The use of mobile phones for mobile banking and transactions is becoming increasingly widespread, necessitating stronger security measures capable of identifying when user credentials have been compromised. Hackers are coming up with more and more ways to steal personal details, whether via account takeovers or automated bot attacks.
Is Your System Really Safe?
Data security today is most often dependent on passwords. Individuals tend to reuse the same passwords across a slew of accounts because it is too much of a hassle to remember a different set of usernames and passwords for a dozen apps and websites. While you may think your system is well protected, you are still exposed to the use of stolen or guessed credentials. For example, the recent cyber heist at the Bangladesh Bank was traced to the attackers obtaining valid credentials used by bank officials to log into the SWIFT system and using that access to transfer $81 million. The deficiency of passwords as the means to protect your system from hackers is staggering. The Verizon Data Breach Investigations Report shows that an overwhelming 63% of confirmed data breaches in 2016 involved leveraging weak, default or stolen passwords.
Looking Beyond the Login
But passwords are pretty much passé for hackers. The transition of users to mobile has motivated fraudsters to come up with new ways to acquire credentials via apps. They are now creating apps that appear legitimate but actually steal personal data. If the end user’s smartphone is not protected with antivirus software, it is vulnerable to malware and botnets. The bot lies in wait until the end user opens an app and then takes over, copying credentials and even a fingerprint.
Faced with these kinds of threats, enterprises are searching for effective methods to identify account hacking in real time in order to prevent the mass breaching of user credentials.
Which Method Works Best?
The growing use of mobile for a wide range of applications, combined with the Bring Your Own Device (BYOD) policy adopted by many employers, has raised the ante when it comes to security precautions for a wide range of work and personal devices.
Let’s examine the advantages and disadvantages of methods currently used to repel attackers and prevent credential takeover:
- Context-aware Identity and Access Management (IAM)
Context-aware security relates to the use of different types of contextual information in order to strengthen security practices. In the past, security systems focused on who was trying to gain access and what they would be allowed to do once they gained entry. With context-aware IAM systems, user authentication is more stringent, only allowing a login to proceed to the next stage after evaluating how, when and where access is requested. Equipped with in-depth data about the user, the system can offer not just accurate individual authentication but also authorization, thereby narrowing down the chances of false positives. However, the main drawback here is that once the user is signed in, no additional security checks are conducted, leaving the system open to subsequent attacks if the initial entry was fraudulent, as in the case of an account takeover (discussed below).
- Behavioral Analytics
Behavioral analytics tracks, collects and assesses user activities and data to record individual patterns of use within a website or an app. Some companies use these insights to analyze consumer behavior and weed out fraud. But identifying certain patterns is not always a reliable indication of who the user really is. For example, using this form of analytics, a security system will note if a particular customer who usually checks his balance every morning has suddenly switched to the evening. Or if he has changed the regular day that he transfers certain funds. But while the system will regard these instances as red flags and declare them fraudulent, the user may simply have legitimately broken with habit. This type of analysis yields a high rate of false positives and cannot accurately be applied to mobile.
- Behavioral Biometrics
As opposed to the two methods mentioned above, behavioral biometrics focuses on inherent physical activity and how individuals connect with their devices. It is not reliant only on an arbitrary habit or a static physical trait (which can be copied) but rather on personal interaction. Based on machine learning, the system studies variances continuously over time, until it actually “knows” the individual and creates an accurate user profile.
The added value of this method is that even if valid user credentials are entered by a fraudulent human or bot, the system will raise a red flag at the first behavioral deviation. Account takeovers, mentioned above, are increasingly being performed with the help of malicious bots that can be programmed to mimic human actions. Bots are becoming more sophisticated and can undertake all kinds of hacking activities, including taking over legitimate user accounts. Bots can masquerade as legitimate mobile apps to steal user credentials through fake login pages. However, even if they succeed in stealing the credentials in this way and get in, behavioral biometrics is well equipped to identify non-human behavior and stop them in their tracks, before any fraudulent transaction can take place.
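To make the contrast between the two approaches concrete, here is an added illustration (not code from the original article or any vendor product): a context-aware gate that evaluates device and time of day once at login, beside a continuous behavioral scorer that keeps a running profile of one interaction feature (here, the interval between taps in milliseconds, with constructed sample values) and flags the first event that deviates too far from it. The feature, the threshold and the sample data are assumptions chosen for illustration.

```python
"""Added illustration: login-time context gate vs. continuous behavioral score."""
import math
from dataclasses import dataclass


@dataclass
class Profile:
    """Running mean/variance (Welford's method) of one interaction feature,
    e.g. the interval between taps in milliseconds. Constructed for this example."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x: float) -> float:
        """How many standard deviations x lies from the learned behaviour."""
        if self.n < 2:
            return 0.0
        sd = math.sqrt(self.m2 / (self.n - 1))
        return abs(x - self.mean) / sd if sd > 0 else 0.0


def context_gate(known_devices, usual_hours, device_id, hour) -> bool:
    """Context-aware IAM: how/when the request arrives is checked once, at login.
    Anything that passes this gate is trusted for the rest of the session."""
    return device_id in known_devices and hour in usual_hours


def first_deviation(profile: Profile, session_intervals, threshold: float = 3.0):
    """Behavioral biometrics: score every interaction against the learned profile.
    Returns the index of the first event beyond the threshold, or None if the
    whole session stays in profile (in-profile events keep refining the profile)."""
    for i, x in enumerate(session_intervals):
        if profile.zscore(x) > threshold:
            return i
        profile.update(x)
    return None


def demo():
    profile = Profile()
    for x in [180, 200, 190, 210, 195, 205, 185, 215]:  # constructed training data
        profile.update(x)
    # Valid credentials, trusted device, usual hour: the gate lets the session in.
    assert context_gate({"dev-A"}, range(6, 23), "dev-A", 9)
    # A scripted replay then taps at a machine-regular 40 ms; flagged at index 1.
    return first_deviation(profile, [198, 40, 40, 40])
```

The gate has no say after login, whereas the scorer catches the second interaction of the replayed session even though every credential check passed.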
Winning the War on Fraud
Since behavioral biometrics continuously draw on users’ unconscious behaviour, they are incredibly difficult to mimic. Behavioral biometrics has the ability to stop a fraudster in the initial stages of an attack. This early ability to identify when user credentials have been compromised - even if they appear to be perfectly legitimate - is the most effective weapon in fighting fraud, especially in industries that require a careful balancing of security and customer experience, such as financial and banking applications.