Threat Management

Anti-fraud tech flags digital behaviors that don’t jibe with user’s stated age

Act your age, fraudsters, or you might just get caught by a newly launched user and entity behavioral analytics (UEBA) solution that flags anomalous digital activity that deviates from the typical norms of a user or account-holder’s age bracket. 

The technology, called Age Analysis from BioCatch, can be particularly useful in helping financial institutions and other businesses spot instances of stolen identities and account takeovers, especially when the scam is perpetrated against the elderly. For example, is the user typing unusually fast and efficiently for a senior citizen? Then perhaps someone is fraudulently impersonating one.

press release issued this week by the New York- and Tel Aviv, Israel-based firm reported that the solution is already being used by a major global credit card issuer, which had previously noticed that 40% of the fraudulent credit card applications it received were supposedly submitted by a person aged 60 or older.

Even the applications that were actually legitimate were likely to be flagged for manual review, which would drag out the time it took to process and approve such requests, resulting in higher than average cancellation rates among applicants who were 60 and above.

This finding by the credit card issuer is no aberration, noted Ayelet Biger-Levin, vice president of product strategy at BioCatch, in an interview with SC Media. It’s actually a trend facing many financial services providers. According to statistics gleaned from BioCatch’s client base, only about 10% of bank accounts are opened by people over 60, yet 40% of fraud targets them. Indeed, cybercriminals’ tendency to successfully target older victims became even more flagrant during the COVID-19 crisis, she noted.

“When it comes to the elderly population, what has changed with the pandemic is that … a large population that has not been using digital channels — that has been used to going to the bank — now had to go online if they wanted to access their bank account,” said Biger-Levin. “So this is a population that's not necessarily savvy when it comes to online activity, and there were some challenges with that.” Namely, some of these older users have been opening themselves up to phishing, identity theft and fraud, and not realizing when they fall victim to it. And this creates a trust issue among financial institutions, leading to the aforementioned manual and time-consuming validation process.

To combat this issue, companies can implement on UEBA solutions to look at user behavior and detect unusual deviations from normal patterns. Sometimes that means ingesting and analyzing data corresponding to a user’s past behavior, ensuring that this activity remains the same over time. But it can also mean comparing one individual’s behavior to other larger populations of people who all share similar attributes — like age range in the case of Age Analysis.

To evaluate an account holder’s physical and cognitive digital behavior and assess the likelihood that person is within five years of their stated age, BioCatch looks at roughly 100 data points, including length of time is takes for account holders to fill out their forms, users’ typing cadences, and how people click, swipe and touch their mobile devices, Biger-Levin explained. In doing so, the solution is looking for actions that are more akin to a cybercriminal than an older banking client.

“Typically cybercriminals are not in their 60s; they're typically younger, in their 20s in their 30s, maybe 40s,” said Biger-Levin. “So if we [can] say, ‘OK, you're entering data that belongs to someone who’s 70 — or maybe [even someone] very young — but based on how you behave, you resemble someone who's in their 30s,’ then you can definitely say, ‘OK, something is off here. We need to check that.’ But if it actually does fit — and also there are many, many other indicators that this is a good, legitimate application, [then] you can reduce those manual reviews.”

So how do the young and old differ exactly? There are a number of data points that serve as subtle age-based fraud indicators.

For starters, “as you age, you type slower,” said Biger-Levin. For example, if you hit the Shift key and then a letter to capitalize it, “the time from the Shift [key] to hit the letter increases by a few milliseconds every year over 40.”

Older users are also more likely to hold their handheld devices in such a manner that allows them to type with a single finger, rather using two thumbs. And “as you get older, the frequency of using landscape [device orientation] versus portrait increases over time,” Biger-Levin added.

Moreover, it should on average take longer for older users to type income information into their account applications, because they’re more likely to have higher income or multiple sources of income.

Therefore, someone typing and filling out forms quickly, using two thumbs, while in portrait orientation, might be indicative of a young fraudster impersonating an older person.

Of course, not every senior types slowly or uses portrait mode — so is it fair to profile older customers in this manner?

"It’s always possible to identify relevant findings within any data set based on whatever perspective a company chooses. Mathematically, we always want to find the equation that maintains the highest overall accuracy with the least number of variables necessary to determine those outcomes," said Armaan Mahbod, director of security and business intelligence at DTEX. But noting that humans are so varied and random in behavior, Mahbod said that an even more accurate determination of authentic user vs fraudster could be derived from also looking at additional basic data such as "ethnicity, location, housing, family, health condition, and so on."

Indeed, Biger-Levin said that companies can avoid succumbing to age bias by using Age Analysis in conjunction with other UEBA models to create a much more comprehensive picture of a user’s behaviors.

Despite the emphasis on elderly customers with this latest product announcement, financial institutions can also use BioCatch technology to protect against other kinds of fraud that tend to affect younger people, such as money mule scams, said Biger-Levin. “We’ve seen during the pandemic that there’s significant targeting of younger populations, between the ages of 21 and 30 … to become mule accounts,” she added.

The solution is not limited to financial services, either. “It could be telco, it could be health care, it could be anything that includes an online account," said Biger-Levin.

And there may be even be more opportunities in the future for companies to use current event trends to assess the likelihood of fraud. For instance, banks could look at the digital activity of customers and look for atypical behaviors to root out cybercriminals looking to commit stimulus fund fraud, Biger-Levin said.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.