Hackers seem to have perfected the ability to nab your online-shopping passwords. But, so far, they haven’t found a way to learn the cadence with which you type them.
Retailers, and the cybersecurity companies that help them, are increasingly turning to invisible indicators known as behavioral biometrics to fight e-commerce fraud. Behavioral biometrics are behind-the-scenes gauges, such as typing speed, swipe patterns and phone angles, that are unique to us.
The standoff between retailers and fraudsters has heightened as more commerce has moved online during the pandemic. About 90% of payment fraud now happens through so-called card-not-present transactions — mainly online transactions — up from 75% prior to the pandemic, said Chris Reid, Mastercard’s executive vice president for identity solutions.
The goal of behavioral biometrics is not only to thwart fraudulent activity, but also to create a safer consumer shopping experience for legitimate customers without making people spend their time solving puzzles or answering security questions to verify their identities. Retailers worry that hurdles like one-time passcodes can frustrate true customers enough to make them abandon their shopping carts and head to a rival site.
“What we’re really looking to do is replace the password with the person,” said Reid.
Passwords represent a major vulnerability in the security chain, especially as consumers are likely to reuse account information from site to site. Many username and password combinations have been exposed through data breaches, and bots can test those combinations rapidly to determine which still work, according to David Mattei, a strategic advisor at market-research firm Aite-Novarica Group. One fraud executive at a large financial institution told him that his bank sees 10 malicious login attempts for each good one.
Eventually, behavioral biometrics could work alongside traditional biometrics to eliminate the need for passwords altogether, according to some in the industry.
“I definitely see a passwordless future,” said Signifyd co-founder Michael Liberty, whose company uses behavioral biometrics as part of its e-commerce-fraud services.
Breaking down the tech
Behavioral biometrics have key advantages, according to Liberty. For one, indicators such as how long you linger on a given key when typing in your email address are “otherwise meaningless to a person.” They’re also passive, so consumers can authenticate themselves simply by going through all the normal steps when they check out.
The technology is one way that companies are trying to build the same sort of customer familiarity in the digital world that exists in the physical world, Mastercard’s Reid explained, noting that you might receive speedier service once you become well-known at your local coffee shop. Behavioral biometrics can help build knowledge of customers’ digital patterns so that legitimate shoppers can avoid stumbling through Captcha codes before making their purchases.
Fraud is big business to bad actors, but no more than 1% of transactions actually result in fraud, according to Mattei. He sees promise in behavioral biometric technology for businesses looking to enhance and protect the consumer experience for the more than 99% of shoppers who are making legitimate purchases.
“If a large percentage of transactions are good, why throw up a lot of security roadblocks and compromise that user experience?” Mattei said. Companies could instead try to “keep it as smooth and clear as possible.”
While merchants don’t want to let fraudulent transactions through, they risk losing customers for good if their models decline too many legitimate buyers.
Still, the stakes are higher than ever for retailers, as the average value of attempted fraudulent purchases increased by 69% last year while the amount of money spent by online shoppers almost doubled, according to research from Sift, an antifraud company that uses behavioral biometrics in its offering.
Fraudsters “are not just getting more bites of the apple but taking bigger bites,” said Jeff Sakasegawa, Sift’s trust and safety architect.
It’s a costly problem for merchants, who just “spent all this money on promotions attracting new buyers” during the pandemic only for some of them to be “known fraudsters,” said Colin Sims, chief operating officer of fraud-detection company Forter.
For every dollar lost to fraud in the beginning part of 2020, merchants incurred $3.36 in costs around merchandise replacement, fees and more, according to research from LexisNexis. That was up from $3.13 in 2019 and $2.40 in 2016.
Solving a puzzle
The application of behavioral biometrics in practice goes beyond simply measuring whether someone types in an account password at a consistent speed, as companies are looking to synthesize thousands of signals with artificial intelligence.
The way people interact with return policies is one indicator that antifraud companies can examine when trying to determine if a buyer is legitimate, noted Signifyd’s Liberty, but the nuances of customer behavior there show why looking at just one data point isn’t enough.
That someone is viewing a company’s return policy suggests the shopper is considering the possibility of returning an item later, and it’s “unusual that a fraudster would have that intent,” he said.
But in other cases, fraudsters might be trying to take advantage of policies, such as by falsely claiming that orders never arrived or returning knock-off goods and keeping the real items, part of a pattern of customer abuse that Signifyd estimates costs retailers $15 billion annually.
