Want Better Online Fraud Protection? Delve into the Subconscious

Featured Article By Ryan Wilk, Director of Customer Success, NuData Security

2014 will surely go down in the history books as the “Year of the Data Breach.” Hundreds of millions of records, including PII (personally identifiable information), were stolen – the consequences of which may ripple out for years to come. These consequences include not only the credit and identity monitoring that affected individuals must undertake but the good faith of those individuals toward the companies that suffered breaches.

No IT team can prepare for all of the various types and volumes of attacks that come their way. Cyber criminals are increasingly sophisticated at creating new ways to steal data. They are often specifically looking for credit card numbers that can be reused on other e-commerce sites or sold to the highest black market bidder. While dealing in stolen financial data is still a moneymaker, we are seeing a shift in the value of another commodity: usernames and passwords. Because many people use the same credentials across multiple Web accounts, a cascading effect occurs if a hacker gets hold of those credentials. Suddenly, all those accounts can be accessed – including email accounts, if those credentials work for email as well.

It’s an organization’s responsibility to protect its user community, and there are a variety of current validation methods. You can send an SMS message to a user’s cell phone or use Knowledge Based Authentication (KBAs), in which users answer pre-defined questions (“What’s your favorite book?” “What color was your first car?” etc.). While these methods provide an added layer of protection, they also add customer friction, potential customer insult and lost conversions, all of which a business wants to avoid.

A newer authentication method bypasses the above-mentioned tactics and goes deeper, looking directly at the subconscious aspects of a user’s behavior. This grants insight into whether they really are who they claim to be. This is called subconscious metrics, and they look at how a user functions at the most basic level – just below the level of awareness. In day-to-day life, this can be as simple as always putting on your left shoe first. When online, it’s more complex, like the speed you type your email address into a username field on a website. These experienced-based data points are unique to the user and very difficult to mimic or forge. The collection of this data is 100 percent non-intrusive to the end user and gives you the ability to monitor, authenticate, verify and gain confidence in who your users are, all in real time.

An identity theft ploy that’s gaining popularity lately is account takeover. Methods include Username Testing, Account Testing and Force. For anyone trying to protect their Web or mobile user accounts from such schemes, including, the concept of subconscious metrics is an exciting one. If you can verify that the username and password entered are correct and also that the subconscious behavioral patterns match previous interactions, you can feel much more comfortable allowing that user to proceed. The opposite is true as well; if the user comes back with the correct username and password but the subconscious behavioral elements drastically differ from prior interactions, there is now powerful intelligence available to protect both the account holder and the overall brand.

Hundreds of subconscious measures of behavior can be used to create behavioral profiles, making it very difficult for a fraudster to impersonate a legitimate user. This allows us to determine that a change in a user’s behavior is not malicious, like using a computer instead of a smart phone, while still providing insight that a majority of the behavioral elements displayed by the user are accurate. Most of today’s authentication systems may have created customer friction based solely on a user logging on from a different device.

“The ultimate goal of OFD [online fraud detection] is: continuous behavioral profiling of users, accounts and entities,” Avivah Litan, a Gartner, Inc. security and privacy analyst, recently wrote in a research note, A best practice for organizations looking for an authentication approach is to search for one that creates the most accurate behavioral, account and entity-profiling model available.

Complex behavioral biometrics is the new standard in online fraud detection: leveraging vast amounts of data to gain the best understanding of who is really responsible for a transaction. Fraudsters can steal or buy online credentials, but they cannot mimic their victims’ subconscious behavior patterns. Organizations that use this level of information possess a passive yet powerful defensive weapon to safeguard their user communities against today’s identity theft and account takeover schemes.