reliable, seamless authentication, and detect cybercriminals. Unlike a PIN or password, these additional factors can’t be stolen, socially engineered or inadvertently lost. This starts to get interesting when we analyse new behavioural patterns through the growing field of behavioural biometrics.
Human beings are creatures of habit and have a natural cognitive bias. Just like when you leave behind a fingerprint after touching something, you leave behind a “cognitive fingerprint” after interacting with technology, based on the way your brain has processed the information. Behavioural biometrics software makes use of these patterns to identify whether someone is friend or foe, and it is most powerful when combined with multiple “hard” and “soft” factors to build a picture of who that person is.
Let’s take a closer look at some of these elements.
Where are you?
Your IP address, GPS location and mobile cell-site analysis are great examples of rich location data that can be captured and compared to create patterns of behaviour that help validate identity. For example, if a customer spends most of his or her time in two locations, such as home and work, and decides to transact within this area, there is a higher probability that it is a genuine transaction than one made at a location he or she does not normally visit. In addition, location information can be mapped against the time of day, or day of the week, to build a more detailed behavioural pattern.
How are you accessing my site?
Regardless of the device you use, it will have unique identifying characteristics. These can be combined with other system information—for example, the operating system you are using, the browser type and version, and the patch level of your machine. The software can then create a “digital-device personality” that makes each customer, or fraudster, uniquely identifiable.
When are you accessing it?
Consistencies in behaviour are also distinguishable by the time of day, week or month during which we tend to operate. Humans like to form routines—we often fall into patterns of when we do specific activities, such as banking, shopping, gaming or accessing services online. If you’re operating within these peak hours, which are unique to you and your lifestyle, then it creates a higher “trust score” than if outside of your prime hours—meaning you’re less likely to be flagged on the system as a potential hacker or fraudster.
Who are you?
We all take a unique journey and have a distinct way of using and navigating through a website. There are hundreds of tiny factors that can be used to map out a picture: for example, page sequence, click speed, dwell time, typing cadence, velocity and acceleration. These can help distinguish machine-driven access (e.g., malware or other robotic behaviour) from human access. With enough information and frequency, we can identify which human you are by building your unique behavioural profile. There are other elements that you may not even have considered; for example, the way we swipe, gesture or naturally quiver our hand can all be measured using advanced smartphone technologies such as capacitive touchscreens, accelerometers and gyroscopes, along with other information about how we perform certain tasks.
Who else do you know?
Social-media profiles provide a rich insight into the personal lives and preferences of customers. For example, if someone is linked to a large number of people whom you recognise as having a high trust score—meaning that they are legitimate accounts that haven’t been flagged in the past—that individual’s score is also more likely to be trusted. Whilst it is relatively easy to create a new social-media identity, there are a growing number of tools designed to score the legitimacy of social-media profiles, and this is an interesting and developing area to be investigated.
All of these different factors can be measured and brought together to create a distinctive personal profile, which can be given a confidence or trust score. Individual profiles can also be compared against the “crowd” of legitimate users to spot abnormalities or anomalies. Any red flags will prompt the software to test the user with tiny, invisible challenges and regularly revalidate and check against a known profile of a customer, which helps provide continuous authentication.
The secret to success when looking to implement these techniques is to use best-of-breed packaged applications (where the hard work has already been done) and integrate them together with enhancements to improve quality and user experience. For the financial sector, the winners will be those who can take a holistic approach and build graded risk factors (rather than binary pass/fail checks) to balance risk with probability or confidence.
To be effective, this also needs to include a simple enrolment process, life-cycle management and automated workflow. Organisations should also build functionality to correctly calibrate risk engines, in order to create a weighted-risk score that is attributable to each of the authentication factors, and relative to the value of the transaction. For example, checking a balance is a low-risk activity, so a lower level of assurance is sufficient; transferring a large sum, however, would require a higher step-up authentication.
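To make the weighted-risk idea concrete, here is an added illustration (not Unisys code or any product's engine) of a minimal risk engine: each factor described above (location, device, time of day, typing cadence) yields a score between 0 and 1, the scores are combined with assumed weights, and the trust required rises with the transaction value, so a balance check passes silently while a large transfer from an unrecognised device triggers step-up. All weights, thresholds, and the sample profile and sessions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict

# Assumed per-factor weights (sum to 1.0); a real engine would calibrate these.
FACTOR_WEIGHTS = {"location": 0.30, "device": 0.25, "time": 0.15, "behaviour": 0.30}

@dataclass
class Profile:                 # what enrolment and past sessions have learnt
    usual_locations: set       # coarse labels, e.g. {"home", "work"}
    known_devices: set         # device-fingerprint ids seen before
    active_hours: range        # hours of day the customer normally transacts
    typing_cadence_ms: float   # mean inter-key interval
    cadence_tolerance: float = 0.25  # relative deviation still treated as "self"

@dataclass
class Session:                 # what is observed for the current login
    location: str
    device_id: str
    hour: int
    typing_cadence_ms: float

def factor_scores(p: Profile, s: Session) -> Dict[str, float]:
    deviation = abs(s.typing_cadence_ms - p.typing_cadence_ms) / p.typing_cadence_ms
    return {
        "location": 1.0 if s.location in p.usual_locations else 0.0,
        "device": 1.0 if s.device_id in p.known_devices else 0.0,
        "time": 1.0 if s.hour in p.active_hours else 0.5,   # off-hours only halves trust
        "behaviour": max(0.0, 1.0 - deviation / p.cadence_tolerance),
    }

def trust_score(p: Profile, s: Session) -> float:
    scores = factor_scores(p, s)
    return sum(FACTOR_WEIGHTS[k] * scores[k] for k in FACTOR_WEIGHTS)

def required_trust(amount: float) -> float:
    # Assurance needed grows with value: 0.4 for a balance check (amount 0),
    # rising linearly to a cap of 0.9 at 10,000 and above.
    return min(0.9, 0.4 + 0.5 * amount / 10_000)

def decide(p: Profile, s: Session, amount: float) -> str:
    score, need = trust_score(p, s), required_trust(amount)
    if score >= need:
        return "allow"          # frictionless: continuous authentication passed
    if score >= need - 0.3:
        return "step-up"        # ask for an explicit second factor
    return "deny"

# Constructed sample customer and sessions used for the checks below.
PROFILE = Profile({"home", "work"}, {"dev-A"}, range(7, 23), 180.0)
GENUINE = Session("home", "dev-A", 19, 190.0)      # usual place, device, time
NEW_DEVICE = Session("home", "dev-Z", 19, 190.0)   # same habits, unknown device
ATTACKER = Session("abroad", "dev-Z", 3, 90.0)     # everything out of pattern
```

With these values a balance check is allowed in the first two sessions, a 10,000 transfer from the unknown device is stepped up rather than blocked, and the fully anomalous session is denied even for a balance check.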
Multi-factor authentication offers a huge opportunity to reduce the friction of modern banking and thus provide the enriched experience that customers are increasingly expecting. This applies to a broad range of financial-services providers: not just personal banking, but corporate banking, wealth, asset management, pensions and general insurance. If the customer experience is truly frictionless, then continuous authentication becomes the nirvana.