Among the security technologies that have been seeing increased adoption in recent years, behavioral biometrics is, in a sense, the dark horse. The technology is expressly designed to run in the background, without being noticed; but a growing number of organizations – especially those in the financial services sector – have been paying attention.
At the vanguard of this security trend is buguroo Offensive Security, a behavioral biometrics specialist that has been garnering industry acclaim and catching the eye of investors. The company is poised to get even more attention after the recent launch of its new Policy Manager tool, which supplements its platform’s Fraudster Hunter solution with additional defenses for enterprise security frameworks.
Naturally, buguroo CEO Pablo de la Riva was happy to delve into exactly how these solutions work together in a new interview with Mobile ID World President Peter O’Neill. But the conversation encompassed much more, touching on the impact of privacy regulations on the security industry, the role of AI and machine learning in powering digital security solutions, and the rising demand for behavioral biometrics solutions generally.
Read the full Mobile ID World interview with Pablo de la Riva, CEO, buguroo Offensive Security:
Peter O’Neill: We have been reporting on behavioral biometrics for the past eight years when behavioral really launched into our marketplace; it was quite a fascinating time. Why do you think behavioral biometrics is seeing so much growth at the moment?
Pablo de la Riva, CEO, buguroo Offensive Security: The rising adoption of behavioral biometrics is clearly driven by the rise in fraud. During the financial crisis of 2008, it was more or less the same. Then, fraud increased six times, year over year. Then, during lockdown fraud increased as well, and it was especially driven by impersonation attacks through social engineering. Since this is exactly where behavioral biometrics is most effective – detecting impersonation while maintaining a frictionless user experience – it’s no wonder the technology is rapidly gaining popularity.
Peter O’Neill: Well, we’re certainly reporting a lot on just what you mentioned, the increase in fraud, the increase in attacks, it’s growing exponentially. I think a lot of it has to do with COVID and just the amount of remote working. Now, buguroo has won multiple cybersecurity awards for the past several years. And I think several already this year. What makes your company stand apart from other solutions in the marketplace?
Pablo de la Riva: We have a unique vision which is constantly driving our roadmap and the launch of new features. We have been working in anti-fraud for the last 15 years. We realized early on that fraudsters pose a constant threat, and no matter what technologies are being introduced to create roadblocks in their paths, they will always adapt their tactics in the pursuit of easy profit. After years of studying the cat-and-mouse game in the industry, we launched a tool designed to break this cycle and do something fundamentally different: adapt ahead of the fraudsters. Of course, creating a truly proactive anti-fraud tool requires out-of-the-box thinking on data and intelligence, and we spent a long time refining the capabilities that make our technology unique.
Then, almost by accident, we came upon behavioral biometrics and the pieces of the puzzle fell into place. It’s the perfect way to analyze every aspect and moment of an online session, from device and network information to the way the user is interacting online – including parameters such as mouse movements, typing rhythm and even the angle at which they hold their mobile phones. Building on behavioral biometric data, we then created functionalities that can guarantee to financial institutions that their customers cannot be manipulated or impersonated at any point. If you can guarantee these two things, you will prevent fraud from occurring.
The way our detectors are built, the different kinds of data we collect and the massive amounts of parameters we use to analyze them make our solution extremely customizable. This has also naturally opened up new avenues for us in the world of behavioral biometrics-driven fraud prevention. Our link analysis tool Fraudster Hunter helps identify and reveal fraudsters in banks’ online systems and automatically block future fraud attempts by recognizing fraudsters’ cyber DNA or usual modus operandi. Another example is our 3D Secure solution which uses behavioral biometric analysis to fail-proof the 3D Secure risky transaction verification system during e-commerce transactions. Together, these capabilities mean our systems have a much wider scope than any other solution on the market
Peter O’Neill: What other trends have you been seeing at the moment in our industry around security protocols and specifically regulation?
Pablo de la Riva: There are two main regulations that are driving the adoption of anti-fraud technologies in Europe. On the one hand, we have Strong Customer Authentication (SCA) rules within PSD2 and data protection laws in accordance with GDPR. This means financial institutions must use the data they have on customers to guarantee their security as well as their privacy, all while ensuring a frictionless experience. Behavioral biometrics – and specifically, keystroke dynamics – analysis is one of the techniques validated by the regulator, which means a biometric challenge can be used within the second step of two-factor authentication. The analysis is carried out without introducing friction into the user experience, which is a top priority for banks alongside security.
On the other hand, also driving behavioral biometrics adoption is the customer authentication requirement of the 3D Secure process, mandatory when making card-not-present transactions. Here, again, strong customer authentication must be paired with a frictionless approach.
