Webinar Recording

Combatting Fraud Proactively With Behavioral Biometrics


Log in and watch the full video!

Digital businesses are facing an increasing onslaught of fraud enabled by malware, social engineering, and other cyber criminal activities. Strong authentication is essential, especially in the context of PSD2, but it can be challenging to achieve without adding friction to the user experience.Join security experts Martin Kuppinger, Principal Analyst at KuppingerCole and Olov Renberg Co-founder and ​VP Business Development & Strategic Partner at BehavioSec​ as they discuss the security and regulatory challenges faced by financial institutions and other organizations doing business in the digital era, and explore the value of behavioral biometrics in addressing them.

Martin Kuppinger explains the importance of identity verification and why fraud detection needs to be fast and accurate. He also shows the importance to business of continuous, zero-friction authentication, and how this can be achieved in a reliable and trustworthy way. Olov Renberg explains how behavioral biometrics is being used to prevent banking trojans in Switzerland and how the technology can be used to find malware and spot fraud within Open Banking Payments Initiation Service Providers (PISPs) in a GDPR-compliant way. 

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Welcome to our coping co webinar, combating fraud proactively with behavioral biometrics. This webinar is supported by behavior sec. The speakers today are rebar who's, vice president business development, and one of the co-founders of behavior sec and me Martin Ko principle Analyst at co Cole call. Before we dive into the subject subject of, of today's webinar, I quickly want to, to highlight some of the upcoming our call events and do some housekeeping, and then we'll directly dive into the theme of today's webinar. So we have a, a number of Casey life virtual events in 2022. The first two will be around privileged access management and around zero trust taking place in February and in March next year. And then from May 10th to 13th, we, again, we run our European identity and cloud conference in Berlin. This time, this will be a fully hyper event where you can attend Berlin or you can attend remotely online.
It's the flagship event that it's the most important event is the management gathering in Europe. So don't to be there from a housekeeping perspective, audio control. First, your muted central is you don't have to care about this. We are running pulse and the first one will be quite quite soon. At the beginning of this webinar, we will do a Q and a session by the end and last and least we are recording the webinar and we will provide the slides for download as well. So everything available then right after the webinar. And so we further I do let's get started. And the thing I I'd like to start first with is, is a poll, looks a little bit more about concerns and, and hope that so the insights that you get during the webinar might be able to, to reduce some of these concerns or to, to trust them fully mitigate such concerns.
But what would I like to ask you is to, to say, okay, what, what is your number one concern when it comes to this idea of behavioral biometrics, more fear of performance down creating authentication is a lack of user acceptance, or might it be concerns of your workers council? So I'm from Germany and we have this a lot, or might it be more too many, the fear of too many false positives or false negatives, or is it just, you don't have concerns. So let's get this poll started and looking forward to your responses. So please vote now.
So I give you another 10 to 15 seconds here. Okay. Another few seconds. And then we'll close up, Paul. So thank you with that. And as I said, further, I do is that further I do let's look at the agenda. So in the first part, I'll talk about the future for authentication, fast, accurate, accurate friction free, and also how behavioral biometrics play into this. And the second part, all of Berg of behavior cycle will talk about how behavioral biometric helps banks the matters in fraud reduction. And then as I've said, we will do our Q and a. We also will time allows, have a look at the polar results. So this is what we will do then in the, the closing part of this webinar. And so, so when I look at where's authentic heading, then I think all this is related to, to the identity fraud, risks, the risk in general, general speaking around identity identities, identity, takeovers, or account takeovers, other types of identity, fraud and attacks are very common as an attack vector to organizations.
And so what we, what we observe is that there's cause a growing demand on how can we make authentication more secure? And I think an interesting indicator here has been that the us CS a, so there, their cyber security agency, which is responsible for guidelines, they just recently declared for instance, a single factor authentications or trust username password, for instance, as a bad practice. And, but even a stronger authentication is, is not easy. And we have a couple of challenges. It is, is Martin really the one when we all bought him Martin, the one who's returning and Martin still on his computer or on his device, or that this device has been, or the session has been taken over someone else. So we have a couple of stages we need to look at and we need to look at how can we do this? Well, how can we do this as good and strong as, as possible?
And I'd like to start with, with one thing, which is always verified. This is the term you, you, you probably have heard the context of zero trust, so don't trust, but always verify and doesn't specifically relevant to the identity. So, so don't trust, trust, verify, verify as much as you can and simply asking for user password or for one of those certifications and let everything happen. Trust might not be enough. It might trust, not, might not be sufficient. And this is where, where we need to think about how can we make it better. Identities are at the forefront security attacks user, as I've said at user identities. So, so verified identities are essential. And it's interesting. So, so when I look at broad reduction and, and we just recently published the update of our, of our leadership on fraud reduction and intelligence platform insured, and most of the, the technologies used in fraud reduction, or many of these are related to the user behavior.
So it is analyzing the user behaviors. It's still the same behavior, still the same type of access. It is the behavioral biometrics, passive biometrics. So behavioral biometrics being the interesting part where you look at it's the way the use of uses the keyboard or swipes the smartphone is the same that the user always has. And they are interesting. And all of will elaborate in this. They're very interesting difference between different types of users in the, whatever the power or someone puts on the class, the speed of swipe and all these things. And so we have a lot of things, clearly there's other areas like bot intelligence, credential intelligence, device intelligence, but even there, it is not, not rare that it related to is biometrics. Like when we look at improving a writing or some behavior stuff. Cause when you look at, for instance, bot intelligence, a bot behaves different than a human.
So it's part of a behavioral analyzes, a behavioral intelligence thing, which comes in here. So we, we, when we look at what already is reality, then the behavior, as well as the biometric are important factors and the biometric behavior clearly is a specific interest because it's about really sort of what is the user doing just now? So this is clearly a very, very interesting thing to do. The other thing, when we look at our, it must be fast. You talk about at speed because when, when, when things are slow speed during onboarding not only authentication, but also onboarding or during recurring authentication, I think people hate most is things that, that slow down pro processes. So if you, for instance, for every authentication to a financial service would have to proof again, by, by looking into the camera of your smartphone that you're marked in and that you're alive, then that is not a positive user experience.
So we need to think about how can we make this better? How can we make this sort of, nonintrusive less visible and fast if you're sitting in front of the computer and wait until the altercation has happened, it is also something which, which doesn't increase user acceptance. So optimizing process keeping drop off and churn rates low. These are things where good, seamless, convenient ation plays, but on the end it also must be accurate. So we have all this false positive and false negative thing. So both are not good. Both are a problem. So false positives where you say, okay, this probably not Martin, even while it's Martin, they are negative because Martin might be annoyed. Say, oh God, I go to another bank or whatever false negatives where Martin is not Martin, but it's the bad guy or the bad girl. And the background using Martin's account are, are increasingly they are, are equally negative.
They increase risk. So those are problematic. I think false negatives are worse. I I'm put it wrong here at the end. Those are negative. You, you must minimize them. And it's very important that you do this well. And it's also interesting to look at when you look at numbers of banks and probably all of will cap up with that and look at how much money is spent in processes and business processes for calling to users. So I just recently had it with my, my bank. I, I just made a, a prepayment for, for vocation in Switzerland. And my account manager from the bank called me and she said, oh, did you just do it? Manage transfer to a, to a Swiss bank account, a lot of effort at a bank. And I have to take a phone call, answer questions, etc. And all these things, which are not normal, which are anomalies, which require a verification, cetera, they are not good.
So to speak, what we are talking about is zero friction. What I want to have now authentication is zero friction. It should be smooth and it should work everywhere. I should maybe even have options and stuff like that, but it should be smooth. And things that work in the background that increase the level of security in the background, without whatever requirement we need to take by smartphone and look into the camera or in these days, everything which is, is, is just face recognition. Sometimes doesn't work well when I'm traveling by train face recognition is, is really not the ideal way to do it because it would require me to take off the mask and I'm obliged to wear the mask. Good thing is my, my notebook has also fingerprint reader. So I used that one and, and it's fine. But zero friction is, is really appointed.
