Slowing Down Faster Payments Fraud

Fraudsters are good at what they do. Payments got faster, but so did criminals. Banks built more defenses, and bad guys jumped over them with glee. But Uri Rivner, BioCatch co-founder, head of cyber strategy and vice president, said in a recent webinar with PYMNTS’ Karen Webster that things are getting better — and the U.S. has a chance to learn from the U.K.’s mistakes.

Setting the Scene

Back in 2004, fraud was on the rise globally. Digital fraud was a new beast, and people didn’t know any better than to be tricked by phishing emails that today would raise red flags for even the most technologically illiterate consumers — sketchy email addresses, poor grammar and those classic sob stories from Nigerian princes, to name a few.

Banks decided to do something about all of that. By 2007, they had come up with Stronger Authentication featuring two-factor authentication. The process created a lot of friction, requiring a user to type his or her PIN, complete an on-screen challenge to receive a one-time code, and then feed that code into the page to complete a transaction. But it worked. In 2007, fraud losses decreased.

Then, in 2008, faster payments were introduced. As fraud losses tripled over the next three years, it became very clear that Stronger Authentication wasn’t strong enough. One-hundred percent of fraudulent transactions were coming from authenticated sessions. Somehow, criminals were getting around the multi-point authentication process to access customers’ accounts.

At first, they did so using malware. Why go to all the trouble of stealing data to enter yourself when you could get customers to do it for you? Once a user had authenticated his or her session, fraudsters would launch an automated script to complete the theft. A fake bank page would pop up asking for the user’s authenticating data, and because the process looked familiar to customers, they would enter their information willingly.

By 2011, banks had developed solutions to enough of the malware they were facing that fraudsters turned their efforts to other methods. Instead, they waited for money to move and targeted funds while they were in transit. Fraud losses did decrease that year, although they still remained much higher than the initial numbers from before the introduction of faster payments.

Then, criminals figured out how to install invisible Trojan viruses on remote computers. These could, without the user’s knowledge, relay information entered into forms on bank websites. With Trojans, fraudsters could watch users type usernames, passwords, credit card numbers, PINs, and CVV codes into sites that displayed all the visual markers of security — the correct URL address with the little green lock symbol beside it that indicates the session is secure.

They had come a long way from the sketchy phishing emails of the early aughts. Fraudsters hijacked millions of PCs using malware and Trojans, and the ironic part was that users were doing all the work for them. Phishing emails were effective less than 1 percent of the time even back in 2008, while malware was able to collect all the info a criminal could want through a phony web page 40 percent of the time.

But things were about to get worse. In 2014, anti-malware solutions managed to get on top of the malware threat just in time for criminals to figure out remote access transactions — RAT attacks. Fraud losses skyrocketed.

Once again, banks needed a new type of solution. That’s where BioCatch found its niche.

Catching the RATs

BioCatch uses behavioral biometrics to catch fraudsters where traditional methods are failing both to keep them out and to spot them once they’re in. This type of technology was introduced on a large scale in 2015, and most U.K. banks had it by 2016.

Behavioral biometrics looks for habits around user interaction so that, if a fraudulent transaction occurs, it will be easy to spot the differences — even if all the authenticating data lines up. Mouse and keyboard movements indicate a certain degree of hand-eye coordination and are therefore quite personalized, like a fingerprint, which is why “biometrics” is a good way to think of this kind of verification.

Does this user typically use the keyboard or mouse to select fields? Does she click or hit the Enter key to confirm information? How do users navigate between fields — tab or click? Do they scroll using the scroll bar, or perhaps a mouse wheel or touchpad? When he makes a typo, how does he fix it: backspace or delete, and does he tap the key or hold it? How does she move the cursor around the screen?

Banks can use behavioral biometrics to create a profile of each customer. Then they can determine whether a transaction really came from a customer, and even go beyond that to determine whether the activity was good or bad — i.e., whether the customer meant to conduct the transaction, whether malware on her device did it for her, or perhaps if a scammer was on the phone instructing her.

If, for instance, the map of cursor movements from a particular transaction looks broken and clunky, that can be a telltale sign of fraudulent activity. This is because fraudsters can encounter latency issues when controlling from overseas, or even from nearby using the internet.
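The "broken and clunky" cursor signal can be sketched as a comparison of a session's pointer steps against the customer's own baseline. This is an added example, not BioCatch's method or code from the webinar; the `(t_ms, x, y)` sample format, the `factor` and `threshold` values and all sample data are assumptions constructed for illustration.

```python
import math
from statistics import median

def steps(samples):
    """Turn (t_ms, x, y) pointer samples into (dt_ms, distance_px) steps."""
    return [(t1 - t0, math.hypot(x1 - x0, y1 - y0))
            for (t0, x0, y0), (t1, x1, y1) in zip(samples, samples[1:])]

def build_profile(sessions):
    """Baseline cadence and step size from a customer's earlier sessions."""
    all_steps = [s for session in sessions for s in steps(session)]
    return {"dt": median(dt for dt, _ in all_steps),
            "dist": median(d for _, d in all_steps)}

def broken_ratio(samples, profile, factor=4.0):
    """Fraction of steps that stall, then jump, relative to the baseline.

    factor is an assumed tuning value, not a vendor threshold.
    """
    st = steps(samples)
    broken = sum(1 for dt, d in st
                 if dt > factor * profile["dt"] and d > factor * profile["dist"])
    return broken / len(st) if st else 0.0

def is_suspicious(samples, profile, threshold=0.3):
    """Flag a session when enough of its movement looks broken (assumed cutoff)."""
    return broken_ratio(samples, profile) >= threshold

# Constructed data: two smooth local sessions sampled every 16 ms.
BASELINE_SESSIONS = [
    [(i * 16, 100 + 5 * i, 200 + 3 * i) for i in range(40)],
    [(i * 16, 400 - 4 * i, 50 + 4 * i) for i in range(40)],
]

def make_laggy_session():
    """Constructed data: every other step is a 150 ms stall and a 60 px jump."""
    t, x, out = 0, 100, [(0, 100, 200)]
    for i in range(20):
        dt, dx = (150, 60) if i % 2 == 0 else (16, 5)
        t, x = t + dt, x + dx
        out.append((t, x, 200))
    return out

PROFILE = build_profile(BASELINE_SESSIONS)
LAGGY_SESSION = make_laggy_session()

if __name__ == "__main__":
    for name, s in [("baseline", BASELINE_SESSIONS[0]), ("laggy", LAGGY_SESSION)]:
        print(name, round(broken_ratio(s, PROFILE), 2), is_suspicious(s, PROFILE))
```

A single timing feature like this would be one input among many; the article's other signals (field navigation, typo correction, scrolling habits) would each need their own features.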

Rivner gave one example of a large transaction in a customer’s account that looked suspicious — not due to anything out of order with the authentication or process, nor the location or IP address from which the transaction originated, but simply due to the amount. Sure enough, looking at a map of cursor movements showed uncharacteristic activity, including the telltale broken hand-eye coordination.

In another instance, a customer received a phony call from a service provider asking for a fee payment. She sent the money and soon after got another phone call — this one allegedly from her bank — stating the first transaction had been fraudulent and she would need to transfer her funds to a new account for security. She was instructed to transfer her funds in chunks of $50,000 at a time. But when she did so, the money was actually being deposited into a fraudster’s fake account.

Using behavioral biometrics, the bank was able to see that, despite all the authentication data checking out, the customer’s behavior had been uncharacteristic during that transaction, including “doodling” with the cursor between transactions.

A Happy Ending?

Rivner said the industry recovered from remote access fraud in 2016 when behavioral biometrics was introduced. That year, fraud losses dropped by 24 percent. The situation is still improving, he said, but banks and customers should always remain wary — because fraudsters are smart, and eventually they’ll find their way around this, too.