Finally, there is the emergence of remote working. Technology giants Google and Apple have already made promises to extend the work-from-home arrangement into the foreseeable future and the vast majority of companies are likely to follow suit in some form – be that by allowing everybody to work remotely a percentage of the time or permanently allowing some people to work from home. This will mean businesses must extend the same trust and protections to their remote workers as those within their perimeter enjoy. In fact, we are receiving growing interest from other industries who wish to use behavioral biometric solutions to keep their employees and businesses safe and secure.
Peter O’Neill: We’re seeing exactly the same thing, Pablo, and almost every industry and every company out there is having to deal with this right now. The need is urgent, as we see it right now. Convenience and end user experience has been a hot topic at shows like Money 20/20, et cetera, over the past several years. How can you use behavioral biometrics to stop fraudsters from falling through the gaps caused by banks, trying to balance security and that convenient end user experience?
Pablo de la Riva: Behavioral biometrics provides the smartest solution to maintaining the balance between security and a seamless user experience. Consider how there are no two people who would write the same word in the same way on a piece of paper. In the digital world we see this replicated in users’ unique set of behaviors when interacting with a device, creating completely different inputs from person to person.
For example, my name is Pablo and I have a lifetime of experience writing and typing “Pablo” which is unique to me. A fraudster who might try to impersonate me will inevitably type “Pablo” in a different way to how I do it – even if their own name is Pablo! Maybe they are not as confident as me when typing it or have a different rhythm to their typing. It could be that what makes me unique is when I’m pressing the key “P”, I maintain the “P” key press for twice as long as I hold down the “L” and move onto the following letter “O” much more quickly. This is just one, very basic, example of a short string of characters – when you add in other behaviors involving the user’s devices, mouse, keyboard and screen, you can use all of this information to create online ‘cyber-profiles’ that are completely unique to each individual online user. Using these, banks can not only differentiate a fraudster from a legitimate user, but also an automated bot from a human, or a known user from an unknown one.
It is remarkable what you can achieve through inputs that are theoretically invisible, because you don’t need to be intrusive with the user experience, but you can gather enough data to differentiate between good and fraudulent actors. Moreover, the non-intrusive nature of the technology means fraud detection can be carried out throughout the whole session, as opposed to just during the login or before a transaction takes place. For example, if two minutes after logging in a fraudster gets remote access to a user’s device – through tactics such as man-in-the-middle or remote access trojans – and is performing any kind of action, banks can detect that the user has been impersonated. Today, this is simply the best and easiest way to negate impersonation attacks.
Peter O’Neill: As well as identifying fraudulent activity, how useful is machine learning and behavioral biometrics for comprehensively preventing online bank fraud?
Pablo de la Riva: In my opinion, it is absolutely key. Deep learning and other forms of artificial intelligence are key to classifying fraudulent behaviors, because the sheer amount of data that you need to collect in order to build user profiles detailed enough to accurately authenticate each user is so huge that you cannot depend solely on one system to classify if a user’s online behavior matches their typical profile during each individual interaction.
Additionally, the technology needs to be intelligent enough to adapt to changing behavior, as there is no human that behaves in the same way twice. There will always be little modifications, but actually it’s those small alterations in behavior are what makes you and your behavior unique. So to accurately predictand determine in real time if the information being gathered from the individual way the user is moving the mouse or tapping on the keyboard, and so on, are expected or not for each specific human in an environment in which you there are million of different users, you have to have artificial intelligence to understand what makes each user unique in the whole ecosystem.
Artificial intelligence also helps us to answer one of the biggest challenges in preventing online fraud, which is to answer the very complex question of if the user is not who they claim to be, then who are they? Here the technology can help us understand the fraudster’s behavior during that session, and then we can start to match this behavior with previous fraudster behavior or with all the users that are also making similar movements through the identifiers the users have in common. In doing such investigation we build routes to tracing individual and groups of fraudsters through common points in their previous attacks, and start to predict and prevent future attacks.
Peter O’Neill: Just to reflect back on a comment you made earlier in this interview, you have some new product updates that have just been released and one is the Fraudster Hunter tool and Policy Manager. Can you tell us a little bit more about those and how do they work?
Pablo de la Riva: Well, Fraudster Hunter is a tool specifically designed for answering this question of, if a user isn’t who they say they are, then who are they? It does this through performing link analysis. One of the things that makes this tool so special is that we can link almost any single kind of information, from devices to IP addresses to biometric information. The analysis and the kind of in-depth investigation that you can perform through this platform is amazing.
One of the common success stories that we are having with our customers who are using Fraudster Hunter is that having detected a potential fraudulent transaction, they can use the Fraudster Hunter tool to identify commonalities with other users, devices, accounts or previously fraudulent sessions. So, for example, customers have discovered entire networks of mule accounts through identification of a similar device or a similar network or a similar behavior or similar patterns or similar toolbars installed in his browser, and so on.