The cool thing is today. Today we have the option, not just to balance convenience and security, balancing convenience, and security is the wrong approach. It is. It means convenience goes down while security goes up or security goes down for improved convenience. That's not a smart thing. What we need is both. We need to bring up both convenient and secure. We can do that when we utilize modern technology, because things like behavioral biometrics, behavior and analytics can run the background, they can increase security without sort of interrupting the standard process user expects without so to speak annoying user. So what we need to do this is the modern way to do it is combining convenience and security. We need to get more secure, no doubt about it, but we also need to ensure that things are getting smoother and smoother because users are used today, fingerprint on the iPhone or face recognition here, or there are used to approaches that are convenient and last or least authentication must be super reliable.
So it's the always on thing. It is the forefront of your business. If authentication doesn't work, the door is closed for whoever comes in, whoever you want to, to, to authenticate who, who whomever you want to onboard wherever you need this verification, if it doesn't work you're in trouble. So reliably abilities is, is, is, is key. It's about doing things very efficient and it effective. So it must always work. There must be not a bypass to weak commercial down and it must not interrupt business process. So when we look at this, we need to ensure that this works well, that it works reliable, that it also works different wise. There are a ton of other challenges we are facing there, but, but I strongly believe that that certain elements of the technology we have today, like a lot of stuff around path or less authentication, well, behavioral biometrics that works seamlessly in the background can greatly sort of improve our security post post when it comes to, to everything which is related to in the broader sense, identity broader, this is a challenge we are, we are having.
And I want to add one thing. It's not only a challenge for banks or other financial services, or maybe for e-commerce. It is a challenge. We have everywhere in every organization. So we really need to think about how can we make secure things better when it comes to identity related attacks in the broadest sense and most attacks are of that time. So there is a little bit of my, and my perspective on that. And so I hope it gave you some, some interesting insights, at least right now, after a second poll, I will hand over to all of the TV dive way deeper into the details than I do. But before we do that a second poll, and I'm curious about the status of your organization regarding bio behavioral biometrics. So are you using it? Are you blending it or rolling it out trust now, are you saying maybe after that talk oh, worse to look at or do you just say no, not a topic for me, so please vote here. So another few seconds. So come on. Okay. I think we can close the pulse. Thank you for participating. And with that, I had over to Ola.
Thank you, Martin. Really interesting insights. I think it's, you know, hopefully I will get this into the, the topics that you brought up. I think it's very similar of, of course, you know, talking a little bit, of course, to your framework and you know, about paper biometric and why we think this fits very well in the, the seamless new world that we sit in. I think it's, it's obviously I'm speaking on my own behalf, but we're very chief proponent of the idea that the paper mattress can solve a lot of the dishes that you brought up and also make sure that everyone is happening and safe, which is important. So yes, a quick introduction. My name is I'm one of the co-founders of behavior. And we started in, in Sweden, north Sweden, but I stayed in Stockholm, Sweden. Now, today we are a global company, so we are sped out a little bit.
So we have headquarters out in San Francisco in the USA. So a lot of the, the details that I have in the slide is actually from the us perspective. But like I say, we are also based in, in Europe, we have operations all across Europe, as well as in Asia, where we operate, we serve around 200 million users and that is, you know, our client users. You have to remember, we, we don't serve the users ourself, but, but we protect, I would say 200 million users. And also a lot of transactions we quote here around 30 billion, but of course can be more, but what's important. I think we're gonna talk about a lot about today is exactly, like I said, how do we make, you know, force processes goes down, but still maintain high level of security for all these clients across the globe. That's what I will do.
