For years, BioCatch has been one of the foremost pioneers in the area of behavioral biometrics, offering innovative technology that can automatically spot signs of potential fraud in end users’ behavioral patterns with respect to things like how they hold a mobile device and how quickly they fill out online forms. Assessing over 2,000 parameters, the BioCatch platform can generate real-time risk scores to flag fraudulent behavior even as it’s underway, so it’s no wonder that a growing number of organizations, including major financial institutions, have embraced its solution.
In the wake of a global pandemic that has driven vastly more end users into digital channels, the enthusiasm for BioCatch’s solution has only intensified. The company raised $145 million in a Series C funding round in April, and followed that up with an additional $20 million in funding last month, after BioCatch was named to the CB Insights FinTech 250 list. So it’s a good time to check in with BioCatch CEO Howard Edelstein, who spoke with FindBiometrics President & CEO Peter O’Neill in an exclusive interview touching on remote work security, the threat of account takeover, improvements to the BioCatch platform, and more.
Read the full FindBiometrics interview with BioCatch CEO Howard Edelstein:
Peter O’Neill, President & CEO, FindBiometrics: It has been widely reported that the move to employees working remotely due to the coronavirus has led to a spike in fraudulent attacks over the past few months. We’ve been reporting quite a bit about this at FindBiometrics. How does BioCatch differentiate between employees working from a new location and cyber thieves?
Howard Edelstein, CEO, BioCatch: It’s a good question, Peter. First of all, fraudsters – bad guys – love to take advantage of disruptions to normal environments, so you’re right. Attack vectors are bigger and attacks are basically off the charts. We use behavioral biometrics, and what that means is we develop profiles based not on the user’s location or credentials, but on the user’s behavior. Just like you can identify your friend walking down the street by their gait before you ever see their face, we verify you based on your interaction with your device – be it the keyboard, mouse pad, phone, whatever. We don’t really rely on location nor do we rely on device characteristics; we rely on behavior. That’s number one.
Number two, it’s actually not just employees we worry about. Customers of our clients used to walk into the bank. Obviously, some of them don’t walk in at all anymore; some branches aren’t even open anymore. Employees had to get relocated and large corporations had to deal with massive dislocation of their teams. Banking by and large had moved online even before the coronavirus accelerated the trend. We use online behavior as a way to protect banks, their clients, and their client’s assets by indicating the likelihood that the person using a particular identity and login credentials is in fact who they say they are. And that’s based on our having accumulated 150 million behavior profiles and analyzed billions of transactions over the years. By building up these behavioral profiles, we can give comfort to the bank that the person is who they say they are.
Peter O’Neill: Well, I’m sure this is all escalating tremendously, as you mention, with coronavirus and so many changes happening now in our marketplace. What are some of the things that you have seen develop in 2020 from your clients, and how are you reacting or solving some of these issues?
Howard Edelstein: Obviously account takeover is one. That’s been a sweet spot of ours for several years now, and it’s the most common type of online banking fraud. But there’s also a lot going on with new account openings, whether it’s a credit card, bank account, loan application, whatever. We are seeing a rise in online applications, because naturally people can’t easily go open an account in-person right now. Online applications have severe abandonment rates. Mobile applications are even worse, losing applicants as much as 90 percent of the time before completion. We are working with our clients to leverage our data bank and identify patterns that allow them to successfully on-board more customers digitally and banish friction from their application process.
We are doing that by helping banks defend against fraudulent account openings. We reduced the fraud rate in some of these cases by more than 50 percent. That is, again, driven by behavior. We have such a large behavioral data set that it allows us to differentiate between a legitimate potential customer and a fraudster. As with account takeovers, we are able to give the bank a good indication of the risk that Howard is opening up an account in Peter’s name. And we are able to do that because, while Howard may have bought Peter’s personal information and tried to open up an account in his name, Howard doesn’t know the information the way Peter knows it. That shows up in Howard’s behavior when opening up the account. Whether it’s a synthetic account or uses a stolen or fraudulent identity, we actually have a really good interception rate in these situations, and are able to help banks make sure Peter is actually Peter.
Another problem we’ve seen rise recently are the use of mule accounts. This is when an individual creates an account – we call them mules – for the sole purpose of assisting cyberthieves with money laundering. Let’s face it, there are a lot of people out of work right now. It makes them vulnerable to someone offering them money to open up an account that can be used for illegal purposes. Of course, fraud is a crime and as you know, you can’t really eliminate it, you have to fight it. You have to fight it daily. And you have to continue to innovate to fight it.
Peter O’Neill: I’ve been following BioCatch for many years, your growth, and exciting new launches. What’s the latest with your product? What have you added in around your behavior-based technology to counter some of the issues you’re seeing out there now?
