The power of the subconscious to protect against online fraud
Ryan Wilk, director of customer success, NuData Security
Experts estimate that a billion data records were stolen in 2014 as a result of the tidal wave of data breaches that hit organizations across all industries. Retailers were hit particularly hard, leaving consumers skeptical about the ability of even the big brands to keep their identities and financial information safe. While these brands had implemented security strategies, they clearly weren't enough.
Malicious actors are endlessly clever, it seems, in devising new ways to steal data. These cybercriminals often are specifically looking for credit card numbers that can be reused on other e-commerce sites or sold to the highest bidder on the digital black market. While dealing in stolen financial data is still a lucrative endeavor, a shift is occurring in the value of another commodity: usernames and passwords. Because many people use the same credentials across multiple Web accounts, a cascading effect occurs if a hacker gets hold of those credentials. Suddenly, all those accounts can be accessed – including emails accounts, if those credentials work for email as well.
It can be difficult to determine the best form of protection for users. Popular user authentication methods include sending an SMS message to a user's cell phone and Knowledge Based Authentication (KBAs), in which users answer pre-defined questions (“What's the name of your first pet?” “Where did you meet your spouse?” etc.) While these methods provide an added layer of protection, they also add customer friction, potential customer insult and lost conversions, all of which a business wants to avoid.
A new method has begun to gain prominence, one that avoids customer friction because customers never know it's taking place. This method studies the subconscious aspects of a user's behavior, which grants insight into whether users really are who they claim to be. This is called subconscious metrics, and they look at how a user functions at the most basic level – just below the level of awareness. In day-to-day life, this can be as simple as always putting on your left shoe first. When online, it's more complex, like the speed you type your email address into a username field on a website. These experience-based data points are unique to the user and very difficult to mimic or forge. The collection of this data is 100 percent non-intrusive to the end user and gives you the ability to monitor, authenticate, verify and gain confidence in who your users are, all in real time.
Taking over accounts has become a favored ploy among cybercriminals, so for anyone trying to protect their Web or mobile user accounts from such schemes, including the concept of subconscious metrics is an exciting one. If you can verify that the username and password entered are correct and also that the subconscious behavioral patterns match previous interactions, you can feel much more comfortable allowing that user to proceed. The opposite is true as well; if the user comes back with the correct username and password but the subconscious behavioral elements drastically differ from prior interactions, there is now powerful intelligence available to protect both the account holder and the overall brand.
Thanks to this intelligence, it takes a whole lot more now that a username and password for a fraudster to successful mimic a legitimate user. Behavioral profiles can be composed based on hundreds of subconscious behavior measures. This allows us to determine that a change in a user's behavior is not malicious, like using a computer instead of a smartphone, while still providing insight that a majority of the behavioral elements displayed by the user are accurate. Most of today's authentication systems may have created customer friction based solely on a user logging on from a different device.
Security and privacy experts understand that the role of online fraud detection (OFD) is changing. Gartner analyst Avivah Litan recently wrote, “The ultimate goal of OFD is: continuous behavioral profiling of users, accounts and entities.” A best practice for organizations looking for an authentication approach is to search for one that creates the most accurate behavioral, account and entity-profiling model available.
When huge quantities of data can be accumulated and analyzed, validating users becomes highly accurate and the incidence of fraud is reduced. This is complex behavioral biometrics at its best, and it leads to authentication success. The fact that the behaviors being measured are subconscious is what makes this form of OFD so powerful. This new tactic safeguards users with a passive, behind-the-scenes method from account takeover and identity theft.Complex behavioral analysis for OFD is biometrics at its best. Monitoring and analyzing the subconscious actions of users is a dynamic way for organizations to authenticate users and protect both users and the organization's reputation and finances.