Topic of the Month


Behavioural Biometrics for Digital Payments

Fintech Newsletter December 2020 topic of the month 01

-Ashutosh Dubey, NPCI

Smart mobile devices are now an integral part of daily life; they are our main interface to the cyber-world. We use them for online shopping, education, entertainment and financial transactions. It is therefore not surprising that companies are working hard to improve their mobile services to gain a competitive advantage. Accurately and non-intrusively identifying users across applications and devices is one of the building blocks of a better mobile experience: companies can tailor their offerings to users' characteristics from various perspectives, and users can enjoy personalised services without much effort.

Major Digital Payment Frauds and Prevention Mechanisms

  1. Phishing >> IP / browser intelligence
  2. Dynamic IP proxies / VPNs >> Device intelligence based on collected device information
  3. Trojan attacks >> Malware detection tools
  4. RAT (Remote Access Trojan) attacks >> Behavioural biometrics
  5. MITB (Man-in-the-Browser) attacks >> Behavioural biometrics
  6. Social engineering voice scams >> Behavioural cognition

Behavioural Biometric/Cognition Solutions

Behavioural biometrics give digital payment apps an invisible layer of security that continuously authenticates users by analysing the unique ways they interact with their device: keystrokes, swipe patterns, scroll speed and so on. From this data the behavioural biometrics engine evaluates hundreds of parameters which, taken together, are extremely difficult for a fraudster to mimic. The result is continuous, passive authentication that can distinguish real users from fraud attempts while adding no friction after the initial login.

Authentication at login alone is not good enough without real-time follow-up. Behavioural biometrics let digital payment apps authenticate users continuously, an approach that is especially useful for detecting malicious bots, RATs, hijacked sessions and other automated attacks that run on stolen but valid user credentials. With fraud attacks growing in both volume and sophistication, the need for passive, frictionless continuous authentication is becoming evident. A typical implementation is specified as follows:

  1. Data collection methods:
     a. Mobile screen touch
     b. Web scrolling
     c. Device details
     d. Keystrokes

  2. Information collected for behavioural scoring:
     a. Interaction preferences
     b. Use of shortcuts
     c. Swiping
     d. Data entry attributes
     e. Speed of keystroking
     f. Press size
     g. Segmented typing
     h. Mistakes in typing
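As an added example (not code from the original article, from NPCI or from any vendor), the following Python sketch shows how three of the inputs listed above, speed of keystroking (key dwell and flight times), press size and mistakes in typing, can be turned into a behavioural profile at enrolment and then scored continuously against later sessions, as the two paragraphs on continuous authentication describe. The `KeyEvent` format, the feature set, the `FEATURE_FLOOR` spreads, the z-score-to-fraud-score mapping, the `decide` thresholds and the `synth_session` sample sessions are all assumptions constructed for the example; a real deployment uses many more parameters and a trained model rather than plain z-scores. The automation check is the part that catches RATs and bots: keystrokes injected by software arrive with machine-regular timing that a human hand does not produce.

```python
"""Keystroke-dynamics profile and fraud score.

Added example: the event format, features, floors, thresholds and sample
sessions are assumptions made for illustration, not a vendor's or NPCI's design.
"""
import random
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass
class KeyEvent:
    key: str           # key label; "BACKSPACE" marks a typing correction
    down_ms: float     # key-down timestamp in milliseconds
    up_ms: float       # key-up timestamp in milliseconds
    press_size: float  # touch contact area reported by the screen (assumed units)


# Minimum spread per feature so a tight enrolment set does not inflate z-scores.
FEATURE_FLOOR = {"dwell_mean": 5.0, "flight_mean": 10.0, "flight_std": 5.0,
                 "press_size_mean": 0.5, "error_rate": 0.03}
AUTOMATION_FLIGHT_STD_MS = 3.0  # human inter-key gaps jitter by tens of ms; injected input does not
Z_CAP = 5.0                     # cap on any single feature's contribution


def extract_features(events: List[KeyEvent]) -> Dict[str, float]:
    """Per-session features: speed of keystroking (dwell and flight times),
    rhythm regularity, press size, and mistakes in typing."""
    dwell = [e.up_ms - e.down_ms for e in events]
    flight = [nxt.down_ms - cur.up_ms for cur, nxt in zip(events, events[1:])]
    return {
        "dwell_mean": mean(dwell),
        "flight_mean": mean(flight),
        "flight_std": pstdev(flight),
        "press_size_mean": mean([e.press_size for e in events]),
        "error_rate": sum(e.key == "BACKSPACE" for e in events) / len(events),
    }


def build_profile(sessions: List[List[KeyEvent]]) -> Dict[str, Tuple[float, float]]:
    """Enrolment: per-feature (mean, spread) across the genuine user's own sessions."""
    feats = [extract_features(s) for s in sessions]
    profile = {}
    for name, floor in FEATURE_FLOOR.items():
        values = [f[name] for f in feats]
        profile[name] = (mean(values), max(pstdev(values), floor))
    return profile


def decide(score: int) -> str:
    """Business rules (assumed): step up rather than decline in the grey zone."""
    if score >= 80:
        return "DECLINE"
    if score >= 50:
        return "STEP_UP"  # e.g. ask for PIN/OTP again instead of rejecting outright
    return "ALLOW"


def score_session(profile: Dict[str, Tuple[float, float]],
                  events: List[KeyEvent]) -> Dict[str, object]:
    """Score one new session against the profile: 0 = matches the user, 100 = not this user."""
    f = extract_features(events)
    z = {n: min(abs(f[n] - mu) / sd, Z_CAP) for n, (mu, sd) in profile.items()}
    if f["flight_std"] < AUTOMATION_FLIGHT_STD_MS:
        # Scripted or remotely injected keystrokes (bot, RAT) carry no human jitter.
        score, reason = 100, "machine-regular timing"
    else:
        score, reason = min(100, round(100 / Z_CAP * mean(z.values()))), "behavioural deviation"
    return {"score": score, "decision": decide(score), "reason": reason, "z": z}


def synth_session(rng: random.Random, n: int, dwell: Tuple[float, float],
                  flight: Tuple[float, float], size: Tuple[float, float],
                  err_p: float) -> List[KeyEvent]:
    """Constructed sample data (not a real capture): Gaussian timings and sizes."""
    events, t = [], 0.0
    for _ in range(n):
        key = "BACKSPACE" if rng.random() < err_p else "x"
        up = t + max(1.0, rng.gauss(*dwell))
        events.append(KeyEvent(key, t, up, max(0.1, rng.gauss(*size))))
        t = up + max(1.0, rng.gauss(*flight))
    return events


GENUINE = dict(dwell=(90.0, 15.0), flight=(180.0, 50.0), size=(4.2, 0.4), err_p=0.03)
IMPOSTOR = dict(dwell=(160.0, 20.0), flight=(350.0, 90.0), size=(6.5, 0.5), err_p=0.12)
BOT = dict(dwell=(20.0, 0.0), flight=(50.0, 0.0), size=(1.0, 0.0), err_p=0.0)


def demo() -> Dict[str, Dict[str, object]]:
    """Enrol the genuine user on five sessions, then score three new sessions."""
    rng = random.Random(2020)
    profile = build_profile([synth_session(rng, 40, **GENUINE) for _ in range(5)])
    return {name: score_session(profile, synth_session(rng, 40, **params))
            for name, params in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("bot", BOT))}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:9s} score={r['score']:3d} {r['decision']:8s} ({r['reason']})")
```

Running the script prints one line per session: the genuine user scores low and is allowed, the human impostor scores high on almost every feature, and the scripted session is declined on timing regularity alone before any profile comparison matters. The `STEP_UP` band is where a deployment would ask for a PIN or OTP again rather than reject the transaction, which is the main lever for keeping false positives from turning into declined payments.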

The collected information is used to build a behavioural profile of each individual, from which the model predicts a fraud score within a defined range, mapped to a probability according to the defined business rules. Some of the major contexts that can be used for profiling:

  • Various web services track clicks and mouse cursor activity on web pages and search engines, but on touch-based interfaces such as smartphones there is no cursor, and touch events alone do not reflect user interest accurately.
  • On small screens, users move the viewing area left-right and up-down to read through the text. Users also zoom in/out to switch among overall layout and enlarge the content of the page to be examined. Thus, tracking these user behaviour metrics creates multiple insights.
  • The viewport can be used to track which areas of content the user views and how long the user spends in each area, through bounding boxes and heat maps. This produces a visualisation of the parts of the web page the user focused on.
  • A short dwell-time in a particular region indicates low-user interest, while long dwell-time indicates the user read through the written content in the region.
  • The information can be used for advertising, user profiling, and web-page analysis.
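As an added example, not from the original article, this Python sketch implements the viewport tracking described in the bullets above: each scroll or zoom event defines a visible bounding box in page coordinates, the time until the next event is attributed to the page regions that box covers (weighted by how much of each region is actually on screen), and the result is summarised as per-region dwell times, a low/medium/high interest label and a text heat map. The `SCREEN_W`/`SCREEN_H` viewport size, the `PAGE_REGIONS` layout, the `interest_labels` thresholds and the `SAMPLE_EVENTS` sequence are constructed assumptions for the example.

```python
"""Viewport dwell-time tracking on touch screens.

Added example: screen size, page regions, interest thresholds and the
sample scroll/zoom sequence are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Box = Tuple[float, float, float, float]  # (x0, y0, x1, y1) in page CSS pixels
SCREEN_W, SCREEN_H = 360.0, 640.0        # assumed phone viewport at zoom 1.0


@dataclass
class ViewportEvent:
    t_ms: float  # time at which this viewport became current
    x: float     # page x of the top-left corner of the visible area
    y: float     # page y of the top-left corner of the visible area
    zoom: float  # pinch-zoom factor; at 2.0 the screen shows half the page width


def visible_box(ev: ViewportEvent) -> Box:
    """Bounding box of the page that is on screen for this event."""
    return (ev.x, ev.y, ev.x + SCREEN_W / ev.zoom, ev.y + SCREEN_H / ev.zoom)


def overlap_fraction(box: Box, region: Box) -> float:
    """Fraction of a region's area that lies inside the visible box."""
    bx0, by0, bx1, by1 = box
    rx0, ry0, rx1, ry1 = region
    w = max(0.0, min(bx1, rx1) - max(bx0, rx0))
    h = max(0.0, min(by1, ry1) - max(by0, ry0))
    return (w * h) / ((rx1 - rx0) * (ry1 - ry0))


def dwell_by_region(events: List[ViewportEvent], regions: Dict[str, Box],
                    session_end_ms: float) -> Dict[str, float]:
    """Attribute the time each viewport stayed current to the regions it showed,
    weighted by how much of each region was on screen. Events must be time-ordered."""
    dwell = {name: 0.0 for name in regions}
    ends = [e.t_ms for e in events[1:]] + [session_end_ms]
    for ev, end in zip(events, ends):
        box, dt = visible_box(ev), end - ev.t_ms
        for name, region in regions.items():
            dwell[name] += dt * overlap_fraction(box, region)
    return dwell


def interest_labels(dwell: Dict[str, float], low_ms: float = 500,
                    high_ms: float = 3000) -> Dict[str, str]:
    """Short dwell means low interest; long dwell means the region was read."""
    return {name: "low" if d < low_ms else "high" if d >= high_ms else "medium"
            for name, d in dwell.items()}


def heat_map(dwell: Dict[str, float], width: int = 30) -> List[str]:
    """Text heat map: one bar per region, scaled to the longest dwell."""
    top = max(dwell.values()) or 1.0
    return [f"{name:8s} {'#' * round(width * d / top):<{width}} {d / 1000:5.1f}s"
            for name, d in dwell.items()]


PAGE_REGIONS: Dict[str, Box] = {  # constructed page layout, top to bottom
    "header": (0, 0, 360, 120), "offer": (0, 120, 360, 520),
    "terms": (0, 520, 360, 1400), "footer": (0, 1400, 360, 1500)}
SAMPLE_EVENTS = [  # constructed session: read the top, skim the terms, zoom into the offer
    ViewportEvent(0, 0, 0, 1.0), ViewportEvent(4000, 0, 500, 1.0),
    ViewportEvent(4500, 0, 1000, 1.0), ViewportEvent(4800, 0, 200, 2.0)]
SESSION_END_MS = 7800


def demo() -> Tuple[Dict[str, float], Dict[str, str]]:
    dwell = dwell_by_region(SAMPLE_EVENTS, PAGE_REGIONS, SESSION_END_MS)
    return dwell, interest_labels(dwell)


if __name__ == "__main__":
    dwell, labels = demo()
    for line in heat_map(dwell):
        print(line)
    print(labels)
```

In the sample session the user spends four seconds on the top of the page, scrolls through the terms in under a second, and then pinches in on the offer block for three seconds; the offer and header come out as high interest, the terms as medium and the footer as low. Weighting by visible fraction is what makes zooming informative: at zoom 2.0 only 40% of the offer block is on screen, so the three seconds count as 1.2 s for that block rather than as time spread across everything nearby.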

Challenges in implementation

  1. Data privacy: the behavioural data collected is personal data, and collecting it without consent and minimisation is a privacy violation
  2. Strong business rules to limit false positives, which would otherwise reject many legitimate transactions
  3. Continuously adding context to the rules, using the model's own outputs as well as inputs from the external ecosystem
  4. Deployment on a third-party server, which moves sensitive behavioural data outside the payment provider's own infrastructure
  5. Added latency in the transaction flow

Conclusion

User identification is a fundamental but still open problem in mobile computing. Traditional approaches rely on user account information or browsing history. However, such information can pose security and privacy risks, and it is not robust, since it changes easily, e.g., when the user moves to a new device or uses a different application. Monitoring biometric information, including a user's typing behaviour, tends to produce consistent results over time while being less disruptive to the user's experience. Furthermore, mobile devices carry many different sensors, so rich biometric information about users can be collected simultaneously. Thus, monitoring biometric information appears to be quite promising for mobile user identification.