BioCatch – Behavioral Biometrics for Fraud Detection

Can you imagine traveling to the U.S. as a citizen of a foreign country and being delayed at the airport because of who you are? Having to subject yourself to additional questioning, be looked at as if you were some kind of a freak show, being discriminated against all because of some oppressive circumstance that you cannot help? We’re talking of course about adermatoglyphia, a rare genetic disorder that results in certain people not having thumbprints. As it turns out, the thumbprint isn’t the only way your fingers can identify who you are. No, it’s not the shape of your hand or fingers but rather the way that you type. That’s right. The method you use to type on your computer can actually be used to identify you. We found that to be such a fascinating piece of information that we just had to dig into it a little deeper. One startup, BioCatch, is doing very well in the “behavioral biometrics” space.

About BioCatch

Founded in 2011, Israeli startup BioCatch has taken in $11.6 million in funding so far to develop a very unique “behavioral biometrics” platform that goes about detecting fraud in some pretty clever ways. We first came across this interesting startup over the weekend while researching the various types of biometrics in use today.

Update 04/16/2020: BioCatch has raised $145 million in funding to enter new verticals beyond the financial services world. This brings the company’s total funding to $186.6 million to date.  

Before we go digging into BioCatch’s technology, we first need an idea of the sorts of problems that might require some extraordinary methods to detect.

• One problem that software vendors face is that people share login credentials. For example, they may purchase a single license for a cloud-based software solution but then they share the login so that multiple people on a team can use it. We’ve never done anything like that with our image vendor before. Promise.
• “Phishing” is that annoying Indian South Asian guy that tells you he’s from Microsoft and starts asking for personal information. Anytime someone gets you to give them personal information that they then use against you, that’s called “phishing”. Over 466,000 phishing sites were recorded in Q2 2016.
• Someone who gets your credentials can then empty your bank accounts. 68% of funds lost in such “cyberattacks” are never recovered.

Here’s a look at the sort of sophisticated scams that are operated today which are nearly impossible to detect using traditional methods:

If you have older parents, you damn well better warn them about such scams because they are very compelling and are happening frequently all over the United States. In one case we observed ourselves, a scammer with perfect English called Grandma claiming to be “her grandson Johnny” and started rattling off information about relatives that they presumable found on Facebook. Of course the scammer knew that Johnny was traveling in Europe because Johnny is stupid enough to plaster his entire life on Facebook. Of course “Johnny” was in trouble for something and needed Grandma to “wire money” because he was embarrassed to bring it up to his dad. Fortunately Grandma told him to fcuk off. Can you believe that? That is a very sophisticated type of scam and evidence that we need more technologies like BioCatch.

In order to solve these problems, BioCatch came up with a solution that can be integrated with a simple bit of JavaScript on your website. BioCatch collects and analyzes over 500 traits including hand-eye coordination, pressure, hand tremors, navigation, scrolling and other finger movements, etc. To create the user profile, the system then uses artificial intelligence (AI) (machine learning to be specific) to detect the parameters that you exhibit most strongly, those parameters for which you do not behave like the rest of the population. Each person’s “cognitive signature” is made up of different unique parameters and can be linked across devices. Here are some examples of “traits” that make up your cognitive signature:

Now that BioCatch has your profile information, they can then setup an “Invisible Challenge”. In the above example, the user is choosing dates from a “spinning wheel” date selector which requires the user to use a unique set of gestures in order to select the date:

The next time you see one of those, don’t panic and act differently because you’re probably being tested as part of an “invisible challenge”. If multiple “invisible challenges” are failed consecutively, it’s probably pretty certain that someone else is logged in as you. While this can protect you from someone who “phished” your credentials, you can also easily see how this can be used to detect shared logins. This is called “frictionless” because it doesn’t require you to do stuff like “check your SMS and enter a 6 digit code” and referred to as “continuous authentication” because it is constantly happening behind the scenes.

Check this out. Let’s say you’re on a website and then BioCatch makes the cursor disappear. We’ve all had that happen right. Well guess what? Instinctively when that cursor disappears, it doesn’t matter who you are, you’re going to do a certain little wiggle with the mouse to get it back. How fascinating is it that every single one of us has our own unique little wiggle, just like the people you see below?

How accurate are these techniques? The false error rate for the BioCatch behavior detection algorithms is just 1% and of those false errors, BioCatch can detect 95% of them. While intuitively it’s hard to believe this thing is that accurate, remember this. You don’t need to use the software to identify one person out of 100,000 like you may have to do with DNA in a criminal case. Instead, you only need to compare two biometric signatures – the one that’s logged in at the moment and the one you have on file. If you have multiple people in the same household using the same accounts, the system is quick to pick up on that.

Another innovative offering by BioCatch is software that can detect people who are setting up a new account. Usually this is the same South Asian guy who was trying to “phish” you and he’s learned from his mates how to open as many new accounts as possible. Therein lies his downfall, as the software can detect the following:

• Someone who is overly familiar with the new account creation process – you can tell just based on how quickly they click through the fields or pages.
• A proficiency with keyboard shortcuts and function keys that you wouldn’t see with real users.
• “Cut and paste” data entry for values that would be intuitive to a legitimate user.
• Someone who pauses too long before inputting a birth date or their address is probably looking it up from somewhere other than long term memory

So just how well does this stuff work? Extremely well. One UK bank reported a 99% reduction of fraud in one channel following a BioCatch implementation and as of 2015, at least 35 million banking customers were under the watchful guard of BioCatch software. Even though this amazing technology is covered with over 40 patents, there are still other startups that want to play in this space too.

We’re being a bit ethnocentric by making a U.S. startup the focus of this article when there’s a Swedish startup doing much the same thing as BioCatch. Stockholm startup BehavioSec has taken in $8.2 million in funding to develop their behavioral biometrics platform which is already handling billions of transactions. In a pilot trial with Danske Bank, they identified imposters in 99.7% of cases. While BehavioSec looks like a formidable competitor, they’re not the only one. Another startup called Zighra took in $1 million in seed funding in December of last year to analyze behavioral patterns on smart phones. This Ottawa based startup managed to land a pilot project with Barclays, and frankly we’re a bit surprised that every bank hasn’t adopted something like this yet. Any of the three companies we’ve talked about in this article shouldn’t have a problem finding a successful exit via acquisition given how effective behavioral biometrics appears to be.

Conclusion

Outside of authentication, you can easily see how this might be integrated into the corporate world, not only in the context of external cyber threats, but also just as part of your work profile. Your actions may go to a special place for review if you try to pretend you’re someone you’re not. The same AI algorithm that is then used to fire you will then tell all its robot friends in recruiting what you did and you’ll never work in the industry again. Be forewarned.

Leave a Reply Cancel reply

Your email address will not be published.

Comment

Name

Email

Save my name, email, and website in this browser for the next time I comment.

Δ

1. I’m just wondering if you have looked at a Canadian company called: 3D Signatures inc. (DXD-TSX.V) headed by Sabine Mai-one of U of Manitoba’s “Canada’s most powerful women” awarded female scientist. Its about analysis of response to therapies (mainly drug) on cancer cells with the goal of providing efficient tailoring of effective treatment.

   Reply