The amazing thing about this tool is that once you’ve identified one mule account, you can trace every account that is connected with it and accurately predict which other accounts in the bank’s system will be used as mule accounts in the future, identifying potential fraud and proactively stopping it before the fraudster even tries to move the money. It’s something that is working really well, and gives banks the unique flexibility of understanding how the campaign started and who was carrying it out, whether it was a single bad actor or a group of fraudsters. Fraud teams can understand all the connected devices, all the networks that they are using and all the accounts that are being compromised, and even who the fraudsters are based on their own unique online profiles, who can then be blocked from performing fraud at the same bank in future. It’s real forensic investigation that gives a wider view of the entire ecosystem of the bank’s system and the fraud occurring within it, and how you can manage all that data to improve your security and block fraud in the future – it’s amazing.
This actually links with our newest functionality: Policy Manager. We launched Fraudster Hunter a year and a half ago, and now we are launching Policy Manager which allows customers to fine-tune how the tool behaves in terms of raising alerts, creating campaigns, creating reputation lists, creating groups, and to fine-tune the kind of investigation and detection that you can perform with Fraudster Hunter, and also, what kind of predefined actions you want to automatically trigger once you detect a specific, potentially fraudulent behavior. Basically, it allows for the creation of bespoke, campaign-based fraud prevention specifically targeting the fraud at your bank.
So, for example, with policy management, you can build a white list with the IPs of the users that banks employ to test their own security – for example, if they are performing ethical hacking services. Probably, the auditors that are using those accounts are going to try to perform actions that should normally be conceived of as fraudulent, using automated actions, and making a lot of noise, and connecting from many different devices..
So through Policy Manager you can add those accounts to a white list to ensure the actions aren’t flagged and blocked. And that same kind of example we’re using for accounts, we also have for IDs, networks – well, any kind of parameter that you can manage with our tool that is huge.
You could create lists and rules based on IDs, as well as information such as locations, ISPs, operating systems, browsers, geolocations, and even kinds of risk indicators, like remote trojans, or specific web injections for malware… Basically, you can customize almost everything to include in a white list, or in a black list, to modify what happens as a result. For example, the risk score might increase or decrease, or specific alerts raised depending on what potentially fraudulent activity is detected, and that can be fully customized depending on your needs at that time.
Let me give you another simple example to illustrate the level of detail the Policy Manager tool allows you to reach in your customization: Based on information I have or previous fraudulent activity, I might decide that if I detect a remote access trojan in a session coming from Jamaica between 5:00 PM and 7:00 PM, for example, then I want to receive the alert with the maximum severity. Then you decide what kind of action you want triggered in this instance like, for example, blocking the transaction completely, stepping up the security and asking for second factor authentication.
Peter O’Neill: We talked a little bit about COVID and how it’s affecting the industry. You’ve been focused mainly in the financial services area, but now all companies across every industry are faced with significant challenges. Are you finding that you’re starting to look at other industry verticals now?
Pablo de la Riva: The reason we began with a focus on financial services is because they are probably facing the most complex fraud situations. They have been targeted by fraudsters for many years, and fraudster techniques are usually much more advanced than those of fraudsters targeting other industries.
By building our solution to face the most complex problems first, we hope to guarantee that our tool has enough versatility to adapt to face any situation. We are receiving more and more interest from e-commerce, FinTechs, and in fact any industries that have onboarding processes or offer security services. Cybersecurity has got to the point where basic authentication is no longer enough. Enterprises need strong customer authentication and behavioral biometrics is one of the smartest ways, or probably the smartest way, to guarantee that you can authenticate an online user without deploying too much friction to their online journey. Physical biometrics such as face recognition and fingerprint, et cetera, are very good strategies for authenticating users online, but the drawback is that these methods depend on the quality of the hardware of the devices that the users have, whereas behavioral biometrics can be used in the same way with any device being used to access the internet.
So behavioral biometrics is definitely something that has seen more and more demand. So, we are still focused on the financial services industry and comprehensively preventing online banking and payments fraud, but as our technology is flexible in its approach to preventing online fraud, we have started to expand to other verticals based on demand, as companied approach us with their different use cases and ask us for our help and expertise.
Peter O’Neill: Well, Pablo, thank you very much for telling us about all the great things going on at your company. I personally have been a big fan of behavioral biometrics ever since we first saw it spring onto the marketplace about eight years ago and my, how it has grown. And again, we see it as a foundational situation, especially in financial services, but I’m starting to see it in healthcare now where they’re trying desperately to figure out how to do remote telehealth, remote prescriptions, etc. So thank you again for carving out some time with us today. It’s been a pleasure to speak with you.
Pablo de la Riva: My pleasure, Peter. It’s great to spend time with people who are fascinated by the same things.