So the reason we start a behavior sec and where it kind of comes from is the idea that the current kind of checks for, for all is know not really enough. And it's a little bit going back to what you were saying, Martin, that, you know, we need to balance convenience. Right. And a lot of the checks was focused more on maybe the device, right? So you had something that we're looking at device coming into your channel saying that, Hey, do we trust this device or not? And yes, of course, that's also part of, like you said, the behavior in itself, but we thought that it's more important to actually look at the user that's coming. And that's where we come in. Of course. And also the, a lot of the shacks were slow, which means you couldn't act in kind of real time and make decisions before it was too late.
So you weren't able to kind of prevent these losses. And that's also something that we built all system to be, be very accurate and fast, and also accurate is important because you don't want to create all these false positives and false negatives that you brought up. And that's why, because if you have too many of these, you have score overflows, you have, you know, alarm overflows, then you can't really focus on the one that will actually prevent the attacks that are gonna hit you. And that's where we think, of course, that behavior biometric comes in, that it protects against these more complex attacks. You know, that you're starting to see now with social engineering. I think you talked a little bit about vision, you know, we're talking about how people being coached, but also in the same time. Exactly. Like you mentioned, you still need to prevent bots, you know, machine coming into your site as well, non human behavior.
So to say, or prevent crunch, stuffing attacks, traditional ATO attacks, cetera. So behavioral biometrics, we think of course, you know, fits it very well into these whole attack vector that you see. And because it's an ever increasing to use the word, I guess now pandemic, pandemic, what I would call it. The problem with fraud is that it's probably not going to stop. It's just going to accelerate. And this, like I say, taken from the federal trade commission in the us. But I think we see the same in all across Europe and other places where people are working with this on a day to day basis, it is a flow. It is not going to stop because of the pandemic. It has even gotten worse. Right? I think we're all aware of that. And I'm not going to go into details and on these numbers, but we also seeing that criminals are now switching over to, to, to a more scams, because it's easier because you can do it digitally.
You can do it remote. You have to remember. They're also remotely working here in, in the new, in, in new kind of world that we're living in. So, so it gives them a, can be in a very nice, comfortable environment to still get the money out of their accounts. That's why we're here to stem. We actually have our publish a blog about it. But what's interesting is that we also see the same, like I said, this is the American perspective where the consumer financial protection bureau have said that anything that, that comes like an electronic fund transfer, even though that the user is being lured to give away the credentials is being wished being fished. What have you, if they give away the credentials should still be the bank's responsibility to make sure that they will get the money back. And this is a little bit different in Europe right now, but I think, and I think we might all going to see a change in this because how much, you know, are we going to push on the consumer?
Are we going to make sure that they need to have and be a hundred percent security aware? I think we're all that are working fraud, working security. We totally agree. But we also have to remember that they are consumers, you know, exactly like Martin said, they want to buy goods online. They're not thinking. And we clearly see that a lot of these scams and attacks are happening on a day to day basis. I mean, if you turn on the news, like say these are American news, but if you turn on, you know, German news, if I turn on the Swedish news, it will be the, and it's, we have to remember that we obviously are, you know, selling new technology, but you have to remember the fraud service also always using bleeding edge, new, secure, and new technology, not secure new technology to capture this information.
So they're making, you know, even more advanced bot that will intersect this one time passwords or, you know, inject stuff automatically via your mobile phone or, or your web browser, etcetera. So we have to always stay one step ahead. And we think obviously that we sack and be biometrics is that solution. And the reason for that, and this is, you know, traditional the OOC, you know, that what I'm trying to pitch in the far right corner. Right. But, but think about it. If you have the kind of triangle of something that needs to be good user experience, it needs still to be secure. And also it needs to be everywhere. So that's where we come in. We are a software, right. You know, compared to, to some of the, the, the, the ideas behind, you know, other tokens that you're holding in your hand, for example.
So it's easily to distribute everywhere. And if you compare this to, to, like I said, to a pin code, you can layer it over it, which makes even the pin code even more secure. And we saw us in a different slide or the earlier slide that, you know, these SMS can be, of course, SMS OTBs can be captured. They can be SIM swapped. We all know the attack vectors that's out there. So it's really important. We provide this kind of invisible, new protection layer for consumers using and trying to buy goods and use online banking. So that's where we come in and we created this idea about continuous authentication and the continuous authentication is protecting the user from when they come into your service. So when they're onboard, when they do new accounts, when you set up a new account, basic look for kind of changes for anomalies from the normal uses that have sign up, of course, automation as well.
