National Westminster Bank in London is tracking every movement customers make on its website or mobile app, looking for behavior that doesn't match past actions or clues that users are not who they purport to be.
Behavioral biometric software is catching on in the industry, typically as one of an array of measures to prevent digital banking fraud. The recent cybertheft at Tesco Bank in Edinburgh, Scotland, in which about $3 million was stolen from 9,000 customer accounts, has brought the need for such defenses to the forefront.
"I've seen banks in the U.K. use behavioral biometrics and I've seen a lot of interest amongst major U.S. banks," said Avivah Litan, a vice president at Gartner. "Behavioral biometrics has proven to reduce false positives."
After several months of trials, NatWest, a part of Royal Bank of Scotland, went public Wednesday with its use of BioCatch's behavioral biometric software.
The machine learning software, which is embedded in the bank's mobile app and online banking site, monitors and captures metrics on 500 different bank customer online and mobile behaviors — from the angle at which the user holds her iPhone to the amount of pressure she uses when she taps on a screen to the cadence of her keyboard stokes to the kinds of typographical errors she tends to make. BioCatch builds a unique biometric profile for each customer and conducts comparisons against it each time the user logs in to an app or online banking site.
It also does something that physical biometrics such as fingerprints, retina scans and facial scans can't do — it provides nonstop authentication.
"When it's deployed across our network, it lets us continuously authenticate that you are who you say you are, then it works by flagging inconsistencies or raising suspicions," said Kevin Hanley, director of innovation at NatWest. So even if the login procedure looked normal, "if the behavior of the user deviates from what's expected, it raises flags."
So far it's using BioCatch to protect several hundred thousand business banking clients, and the software has already proven its worth.
"We've been able to prevent fraud in the millions of pounds," Hanley said.
Al Pascual, senior vice president and research director at Javelin Strategy & Research, said some of his firm's largest clients are implementing or actively testing behavioral biometrics to detect threats online and in mobile banking sessions.
"While not a silver bullet, behavioral biometrics do allow for banks to make smarter decisions about when to allow certain types of account activity and when step-up authentication is warranted," he said. "New concerns about the growth in account takeovers across both retail and commercial accounts are providing plenty of motivation for banks to give them a shot."
Behavioral biometics are especially good at recognizing the work of malware such as remote-access Trojans, Hanley said. "Machine-automated behaviors bear no resemblance to human behaviors."
Hanley said he was drawn to the technology largely because it could catch and stop fraudsters in the act of setting up a new payee or a wire transfer.
"It provides an ability to alert and prevent fraud taking place as opposed to helping you detect or correct after the event," he said. "It's much more powerful; it's much more useful to me if I can prevent something happening."
NatWest already uses physical biometrics: It was the first U.K. bank to use TouchID fingerprint matching and it uses voice recognition in its call centers.
BioCatch alerts the bank's fraud team about every sign of unusual behavior. If a user suddenly starts to use the scroller in the middle of a mouse when she never has before, that's red flag No. 1. If the same customer starts using the numeric keypad to the right of a normal keypad, that would be red flag No. 2. Strange mouse movements would be a third tipoff.
In one recent case, an alert led the fraud team to discover a user ID had been compromised and the person was attempting to set up a new account payee.
"They were trying to transfer a sum of over 1 million pounds from the user's account to a spurious new payee they set up," Hanley said.
The software even helps verify first-time users of a mobile banking app or online banking site, where there's no pattern of past behavior to go by, going by a profile of typical fraudulent user behavior. For instance, lightning-fast data entry is more likely to be the work of malware than a human.
What behaviors are most telling when you're trying to verify identity?
"The beauty of that is it cannot be answered," said Eyal Goldwerger, BioCatch's CEO. "We use machine learning to analyze your behavior. However that doesn't mean we will analyze you the same way we analyze somebody else. … Whatever identifies you as unique will be different than me."
Goldwerger said BioCatch counts three of the top U.K. banks among its customers.
One persistent worry about any kind of fraud analytics is false positives — if a system generates thousands of alerts a day, there's no way to investigate all of them, so in effect they become useless. NatWest has yet to see this problem with behavioral biometrics.
"We're not finding hundreds of cases flagged as fraudulent and we find out it's legitimate," Hanley said. Upon investigation, most of the alerts have turned out to genuinely be fraud.
And customer convenience hasn't been disturbed, at least so far.
"In the unlikely instance where their usage patterns deviate from those that are expected, the occasional call from our fraud team saying they're following up because they see some behavior patterns that are inconsistent and are reverifying credentials — I think our customers will understand that," Hanley said.
Another benefit to behavioral biometrics is that the customer doesn't have to do anything — there's no enrollment necessary and no fingerprint, selfie or iris scan needs to be taken.
The technology has its drawbacks.
Behavioral biometrics software is not accurate enough to be used on its own — it provides 85% accuracy in identifying users, Litan said. There is a lack of data to feed the analytics and the analytics need improvement.
"It's a data issue — there's simply not that much typing and biometric behavior that can be analyzed when a user logs in to a bank session," Litan said. "It's not like they are typing a term paper."
Another weakness is that if someone undergoes a dramatic physical change, their behavior will naturally deviate from their usual patterns.
"Say you cut your hand. You might have to try twice or make a call," Goldwerger said. "This is not a daily activity. I always get this question; it never comes up in business."
And what if someone is really drunk?
"BioCatch recognizes patterns of behaviors to recognize known users, so unless you are an alcoholic and regularly drunk — in which case your drunkenness will be your normal behavior — this represents an anomaly," Goldwerger said. "If you are drunk enough to behave differently enough then at some extreme point their behavior won't match the regular one."
If the behavior would raise a risk score for the transaction that is high enough, the bank may ask for a secondary authentication. Worst case, drunk users would not be able to wire money from their account.
"Our customers are generally OK with this," Goldwerger said.
Editor at Large Penny Crosman welcomes feedback at email@example.com.