Howard Edelstein: For starters there are derivatives of the basic core products that we offer today, which really revolve around account takeover and account opening. One of the derivative products, for example, identifies social engineering. For example, account takeover is based on the fact that we know the identity and we know the behavior of the current user. Peter’s trying to log in, we can authenticate that as Peter. Now, as I said earlier, we can tell if somebody is not Peter, but here’s the rub. More and more social engineering involves somebody convincing Peter, through phishing or a phone call – what we refer to as voice phishing, or “vishing,” that they are a bank officer, and that it is urgent that Peter log into his account and do something not in his interest. He may be actually opening himself up for further fraud or attacks or something of the sort.
So we have a social engineering detector, because if you think about it, if somebody calls you from your bank and tells you to do something, your behavior will change from what your normal behavior is. Think about yourself working online. You work from your mind to your fingers and they move in a certain way and you’re parallel processing. Now you get a phone call and you get convinced it’s your bank that’s talking to you. Your general behavior stays the same but there are nuances that change.
For example, if someone’s talking in your ear giving you instructions, you’re no longer processing information the way you would like to. You actually have to listen for one character at a time or one word at a time, and if you make a mistake, you backspace. You’re not familiar with what you were just told. These nuances help us to identify social engineering. We also get a good view of whether you’re fearful or are hesitating or are rushing through something that you normally don’t rush through, because these are all behaviors that change when someone is inducing you to do something urgently that you’re not used to doing. That’s a pretty cool thing, by the way.
Peter O’Neill: Yes…very cool indeed, and as you’re describing that, I couldn’t help but think about – as you mentioned earlier – the dramatic increase in these types of attacks, especially we’re finding and reporting a lot on elders in maybe care environments, et cetera. They are so vulnerable because they’ve been in isolation for a while probably and when somebody calls and says they’re the bank, they really can’t differentiate. So, your solution right now in the market is critically important.
Howard Edelstein: Agreed. One of the cultural aspects of BioCatch is we’re really, really proud to be on the good guy side, and we’re really pleased to be helping banks protect their customers. And I very much appreciate that I hear almost weekly, if not every few days, about things that we’ve done to save people’s life savings or assets, or even if the customer is a company, stopping a large wire transfer that should not go out. I feel really good about that, really, really good because we are doing a good thing for society. And the dollar amounts we are talking about are astronomical!
Peter O’Neill: We also reported that you recently announced a capital raise from several major financial institutions that also came with a space on the newly formed Client Innovation Board. Can you tell us a little bit about that please?
Howard Edelstein: Absolutely. It’s no secret we work with some of the world’s most innovative and sophisticated banks. We’re very proud of the fact we’ve been able to add value to what they do. Of course, they add value to what we do also. So we don’t really view it as a client-vendor relationship, we view it as a partnership, and as a result, we work very closely with our clients. The benefit to us, of course, is designing products that address their actual needs and the benefit to our bank clients is that we help them protect their customers. So it’s a win-win for both of us. In the case of the Client Innovation Board, we have a number of major global clients that would like to see us doing more together, both bilaterally and multilaterally, to harness the power of behavior. Bilaterally, it’s an acceleration of the work we already do today in product development.
But we’re also giving rise to the notion that cooperation amongst multiple banks and sharing information – not personal information, not client information – but sharing behavioral patterns would be a great benefit to the industry as a whole. We believe that by helping banks pool their anti-fraud efforts, we can do much more to serve the industry. The truth is that the bad guys share all the time. They sell information on the dark web or even just put it out there for free. The good guys are a little bit more sensitive about sharing with one another. By serving as an intermediary, we could actually use the patterns that we find for one bank to protect other banks as well.
If you know there’s a bad actor attacking bank number one and you let other banks know, you’re creating a better defense posture, reducing the attack vector around a group of banks. You’re building a bigger moat. We see this as the very early days of a very big benefit for the industry.
Peter O’Neill: We’re seeing the need for identity solutions and fraud prevention across a number of other industries, but one that comes to mind for me right now is healthcare because everything has gone remote, including sharing patient records. Are you starting to think about other markets that would benefit from your technology?
Howard Edelstein: We get asked that a lot. We’ve developed a deep expertise in the financial industry, because, as the famous bank robber Willie Sutton once reportedly said: “That’s where the money is.” So financial institutions are far and away the most attractive target for fraudsters. However, our models are not applicable to finance alone. We already have clients within e-commerce and we also do some work with government. In general, there are a lot of industries where what we do for banks, whether it’s account takeover, account opening, employee credential sharing, or social engineering, is applicable. For example, the telecom industry.