“Our goal is to capture as much detail of the user behavior as possible” using “thousands and thousands of different data points,” Liberty continued.
Companies are trying to get at the root of human behavior online, which is helpful in the many cases where a customer is new to a particular website. Businesses might not have information about how that specific user enters account information, but they have a sense about typical human psychology on the web.
“Often fraudsters will operate in a way that’s not really human,” said Sakasegawa, offering that a normal consumer might add and subtract items from a food-delivery menu before checking out, while a fraudster could load up quickly on the most expensive items.
Borrowing from banking
Behavioral biometrics are newer in the e-commerce world after finding applications in the banking industry, according to Akif Khan, an analyst at Gartner who focuses on payment fraud.
Account takeover represents an issue in e-commerce just as it does in banking, especially now that people are creating more accounts and reusing passwords across different sites.
Fraudsters “will do everything they can to strip value out of the account,” whether it’s by stealing loyalty points or draining a PayPal account of its funds, said Signifyd’s Liberty. Given the threat of account compromises, companies like Signifyd “have to return to other signals to authenticate the user.”
The e-commerce experience also presents a series of challenges that don’t exist in banking, Gartner’s Khan noted, including that consumers are often making new accounts with retailers or conducting guest checkouts. With bank accounts, customers have usually logged into their accounts many times before and banks understand their login patterns. E-commerce companies might not have that familiarity with shoppers, which creates opportunities for fraudsters.
“You understand your legitimate users very well but what you’re trying to detect is outside your data set,” Forter’s Sims said. “You really have to peel back the intentions and dig into the narrative that customers are weaving with their behavior and reputation to find out if they’re a legitimate buyer or not.”
Another problem is that retailers and their financial-services partners have to communicate with one another while making nearly instantaneous decisions about whether to allow a given purchase.
Even if fraudsters are able to get into someone’s bank account with stolen credentials, it takes some time before they are able to execute anything malicious. Payments, on the other hand, “have to be real-time,” said Mark Nelson, the senior vice president of product and solutions at Visa Europe. “You have a second.”
Visa has run pilots around behavioral biometrics in Europe, leveraging the fact that consumer devices collect behavioral data points that one of the company’s partners can access through application programming interfaces, or APIs. In thinking about the potential for behavioral biometrics to enter the “payment flow,” Nelson sees an opportunity for Visa to “facilitate the data transfer,” helping translate behavioral data from a user’s device and get that information to the banks that issue credit cards.
Moving it forward
Behavioral biometric indicators are currently used in conjunction with other means of authentication and could help augment better-known technologies, according to Tempestt Neal, a professor at the University of South Florida who focuses on cyber identity and behavioral research.
She sees room for “a reduction in bias compared to physical biometrics,” noting that behavioral biometrics don’t rely on information like a user’s race or gender, “which can cause the system to fail if not trained properly.”
Visa’s Nelson posits that the technology could play a more significant role in cases where more traditional biometrics prove less reliable, giving the example of a fingerprint sensor that doesn’t work properly in the rain or a facial scan that can’t recognize the user behind a mask.
“You could have behavioral biometrics in there and it could see when you have a mask on” but that you’re also holding the phone the way you normally do and walking at the same level above the ground, he said.
Though behavioral biometrics are becoming a bigger part of the antifraud conversation, there are still questions about how far they can go.
The technology is still “on the margins,” in the view of Forter’s Sims, whose company is trying to understand the context behind a transaction and beyond any one data point. Context is “the secret sauce, and it requires a deep understanding of purchasing behavior, fraud methods, and visibility across merchants and verticals,” he said.
Sims sees “a fine line between behavioral biometrics and consistent behavior.” Whether someone using a ride-sharing service takes a trip on a familiar route might be behavioral, but in his view it’s not a behavioral biometric by a strict definition.
Others are more upbeat about the technology’s promise, including Signifyd’s Liberty, who views behavioral biometrics as a crucial key to eliminating passwords and strengthening the security chain.
Traditional biometrics can help authenticate a user in lieu of a password, but even as that technology improves, Liberty expects that the behavioral aspect will play a crucial role as well. It’s important to make sure that the person binding his face or fingerprint to a payment instrument is the correct person, for example.
Passwords are “the most vulnerable part of the security hierarchy,” he said. “We’re on the cusp of being able to authenticate people without them, but that doesn’t necessarily mean there’s no knowledge involved.”