FindBiometrics recently dedicated an entire month to behavioral biometrics, the increasingly popular passive modality that promises to change the way we fight fraud and authenticate users online. As one of the leading vendors in this booming space, NuData Security, a behavioral biometrics company recently acquired by MasterCard, figured prominently in our featured coverage.
FindBiometrics had the chance to speak with Robert Capps, VP of Business Development, NuData Security, to gain further insight into the intricate and dynamic world of behavioral biometrics. The conversation begins with a discussion of the factors driving demand for behavioral biometrics in financial verticals and how the passive nature of the modality improves customer experiences. O’Neill and Capps then proceed to discuss the omnichannel benefits of NuData’s NuDetect solution, potential IoT applications of behavioral authentication, how behavioral biometrics fight malware threats, and more.
Read the full interview with Robert Capps, VP of Business Development, NuData Security, A Mastercard Company:
Peter O’Neill, President, FindBiometrics: The financial market has enthusiastically embraced behavioral biometrics. What is driving this high level of interest?
Robert Capps, VP of Business Development, NuData: Customer convenience first and foremost. The industry is moving towards providing consumers options in how they want to authenticate. Most smartphones offer secure fingerprint verification capabilities that financial institutions are taking advantage of in their native apps. By building in a multimodal approach to authentication and then layering in convenience, along with a needed level of security using passive behavioral biometrics – the consumers and the FIs are happy. When we start looking at behavioral biometrics and passively collected biometrics coupled with active biometrics, in an online scenario what we have at that point is a seamless and safe user experience. The financial institutions can provide the consumer what they want while garnering the benefits of higher accuracy verification, lower fraud, and a better customer experience.
FB: Can you please describe the end-user experience in the case you just outlined?
NuData: Consumers continue to do what they normally do. They go to their financial services website, they go to their online retailer, they go to their favorite gaming site, whatever it happens to be, and they enter their username and password like they normally do, and just the act of interacting with those pages and forms and doing the things they normally do, passive biometrics and passive consumer behavior analytics allows the authenticating party to strongly verify they are who they say they are without jumping through any hoops. So, generally what would happen is the user would land on the login page, they’d log in using their password and hopefully succeed because they’ve remembered their password, and then there would be some analytics behind the scenes looking at the IP address of the customer, looking at the time of day they are logging in, looking at the device ID, and if things sort of generally line up to the expectations of the website owner, then that transaction or interaction would be allowed to occur.
But nine out of ten times, what we are seeing is they are being hit with a request for multi-factor authentication – whether it is a PIN code, a one-time password, a text message or a request for a physical biometric verification. At first, consumers thought it was really cool. You could log in with an iris scan or a selfie to finish a transaction, but people started to get weary of those interactions as the primary method of authentication, and there were times that taking a selfie was not appropriate like in a meeting. And so, I think the financial institutions are now looking for solutions that provide options to the consumer while maintaining that same level of accuracy and remediation of risk. And then what happens is once the behavioral biometrics and the passive biometrics analysis and verification is completed most customers are going to sail right in because they are strongly authenticated without any additional actions.
For those that aren’t able to authenticate for various reasons, then consumers can interdict themselves through other physical biometrics verifications and other mechanisms to step those customers up. So instead of putting every customer through friction you only put those that truly look risky versus every other customer.
FB: NuDetect is an omnichannel solution that can be used for web and mobile applications. Does this aspect of your technology also open it up to the Internet of Things, robotics, other growing applications?
NuData: Yes, it does open up the horizon to Internet of Things. IoT is definitely something that is on the horizon. Specifically, items that tend to surround you as a human could be additional points of plausibility for verification of your identity. So, if you think about, let’s say, the electronics that I have sitting in front of me right now – I’ve got my laptop that has Bluetooth turned on, I’ve got my iPhone that also has Bluetooth turned on, Wi-Fi, and I’ve got my smart watch that is connected to all three of these things. As I’ve got this sort of web of devices that is present around each other, they are looking at my heartbeat potentially, they are looking to see if my body temperature is normal, and those sorts of things – all of which is additional data that can be used to strongly authenticate someone. So, we play into that space, and I can’t unveil future product offerings, but can say there has been a lot of thought into this space with regards to passive biometric verification – not just with us but with other parties in this industry as well.
FB: Your NuDetect technology also protects against malware and fraud attempts which are such a growing concern. What are the most common of these threats and how does NuDetect address them?
