Data breaches have been increasing exponentially every year. In the first half of 2018, there were 4.5B consumer records exposed as a result of data breaches1, and in 2019 more than 2.7B identity records exposed and sold on the “dark web”.2 As you can imagine most of your data, and other U.S. consumer’s data has been exposed. There’s a whole fraud ecosystem that revolves around taking that exposed data and building robust consumer profiles. As a result, in a digital interaction, if businesses just look at the information the user presents to them, the bad actors look just like the good consumer.
The impact of letting one of these bad actors into your network can be tremendous.
In 2018, there were more than 16.7 million victims of identity fraud in the U.S. with an amount stolen of over $16.8 billion.3 New account fraud across credit cards, mortgages, student loans, and car loans resulted in more than $3.4 billion in losses. More than 167K credit cards were fraudulently opened using stolen names and credentials of real people who had no connection to these newly opened accounts. In the same year, account takeovers, where fraudsters used stolen customer credentials to hijack consumers accounts increased by 79%.4 Out-of-pocket costs for victims average $290.00 and take an average of 16 hours to resolve, resulting in more than $1.7B of out of pocket costs and 62.2 million hours of lost time.5
When a fraudster with stolen customer information, interacts with a website the details they enter look as good as any other legitimate consumer interacting with the site. To understand whether the person on the other side of this digital transaction is legitimate, you can’t just look at the personal data that they provide. You must look beyond the data to examine elements of the user’s behavior in their interactions with the website, to get clues to their true intentions.
The interesting thing is that you can tell a lot about a user and even their intent by the way they interact with their device and with a website. When you think about something as simple as completing an application for a credit card, a legitimate customer will comfortably be able to provide details about their personal information when required. A fraudster will not. A fraudster will be looking up information, using reference material or scripts, navigating extra slowly or extra quickly when filling out a similar application.
Organizations are starting to turn to Behavioral Biometrics as a method of gathering insights about their users. These behavioral biometrics can be a great complement to using risk based behavioral analysis to differentiate the good customers from the bad actors.
Behavioral biometrics and Behavioral analysis sound very similar, so here’s a quick breakdown of the terms.
- Behavioral analysis: The patterns that a user exhibits as they interact with different websites or across a network (Time of day, frequency, average transaction dollar amounts, etc.)
- Behavioral biometrics: How a user interacts with their device – keyboard patterns, mouse movements, sensors as well as the orientation of the device
People are much more than a name or number. We are all unique. Just like each of us has a unique fingerprint or iris pattern, each person has their own unique way of interacting with the world. There are hundreds of minute things that we do every day that are unique to us as individuals – the stride of our walk, our voice pattern, how fast we move or type. A fraudster might be able to identify and imitate some of our behavior patterns, but they can’t replicate all of them. Additionally, certain behavior patterns are clear signals of fraudulent activity.
Below are some samples of potential indicators:
- Good customer: A good user knows his name and address and other personal details, and can intuitively produce them, with fluid navigation, and not much pause.
- Behavioral Analytic checks: Device commonly associated with the user, normal time range, expected location, consistent day/time access of website
- Behavioral Biometrics: User types naturally, fluidly navigates screen, some variability on how the device is held, but consistent with previous interactions with user
- Bad actor: Their carefully cultivated stolen user profiles aren’t memorized, they will typically have to refer to names, addresses and other attributes when creating or accessing an account. They don’t necessarily know where their stolen information will work, so they typically probe across many websites when attempting to take over accounts or create new accounts
- Behavioral Analytics: High velocity of interactions with a page within a short period of time (as well as across institutions), geolocation often disguised
- Behavioral Biometrics: Time and fluidity of navigation on page will be much different because they will need to look up names, addresses and other details off of some reference sheet; The device might be completely stationary if you think of a situation like a device farm.
As you can see, there are some clear differences in behavior between the good guys and bad guys, and if you use a tool to catch these behavioral biometrics insights, it’s easy to write rules to check for these indicative behaviors, and increase the accuracy in your ability to detect fraud.
It is also possible to use these insights to create a great experience for a good customer. Because everyone has their own unique patterns, after your good user has returned to your website a number of times, you can start to recognize their pattern of behavior, and set rules to reduce any friction they may encounter in their experience.
By catching bad actors earlier in the lifecycle, you can help reduce the negative exposure for your customers, as well as help reduce your operational costs. Taking advantage of these additional insights, will allow you to be more confident in identifying your good customers vs. bad actors, allowing you to help provide a seamless experience to your customers while stopping fraud in its tracks.
1. Gemalto. (2018, October 9). Data Breaches Compromised 4.5 Billion Records in First half of 2018. emalto.com/press/pages/data-breaches-compromised-4-5-billion-records-in-first-half-of-2018.aspx
2. Nuvision Credit Union. (2019, January 23). Breaking News: Massive Data Breach Exposed 2.7 Billion Email and Password Combinations. https://nuvisionfederal.com/blog/memberresources/2019/01/23/breaking-news-massive-data-breach-exposed-2.7-billion-email-and-password-combinations
3. Javelin. (2018, February 6). U.S Victims in 2017, According to New Javelin Strategy & Research Study. https://www.javelinstrategy.com/press-release/identity-fraud-hits-all-time-high-167-million-us-victims-2017-according-new-javelin
4. Douglas, R (2020, January16). 2020 Identity Theft Statistics – Trends and statistics about identity theft. https://www.consumeraffairs.com/finance/identity-theft-statistics.html
5. Insurance Information Institute. Facts + Statistics: Identity theft and cybercrime. https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime