Why we are our own best protection: The case for biometrics

There’s nothing a criminal likes more than chaos. As the world retreated from COVID-19, they stormed cyberspace, taking advantage of sudden spikes in online volume and new traffic patterns to fly under the radar.

In March, when stay-at-home lockdowns took hold across the globe, NuData, a Mastercard company that uses passive biometrics and analytics to weed out illegitimate users for financial institutions and merchants worldwide, spotted a 679% increase over average in suspicious account creations for one global retailer. 

Fraudsters may be creating fake accounts to make purchases using stolen credit cards, or using identifiers from the dark web to apply for lines of credit. In such unusual times, unexpected activity can raise so many alarms as to render them white noise. 

“Merchants don’t know what to expect,” says Kyle Williams, a Cyber & Intelligence product development director at Mastercard. “Some are tempted to remove certain layers of their security barriers to prevent good users from being blocked, such as one-time password requests, because it’s hard to discern what interactions are genuine and what are not.”

You can’t just look at one piece of data – or a handful of data points – to make a decision; it takes a holistic approach to cut through that noise and separate the good actors from the bad. And that can’t be accomplished with a single eight-character password (one uppercase letter, one number, and your third-favorite Egyptian hieroglyphic, please).

Advancements in biometrics —the technologies that use our unique attributes for identification and authentication — are shifting from knowledge-based methods of verification to recognition-based ones, according to “From Password to Person: The Evolution of Biometrics,” a Mastercard white paper produced with Purdue University researchers.

For those of us who don’t use password managers, static passwords and PINs are only as reliable as our memory — which is to say, often unreliable. Microsoft, for example, spends $2 million a month on help desk calls from customers who need assistance changing their passwords, the report says.

Physical biometrics — those that compare physiological credentials such as a fingerprint to a verified match — have become commonplace for mobile devices since their introduction in the early 2010s. Biometric cards with fingerprint authentication, which Mastercard introduced in 2017, have proven to be a convenient and safe method to verify cardholder identity for in-store purchases as an alternative to a PIN. Another innovation that eliminates the need for passwords is Mastercard’s Identity Check Mobile, which uses fingerprints or facial recognition (aka “selfie pay”) to verify identity, improving security while significantly speeding up online checkout.

“Security and a seamless experience should never be mutually exclusive,” says Ranjita Iyer, senior vice president, Identity Solutions, Cyber & Intelligence. “Physical biometrics solves for both, helping us deliver greater trust in the digital payment ecosystem, particularly at a time when peace of mind is in such short supply.”

The biometrics behind the scenes

Increasingly, passive biometrics are powering recognition. These behaviors include the specific patterns we use on our laptops or phones: How fast we type in our login, whether we use the right shift or the left shift to capitalize, how hard we tap, the way we swipe the screen, the angle at which we hold the device. These are all “tells,” and while we may not behave the same exact way every time, these hundreds of different signals can still help build an accurate picture of who we are.

These passive behaviors aren't bulletproof, but they can be combined with device recognition (is the device at a new location and with a connection that is new or suspiciously masked?) and account history (is the connection speed much slower than usual; why is the user suddenly using a different browser to surf the web?). From this, a unique user profile emerges. 

This combination of content and context creates a dynamic, real-time verification process that works seamlessly behind the scenes. With machine learning, NuData is able to look at hundreds of anonymous data points before and during a transaction to determine whether it's a real user or a bad actor, flagging high-risk transactions to its customers. 

Industry research continues into other characteristics that could help tighten authentication, from the way a smartphone camera can capture your eye movement to how the pulse throbs in your wrist.

At NuData’s Global Intelligence and Cyber Centre in Vancouver, British Colombia, engineers set up a near-field communication sensor and had employees walk toward it as if it was a subway turnstile, taking out their phones and pretending to tap for entry. The motion sensors inside the smartphones can share how they approached the sensor — how fast they walked, how quickly they took out their phone, the angle at which they tapped — to determine if those traits could be assembled into a signature.

“You can argue that two people may have the same gait,” says Marc Grimson, a senior consultant at NuData, “but that information can be tied in with other information to give you higher confidence that they are who they say they are.”

These hundreds of data points per user become billions of aggregated and anonymous profiles, giving NuData’s clients a clear picture of what good customers would and wouldn’t do. Accounts created between 2 a.m. and 4 a.m. are 50% more likely to be fraudulent, for example.

“It’s ridiculously hard to find a needle in a haystack,” Williams says. “Our approach is to first identify the normal behavior — the hay. By looking at it this way, identifying the anomalies — the needles — is that much easier."