Heidi Bleau, Director, Demand Generation and Content for BioCatch, explains the difference between 'good' and 'bad' in behavioural biometrics, diving deep into the subject
Can a click of a mouse prevent consumers from being scammed and turning their life savings over to a cybercriminal? By examining fraud patterns and how good users behave, the answer is yes. A click, a swipe, typing patterns, how a person navigates a website - these otherwise mundane behaviours actually have a story to tell.
There’s a trove of data to be gleaned from digital behaviour that can provide insights into a person’s emotional state when they are conducting business online. After all, people have a strong emotional connection to money. Understanding even subtle shifts in digital behaviour offers tremendous potential to make digital transactions and experiences safer and easier.
Consider the action of setting up a new payee for a fund transfer – a generally straightforward, emotionless behaviour. But in situations where someone is being guided by a scammer pretending to be a bank representative or government official - or even a potential romantic partner – there are slight micro-behaviours driven by subconscious currents that are displayed as subtle shifts in online behaviour. These slight changes can help build a picture of a user’s emotions during an online session and suggest a social engineering scam may be underway.
Enter behavioural biometrics. Simply put, behavioural biometrics analyses physical and cognitive behaviour patterns to identify fraudulent or malicious activity within digital channels.
There are numerous scenarios where the distinction between good and bad can be used to uncover digital risks and protect customers. Account opening fraud, account takeover, social engineering scams, financial malware, bots, and mule account detection are just some of the cases where behavioural biometrics is being put to work by financial institutions worldwide.
So, what exactly defines ‘good’ vs. ‘bad’ behaviour? Let’s explore examples of some ‘bad’ behaviour patterns using the case of a social engineering scam and how often they occur compared to the genuine user population.
Typing Patterns
The way a user types can provide insights such as whether they are receiving instructions from a cybercriminal to perform an action or whether they are using long- or short-term memory when inputting information. Segmented typing patterns by a user can indicate dictation, for example a cybercriminal dictating an account number for a victim to enter and transfer funds to. This one pattern is present in 1 out of every 20 social engineering scams as compared to 1 out of every 500 genuine sessions.
Mouse Doodling
A key sign that a user is distracted is excessive mouse doodling. This behaviour is logical given the long waits, pauses and dead time caused by a cybercriminal explaining or dictating instructions to a victim or to keep a digital session from expiring in the process. The average number of doodles across all confirmed social engineering scams is six. While only one percent of the general population exhibit six or more doodles in a session, that figure rises to 38% in reported fraud cases.
Session Length
The active intervention of a cybercriminal in social engineering scams prolongs a session significantly. Only one percent of genuine sessions last more than 30 minutes. However, 10% of sessions that involve an impersonation scam last that long. That number is even higher in social engineering scams that involve the use of a Remote Access Tool (RAT) to take over a victim’s computer. In scams where the use of a RAT is detected, 12% of the sessions are more than 30 minutes, likely accounting for the time it takes a victim to download it.
Each of these patterns on its own does not imply a scam is in progress, but when combined with hundreds of other data points and compared against good behaviour, these insights can be used to build powerful risk models to detect a wide variety of cybercrime attacks.
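To make the point about combining signals concrete, the following added example (not BioCatch's model and not code from the article) feeds the three rates quoted above into a naive-Bayes likelihood-ratio score. The base rate of one scam per 10,000 sessions, the independence of the signals and the field names are assumptions made for illustration.

```python
import math

# Rates quoted in the article: (share of scam sessions, share of genuine sessions).
RATES = {
    "segmented_typing": (1 / 20, 1 / 500),
    "doodles_6_plus":   (0.38, 0.01),
    "over_30_min":      (0.10, 0.01),   # impersonation-scam figure
}

# Assumption (not from the article): 1 in 10,000 sessions is a scam.
ASSUMED_PRIOR = 1e-4


def flags_from_session(session):
    """Turn raw session measurements into the three boolean signals."""
    return {
        # Assumed to come from an upstream keystroke-timing detector (hypothetical).
        "segmented_typing": bool(session["segmented_typing"]),
        "doodles_6_plus": session["doodle_count"] >= 6,
        "over_30_min": session["duration_min"] > 30,
    }


def likelihood_ratio(signal, present):
    """P(observation | scam) / P(observation | genuine) for one signal."""
    p_scam, p_genuine = RATES[signal]
    if present:
        return p_scam / p_genuine
    return (1 - p_scam) / (1 - p_genuine)


def scam_probability(flags, prior=ASSUMED_PRIOR):
    """Naive-Bayes posterior; treats the signals as independent (assumption)."""
    log_odds = math.log(prior / (1 - prior))
    for signal, present in flags.items():
        log_odds += math.log(likelihood_ratio(signal, present))
    return 1 / (1 + math.exp(-log_odds))


# Constructed sample sessions, not real data.
SAMPLES = {
    "routine":      {"segmented_typing": False, "doodle_count": 0, "duration_min": 4},
    "doodler_only": {"segmented_typing": False, "doodle_count": 7, "duration_min": 9},
    "all_three":    {"segmented_typing": True,  "doodle_count": 8, "duration_min": 41},
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} {scam_probability(flags_from_session(raw)):.4%}")
```

Under these assumptions a session showing only heavy doodling stays well below a one percent scam probability, while a session showing all three patterns rises to roughly one in two, which is why the patterns are scored together rather than alerted on individually.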
The effectiveness of traditional fraud controls that rely on device, IP, and network characteristics is continually being diminished. For example, the recent release of Apple iOS 15 includes an opt-in feature that allows users to disguise their IP when using Safari. As consumers and cybercriminals look for ways to ‘hide’ – albeit for very different reasons – it is a clear demonstration that we need to look past traditional fraud controls and double down on understanding behaviour to better fight fraud and protect customers. Behaviour is the one thing persistent across sessions and nearly impossible to disguise.
Join the webinar Ways to Stop Account Takeover Before Cash Disappears with The Paypers on 14 October where real-world account takeover attack cases will be examined and you will decide whether online activities are being conducted by a genuine customer or cybercriminal.
About Heidi Bleau
Heidi Bleau is the Director of Content at BioCatch, a leader in behavioral biometrics, where she is responsible for planning, developing and implementing the company's global content strategy. Prior to her role at BioCatch, Heidi was the Global Marketing Lead for RSA’s Fraud & Risk Intelligence business and lead author of the RSA Quarterly Fraud Report for more than a decade. She is an avid follower and content creator for all things fraud, cybercrime and technology and her work has been covered in several leading publications.