BioCatch: Catching Fraudsters with Behavioral Biometrics
Howard Edelstein is the Chairman and CEO of BioCatch, a revolutionary digital identity company that uses Behavioral Biometrics to capture how users interact with their devices for identity proofing, authentication and fraud prevention. But what is this rapidly growing technology and how does it work?
In this interview, Howard tells us about his arrival at BioCatch, the truly innovative technology that the company pioneered, and the work it does protecting banks, their clients and their assets.
You are probably best known as a pioneer and innovator within the FinTech industry. In fact, Global Custodian magazine even anointed you as one of the “Legends” of Fintech. How did you end up as CEO of a cybersecurity company?
I’ve spent most of my career trying to apply the latest technology toward improving the financial system, whether at Thomson Financial, Omgeo or BT Global Financial Services. I’ve been maniacally focused on increasing efficiency, mitigating risk and solving problems by applying technology to finance. Today this is known as FinTech but back in the day it was “simply” a matter of automating and improving manual processes. I had a pretty successful career doing that and more recently I began to invest in FinTech-related companies, helping young entrepreneurs and sitting on their boards. I came across BioCatch in 2011 while looking for investments, met the founder and his small team, and they showed me some of the most interesting and compelling technology I had seen in the last quarter of a century. I got involved as an investor, a board member and an advocate, and helped them raise capital to become a scalable company. Eventually I was named Chairman and more recently CEO as well. Now we are working together to build a unique digital identity business that services financial institutions. So I am still essentially in the Fintech space.
BioCatch is the leader in Behavioral Biometrics. Most people know what Biometrics is – fingerprints, facial recognition, etc. – but what is Behavioral Biometrics?
To answer that I will start by asking you to suspend disbelief for just a moment – if it’s the first time you’re hearing about behavioral biometrics, it can seem a little bit like science fiction. Behavioral Biometrics is based on the fact that we all have unconscious personal preferences and habits in life – the way we walk, the way we talk, comb our hair and so forth. For example, if I asked you to cross your arms, you would do it the same way every time. If I then asked you to do it the opposite way, it would feel very awkward, very abnormal. Because you have a preference when it comes to how you cross your arms, something you may not have even realized.
In the same way, everyone has preferences that uniquely identify them when they interact with technology, be it their computer, mouse, keyboard or phone. The speed of their typing is one example. Their use of the scroll bar as opposed to the arrow keys is another. We are actually able to measure around 2,000 of these factors in total. Every individual has somewhere between 50 – 100 behavioral factors that, when found in combination, point very strongly to them. From these factors we create behavioral profiles that allow us to authenticate online users. This solves the problem created by authenticating people purely based on what only they are supposed to know, such as a username or password, when many such “secrets” are readily available on the Internet due to security breaches, which have become almost commonplace of late. We use behavioral profiling as a mechanism to ensure that people are who they say they are when they are online.
What’s wrong with existing identity-proofing methods like two-factor authentication or plain old biometrics?
Everything the industry has relied on to this day is based on something static – that is, it never changes. You have a password, or a town you grew up in, or a fingerprint. But with personal information like passwords, phone numbers, and even social security numbers now in the hands of fraudsters and other criminals, financial institutions want to know if you are really you, or if someone is posing as you. And you want them to know it is you as well. The advantage of using behavior is that it’s almost impossible for today’s technology to copy it. Behavior is not static and thus it is difficult to mimic. Behavioral data is an untapped goldmine and as fraud becomes more complex, establishing your digital identity beyond your physical identity will be an important part of a person’s online experience.
The typical use case for a bank, for example, is what we call “account takeover.” This most often happens remotely but can occur physically as well when people leave their computers unattended. If you logged into your bank account and had a friend sit down at your machine, within five seconds the bank would know that it’s no longer you operating the computer based on that person’s behavior alone, even though you initiated the session. That’s the beauty of behavior and what separates it from a static biometric mechanism. Behavior can be monitored throughout an entire online session. It is fast, friendly and frictionless.
How is BioCatch different from traditional authentication solutions?
Two-factor authentication is a reasonably strong solution for now, but it comes with an enormous amount of friction to the user, whereas the BioCatch approach is frictionless and invisible. Currently we typically add an additional layer of security on top of traditional identity proofing and antifraud solutions. So you still use your username and password to log in, but we then monitor your complete online session, seamlessly and transparently. We provide a risk score to the bank based on the data collected during the session and how it compares to your past behavior as well as to our data set of 90 million users. And if it turns out your online behavior does not match your pre-existing behavioral profile, or changes, we alert the bank, which can then choose to either stop the session or further authenticate you – what banks refer to as an escalation. This ultimately protects you and your assets, as well as the bank.
How many of these profiles have you collected at this point?
We now have more than 90 million distinct individual profiles — so many that we can identify good behaviors from bad behaviors with an extremely small margin of error. This allows us to assist our clients right from the account signup or initial authentication phase. When you are the custodian of someone’s assets, you are in a position of trust and want to take every precaution to make sure those assets are protected. Until BioCatch came along, no one thought about using behavior as a way to protect customers and get to know them better at the same time.
Can you tell us who some of BioCatch’s major customers are?
We typically serve large global banks and other types of major financial institutions, though we do have smaller institutions as clients as well. In the UK, the top banks are all BioCatch clients, including two who have spoken publicly – Royal Bank of Scotland and Barclays – to show that they are forward-thinking institutions that use the latest technology available to protect their clients and their assets.
In the U.S. one of the top three universal banks is a BioCatch client, as are major financial institutions such as American Express and Principal Financial. Most of our clients prefer to remain anonymous though.
Can you share any success stories for clients like these?
I could share many were it not for non-disclosure agreements! We’ve identified imposters pretending to be bank officials, police investigators, even tax authority employees. In one memorable instance we even – Lazarus-like – raised a potential customer from the dead! In that instance, the user entered their social security number with a typo, which identified them as deceased, but everything else they did checked out. The returns on investment for most financial institutions from these types of things are very significant. In fact, ROI is typically so high that they often get payback within a couple of months. And client service improves as well. When a bank “knows” who is actually their client and who is not when a user enters their credentials, they will not lock you out when you log in from a vacation destination, for example.
We hear so much today about AI – Artificial Intelligence. What role, if any, does AI play in the BioCatch solution?
AI is actually a very important component of what we do at BioCatch. If it weren’t for AI we couldn’t do any of the things that we do to protect our clients and their customers. We’ve actually been using AI since the early days of the company and have thus become highly proficient at it. With the profusion of new data – such as behavioral data – the ability to search and analyze large data sets today is key. Today there is no online security without AI.
What are the biggest threats you see on the horizon at the moment?
The main problem is the bad guys are getting better every day. They coordinate better than the good guys do, and technology is making it cheaper and easier for them to bypass normal channels and normal authentication mechanisms. At the end of the day this is really about crime. You can’t stop crime – you can only fight it. And to fight it effectively these days, you need a robust, next-generation weapon. Just continuing to do what you did over the last 10 years is not likely to be effective. The bad guys have become too smart and too well-organized. You have to come up with something new.