Tapping the Subconscious Will Deliver Better Online Fraud Protection





The number of high-profile data breaches last year was nothing short of historic – and shocking. Big-name retailers in particular were caught with their cyber security pants down. While it is their job to protect sensitive customer data, no IT team can prepare for all the attacks that come their way, whether in sheer volume or in new types. Malicious actors are endlessly clever, it seems, in devising new ways to steal data.


Oftentimes these cyber criminals are specifically looking for credit card numbers that could be reused on other e-commerce sites or sold to the highest bidder on the digital black market. While dealing in stolen financial data is still a lucrative endeavor, we are seeing a sea change in the value of another commodity: usernames and passwords. Because many people use the same credentials across multiple Web accounts, a cascading effect occurs if a hacker gets hold of those credentials. Suddenly, all those accounts can be accessed – including email accounts, if those credentials work for email as well.


What’s the best way to protect your user community? Current methods to validate users include sending an SMS message to a user’s cell phone and Knowledge-Based Authentication (KBA), in which users answer pre-defined questions (“What’s the name of your first pet?” “Where did you meet your spouse?” etc.). While these methods provide an added layer of protection, they also add customer friction, potential customer insult and lost conversions, all of which a business wants to avoid.


The new kid on the user authentication block skips personal questions and cell phone codes in favor of looking directly at the subconscious aspects of a user’s behavior. This grants insight into whether they really are who they claim to be. The approach is called subconscious metrics, and it looks at how a user functions at the most basic level – just below the level of awareness. In day-to-day life, this can be as simple as always putting on your left shoe first. When online, it’s more complex, like the speed at which you type your email address into a username field on a website. These experience-based data points are unique to the user and very difficult to mimic or forge. The collection of this data is 100 percent non-intrusive to the end user and gives you the ability to monitor, authenticate, verify and gain confidence in who your users are, all in real time.


Account takeover schemes abound in today’s crime-ridden online world, including Brute Force, Username Testing and Account Testing. For anyone trying to protect their Web or mobile user accounts from such schemes, the concept of subconscious metrics is an exciting one. If you can verify that the username and password entered are correct and also that the subconscious behavioral patterns match previous interactions, you can feel much more comfortable allowing that user to proceed. The opposite is true as well: if the user comes back with the correct username and password but the subconscious behavioral elements drastically differ from prior interactions, there is now powerful intelligence available to protect both the account holder and the overall brand.


Behavioral profiles can be composed based on hundreds of subconscious behavior measures, making it very difficult for a fraudster to impersonate a legitimate user. This allows us to determine that a change in a user’s behavior is not malicious, like using a computer instead of a smartphone, while still providing insight that a majority of the behavioral elements displayed by the user are accurate. Most of today’s authentication systems may have created customer friction based solely on a user logging on from a different device.


A recent research note by Gartner, Inc. security and privacy analyst Avivah Litan states, “The ultimate goal of OFD [online fraud detection] is: continuous behavioral profiling of users, accounts and entities.” A best practice for organizations looking for an authentication approach is to search for one that creates the most accurate behavioral, account and entity-profiling model available.


Authentication success comes from leveraging vast amounts of data to gain the best understanding of who is really responsible for a transaction. This is called complex behavioral biometrics. The subconscious aspects of this behavior elevate our strategy so firms have a powerful weapon to protect their community of users against dangerous attacks such as account takeover and identity theft – and do it absolutely passively.


Tapping the subconscious is the future of authentication for all properties looking to protect their user base. Mainstream use of continuous, unobtrusive authentication has begun.


Ryan Wilk is the director of customer success for NuData Security.


