Can continuous authentication counter rising cybercrime?

The wave of cybercrime keeps rising. It is the second most reported economic crime globally, according to PwC research (though many incidents go unreported). It has already affected 32% of organisations – some with million-dollar losses – and there is a wide degree of unpreparedness, the research says.

According to Europol, online fraud – one of the most common types of cybercrime – could now be the most common crime in many countries. The volume, scope and costs to business and individuals are set to keep rising, warns the enforcement agency.
Behavioural biometrics is an emerging countermeasure to these crimes and is increasingly popular among financial services firms. The technology has developed rapidly in the last few years and can now measure a huge number of idiosyncratic traits that identify genuine users and help detect suspicious behaviour.

Multi-factor logins ‘insufficient’

Most online financial services accounts ask users for multiple authentication factors – such as email, PIN, password and security numbers – when logging in.

But biometrics firms such as Biocatch claim these authentication processes are increasingly insufficient because criminals are finding ways to bypass them.

Frances Zelazny, VP marketing for Biocatch, says 100% of the frauds her system catches have already been through multi-factor authentication because, for example, the identities have been stolen or fabricated.

Using a process called continuous authentication, Biocatch uses biometrics to look beyond the login to continually measure and test whether the user is genuine while they use the application.

‘It uses more than 500 parameters around the way a person interacts with a device or application,’ she explains. ‘These include the way you type; scroll; toggle; and use shortcuts. It also includes the pressure you use; the way you hold the phone or tablet; if you have a hand tremor; and right or left-handedness…’

The software then identifies the 20 parameters from those 500 that are most distinctive to the individual to create a unique profile. A further step is to test users’ idiosyncratic reactions to small, imperceptible events, such as when the cursor disappears temporarily.

‘We have 10 invisible tests but are discovering and adding more all the time,’ adds Zelazny.

‘Because nobody knows what their 20 parameters are, nor when they are being tested, there is no way the profile can be copied. This makes it almost unbreakable.

‘The invisible tests also help detect malware and robotic activity used by fraudsters. That means we don’t need to keep malware libraries, which is a “game-changer” in cyber security.’
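The profile-building and session-scoring idea described above (pick the parameters most distinctive to one user, then test every live session against that profile), scaled down to a handful of named parameters with constructed data. This is an added illustration, not Biocatch's code; the parameter names, population statistics, z-score ranking and thresholds are all assumptions.

```python
"""Toy continuous-authentication scorer (constructed example, not BioCatch's algorithm)."""
from statistics import mean, pstdev

# Constructed population baseline: (mean, std) per behavioural parameter across all users.
POPULATION = {
    "typing_interval_ms": (180.0, 40.0), "scroll_speed_px_s": (900.0, 300.0),
    "tap_pressure": (0.50, 0.12),        "device_tilt_deg": (15.0, 8.0),
    "shortcut_rate": (0.10, 0.10),       "cursor_lost_react_ms": (420.0, 120.0),
}

# Constructed enrolment sessions for one genuine user (one dict per session).
ENROLMENT = [
    {"typing_interval_ms": 118, "scroll_speed_px_s": 950, "tap_pressure": 0.82,
     "device_tilt_deg": 16, "shortcut_rate": 0.62, "cursor_lost_react_ms": 210},
    {"typing_interval_ms": 124, "scroll_speed_px_s": 880, "tap_pressure": 0.79,
     "device_tilt_deg": 13, "shortcut_rate": 0.58, "cursor_lost_react_ms": 230},
    {"typing_interval_ms": 121, "scroll_speed_px_s": 1010, "tap_pressure": 0.85,
     "device_tilt_deg": 17, "shortcut_rate": 0.65, "cursor_lost_react_ms": 220},
]

def select_distinctive(sessions, population, k):
    """Rank parameters by how far the user's mean sits from the population mean
    (in population std units) and keep the k most distinctive ones."""
    scores = {}
    for name, (pop_mean, pop_std) in population.items():
        user_mean = mean(s[name] for s in sessions)
        scores[name] = abs(user_mean - pop_mean) / pop_std
    return sorted(scores, key=scores.get, reverse=True)[:k]

def build_profile(sessions, selected):
    """Per-parameter (mean, std) over enrolment sessions; std is floored so a
    perfectly consistent user never causes a division by zero."""
    profile = {}
    for name in selected:
        vals = [s[name] for s in sessions]
        profile[name] = (mean(vals), max(pstdev(vals), 1e-6))
    return profile

def session_score(profile, observation, tolerance=3.0):
    """Fraction of profiled parameters where the live observation deviates from
    the user's own mean by more than `tolerance` user-stds."""
    flagged = sum(1 for name, (m, sd) in profile.items()
                  if abs(observation[name] - m) / sd > tolerance)
    return flagged / len(profile)

def assess(profile, observation, alert_at=0.5):
    """Flag for review when at least half the distinctive parameters look foreign."""
    return "review" if session_score(profile, observation) >= alert_at else "genuine"

if __name__ == "__main__":
    sel = select_distinctive(ENROLMENT, POPULATION, k=3)
    prof = build_profile(ENROLMENT, sel)
    live = {"shortcut_rate": 0.10, "tap_pressure": 0.50, "cursor_lost_react_ms": 420}
    print(sel, assess(prof, live))  # constructed population-average session on this account
```

The `alert_at` threshold is where the false-alarm trade-off the article discusses lives: a single deviating parameter (a stressed but genuine user) stays below it, while a session that matches the population rather than the account holder trips it.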

Zelazny says the software can still work with ‘guest logins’ where there is no user profile, as it uses machine learning to detect many different types of potentially suspicious activities.

Continuous authentication is not a replacement for multi-factor logins. Zelazny says all Biocatch customers use it alongside traditional login and malware detection systems.
She denies that all this measuring activity could impact the user experience, adding: ‘It is very light on the front end, and all the processing is done on the back end.’

It is possible that a criminal could trick or coerce an existing user into using the system for the criminal’s gain. But Zelazny claims that, even then, the user is likely to behave differently to usual, due to stress for example, and the system can detect this. According to Biocatch, the only major limitation is the cost of false alarms. ‘This technology provides savings from fraud mitigation and on operational costs. However, 20% to 25% of alerts tend to be false alarms, so it might cost four dollars on average to field a customer call about a false alarm and rectify it. Plus there can be lost revenue due to customers giving up on a potential purchase.’

Companies need to offset that against the cost savings and decide how much fraud is the optimum amount to catch. They might calculate that catching 90% of the biggest frauds and ignoring the smallest 10% is the most profitable balance.

But Zelazny says there are still huge savings to be made. ‘We took some conservative assumptions about the number of customers, likely frauds caught, average amount, etc., for a large bank,’ she says. ‘We calculated this could save them $200 million a year.’
Biocatch currently monitors one billion transactions a month and nearly all its clients are in financial services. But in future, Zelazny says this technology is likely to go beyond this into areas such as healthcare and the public sector.

‘It’s currently hard for people to accept that all fraud comes from authenticated sessions,’ she concludes. ‘Once they do, the whole thinking behind cyber security will change.’