You would see if they inject stuff, if the copy and pasting of course, information, that sort of stuff. But once they actually go in and try to use the login credentials that they might have fished behavioral biometrics will have this unique profile. So we compare my behavior against the fraud, right? So when the fraud tried to act like me, be, would say, this is not the right person trying to log in, and then you can take action on it. And even like I said, even those kind of things swap attacks or fish credentials are Reed useless for them. And of course, then they try to go in later in the channel. So maybe they get you to log in and get the right person to log in. They deploy complex social and area attacks, or even use malware androgen, trying to inject man and browser man and involve their men in the middle stuff.
And that's where, where behavior is also where successful or behavioral and biometrics is very successful that we can detect these kind of changes because in remote access, you know, your behavior will not look the same because they, they are moving the mouse. You are not moving the mouse on the screen, or in some cases today, just trying to tell you what to type in. And when they're telling you to type in, you will have to think about it and type much differently than you're doing your day to day banking day to day payments online. And like I said, the idea is not just to prevent this bad attacks, but also to reduce friction, meaning that it's very good. If you, as a consumer, you know, don't always have to be stepped up whenever the, the, the behavior looks okay. Is it now really the time exactly Martin said to get that phone call, because if it actually is you, why should they then force you to verify that?
And that's where we come in. I'm gonna give an example of that, how we actually used a lot of friction from one client of ours without fortune to mention the name, but that's how it is with this kind of webinar. So how does this be biometric technology work? So we have a te knowledge that I said you deploy either on, you know, on the online channel or on your mobile phone. It captures the key stroke timings, how long you hold down a key and release and go to next one. So not the speed. Think more of the rhythm, how you move a mouse, how do you diverge up and down from straight line deflection, the mobile channel, you know, you get various more signals coming from the device itself. You get, how are you press on the screen? And you get how you hold the phone when you do in that.
And of course accelerate the readings. And, and you can also of course tell if they're on the phone and trying to bank at the same time, which could be an indicator. So a lot of interesting stuff can be gathered for that, from that. And then you also have, of course, the environmental factors that we take in from the device data, that's there maybe looking for, you know, VPN, exit points, tour, exit points, the sort of stuff that, that will probably indicate some level of, of shady behavior. So to say, but do not worry if that's your normal behavior like me sitting behind a VPN when, when I'm working and that will be a part of your normal behavior. So it will own the flag when you're changing it and doing anomalous. So to say, do not worry about that. So I think this is a, just a simple explanation or, or what we do, right?
So if you take something that is as easy as an upwards swipe on a mobile phone, you think everyone does the same, right? You know, you swipe upwards and it looks the same for everyone. But if you actually start applying these metrics on top of it, like we say, the length of the swipe, the pressure or hard press on screen, we are doing the curvature of the swipe. And also of course, the speed. Then you can start grouping the behavior. You can tell very easily that Martin would swipe differently than UDA would do on his online bank or on his phone. So to say where we're embedded. So what is so different between be biometrics supplied by be? And I think the really core here is that we look for these unique profiles. You know, we create one profile for Martin. So whenever Martin is logging in, we verify against that.
Of course we don't know that Martin that's all on the customer channel, but it's important to know that we are in that sense of behavioral biometric, that we compare embarrassed by that user coming in from channel. If it is the right person, if it is the same person that it's going to be authenticated. And we provide that in real time. And of course you get immediate value, even though we don't, haven't learned Martin yet, you know, we still would detect the, any sort of automation. A lot of, you know, S are also very quick at adapting. So for example, you know, the might deploy bots, of course, they might use this kind of remote access tools that I mentioned to lure you out new money, pretending to be say a Microsoft support. I think we all heard that one, but not just that. We also see that we're using screen scraping FinTech applications to able to wire mine out from accounts to get instantaneous payments out of your bank.
