Online fraudsters are getting smarter by the day. As soon as banks and financial institutions smoke them out, they find new ways to outsmart the system.
One noteworthy case happened a year ago in the UK when a woman got a call from someone saying they were from her mobile phone provider and telling her she was late with her payment. The woman used her debit card to pay the 60 UK pounds she was told she owed.
Five minutes later, she got a call from the fraud team at her bank telling her she had been scammed. Because her debit card was linked to her bank account number, they said, it was advisable to move her money into a new bank account.
They asked her to log in to the bank online and move all of her money to a new bank account number they provided her, in a number of small batches of up to 9,000 UK pounds each. Once each sum had been cleared, they would tell her when to transfer the next batch. And so she did.
Unfortunately, it was a double scam. The first caller was working hand in hand with the second caller. The woman, however, really believed she had been defrauded by the first caller and that her money was at risk. So she did what the (fake) fraud team told her to do, transferring her money in relatively small amounts at the request of the fraudsters, in order not to raise the suspicions of the real fraud team of the bank.
So, the rightful owner of a bank account transferred legal amounts of money voluntarily to another account. How can a scam like that be detected or avoided?
“The user was basically scammed and conned to move the money,” said Uri Rivner, the co-founder and chief cyber officer of Israeli startup BioCatch, which was brought in by the UK bank in question to help them with the case. “There’s no technology that can actually stop it.”
The scam was a classic case of social engineering, he said, a term used to describe a process in which people are psychologically manipulated to perform certain actions or divulge private or confidential information.
Social engineering has been around for thousands of years, said Rivner, “from the days of Jacob and Esau, in the Bible,” when Jacob tricks Esau out of his birthright by bribing him with a dish of lentil stew.
The initial reaction of the UK banking industry to this new form of scam was “This is not our problem,” said Rivner. If gullible users fall for such a scam, it’s entirely their fault; the banks clearly played no role in the situation. After all, the users provided all the necessary authentications and authorizations — and the banks just acted upon the instructions.
When, however, more scams of this nature surfaced, banks in the UK were instructed by the financial regulators to try and find a solution to this new fraudulent tactic, now known as Authorised Push Payments voice scams.
BioCatch, an Israeli pioneer in the field of behavioral biometrics, was called in to look into the matter by the UK bank.
Behavioral biometrics is a breakthrough in cybersecurity technology that identifies people by how they do what they do — rather than by who they are, as is traditionally done through face recognition or fingerprinting; or what they know, such as a secret question or a password; or what they have for identification, such as a token or a one-time code sent by text message.
Everyone has a distinctive way of moving a mouse, tapping a phone or typing on a keyboard, and behavioral biometrics is able to measure and analyze these patterns. Moreover, when people identify themselves at their bank or an online store by entering information about themselves, like their home address or date of birth, they are using long-term memory rather than short-term. This can be seen from the way they interact with their computer or smartphone, and behaviors that diverge from this familiar pattern can be flagged as unusual, generating an alert.
BioCatch has developed software that checks 500 bio-behavioral, cognitive and physiological parameters to create unique user profiles and a personalized web presence for each user of banking and eCommerce sites.
The startup, founded in 2011 by Avi Turgeman and Rivner, has raised some $50 million in funding to date, and employs some 100 people. It has been selling its detection products to banks and other customers globally.
Now, it was being tasked with its newest challenge: how to know when customers are duped into doing damaging things.
“We realized we have a new problem, and the initial reaction was: what can you do? It’s the user, it’s the human being, it’s the person themselves being tricked,” said Rivner in an interview from the BioCatch offices in Tel Aviv. “So, because we are experts in fraud and data science and neuroscience, we started to look at the data.”
What they found “almost immediately,” Rivner said, was that in the case of the defrauded UK woman, after the first payment of money to the new bank account number, she had been “randomly and nervously” moving her computer mouse on the screen. “She was nervous, she was told to wait, she needed to wait for confirmation,” he said.
The woman didn’t leave the banking website after the transaction, as people normally do. She hung around online, waiting for further instructions, and while she was waiting, she was nervous. And this nervousness was reflected in the movements of her mouse.
She was doing the transaction, Rivner said, “but there was something strange about the way she was interacting right now.”
The mouse movement was “much, much longer than the norm,” he said, which indicates that the person is “not completely focused” on the transaction but preoccupied by other things.
“Behavioral biometrics is the science of understanding human behavior,” he said. “It’s not about just authentication. It is also your state of mind.”
The more the cyber researchers studied the data, the more they realized that there was a common pattern among people who had been duped in a similar manner.
“We saw that she was not alone,” Rivner said. There were very specific traits in online users who had been conned in a similar way. “A normal person would spend maybe 20% of their time just moving (the mouse) without any purpose. Whereas this sort of victim, because of the fact that they’re being guided over the phone and they’re more distracted, it’s 40% to 60%.”
The more the team investigated, the more common signs it found. “I can’t really tell you everything,” Rivner said. But the BioCatch team set up a list of “hundreds of those very subtle behavioral signals,” such as hesitation, stress signals, and signs of duress or of being guided or dictated by someone.
“All of these are very subtle behavioral biometric signals,” he said. Each of these signals, taken on its own, may be a weak predictor of something being amiss. But taken together, these hundreds of subtle signs can “quite accurately say that something is very off about this specific activity.”
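To make the two signals the article describes concrete, here is an added toy session scorer (it is not BioCatch's code or method): it measures the share of session time spent moving the mouse with no click following, compares it with the 20% versus 40%-60% figures quoted above, and checks whether the user lingered on the page after submitting a transfer. The 2-second "purposeful" window, the 30-second lingering threshold, the two sample sessions and the simple signal count are all assumptions made for illustration.

```python
from typing import NamedTuple

class Event(NamedTuple):
    t: float   # seconds since session start
    kind: str  # "move", "click" or "submit"

# Article figures: ~20% purposeless mouse time for a normal user, 40%-60% for a coached victim.
COACHED_RATIO = 0.40
# Assumed parameters (not from the article): a move is purposeful if a click/submit follows
# within PURPOSE_WINDOW seconds; staying longer than LINGER_SECONDS after the last submit is "waiting".
PURPOSE_WINDOW = 2.0
LINGER_SECONDS = 30.0

def purposeless_ratio(events, window=PURPOSE_WINDOW):
    """Share of session time spent in mouse movement that leads to no click."""
    events = sorted(events, key=lambda e: e.t)
    clicks = [e.t for e in events if e.kind in ("click", "submit")]
    total = events[-1].t - events[0].t
    if total <= 0:
        return 0.0
    wasted = 0.0
    for cur, nxt in zip(events, events[1:]):  # each move lasts until the next event
        if cur.kind != "move":
            continue
        if not any(cur.t < c <= cur.t + window for c in clicks):
            wasted += nxt.t - cur.t
    return wasted / total

def post_submit_dwell(events):
    """Seconds the user stayed on the page after the last submit."""
    submits = [e.t for e in events if e.kind == "submit"]
    return max(e.t for e in events) - submits[-1] if submits else 0.0

def score_session(events):
    """Count the weak signals that fire; the article combines hundreds, this shows two."""
    signals = {
        "purposeless_ratio": purposeless_ratio(events) >= COACHED_RATIO,
        "lingered_after_submit": post_submit_dwell(events) > LINGER_SECONDS,
    }
    return sum(signals.values()), signals

# Constructed sessions (invented data): same login-and-transfer prefix, different behaviour afterwards.
_PREFIX = [Event(0.0, "move"), Event(1.0, "move"), Event(1.5, "click"),
           Event(3.0, "move"), Event(4.0, "move"), Event(4.5, "submit")]
NORMAL_SESSION = _PREFIX + [Event(6.0, "move"), Event(7.0, "move")]
COACHED_SESSION = _PREFIX + [Event(30.0, "move"), Event(40.0, "move"),
                             Event(55.0, "move"), Event(60.0, "move")]
```

Calling `score_session` on the two constructed sessions yields no signals for the normal one (about 14% purposeless movement, 2.5 s dwell) and both signals for the coached one (50% purposeless movement, 55.5 s dwell).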
Based on this research, BioCatch recently launched its “voice scam detection software,” which studies these parameters based on mouse and keyboard movements or the way the person scrolls and swipes on their phone.
Some banks in the UK are already using the new product, he said. “It is helping them right now.”
The firm is now looking into how these behavioral indicators can be used not only to detect financial crime but for other “interesting directions,” he said. “We have a lot of interesting research that we do with some companies, on additional capabilities beyond fraud detection, and that is more or less all I can say at this point.”