NuData: We can probably back up a little bit and talk specifically about what NuDetect does. What we do is give our customers the ability to identify whether or not a human is involved in an interaction. So, when there is a web session occurring on the online banking site, someone is trying to log in and transact, is that coming from a human? If it’s not coming from a human, is it good automation or is it bad automation? Is it a personal financial manager application like Intuit or QuickBooks or something logging in to look at a balance, or is it software trying to break into an account and log in to verify a stolen username and password were valid? And so, a big piece of what we are doing up front for anti-fraud and security is the detection of automated actions that are inappropriate and the protection of consumer accounts where automation is being used to either verify the credentials where they have been stolen elsewhere or brute force them to other means. So, first and foremost we are protecting accounts from inappropriate access.
Downstream, once we understand that there is a human involved, we can identify whether it is the right human. So, is this Robert trying to log in to his online banking account, or is this a fraudster who happens to have stolen Robert’s credentials through some malware or other technique? Account takeover protection is really a core feature set of our product which is the gateway to other financial fraud when we talk about online transactions.
FB: Your solution takes advantage of a huge number of user metrics, you’ve mentioned a couple, and that creates a valuable user profile. Are there any privacy concerns you must consider with behavioral biometrics? Is there potential for push back from end users?
NuData: Any time you talk about evaluating consumer data, there is the possibility of push back. With NuDetect, the data points that we are collecting directly from consumers are non-personally identifiable information. So, we are not looking at social security numbers, we are not looking at dates of birth, we are not looking at static data points as far as our evaluation of the human and the human interaction. We are looking at the device that is coming in, we are looking at where it is coming from, we are looking for anomalies that we can detect within that device that might show that this device really isn’t what it says it is: it might say it is a MacBook Pro, but we know it is running on a Linux machine; we might think that it is running Safari, but in reality, it is running Chrome. That sort of analysis gets us started down the path of trying to understand the risks of this transaction.
We then look at behaviors. Is this session exhibiting behaviors that would make us think that it is not a normal customer session or not a normal session for Robert? We’ve looked at all the sessions across the given banking platform, and we know those that stand out as being anomalous. We can also do this based on the user. So, if Robert’s account is being accessed and his account is trying to transact in certain ways – we look to see if it matches previous behaviors we have seen in Robert’s account, and if it doesn’t, then it is suspicious. And then we start looking at the actual passive biometrics. This is actually looking at the consumer interactions themselves as they are trying to log in, or navigating pages and things like that. Here, we are looking specifically at things like typing cadence, typing accuracy and so forth. Did they type it with a backspace to correct something, that sort of thing? Think about the dwell time between sequences, how long does it take you to move your finger from the R to the O to the B and so forth. That is the dwell time between key clicks. And then we look at things like how much time the key is held down, so if I hit R – how many milliseconds is that R depressed before it’s released. That sort of data is very predictive as to whether I am actually involved in the transaction or not.
We can also analyze things like navigational patterns and behaviors. Humans have habits, they build them up over time and tend not to vary from those habits. So, when you think of someone interacting with the login page, as soon as it loads they grab the mouse, and they move the mouse over to the login field and start typing. But what do they do from there? Do they grab the mouse and go down to the password field? Or do they hit the tab key? Do they do something else? At the end of the page do they just hit enter, or use the mouse or keystrokes? If you look at customers’ behavior on those pages over and over you will see that there are tell-tale signs of their interaction and behaviors.
Then, we take all that data and can compare that data across other interactions even on other brands and sites. So, any site we are protecting their logins and their applications, we can look at data points across those customers to protect a common customer account across multiple sites. So, if I bank at Bank A and Bank B, and both are NuDetect customers, there are some aspects of my interactions that can be verified across both of those sites to verify that I am the right person logged in. All while not sharing our intelligence and data with either bank.
FB: As you described that Robert, it got me thinking back to one of your original comments which was about convenience and you know user privacy is obviously something that we all must consider in the biometric and identification field, but if the end consumer gets the feeling of security and ease of use and convenience then solutions like this are just gold for them because it allows them to proceed with confidence. And right now, it is not a confident situation where we hear about all these data breaches from very large organizations that shouldn’t be having them. What and who is protecting me? And it sounds like this is one of those solutions that really does provide that.
NuData: Yes, it strongly authenticates the consumer so that any interaction is tied back to the consumer, and those that aren’t can raise the appropriate level of review, investigation or interdiction to mitigate risk. At the end of the day, what that equals is safety for consumers and even in the face of massive data breaches where we see hundreds of millions of records being breached and stolen constantly, consumers should be not only aware that this is occurring but that they should also have an expectation that their data is out there. And so, if there are technologies like this that can tie their data to their natural physical interactions within that session, it makes them a lot safer than sites that don’t use such technologies and don’t have capabilities of tying that all together.
FB: Robert, thank you very much for taking the time to describe NuData’s NuDetect technology. I look forward to seeing you at some of the upcoming FinTech shows.
NuData: It has been my pleasure, Peter.