So it doesn't take time to move some mul accounts, etcetera. So they're really using the latest trends into getting the money out. So it's important to also use the latest technology to protect against it. And I think compliance is of course, one factor of it. We all know that you need to have secure customer authentication, need to have strong authentication, something, know something happens, something, and data comes in as the, the inheritance factor, the, the, the behavioral component in that biometric. And the idea about continuous. It's not just when you log in, it's not just when you're authenticated, it's all the time until you actually leave the service, right? So you have to think about it like this constant protection going on. Whenever you're trying to do something online that has behaviors that enabled it'll constantly make sure that it is the right person doing everything until they log out and leave the service.
And this is fully made out API. So it's signed for automation. I mean, you can automate everything that's going on. So it's not us that will sit there and tell you how to do it will in real time and make decisions and report to the systems that you want act on the policies that you tell it to, or the, that you implement yourself. And it's also complimentary, which means that we're not trying to rip and replace what you already have in terms of risk engines or big data analysis tools we're feeding into those. So, which means that if you are already using some tools that you were happy with, we will just make a signal into it and it will make it much better and actually map much more accurate. And we give a couple of examples of that as well. So what you need to do in order to, to capture or get EK sense up and running, while you first and foremost, you need to install the collector inside your application or choice being either a mobile phone.
I can mention application to use our SD SDK for IRS or Android, or on the web application. You would use our JavaScript SDK, what that does, that they would send the behaviors according to formats, of course, over to what we call data sounds. The background be sense will do a calculation in real time, you know, create this unique user profile, or if it's already has the user profile, it will compare against it and deliver back these scores saying that, Hey, we believe it is all low with a 99% accuracy. And then also apply risk to it. If there are certain flags or something that looks odd compared to my normal day to day behavior. And like we mentioned, you can apply that into your existing risk or whatever you're using in the backend. We obviously have a number of platform partners that we support out the box, but what's important here is that you can use anything that you are aware, it familiar with all red.
So I think now we're gonna tell you a little bit what customers use it for or how they benefit from it. I think really important here is that you have to remember that we cannot mention names, but a lot of our clients, you know, are very successful financial services. They have really huge large base where, where they're, they're trying to support multiple things. They have authentication already in place, strong authentication. Normally. I mean, that depends on, but a lot of the rules is you need to have strong customer authentication as Martin mentioned earlier, but still, you know, frauds are not stupid. So they lure phishes credentials out, username, the passwords, those be tokens. What have you, they might deploy malware against you as a financial services. They might use this more advanced social engineering Schutze attacks. But what we can see quite quickly is that whenever someone deploy, this is what this kind of graph is trying to tell you that the fraud losses will go down.
And that's what happened with all the clients that is currently using in just the first three years. They have to move probably to some other bank, which is always unfortunate. If there is someone that is unprotected, then we go for that one because we will make it too hard for them to get any sort of money out of that bank. So they will probably move somewhere and try other schemes on other unprotected sites. But what's important here is not just a fraud reduction, but also reduction of false positives, which is something that we're very proud of. So you might have in like say different risks that are being brought up and be said, what we do is we layer over that and we tell you that if the behavior looks good, you can let this one through or in the opposite way. If you know, the bay looks bad, you probably should now do that phone call and step it up.
But in general, we can actually reduce multifactor step, you know, using that OTP token and using that multifactor authentication that you have, we can reduce it by over 88%. We've seen in a number of clients, but this is an example from a client when they deploy basic, for example, they were targeted by specific matter bank Trojan that is targeting them because they have obviously a lot of money inside the bank. There, they have high net worth individuals, for example, and that is a target for these kind of flow. And they still claim this is like say early on, but they still claim. There's not one malware that have not called. So you have to remember, we're not looking for the malware on the end point. We're not looking for that. We're looking when the malware risk trying to inject information or when the malware is trying to do things on your behalf.
