BEHAVIORAL DATA: THE KEY TO UNLOCKING BETTER FRAUD PREVENTION

www.securedtouch.com

2020 | WHITEPAPER


TABLE OF CONTENTS

STRIKING A BALANCE BETWEEN USER EXPERIENCE AND FRAUD DETECTION
WHAT IS BEHAVIORAL DATA AND WHY DOES IT MATTER?
BEHAVIORAL DATA BOOSTS FRAUD DETECTION
BOT DETECTION
ACCOUNT TAKEOVER
NEW ACCOUNT FRAUD
EMULATOR DETECTION
THE ADDED VALUE OF BEHAVIORAL DATA
BEHAVIORAL DATA IS CORE IN THE FIGHT AGAINST FRAUD

STRIKING A BALANCE BETWEEN USER EXPERIENCE AND FRAUD DETECTION


Across the globe, fraud and payments teams share the same pains. Why? Their tools share the same shortcomings in one way or another. They either forgo strong fraud detection for a smoother user experience, or implement it at the later stages of the customer journey to reduce the impact on user experience or to save on fraud-ops-related costs. The ramifications of this choice can sometimes be difficult to quantify. Yet there is no doubt that late detection of suspicious transactions and undetected fraud continue to overburden internal resources and add to chargeback-related costs. It is a tough pill to swallow, but the alternative choice creates friction for users, which leads to angry customers and lost sales.

It’s not all doom and gloom.

The development of Behavioral Biometrics offers a solution that can strike a balance between friction and security. Behavioral data, the data used in Behavioral Biometrics technology, represents users’ innate behavioral interactions with websites, applications, devices and more. It is a powerful data source that excels at rooting out fraudsters. In this whitepaper, we will take a deep dive into the WHAT, HOW and WHY of behavioral data, and the ways it is helping businesses combat fraud while providing a better user experience.


WHAT IS BEHAVIORAL DATA AND WHY DOES IT MATTER?

When a user interacts with a device or application, they do so in a way that represents ‘normal’ human behaviors. Throughout any session, every interaction (e.g. a swipe or a mouse click) generates information that can be represented by a data set. This is behavioral data. What’s interesting about this data is that, up until now, it has been ignored. It’s a rich source that can provide unique insights into behavioral patterns.

Behavioral data provides a new perspective on fraud by identifying the user’s intent, thereby helping fraud fighters accurately distinguish between fraudsters and legitimate users. Fraudsters have distinct behavioral patterns; bots and emulators present distinct behaviors. The intent behind the activity is the key.

Let’s put it into context. Fraud solutions that are popularly used in eCommerce sit almost exclusively on the payment stage of the customer journey. The data used to approve a transaction is static and compared to historical data in order to make a decision (see image 1). This is a siloed approach that gives limited visibility into the legitimacy of the user. What’s missing here are all the behaviors and interactions that have taken place since the beginning of the session: there is a gap. And this gap is what fraudsters are exploiting. Moreover, there are even opportunities now for fraudsters to monetize their attacks without the need to complete a typical transaction.


The key to fraud detection is identifying user intent


Behavioral Biometrics uses machine learning in order to adapt and learn from the moment a user session begins. This is its key differentiator. It provides a holistic view of the entire customer journey, flagging suspicious activities earlier, before any damage can be done. In the case of bots and emulators in particular, this allows for much more rapid and efficient detection. In order to detect manual fraud, nuanced behavioral anomalies are flagged. The depth of behavioral data that Behavioral Biometrics uses provides a level of visibility into users’ actions that is far more granular than has been used before. This is how we can recognize user intent.

In order to turn this abstract idea into something more concrete, we are going to apply this to the problems you face on a regular basis. We will extract key behavioral data that allows us to close these gaps.

Image 1: Examples of Static Data Currently Being Used (zip code, CVV, IP address)

BEHAVIORAL DATA BOOSTS FRAUD DETECTION


BOT DETECTION

We are all familiar with bots: legitimate tools used to automate actions at scale, quickly and efficiently, which is exactly why they are a popular tool used by fraudsters. Yes, there are good bots, but for the purpose of this whitepaper we will focus on the bad ones. They are used to commit various types of attacks against merchants: DDoS, credential stuffing, price scraping attacks and more. We will explore specific examples further on.

Current bot detection solutions focus on data sources like device attributes and velocity checks, which offer limited scope, and their detection range is limited to known bots (bad or good). This makes them ineffective at catching newer or more sophisticated bots. To make matters more challenging, bots are becoming sophisticated enough at mimicking human behaviors to bypass popular bot detection systems like Google reCAPTCHA. This is the precursor to late detection in fraud. The bots are just too fast, completing their task before any flags are raised.

In late 2018, attackers created a script that allowed them to steal access tokens and take over a total of 30 million Facebook accounts in two waves. By using bots, they were able to scrape a hoard of personal data before the breach was discovered. It hasn’t yet been determined what has been done with this data; it’s likely the fraudsters used it for further attacks. This is the tip of the iceberg when it comes to understanding the potential damage fraudsters can inflict on businesses.


HOW BEHAVIORAL DATA CLOSES THE GAP

Despite their effort, even the most advanced bots can’t fully imitate gestures and interactions that reflect innate nuances in normal human behavior. They can complete very simple actions or can be customized to process logic. In order to complete large scale attacks at speed, simple bots will be used, such as API direct attacks or credit card stuffing. While slightly slower and subject to more investment from the fraudster, more sophisticated bots are used to satisfy logic based challenges presented by the GUI of a higher value target. Regardless, they expose themselves by exhibiting non-human behaviors.

For example, a finger swipe on a mobile device has multiple dimensions: speed, angle, pressure, and changes in the device’s orientation. Bots can’t generate this type of sensory data, or they do so in a noticeably unrealistic way. They can also reveal themselves by ‘moving’ the mouse too quickly, rapidly switching between keyboard and mouse inputs, or by inputting text too fast. These types of behaviors are inconsistent across these tools, requiring a flexible solution that can accommodate these disparities. Machine learning provides this adaptability and can be trained to look for non-human behaviors. Since it doesn’t rely on pre-defined rulesets or signatures, it can identify and learn behaviors of new bots.

Bots expose themselves by exhibiting non-human behaviors:

  • Performing unusually fast swipes, mouse movements, or other actions
  • Leaving the same behavioral footprint on different devices
  • Copying and pasting data at very fast rates
  • Attempting to mimic human gestures while adding random noise
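
The signals named above (typing too fast, moving the pointer too quickly, rapidly switching between keyboard and mouse) can be computed from a raw event stream. The following is an added example, not SecuredTouch code: the `Event` record, the cut-offs in `LIMITS` and both sessions are constructed, and fixed cut-offs stand in for the trained model the whitepaper describes.

```python
from dataclasses import dataclass
from math import hypot
from statistics import mean

@dataclass
class Event:
    t_ms: int        # client timestamp in milliseconds
    kind: str        # "key" for a keystroke, "move" for a pointer sample
    x: int = 0       # pointer position (unused for keystrokes)
    y: int = 0

def features(events):
    """Turn one session's ordered events into timing features."""
    keys = [e for e in events if e.kind == "key"]
    moves = [e for e in events if e.kind == "move"]
    gaps = [b.t_ms - a.t_ms for a, b in zip(keys, keys[1:])]
    speeds = [hypot(b.x - a.x, b.y - a.y) / max(b.t_ms - a.t_ms, 1)
              for a, b in zip(moves, moves[1:])]
    # A switch is any change of input device between consecutive events.
    switches = sum(a.kind != b.kind for a, b in zip(events, events[1:]))
    seconds = max((events[-1].t_ms - events[0].t_ms) / 1000, 0.001)
    return {
        "key_gap_mean_ms": mean(gaps) if gaps else None,
        "max_speed_px_per_ms": max(speeds, default=0.0),
        "switches_per_s": switches / seconds,
    }

# Assumed cut-offs for illustration; a deployed system would learn these.
LIMITS = {"key_gap_mean_ms": 30, "max_speed_px_per_ms": 20, "switches_per_s": 10}

def non_human_signals(f):
    """Return the names of the non-human behaviors a feature set exhibits."""
    found = []
    gap = f["key_gap_mean_ms"]
    if gap is not None and gap < LIMITS["key_gap_mean_ms"]:
        found.append("typing_too_fast")
    if f["max_speed_px_per_ms"] > LIMITS["max_speed_px_per_ms"]:
        found.append("pointer_too_fast")
    if f["switches_per_s"] > LIMITS["switches_per_s"]:
        found.append("rapid_input_switching")
    return found

# Constructed sessions, not captured traffic.
HUMAN = [Event(0, "move", 100, 100), Event(120, "move", 160, 130),
         Event(260, "move", 220, 180), Event(900, "key"), Event(1040, "key"),
         Event(1250, "key"), Event(1345, "key"), Event(1525, "key"),
         Event(2400, "move", 300, 240)]
BOT = [Event(0, "move", 10, 10), Event(2, "key"), Event(4, "move", 910, 610),
       Event(6, "key"), Event(8, "move", 20, 700), Event(10, "key"),
       Event(12, "key")]

if __name__ == "__main__":
    for name, session in (("human", HUMAN), ("bot", BOT)):
        print(name, non_human_signals(features(session)))
```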


ACCOUNT TAKEOVERS

Many merchants require customers to create an account in order to complete a transaction. Some will offer special rewards to loyal customers as an incentive. It gives merchants access to data about their customers that, in turn, allows them to sell more. This is why account takeover attacks are so attractive to fraudsters. Access to these user accounts can include saved payment details, access to additional PII, and other perks like account reputation.

Of course, customers need to have a login and password to secure their accounts. We will not delve into the controls that may be set at this stage of the customer journey; however, it is critical to understand that they are susceptible to the same type of vulnerabilities as the payment stage, described above. Furthermore, with the amount of stolen PII available on the dark web, the chances that fraudsters can beat (or even bypass) this security control are exceptionally high.

One of the main pains in catching ATO is that detection will come after the fact, when the damage is already done. An added complication is that attacks are now focused on monetizing earlier, bypassing even the need to complete a traditional transaction. The fraudster’s journey is not so simple as a quick log in, transaction and log out. The fraudster now looks for other vulnerabilities to get the highest ROI possible, and for other ways to monetize. The Airbnb example below is a perfect example of how an ATO attack can be even more sophisticated. These attacks can be taken even further: email addresses, account settings and payment methods can be changed.

ATOs are a growing threat: recent statistics show that the number of attacks increased by 30% between Q2 and Q3 last year. In one of countless examples, a fraudster hacked into a user’s Airbnb account and charged over $1,000 in bookings. The charges appeared legitimate to both Airbnb and the owner’s card issuer and were only identified when the owner reviewed her credit card bill. Meanwhile, the fraudster locked her out of the account and continued booking trips while she was left fighting the charges and for access to the account.


HOW BEHAVIORAL DATA CLOSES THE GAP

ATO can be performed using automated and/or manual techniques. Based on the previous section, it’s quite straightforward to understand how behavioral data can be used to catch a bot in this context. The differences within this type of attack are more nuanced and are augmented further depending on the stage of the customer journey that the fraudster is focused on: the login, the session and monetization. More often than not, after a successful credential stuffing attack, monetization is completed manually.

Manual methods are more difficult to detect, as it is not such a straightforward case of separating human from non-human behaviors. A fraudster using this technique is likely to be sophisticated and experienced, with their sights set on high value accounts. Behavioral data generated by these actions represents a behavioral footprint of the fraudster that is distinct from that of a normal user. The very fact that a fraudster’s interactions with a website or app are driven by his mission is what gives him away; repeated behavioral patterns of the same flow on different accounts include how fast he's navigating between the pages or moving the mouse to the next "click". The way he's filling in fields on a form, how fast he's typing, and where and when he is using copy/paste are added data points that make these behaviors so distinct from those of good users. Since fraudsters tend to target accounts that are frequently used and in good standing, this distinction becomes even clearer. Using this approach, it is possible to detect the fraudster’s intent early in the customer journey, long before they reach the payment stage.

57% of businesses are experiencing increasing fraud losses associated with account takeover and new account fraud

NEW ACCOUNT FRAUD

Using fake or synthetic identities to create new accounts, fraudsters will make use of legitimate payment details and complete transactions without raising red flags, making transaction analysis a non-issue. Neither the merchant nor the victim would know they were defrauded until after it happened. This method is also used to commit referral fraud in loyalty programs by creating fake new accounts to make use of introductory rewards.

Instances of synthetic and fake identities are popular and growing. Using these identities to create fake accounts, it is estimated that fraudsters net an average of $15,000 per attack, with some attacks earning as much as $200 million. According to their 2019 Identity Fraud Study, losses from new account fraud increased from $3 billion in 2017 to $3.4 billion in 2018.

HOW BEHAVIORAL DATA CLOSES THE GAP

Just as an ATO attack generates behavioral signatures, fraudsters creating new accounts behave in noticeably different ways from legitimate users, which allows their intent to be determined. They will also use a mix of automated and manual methods, such as:

  • Performing consistent, repeated actions, e.g. entering the sign-up process multiple times with different data
  • Navigating between pages in a steady, rehearsed way
  • Performing the identical actions on multiple different devices, indicating bots or emulators
  • Creating many accounts from a single device

For new accounts in particular, these behaviors are extremely unusual. For instance, a normal user would not be familiar with the placement of a registration form or the order of the fields; this would be apparent from behavioral patterns such as navigation fluency. The depth of data available allows Behavioral Biometric systems to recognize and flag them as indicators of fraud.

Examples of unusual behaviors that signal malicious intent
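
Two of the behaviors listed above, many accounts created from a single device and identical actions repeated on different devices, reduce to grouping sign-up sessions by device and by a coarse behavioral footprint. This is an added example, not taken from the whitepaper: the record layout, the 250 ms bucket, both thresholds and every session below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sign-up sessions: (device_id, account_id, [(page, dwell_ms), ...]).
SIGNUPS = [
    ("dev-A", "acct-1", [("landing", 4200), ("form", 38100), ("confirm", 2900)]),
    ("dev-B", "acct-2", [("landing", 810), ("form", 6040), ("confirm", 420)]),
    ("dev-C", "acct-3", [("landing", 790), ("form", 6010), ("confirm", 380)]),
    ("dev-D", "acct-4", [("landing", 830), ("form", 5990), ("confirm", 410)]),
    ("dev-E", "acct-5", [("landing", 3000), ("form", 21500), ("confirm", 1800)]),
    ("dev-E", "acct-6", [("landing", 900), ("form", 9100), ("confirm", 700)]),
    ("dev-E", "acct-7", [("landing", 950), ("form", 8700), ("confirm", 650)]),
]

def footprint(steps, bucket_ms=250):
    """Page order plus dwell time rounded to a bucket, so that a rehearsed
    flow replayed with small timing jitter maps to the same value."""
    return tuple((page, round(dwell / bucket_ms)) for page, dwell in steps)

def new_account_signals(signups, max_accounts_per_device=2,
                        min_devices_per_footprint=3):
    accounts_by_device = defaultdict(set)
    devices_by_footprint = defaultdict(set)
    for device, account, steps in signups:
        accounts_by_device[device].add(account)
        devices_by_footprint[footprint(steps)].add(device)

    # Signal 1: one device registering more accounts than the assumed limit.
    busy = {d for d, accts in accounts_by_device.items()
            if len(accts) > max_accounts_per_device}

    # Signal 2: the same footprint turning up on several distinct devices.
    cloned = set()
    for devices in devices_by_footprint.values():
        if len(devices) >= min_devices_per_footprint:
            cloned |= devices

    return {
        "many_accounts_one_device": sorted(busy),
        "same_footprint_many_devices": sorted(cloned),
    }

if __name__ == "__main__":
    print(new_account_signals(SIGNUPS))
```

Fixed buckets have edge effects: two dwell times a few milliseconds apart can land in different buckets, so a production footprint would compare sessions by distance rather than by exact match.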


EMULATOR DETECTION

Emulators were originally created as a way to play mobile games on desktops, and have become a tool for fraudsters to replicate or mimic devices. What makes them even more attractive tools is that security on mobile devices tends to be more lax than on desktops. Many fraud detection solutions try to detect emulators based on superficial data, such as the type of hardware that they’re running on. However, high quality emulators can replicate genuine hardware or provide false information, inadvertently helping fraudsters to avoid detection.

HOW BEHAVIORAL DATA CLOSES THE GAP

A major shortcoming of emulators is their inability to replicate certain types of sensor readings, which is understandable as this is not their original function. The data they provide is either incomplete or inconsistent with that of a normal device. This makes it harder for fraudsters to emulate complex gestures, like slight movements of the device when swiping a finger.

Behavioral data uses multiple sensor readings to detect complex and nuanced gestures. For example, tapping a device always results in the device moving. If a tap doesn’t change the phone’s acceleration or orientation in a specific correlation to the tap X/Y coordinates, it indicates the tap was emulated or otherwise artificial. This is apparent regardless of the user: it could be a bot being used with an emulator or a fraudster performing his task manually. Behavioral data flags these anomalies by differentiating them from normal usage and non-human behaviors.
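
The tap check described above can be written as a comparison of motion sensor samples just before and just after each tap. This is an added example, not SecuredTouch's implementation: the `Tap` and `Motion` records, the window and gain thresholds, the roll-rate sign convention (a tap right of centre gives a positive reading) and all three sensor traces are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Tap:
    t_ms: int
    x: float          # horizontal tap position, 0.0 (left edge) to 1.0 (right edge)

@dataclass
class Motion:
    t_ms: int
    accel: float      # accelerometer magnitude with gravity removed, m/s^2
    roll_rate: float  # gyroscope rate about the long axis; sign convention assumed

def tap_looks_physical(tap, motion, win_ms=100, min_gain=3.0, noise_floor=0.005):
    before = [s for s in motion if tap.t_ms - win_ms <= s.t_ms < tap.t_ms]
    after = [s for s in motion if tap.t_ms <= s.t_ms < tap.t_ms + win_ms]
    if len(before) < 2 or len(after) < 2:
        return False  # incomplete sensor stream, as the page notes for emulators
    rest = mean([s.accel for s in before])
    noise = max(pstdev([s.accel for s in before]), noise_floor)
    peak = max(abs(s.accel - rest) for s in after)
    if peak / noise < min_gain:
        return False  # the device did not move when it was tapped
    side = tap.x - 0.5
    roll = max(after, key=lambda s: abs(s.roll_rate)).roll_rate
    if abs(side) > 0.15 and roll * side <= 0:
        return False  # it moved, but not the way a tap at this X would tilt it
    return True

def emulated_tap_ratio(taps, motion):
    """Fraction of taps in a session with no matching physical response."""
    flagged = [t for t in taps if not tap_looks_physical(t, motion)]
    return len(flagged) / len(taps)

def constructed_motion(bumps):
    """Quiet 50 Hz baseline with optional {t_ms: (accel, roll_rate)} overrides."""
    return [Motion(t, *bumps.get(t, (0.02 + 0.01 * (t // 20 % 2), 0.0)))
            for t in range(0, 600, 20)]

# Constructed traces: one tap right of centre at 200 ms, one left at 400 ms.
TAPS = [Tap(200, 0.85), Tap(400, 0.10)]
RIGHT = {200: (0.4, 0.05), 220: (0.9, 0.12), 240: (0.3, 0.04)}
LEFT = {400: (0.5, -0.06), 420: (0.8, -0.10), 440: (0.2, -0.03)}
REAL = constructed_motion({**RIGHT, **LEFT})
FLAT = constructed_motion({})  # emulator reporting a motionless device
# Emulator replaying the right-hand bump for every tap, whatever its position.
REPLAYED = constructed_motion({**RIGHT, **{t + 200: v for t, v in RIGHT.items()}})

if __name__ == "__main__":
    for name, trace in (("real", REAL), ("flat", FLAT), ("replayed", REPLAYED)):
        print(name, emulated_tap_ratio(TAPS, trace))
```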

Emulators can play a role in all forms of fraud, including new account fraud. For example, Gett, a global provider of corporate on-demand transportation, discovered an increasing amount of fraud involving emulated devices. Because emulators can easily obfuscate real device attributes, using rule-based detection resulted in a high rate of false positives and flagging of legitimate users.

THE ADDED VALUE OF BEHAVIORAL DATA

Behavioral data does more than fight fraud. It improves the user experience by replacing intrusive authentication measures such as step-up authentication, while working continuously and invisibly throughout the customer journey. This allows for a better overall customer experience by reducing friction, generating fewer false positives, and lowering the chances of a successful attack.

It can also lead to reduced costs in fighting fraud. Successful attacks can result in significant losses due not only to the fraud itself but also to the decline in customer trust and reputation. Behavioral data is unique in that it has no significant onboarding costs, provides instant bot detection, and requires no changes in user behavior.

Behavioral data is widely available, and the number of users is increasing. By 2023, over 1.5 billion smartphones will use it to support Behavioral Biometrics. This will place Behavioral Biometric technology in the hands of billions of customers; organizations simply need to leverage it.

Friction at the checkout contributes to the majority of cart abandonment


BEHAVIORAL DATA IS CORE IN THE FIGHT AGAINST FRAUD

Fraudsters are getting smarter, so we need smarter solutions for detecting and combating them. Behavioral data provides a stronger, more intelligent form of identification that doesn’t add steps for users. It supports a fraud detection solution that can adapt to even the most sophisticated forms of fraud, works on all stages of the customer journey, allows for early detection of fraudsters, and does not rely on private user data.

Users are oblivious to the collection of the data and that’s the beauty of it. It allows Behavioral Biometrics technology to work invisibly and continuously to protect transactions and combat fraud without requiring direct user intervention. After all, users shouldn’t be overly preoccupied with the processes underlying their transactions. The easier it is for customers to complete transactions, the less likely they are to abandon them.

Leveraging the power of behavioral data, Behavioral Biometrics is a novel approach to fraud detection and the market is quickly adopting it. It has the power to provide stronger, seamless fraud detection that doesn’t negatively impact the user experience. Enterprises can stay ahead of the constantly changing fraud landscape and support a fast track to transaction completion for customers.

See more insights on behavioral data here: securedtouch.com.
