The problem with security of all kinds is best typified by an experience anyone reading this can relate to — going through the security lines at the airport. After September 11, there are exactly zero adults in the United States who do not understand the extraordinary importance of properly screening people before we let them board a pressurized, jet-fuel packed, aluminum tube that blasts through the air at ~500 miles per hour — since the consequences of insufficiently doing so are quite catastrophic.
However, as the distance from 9/11 got longer, security measures — like no shoes, no belts, no normal-sized shampoo bottles, no water, no breast milk and random security screenings that always somehow seem to line up with a flight you’re already running late for — caused the bloom to start to fall off the security rose.
Thank goodness, cybercriminals don’t hijack planes like terrorists do (at least not yet and we hope they never do). Instead they commandeer servers, personal computers, point-of-sale systems and any other digital thing they can get their bots into. And while cybercrime may not have the body count associated with it that terrorism does, it makes up for its lack of apparent violence with its incredible reach and the swath of financial destruction it creates.
By some estimates over half of all American adults were hacked between 2013 and 2014. A recent MasterCard survey on security reported that one in three survey respondents said that they had been the victim of some sort of breach, no doubt a nod to the number of high-profile breaches this year that included the State Department, Anthem and even the IRS.
Given the obvious scope of the problem, it’s unsurprising that the ecosystem has so speedily ratcheted up its interest in securing its systems. According to the PYMNTS Investment Tracker, security has been one of three areas to dominate investor interest in the last 18 months (the other two being alternative financial services and mobile payments technology). What has been interesting to watch, however, is how that security is evolving into almost two schools.
One school is the “TSA” school of thought that relies on building better gates to bounce out those who aren’t supposed to be boarding the digital ecosystem. This is the movement toward increasingly complicated passwords that need to be 17 characters long, have at least three symbols and not be one that you have used in the last year. The “build a better gate” approach also includes various forms of secondary authentication that make it harder for anyone to crash through those gates.
And while gates have merit, gates can sometimes slow down the operation. But unlike travelers, who pretty much have to get on the plane, online shoppers can simply opt out and abandon their transaction if checkout takes too long because of all the gates that even the good guys have to get through.
“If we look at the history of access, it starts with the idea you know that is unique — a password or how to type out a code. Those secrets are becoming less and less secrets — passwords and user IDs can be compromised easily,” Ron Moritz, interim CEO of Israeli cybersecurity startup BioCatch, said. “The step that we’ve taken over the last decade has been to move away from the concept of something you know to the concept of something you have — a token, device ID, sending a one-time password to a cell phone and leveraging an out-of-band authentication.”
“Where the world is going is to make this about you and something you are. This is where biometrics comes in — a fingerprint or an iris scan — which is part of identity that is hard to steal. The problem with all of that stuff is it is pretty high friction, and they can all be hacked since the form of biometrics on iPhone and laptops is pretty light.”
[Ignore for the moment that, in the hack of the Office of Personnel Management, fingerprints were said to be stolen…]
BioCatch is a digital commerce and finance security firm that specializes in the “Las Vegas” model of digital security — a technique whose physical-world analog is watching consumers closely enough to notice when a consumer (or bot) is “doing math in their head.” It’s called cognitive biometrics, and BioCatch’s CEO says it’s hard to hack because it looks at so very many data facets at once.
“Cognitive biometrics uses the brain as a biometric component. So it turns out the way you interact with your keyboard, and the way you interact with your mouse, the way you navigate your applications and the way you think about your applications at certain times of the day, or after you consume alcohol, are measurable. And that is what we are effectively doing.”
BioCatch starts with a user profile that looks at the user technologically — what is the user’s IP address, what are the features of the network, what type of hardware and software does the user favor — things that Moritz notes are par for the course for background security monitoring platforms. The secret sauce for BioCatch, however, is how complete a profile it draws and how broad the range of fields it pulls its user data from is.
“We create a physical profile about a consumer that looks at how they hold their cell phone when they interact with the app that is being protected by BioCatch. So, whether the consumer is in motion or is sitting at a desk, how the consumer swipes, their hand-eye coordination and things like that. From that we can tell all kinds of things: Is the consumer right- or left-handed? How hard do they normally hit the keys? What time of day do they like to shop? Whether they use the mouse to navigate, and when they use a computer, how they link things.”
All told, BioCatch goes after 500 different measures when it creates a consumer profile. No individual measure is treated as definitive, Moritz noted — instead the platform works behind the scenes to create a holistic picture that only flags a transaction when it significantly diverges from the “norm.” A customer might injure her dominant hand and start swiping in a different way, but because everything else about her won’t change, that won’t trigger a false positive. A customer who starts using a different hand, starts visiting different sites and starts shopping at a different time of day with a lot more or less manual dexterity than usual — that will upset the system and flag the transaction as potentially fraudulent.
“The user does not know BioCatch is running. There is no token they need to carry, and no fingerprint needs to be scanned. Instead we look at 500 metrics,” Moritz explained. “The fact that you are tired and a little intoxicated will only change one or two metrics. We still have enough information through the other metrics we are extracting through the cognitive and physiological measurements of thinking in order not to create an alarm. We can see even through altered behavior. We can really decide to assign a relatively low fraud score.”
That low score means merchants can avoid “step-up” authentication, which consumers generally don’t like because it is a hurdle between them and whatever online transaction they are trying to complete. The system doesn’t want consumers lining up at a gate; it wants users to behave normally while BioCatch watches them very closely to determine when they are who they claim to be — and when a bot or hacker might be trying, and failing, to imitate them.
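As an added illustration (not BioCatch’s code or algorithm, which the article does not disclose), the following Python sketch captures the scoring idea described above: a session is compared against a per-user baseline across many features, and the fraud score reflects how broadly the session diverges, so that one or two out-of-character measurements (the tired or injured customer) do not trigger step-up authentication while a session that differs on most features does. The feature names, baseline statistics, thresholds and sample sessions are all constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed per-user baseline: feature -> (mean, std dev) learned from past
# sessions. Names and numbers are illustrative assumptions, not BioCatch data.
BASELINE: Dict[str, Tuple[float, float]] = {
    "key_hold_ms": (95.0, 12.0),       # how long keys are held down
    "key_flight_ms": (140.0, 25.0),    # gap between successive keystrokes
    "mouse_speed_px_s": (820.0, 150.0),
    "mouse_curvature": (0.32, 0.06),   # how curved pointer paths are
    "swipe_len_px": (410.0, 60.0),
    "device_tilt_deg": (28.0, 7.0),    # how the phone is held
    "session_hour": (20.0, 2.5),       # usual time of day
    "pages_per_min": (3.1, 0.8),       # navigation tempo
}


def feature_deviations(sample: Dict[str, float],
                       baseline: Dict[str, Tuple[float, float]]) -> Dict[str, float]:
    """Absolute z-score of each observed feature against the user's baseline."""
    return {f: abs(sample[f] - mu) / sd
            for f, (mu, sd) in baseline.items() if f in sample}


def fraud_score(sample: Dict[str, float],
                baseline: Dict[str, Tuple[float, float]] = BASELINE,
                z_thresh: float = 2.5) -> Tuple[float, List[str]]:
    """Score a session by the breadth of divergence, not its depth.

    Each feature is only one vote: the score is the fraction of features whose
    |z| exceeds z_thresh. A tired or injured user moves one or two features far
    off baseline, but that still leaves most of the votes in their favour.
    """
    devs = feature_deviations(sample, baseline)
    outliers = sorted(f for f, z in devs.items() if z > z_thresh)
    return len(outliers) / len(devs), outliers


def needs_step_up(score: float, ratio_thresh: float = 0.5) -> bool:
    """Only a broadly divergent session is pushed to step-up authentication."""
    return score >= ratio_thresh


# Constructed sessions: the same user but tired (two features shift) versus a
# session whose rhythm differs from the baseline on most features.
TIRED_SESSION = {f: mu for f, (mu, _) in BASELINE.items()}
TIRED_SESSION.update({"key_hold_ms": 150.0, "pages_per_min": 0.9})
DIVERGENT_SESSION = {**TIRED_SESSION, "key_hold_ms": 60.0, "key_flight_ms": 220.0,
                     "mouse_speed_px_s": 1400.0, "mouse_curvature": 0.12,
                     "session_hour": 4.0, "pages_per_min": 9.0}
```

With these constructed values the tired session scores 0.25 (2 of 8 features out of range) and passes without step-up, while the divergent session scores 0.75 and is flagged.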
BioCatch is betting that it’s a lot harder to hack 500 things than it is to hack one — whether that one thing is a fingerprint, a password or a token. Moritz says it is not impossible, and that we can bet that as this technology becomes more widespread, hackers will become increasingly invested in trying to beat it. Some probably will, but then, he noted, someone stealing from you is a generic problem in retail, and while it can’t be solved entirely, it can be mitigated.
“If you look at fraud over the last five years, there’s data that indicates that the actual amount of successful fraud is decreasing. Not that the attempts of fraud [are] decreasing, but the actual amounts of fraud are going down,” Moritz noted. “When you look at it in those terms, the tools that have been deployed are providing value. The challenge is that fraudsters will invest in creating technology to overcome the tools. The cost of theft has long been factored into brick-and-mortar retail, and those loss counts are also made in eCommerce. And there comes a point where the risk of driving away customers with security is worse than the risk of fraud.”
Going forward, BioCatch wants to make it easier for retailers to lower the risk of running off a good customer as much as possible while exposing them to as few fraudulent purchases as possible. Because in BioCatch’s opinion, the future of security isn’t in building the most impenetrable system — it’s in building the system that is the most user-friendly all the way around.