That's when we detect it and, and fishing. All our clients say that they reduce fishing by a hundred percent like fishing is not a problem for all our clients. And then you have the more complex attacks. I mention the Microsoft support scam, very typical fraud pattern that we're seeing on a number of these banks, where unfortunately, the lure people that they're gonna help them with a computer, something is wrong, get them to install team, for example. And then, you know, either the fraudster self control, the screen might even black it out. Or in some cases, the fraudster are just telling the other one what to do, you know, set up this new digital ID, do this and that. And, but we will also detect these signs of using remote access tool. And we can prevent those kind of scams, advanced scams as well. So you have to think about coaching or social engineer, whatever you call it in some cases as well, they don't deploy this remote access.
And then we're looking for science or stress. Like, are you hovering over buttons? Are you, you know, like I say, are you bored? Are you typing with one hand, all sort of things that indicate this, or like I say, you loading your short term memory, you're typing birth compared to when you normally keying in that information inside your bank or in your online payment services. So how do you then become really successful with deployments? Like I mentioned, this is from a, a real client case where they could reduce the outbound phone calls by over 90%. And they deployed this simple metric. And this is, this is important because the, the C was very, they had both responsibility for authentication and fraud, meaning that they could design this, this may give themselves, but they said whenever risk signals and the behavioral biometrics looks okay, then we just step up inside the phone.
So you get the traditional, like step up that you might have used in the past saying that, Hey, was it actually you that performed this transaction? Or was it someone else or wasn't used so to same? And you do? Yes, no, but in, if both of us saying that something looks bad, both the transaction information looks shady and the behavioral does not look okay. We don't recognize it. Or there's high risk attached to it. Like I mentioned, with those remote access, et cetera, then that's when they call out the clients. So they could report enormous benefit in, in user experience that we're so happy about that they are not calling them all the time. Exactly. Like you mentioned earlier, Martin, in your presentation that, you know, you get fed up with these verification calls. And not only that, like say we also save a lot of fraud losses and in some, some, some clients, you know, like I mentioned earlier, that might be the consumer that is losing the money.
That is not the bank in certain areas like in Switzerland, you know, they are actually responsible for, for the fraud, lost us. And it's the same as you could hear in the, in the us where they're now changing into that mind mode as well. We can also reduce this multifactor step, you know, when you get the challenge and we use it ourselves, you know, when we log into services, EK, if it's looks like all of logging in, then of course you don't need that step up and you can, you know, then mitigate it and we can do the same on online payments. Cause we know a lot of these online payments, you know, where you get that 3d secure challenge, you know, is it really needed because we know like for example, NOx for, I am that a lot of these step ups is around. I think it's like 98%. I think visa said in a report, do you actually need to do that access step up all the time? Shouldn't you just do it when it looks risky based on, you know, that something looks old when I did the credit card information or when I typed in, you know, something on that, that merchant. So we do not just support financial and banks and we also support eCommerce deployments as well. So with that, I thank you for time and you to this webinar. I think we are for Q a
One point I'd like to bring up because I just recently had a, had an interest interesting discussion in the, in our Analyst cybersecurity council, which is a, a strict growing group of CSOs only. And we discussed about how to justify the cost of investments in cybersecurity and one product. He also has at least for a part of his job, he had a sort of a split role of being on one hand responsible for, for fraud and risk. And the, for traditional Caesar roles said it was way easier for fraud at risk to, to get the money. Because if you can say, okay, if we invest whatever 1 million and we get our fraud down at 5 million with a high likeliness, then the question might be only, do you want 2 million to get it on 10 million or something like that? So it is something where, where, where the willingness to spend clearly is, is a little higher because it's rather easy to explain, which I, I believe is very important for, for many of, of comes to, to convincing the, the owners of, of spending money for cybersecurity, even in these days.