One of the big threats we’re facing these days, if you’re a fraudster and you can’t get into a bank, you get into the telco of the cell phone provider, or steal credentials that will help you access somebody’s mobile phone account. SIM swap fraud is also quite big. People don’t really think about their cell phone as providing easy access to their bank account. Meanwhile, the bank may believe it’s protected, but it may actually be vulnerable because its customers aren’t fully protected. Banks in general are trying to do more and more to protect their clients, whether it be individual retail clients or corporate clients.
If you think about behavior, this is why it’s so much better than relying on a device and a physical location. The unique thing about behavior is that you bring your behavior with you. So we can actually model and maintain a confidence level that the person is who they purport to be, no matter where they’re coming from. Whether they are coming through a corporate network or a personal phone on a home Wi-Fi network, you can match their behavior against their existing profile to make sure they are who they say they are. And that’s the beauty of not being dependent on physical things like devices or locations or any sort of personal information, all of which can be spoofed or stolen. Behavior is a probabilistic thing. It’s really, really hard to mimic someone’s behavior because it morphs, it changes over time, so at any particular moment, you don’t know what it is. And our service keeps close track of that.
In the end, though, it’s all about the data. The data that somebody throws off with their behavior makes them relatively unique in the eyes of an authentication process. And that data has never really been captured or correlated to all the other things that are already gathered, like your social security number, your driver’s license, your passport, et cetera. All the fixed data that you’re familiar with has already been collected at credit agencies, in bank records, and so forth. Behavior is new. We know it’s very valuable for what we’re doing today, but every day we’re finding new ways to make it more valuable by helping our clients enhance other types of detection or identity-proofing mechanisms.
Peter O’Neill: We’ve been following behavioral biometrics since it first launched into the marketplace about seven years ago, and you were one of the first companies we covered. We knew back then it was going to be an important, even critical piece of the identity future moving forward. In the financial services marketplace, it’s critical and it was always being talked about, but again, the urgency now because of COVID has really increased that demand.
Howard Edelstein: Let me just say one other thing. Covid has been a tremendous accelerant to adoption, I’m glad you remember back to seven years ago. Back then, if you Googled ‘behavioral biometrics,’ you got 100,000 to 200,000 hits. If you Googled it a year later, you got 300,000 to 400,000 hits. In the last few years, it’s gone to several million. I haven’t done it recently, but the last time I did it, I got six million hits! This is all largely driven by the success it’s had in the protecting individuals. It really is unbelievable. And yes, you’re right, BioCatch was in fact the pioneer and we are very proud of that. The founders of this company were onto something way ahead of their time. They were patenting behavioral biometrics techniques as early as 2010.
Peter O’Neill: Wonderful. And Howard, before I let you go, could you just give us a little future gazing? What do you see now coming over the next several years, especially with regard to how we keep up with fraud? Fraud is constantly evolving, constantly changing. In some of your comments earlier, the fact that your technology evolves and adapts on its own to match that – is that what’s going to happen?
Howard Edelstein: I think we’re going to continue to evolve and innovate because this is still early days. By the way, I just Googled it up and got 8.3 million hits. It was six million just a couple months ago, just to give you an idea. I’m blown away by that, really. When I was out on the fundraising circuit talking about this early on, working with our founder, Avi Turgeman, it was like talking gibberish to people – science fiction. Today, it’s science. Why would I use a bank that doesn’t use behavior to tell them who I am? I want them to know who I am. I don’t want them to give my assets to someone else, thank you very much.
Anyway, innovation is key. It is absolutely key. No one knows what we can actually do with this technology. The machines are getting better. The technology is getting better. We’re detecting things that we couldn’t detect even a year ago. We’re saving banks money. We’re protecting assets. It’s all good
As someone who’s worked on several cooperative industry initiatives in capital markets and in risk management, I believe in my heart of hearts that helping banks collaborate on behavior as a security protection device is a big deal. By this I mean collaborate in a way that privacy protected, meaning not sharing client information, but protecting themselves and their clients because they can learn from each other and help each other. The bad guys don’t really care which bank they rip off. They just go from one to the next. Using behavioral biometrics is like having a German Shepherd in front of your house; house thieves just move on to the next house. But if everybody has a German Shepherd, the thieves have got to step up their game. The industry needs to have an increased degree of protection around as many banks it can, and I think that’s going to be driven by innovation and cooperation. The Client Innovation Board will accelerate the industry’s ability to stay ahead of the thieves.
Peter O’Neill: Well, I think it’s a very exciting move, Howard, and I’m also really happy you mentioned privacy protection. That’s a critical component and glad to see you’re putting that front and center with all of this. And congratulations on the great growth of BioCatch over the last several years. The future looks very bright. Thank you very much for taking the time to speak with us today.
Howard Edelstein: Peter, I appreciate the opportunity as always. You guys do a great job and we’re always happy to have any conversation on this field we invented. It’s really been a game changer.