Biometrics alone will not win the fight against fraud

Written on March 17, 2016 in Opinion

Our eye was recently caught by a story that said biometrics is not enough in the fight against fraud, and we accepted an invitation to talk to Ryan Wilk (RW), VP of Customer Success at NuData Security.

DisruptiveViews (DV): Ryan, thank you for talking to us today. Perhaps you could start with a little background about your approach to biometrics and fraud.

RW: Absolutely. It is important to say that we are talking about passive biometrics, and what we do is help banks and ecommerce companies really understand their customers' behaviour. The problem is that with the amount of data out there, and the variety of it, the information becomes more and more difficult to manage, more dangerous. For instance, in the Office of Personnel hack last year, the perpetrators stole a large number of fingerprints as well as everything else.

What we did was take a look beyond the one touch point approach and ask the question, ‘who is the person sitting behind the machine, who is the person reacting with your environment?’ We brought together the behaviour and identity of that user and the multiple different layers of information that make up that user. We work on passive biometrics to work out how the person is reacting with the machine. This means how they type, if they use their right hand, left hand, how they hold their device, do they type with one thumb or two. Then we aggregate that information, so when there is a return user you can go back and see if it really is who they say it is when they enter username and password.

DV: An interesting approach. Can hackers really use fingerprints?

RW: That is what makes that hack dangerous. They have the fingerprints of high-ranking employees, including people in the military. It is actually pretty easy to replicate fingerprints and fool fingerprint readers on iPhones and Android devices. Voice prints can also be replicated. All of those mechanisms are what we call active biometrics. The passive biometrics realm is how you interact with something and more difficult to fake.

DV: So, you are saying that there is no one touch point solution to fraud, and that building up a profile and knowing who should be behind the device is key.

RW: Our view is that with a single touch point it is very difficult to work out who the person is. Faces can be identified physically, in the bank, for instance, but online it is much more difficult. We look at four different layers – the device, the behaviour, how the user is interacting compared to his last visit, compared to others, and has the user’s behaviour deviated. With that unique profile we can build a probability score. We run the largest behavioural network in the world to do this.

DV: You said ‘our behavioural network.’ Does that mean you run your system on top of others? How does that work?

RW: It’s a Software as a Service (SaaS) offering. We integrate code into a browser or native app. Then we collect information as users log in or check out, then feed real-time results back to our customers. In 2015, we tracked 40 billion user events and we will do 90 billion this year.

DV: What do you see as real fraud challenges currently?

RW: It’s a question of how dangerous data has become. In 2015, 700 million records were exposed. Companies are at real risk. It is very easy to go onto the dark web and get a ‘Fullz’, a set of data about you. Then you can set up a new current account, a new credit card account. The issue is, how does the bank or ecommerce site know it is you or not? Traditional credit card fraud is becoming tedious and cards lose their value really quickly. You can buy credit card information for about 22 cents now, so the transition to ‘account take over’ is becoming more lucrative. A PayPal account is worth about $6, a Facebook account about $3. The new trend is new account creation, or financial identity fraud.

DV: We have read, actually we have published, several stories about ransomware becoming a trend. Do you agree with that?

RW: It’s another risk, similar to malware, or stealing a password. The difference is that it is right in your face, ‘send us a cheque or we lock out your files.’ Overall, people need to become more careful what they do online. But ransomware is just another new tactic. It is a fad. The thing is they want to make money and skimming banking credentials and using the account is easier than trying to get a cheque off someone.

DV: We also read, and this is the other end of the spectrum, that there is a video – a step by step guide, on YouTube, on how to set up a SIM box fraud operation. So I guess we have low tech risks as well.

RW: I am not surprised, it is amazing what is out there. Let’s face it, it is amazing how many people still send bank account details to Nigerian Princesses.

DV: Too true. Ryan, thank you for talking to us today.

RW: A pleasure, thank you.


About the Author

Alex was Founder and CEO of the Global Billing Association (GBA), a trade body focused on the communications sector. He is a sought-after speaker and chairman at leading industry conferences, and is widely published in communications magazines around the world. Until it closed, he was Contributing Editor, OSS/BSS for Connected Planet. He is publisher of DisruptiveViews and previously BillingViews.
