Dan Holmes shares his unique perspective on fraud in financial services, explaining how Behavioral Biometrics can be added as an additional layer of defense for fraud and risk decisioning by combining the way a user interacts with their device, with digital identity intelligence from the LexisNexis® ThreatMetrix® solution.
“In online fraud over the last few years, we’ve seen a meteoric shift in terms of the type of fraud challenges that we see banks and other businesses face,” said Dan Holmes, Director of Solutions Consulting at LexisNexis® Risk Solutions.
Holmes has had a unique ringside seat to this ‘meteoric’ shift in the banking fraud landscape, having worked in the industry for the past decade at a large UK bank. Holmes wore many hats in his past position at the bank and undertook a variety of fraud-related roles, explaining that he ‘caught the fraud bug’ because ‘you can go home at the end of the day and realise that you’ve made a tangible difference to both the bank and its customers.”
Explaining some of the shifts he has seen in online banking fraud, Holmes continued;
“If you look back four or five years, it was very much an environment where account takeover fraud or third-party compromise was the prominent fraud threat – along with things like malware and spyware attacks. As banks armed themselves with the technology to fend off those kinds of threats, fraudsters adapted as well. We have now emerged into an environment where it’s no longer the bank technologies and fraud defenses which are the weakest link in our chain. It’s now the individual consumer and the victim themselves that have become the weakest link. As a result we have started to see fraudsters prey on the customer, coercing them to unwittingly execute payments on their behalf, with social engineering taking many different forms, such as romance or deception scams.”
So in the midst of a rapidly evolving fraud landscape, with changing consumer behaviors and shifting fraud typologies, how can banks tackle fraud and build trust with genuine, good customers? For Holmes, it’s all about layers of intelligence, from device and identity intelligence, to consortia data sharing among banking peers.
“LexisNexis ThreatMetrix provides a fraud and identity solution for digital identity intelligence and authentication, powered by shared intelligence insight from billions of transactions, embedded machine learning, and a powerful decision platform,” explained Holmes.
“This data and its capabilities allow you to accurately differentiate between malicious users and legitimate ones across the user lifecycle, as events happen.”
Making reliable risk decisions increasingly involves layering multiple pieces of intelligence in a way that imposes little restriction on good, trusted users. The latest product capability launched by LexisNexis Risk Solutions has been designed to give organizations yet another dimension of intelligence, capturing how an end user behaves and interacts on their device.
Distancing the Behavioral Biometrics product capability from the concepts of FaceID and other commercial biometric products used by consumers, Holmes explained:
“Behavioral Biometrics is the field of study related to the measure of uniquely identifying patterns in human behavior. So, this is very much what you might call dynamic biometrics, because we are looking at the way you interact with a web session. So we can look at the way you move your mouse, how you interact with your keyboard and if you use keyboard shortcuts, for example. Using this kind of data, we are able to baseline behavioral patterns and tendencies at an individual user level and drive real-time comparisons to that baseline.”
“The way in which this data is captured allows us to respect the privacy of our users. We process pseudo-anonymised data and cannot identify the individuals behind it. This approach provides the necessary data capture to inform good fraud decisioning, whilst ensuring the privacy of the user is respected and maintained,” Holmes explained.
Viewing the Behavioral Biometrics product capability as an additional layer of intelligence is a recurring theme for Holmes, who argues that not one single prevention solution is going to solve the entire fraud problem, such is the diversity of attacks banks face.
“Having that layered approach is something that has been really effective for our customers, in the sense that not one single fraud technology is ever going to allow you to stop all the different fraud threats and fraud typologies that are out there. So having a layered approach to your fraud ecosystem allows you to have a multi-pronged strategy, essential in giving you the defense required against a wide range of fraud activity,” said Holmes.
“So whilst digital identity technology, combined with traditional measures such as payment modelling and monitoring, may allow you to detect the majority of the fraud, Behavioral Biometrics is the next layer that will allow you to find incremental value on top of the core benefits that these established solutions already deliver. It’s very much about that that layered approach.”
Although only released in March 2020, there has already been some early success with Behavioral Biometrics. Initial results suggest up to 20% additional fraud is being captured on top of current detection performance. With an aggressive roadmap behind Behavioral Biometrics, LexisNexis Risk Solutions intends to keep driving the success of its latest capability within the LexisNexis ThreatMetrix solution:
“Our success so far has been geared around web-based biometrics. We’re launching the mobile component later this year, so that’s where we’re able to get into things like gyroscopic information and touchscreen patterns. With an ever-growing consumer mobile adoption rate in online banking, we’re keen to protect app-based interactions, as well as the browser-based interactions,” said Holmes.
Moving away from online banking and entering the world of card not present transactions, the application of Behavioral Biometrics could also be harnessed in other use cases, specifically with Strong Customer Authentication (SCA), as Holmes explained:
“We also want to look at using Behavioral Biometrics not just for fraud detection, but also leveraging the same data to confirm positive affirmation of an individual. So using Behavioral Biometrics to authenticate and recognize users. That’s something that very much fits into the guidance around SCA. I’ll give you an example: SCA guidance mandates two-factor authentication in various payment scenarios. The go-to authentication approach from the card issuing market has been SMS one-time passcode (OTP) as the first factor, and then a password for the second factor. Both are what you’d call traditional authentication measures, and whilst both are technically compliant with the regulatory standards, neither are great for customer experience. But if we were to replace one of those forms of authentication with positive affirmation via passive Behavioral Biometrics, we could really enhance the customer experience, whilst at the same time maintaining the regulatory compliance and increasing the level of security for the customer” Holmes continued.
“For example, if we collect the behavioral data that’s available whilst the SMS OTP is being entered, we can then confirm that that behavior is consistent with what we’ve seen before as the second factor. From a user experience perspective, it’s a much better experience for them to go through, because it’s passive and quicker.”
In such a dynamic environment, with fraud typologies and consumer behavior in a current state of flux, Holmes remains confident that Behavioral Biometrics can keep pace with the ever-evolving fraud landscape.
“There is no doubt that the fraud landscape will continue to change. We’ve already seen this meteoric shift as I described earlier from third party attacks, through to social engineering attacks,” said Holmes.
“As fraud threats continue to change, it is essential that fraud technologies continue to evolve to keep pace with the fraudsters. Failure to do so will result in drastic consequences for banks and their customers, as well as other online businesses,” concluded Holmes.