Johannesburg, 18 Sep 2023
It starts with the authentication process. Someone logs into a device using biometrics – their face ID or fingerprint – but it’s actually the start of a scam, the problem being that because the first step in the authentication process has been cleared, the rest isn’t queried. “They don’t know they’re making a bad payment, whereas with behavioural biometrics, you can see that it is the person making a payment but he is not acting normally,” explains Rob Woods, LexisNexis Risk Solution’s Director Market Planning: Finance SME International Fraud and Identity. “Behavioural biometrics is not just about showing you who is behind the device, but also if it is doing something that isn’t normal to them.”
Behavioural biometrics technology (like LexisNexis BehavioSec) is an additional way to expand your ability to trust digital transactions, reduce fraud and ultimately improve the experience of your consumers. “It gives additional insight into transactions and provides an added layer of protection for customers,” he says, adding that behavioural biometrics is a way to paint a good picture of digital identity. “It’s about looking past the device and seeing the human factor. Is it the genuine person using the device that we expect to see?” asks Woods.
While one part of behavioural biometrics is being able to differentiate between human and bot, it is also about authorisation or verification and identifying good users. “There are two different types of behavioural biometric experiences. There’s a new account opening where you've never seen the customer before, they are new to your organisation, and you have no baseline behaviour to measure,” he says. “But then you have all your genuine customers who, for example, have registered for internet banking and you can look at their behaviour and train models to identify what is normal for them.”
This results in a behavioural biometrics score, which allows a business to choose how much friction is added into a user journey. For Woods, there is a fine line between appearing that you’re doing anything because a customer is low risk, adding elements that introduce friction and providing comfort. “It depends on what you want to achieve as a business and this often comes down to the customer experience – communicate and get things very customer-centric,” he says. “It should be about protecting the genuine customer and, by default, making a better experience and keeping out the bad guys.”
With so many companies focused on fraud, Woods' understanding is that you can achieve the same outcome by approaching the problem a little differently – authenticate genuine users rather than assessing anomalous behaviour. “If you try and solve the problem by identifying the good customers and give them better experiences, by default you identify the bad guys,” he explains. “Whereas if you just try and identify the bad guys, some of the good guys might be identified as bad guys because they're doing something a bit different that day. It is a slightly different way to approach them, but it can yield different results.”
Woods' recommendation is to first identify genuine customers and then authenticate those customers. The next step is building up the profile of those customers and their interactions through intelligence gathering and turning that data into a trustworthy score. “Focusing on identifying the genuine customer helps, because if you think of authentication generally in fraud controls, one of the biggest concerns is not just keeping the bad guys out, but also false positives and stopping customers doing what they want to do,” says Woods. “Having a customer focus in genuine user identification process, rather than identifying the fraudster, means that you probably have fewer dropouts, you have fewer false positives…”
Woods also recommends frontloading behavioural biometrics at the beginning of a journey rather than for decisioning or just having it just at the end – continuous authentication, from login through to the end of a session. “When a bank has their app on a device and they allow their users to use face ID or touch ID or the Google Android equivalent, all they get from the handset is a yes-no response. Yes, this is the face the user has loaded onto the phone. They don't see the biometric because it's a device-only and yes, there is a risk associated with this,” he warns. “But then what happens when, during an internet banking experience, the behaviour changes? Behavioural biometrics gives the power back to the bank to say we have our own intelligence; we need to do something different here.”