In the world of business, one word tends to make people cringe: fraud. This is understandable. Fraud cost businesses $16.3 billion in 2014. In addition to lost revenue from fraudulent purchases themselves, fraud also costs customer trust. Many customers who experience fraud will choose not to return to the business.
A large amount of this cost ($6.4 billion) in 2014 was card-not-present (CNP) fraud. CNP means exactly what it sounds like: purchases or payments made when a credit card does not have to be physically present. Transactions made via computer or smartphone are CNP transactions. Those made in a store by handing a credit card to a salesperson are not.
These types of transactions have exploded in popularity. The ease of online shopping has many customers making the switch from brick and mortar to CNP purchases. The benefits also mean the emergence of many online-only businesses. The result is a flourishing world of e-commerce.
Unfortunately, where the money goes, fraudsters follow. With the increasing popularity of shopping online and via mobile devices, e- and m-commerce fraud is increasing. Also, the recent adoption of EMV chip cards in the United States means fraudsters will have a harder time committing fraud in person. Thus fraudsters are expected to migrate to online and mobile fraud avenues. All in all, CNP fraud is expected to grow to 4 times that of fraud when a card is present by 2018.
Changes in how customers shop or access their money require changes in how businesses manage and prevent fraud. While fraudsters continue to think up new ways to commit fraud, many businesses continue to use the same fraud prevention methods.
Fraud vs. Friction
In the world of fraud prevention, the password remains king, even though Bill Gates declared in 2004 that the password is dead. Today, the average web user has over 50 accounts with each requiring a password. The popularity of password authentication poses a problem for customers and businesses alike.
Passwords are in the “something you know” category of the three types of authentication. Unfortunately, passwords can easily be stolen or guessed by fraudsters. The average user has a hard time developing a unique password for each of the 50 accounts, so they use easily guessed passwords or the same password for multiple accounts. Thus a fraudster who accesses one password-protected account can often access others by the same person. Passwords can also frustrate customers who don’t want to have to re-enter a password every time they want to access an account.
Authentication methods like passwords cause high friction for users. This increases checkout time, resulting in more abandoned shopping carts. Of course, businesses don’t want this, so they try to reduce friction by providing easy options like one-click payments. Often, reducing friction can also mean skimping on security and welcoming fraudsters in.
The best practice in online security today is two-factor authentication, which requires users to prove their identity twice. By providing two hurdles for fraudsters to jump instead of one, it makes a fraudster’s job harder. Thus it is less likely a fraudster can hack into an account.
Unfortunately, two-step authentication often increases friction for users. For example, here’s how a user logs in to Gmail by Google:
Step 1: Enter a password.
Step 2: Enter a validation code sent to the user’s mobile device.
While two-factor authentication is more secure than simply entering a password, it comes with more friction, which deters potential customers.
New methods of addressing fraud must balance security and friction. High security, low friction methods are needed to keep purchases secure while allowing customers to shop without becoming frustrated by lengthy checkout processes.
The Ever-Evolving Fraudster
In addition to the problem of friction, businesses have to fight the evolution of new fraud methods. New fraud prevention and detection methods must adapt as the way fraudsters commit fraud continues to change.
The traditional methods of fighting fraud are no longer enough to catch up with hackers. In 2014, many big companies like Target and Home Depot were targets of massive attacks. Customers and businesses alike began to wonder how they could protect themselves when a big company like Target couldn’t.
As one industry expert notes in an article by PYMNTS.com, “There’s a hacker for everything.” This means security isn’t achieved by one fraud prevention method. The key is to develop a security plan that addresses the many different avenues fraudsters may use and stands up to new, evolving attacks.
Fraud prevention and detection must enter the 21st century if businesses want to secure themselves. If not, businesses and customers alike can’t be sure they are protected. Businesses don’t want to realize they could have prevented the newest threat when it is already too late.
What is Behavioral Analysis?
With businesses looking to reduce friction and keep up with emerging fraud methods, new ways of detecting and preventing fraud are being developed. One of these 21st century methods is behavioral analysis.
Behavioral analysis relies on something inherent in a user: how they behave. What a user does may be a better indicator than who they say they are, which is the question authentication typically asks.
Whether we realize it or not, our shopping habits reveal our unique behavior. For example, how often you shop, what time of the day you shop, and where you shop all reveal important information about your behavior. Retailers can use this information to tell what is authentically you and what is someone using your information to make a purchase.
Types of Behavioral Analysis
Behavioral analysis relies on a user’s unique behavior to build a profile of behavior that is normal. Suspicious behavior that strays too far from the norm can then be singled out as fraudulent. It can be used in many different ways to detect fraud via online channels.
Here is an example from SiftScience to show how behavioral analysis works:
User 1: Login → Click on Product #8473 → Click on Product #157 → Click on Product #102 → Complete Purchase
User 2: Failed Login → Request Password → Direct Link to Product #821 → Change Shipping Address → Complete Purchase
Which behavior is suspicious?
The second one. While the first user successfully logs in and takes time to browse before making a purchase, the second user fails to log in, navigates to one product and changes the shipping address before completing the purchase. For behavior analysis, the second user would raise a red flag.
The amount of time a customer is likely to spend browsing, their browsing history, and how they browse are all online shopping behaviors that can be critical to preventing and detecting fraud.
Browsing behavior is an example of one type of behavior analysis. Another is physical behavioral data taken from devices themselves. Electronic devices can collect all sorts of data via their sensors to tell businesses more about a user’s behavior. What this data is and how helpful it is at determining fraud varies.
“Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a 'cognitive fingerprint',” explains a contract document for research into behavioral biometrics at West Point, the U.S. Army’s military academy.
Here are some examples of behavioral data that can be collected via different electronic devices.
Smartphone Behavioral Biometrics:
- Swipe speed and distance
- Speed, style, and position on screen of a signature
- Angle a user holds the phone
- Movement across a screen
As you can see, mobile devices can collect a wider variety of rich data than computers. This data can piece together a picture of the user. For example, fraudsters tend to have a higher heart rate than a normal user.
Difference in heart rate between fraudster and legitimate users via Riskified.
In addition, measured skin conductivity tells how much a user’s hands are sweating. Fraudulent users tend to sweat more than authentic users, so this data can be used to identify whether a user is good or bad.
The History of Behavioral Analysis: From Static Biometrics to Behavior
In the quest to reduce fraud, technology businesses have developed new, better methods. Behavior analysis as a fraud security measure evolved from shortcomings of other methods.
Behavior isn’t the only biometric used. Physical biometrics like fingerprint, voice, eye, and face recognition involve inherent characteristics of a person. This is one of the longest used ways of identifying a person. Biometrics have been used by humans since 30,000 years ago when the first cave painting was signed with a hand print.
In recent times, the development of biometric methods has skyrocketed. In 2013, Apple came out with Touch ID for its Apple Pay application. This involves validating identity via fingerprint. Intel Security’s True Key uses facial scanning. Fujitsu developed a method to scan irises. They also developed a way to use palm veins to identify a user. Mastercard is expected to roll out a “pay by selfie” authentication method in 2016. (“The Future of Consumer Authentication (And It’s A Little Weird)”)
Although physical biometrics seem like secure methods of user identification (someone can’t “steal” something that is a part of your physical body), there are a lot of problems associated with them. Different static biometrics have varying levels of security.
Fingerprints, for example, sound extremely secure. Fingerprint scanners are thought of as something straight out of a sci-fi movie. The problem is people leave their fingerprints on everything. This makes this identifier a target for fraudsters to steal. Fingerprints can even be copied from public photos and used to hack into a person’s device.
Although not every physical identifier can be stolen, these biometric methods often require a user to take the time to validate themselves as a true user. They also tend to use only one data point: a fingerprint or ear scan, a photo. This can make it easy for a valid user to be locked out because “fraudster” or “not fraudster” is determined by one piece of information.
Thus the need for another biometric method evolved. Using something a person inherently is remains a good idea, but it should work without user friction and without hardware outfitted with new sensors. Behavior is a more multi-faceted method of authentication.
The Ins and Outs of Behavioral Analysis
Here’s where we are so far with our thinking about behavioral analysis:
Each person behaves uniquely. A profile of that person’s behavior is recorded. A user who acts vastly different from the behavior profile is suspicious.
How exactly does this all work? What happens if a user behaves differently?
Businesses need a way to stop fraud before it happens. They also need to reduce the chance that a perfectly fine customer is turned away from making a purchase. Thus a system is needed to gather data and make an informed decision about whether a user is a fraudster and should be blocked from a purchase.
This is where machine learning comes in. Machine learning algorithms take the data gathered and determine patterns to predict the probability that a purchase is fraudulent.
Here’s a simple outline of the steps of behavioral analysis to detect fraud:
- Gather loads of information to form a template of the user’s behavior and “train” the system
- A behavioral pattern is determined and a threshold is set to identify when behavior translates from normal to fraudulent. This threshold can be a probability percentage that a transaction is fraudulent (for example, 95%).
- When a user is encountered, a probability of the transaction being fraudulent is calculated based on behavior. If the percentage is above the threshold (95% in this example), the user is blocked from the transaction.
In essence, machine learning algorithms develop a pattern. Then a risk value is calculated using this pattern. If the risk is deemed high enough, there is a large chance the user is fraudulent. Then the user is either blocked from accessing an account or blocked from completing a purchase, depending on how the behavioral analysis is being used.
The risk threshold can be adjusted, and the trade-off is direct: tighten it and authentic users may be blocked; loosen it and fraudsters may go undetected.
The number of false positives varies depending on the behaviors analyzed and the accuracy of the technology used to gather data. In general, behavioral biometrics tend to have fewer false positives than other detection methods.
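As an added example (not code from SiftScience, Riskified or the original post), here is a small Python model of the outline above, applied to the two sessions from the earlier SiftScience example: a baseline profile is built from constructed session history, each new session is scored as a fraud probability, and the decision depends on where the threshold is set. The feature set, the constructed history and the scoring formula are assumptions, a hand-rolled statistical baseline standing in for a trained machine-learning classifier.

```python
import math

# Constructed history for one account (assumption): what "normal" looks like
# for this user. Each session records hour of day, products browsed before
# checkout, failed logins, whether the shipping address changed, and amount.
HISTORY = [
    {"hour": 19, "browsed": 4, "failed_logins": 0, "addr_change": 0, "amount": 42.0},
    {"hour": 20, "browsed": 3, "failed_logins": 0, "addr_change": 0, "amount": 58.0},
    {"hour": 18, "browsed": 5, "failed_logins": 0, "addr_change": 0, "amount": 35.0},
    {"hour": 21, "browsed": 2, "failed_logins": 1, "addr_change": 0, "amount": 61.0},
    {"hour": 19, "browsed": 6, "failed_logins": 0, "addr_change": 0, "amount": 47.0},
    {"hour": 20, "browsed": 3, "failed_logins": 0, "addr_change": 1, "amount": 52.0},
]
NUMERIC = ("hour", "browsed", "amount")
FLAGS = ("failed_logins", "addr_change")

# The two sessions from the SiftScience example, plus a legitimate but
# unusual gift purchase that sits near the threshold (all constructed).
USER_1 = {"hour": 19, "browsed": 3, "failed_logins": 0, "addr_change": 0, "amount": 40.0}
USER_2 = {"hour": 20, "browsed": 0, "failed_logins": 1, "addr_change": 1, "amount": 95.0}
GIFT_PURCHASE = {"hour": 20, "browsed": 1, "failed_logins": 0, "addr_change": 1, "amount": 85.0}


def build_profile(sessions):
    """Training step: mean/std per numeric feature, smoothed base rate per flag."""
    profile = {}
    for f in NUMERIC:
        vals = [s[f] for s in sessions]
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / len(vals)
        profile[f] = (mean, max(math.sqrt(var), 1e-6))  # floor avoids divide-by-zero
    for f in FLAGS:
        # Laplace smoothing: a never-seen flag is rare, not impossible
        profile[f] = (sum(s[f] for s in sessions) + 1) / (len(sessions) + 2)
    return profile


def fraud_probability(profile, session):
    """Scoring step: distance from the user's norm, squashed to a probability."""
    logit = -4.0  # prior: a typical session for this user is low risk
    for f in NUMERIC:
        mean, std = profile[f]
        logit += abs(session[f] - mean) / std  # each std of deviation adds evidence
    for f in FLAGS:
        if session[f]:
            logit += -math.log(profile[f])  # rarer flags add more evidence
    return 1 / (1 + math.exp(-logit))


def decide(profile, session, threshold=0.95):
    """Decision step: block when the probability meets the configured threshold."""
    p = fraud_probability(profile, session)
    return ("block" if p >= threshold else "allow", round(p, 3))
```

Running `decide` on the three sessions with the default threshold blocks User 2 and allows User 1, but also blocks the gift purchase; raising the threshold to 0.99 lets the gift purchase through, which is the trade-off the text describes.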
Pros of Behavioral Analysis
Besides reducing the incidence of false positives, there are many reasons behavioral analysis is a good choice for mitigating fraud.
- Behavioral methods gather large amounts of diverse data. For example, a smartphone that gathers behavioral information has many data points to evaluate fraud potential, while static biometrics have far fewer to work from. This results in a richer profile of who an authentic user is and who a fraudulent user is.
As a Tech Radar article notes, “It's like having your finger on the fingerprint sensor on your phone throughout the whole process.”
- It is frictionless and non-invasive. Behavioral biometrics are also called “passive biometrics” because users don’t have to do anything different for them to work. They don’t have to put their fingers over a certain button or speak into a microphone.
They only have to keep behaving as they always do. There’s no interference to the user and, therefore, no friction. In addition, it’s non-invasive, as security relies not on what you are doing on your phone but how you are doing it.
- Behavioral analysis can detect fraud in early stages. It can detect fraudulent activity before a purchase is attempted. This makes it easier and cheaper for companies to prevent losses (Behavioral Analytics for Detecting Fraud).
- Behavioral analysis can detect new fraud schemes. Because it relies on behavior, it detects abnormal behavior, regardless of the attack scheme. This makes it good for new attacks that aren’t yet exposed.
- It doesn’t require new hardware. Behavior analysis works on all smartphones because of the sensors embedded in these devices already. This means users don’t have to buy a token or a wearable technology to authenticate. They don’t have to purchase the newest type of smartphone outfitted with a fingerprint scanner. This means behavioral analysis has the ability to be widely implemented.
Looking to the Future
Behavioral analysis has the potential to be adapted to many different devices, including an entire smartphone’s operating system, not just certain apps that use the technology. This means an entire phone can be protected. Just as you use a case to protect your phone from physical damage, behavioral analysis can protect your phone from fraud damage.
The main takeaways about behavioral analysis and fraud:
- Behavioral analysis can gather a lot of data. Gathering more data means better identification and fewer false positives.
- Reduced friction. Users don’t have to enter a password or authenticate via a static biometric. This means customers can get back to shopping and not abandon checkout in frustration.
- Behavioral analysis is a high security, low friction method of fraud prevention. Businesses can integrate it with traditional security measures like passwords to build a system resistant to old and new fraud methods.
While fraudsters have found a way around many security measures, fraudsters can’t possibly mimic every aspect of a user’s behavior. As fraudsters are driven to online and mobile avenues of wreaking havoc, this is a technology capable of adapting. This way, the evolution of fraud prevention can catch up to the speed of fraudsters.