Yeah. I think in the case we brought up, obviously, you know, you had 10 X cost savings in some of the cases, but, but not just fraud, like you mentioned, and that's where you need to then take into consideration the user user experience. How much is that worth, which is obviously, you know, it can always be, you know, if, if for example, you reduce SMS OTPs, you can, you can calculate on it because you know how much an SMS costs, right. But if it's just a user experience and, and, you know, you're switching to an app instead of calling up, you obviously save the, the on phone calls, which is, which is like, say very costly for both the bank and for the consumer or the user of the service as well. So, so I mean, it's, you need to take all this into consideration when, when you're doing it and, but user experience, I think digital, you know, experiences need to be calculated in part of it. And, but it's hard to measure, of course.
Yeah. So we have a couple of questions here and, and also again, to the audience, if you have questions, please enter them. The more we have the better, but, but I think we have, have two, two questions, which are related a little bit from different perspectives. So sort of one is I, I feel like, like my behavior changes a bit in the different situations. So when I'm tired, I might having might slow down for example, or the other question was around what is when I, for instance, get Parkinson and I will slow down. And many of my movements, which was leads to how, how well does it work for instance was so sort of that's for, for people with, with some disabilities. And it also might, might lead into something which is more, more technical. So for instance, when I'm in my home office, I, I just have a different keyboard than I have in my office. And when I'm on my notebook, it's again different. And when I go to the surface go the small one, it's, it's again different. So also really for some of the other devices, it might change with the device, at least my typing speed and the number of mistakes I make clearly depend a little bit on the keyboard and how, how much I'm used to it. So, so how do we deal with all these differences that might occur?
Yeah, I think one of the, of course the true answer is that, you know, we have done this over a long time period. You know, we're not just a new startup, you know, we've been doing this for more than, more than a decade to take in this data. Obviously we have, like I mentioned 200 million users where, where we've learned a lot over the years from, from our clients. Right. And what they're telling us, but the, the second answer to it is that, you know, we don't train, like we don't force you to do something. We don't tell you like Martin type this. And then we train on that. The idea is that it should just train invisibly, which means that you are, we're learning your normal day to day pattern. Right? So even if you are having smaller, you know, changes in your behavior that won't affect, like, for example, if you're moving from one keyboard laptop, and then you're all sudden using a bigger, you know, we, we won't tell difference, baby will still deliver probably, you know, a good score based on both of those two.
And we can see the same. We have device inheritance. You know, if, for example, we switching mobile phones, you know, they might have a different form factor, but also there is also similarities. So you, you know, if you pass the behavioral score, it'll learn this new device and say that, you know, there's device change and we will bind this new device to it. So it's actually, there is a, there's a lot of, you know, richness in this. So it's not just, you know, trying to make it really hard for you to switch devices. That's not the point the, the solution is built for, like I said, these, these millions of user deployments constantly. Right. And you have to remember like our users, in some cases, you know, they are switching devices all the time, the traveling, but we're trying to get rid, get away from these rigid rules for saying you can't travel and you can't, you know, switch device. We're trying to say what, you know, as long as your behavior looks the same, it's you're going to get in. So it actually is a positive, more than negative. I would.
Okay. Another question we have here is about that's your solution needs specific settings for different browsers like safari Chrome or so?
No, no, no. So it's, that's the case. It's just, you know, it's just, it will be there, you know, if your browser supports JavaScript, it will be there and then collect the, the behavior. So there is no real changes in safari or, or Chrome or what have you, we're agnostic to that.
Okay. So, so when we look at the deployment options, maybe can elaborate a little bit, little bit more. You said you as behavior, like only sort of, so you don't know exactly that it Martin. So, so how is this interface between, well here's Martin and here's the behavior. And, and so also I think this all important, for instance, when it comes to deployment models, such as the, the manager operations by behavior or the behavior psyched approaches. So maybe you can elaborate a little bit more on that.
Yeah, that's good. And I actually might have skipped over that in the kind architecture slides. It's really good that, that someone asked about it, but normally we do on-premise, which is also, you know, a really stronghold for, because we are, you know, on-prem in a lot of our clients, which means that they are operating and running this, which means that the time the, in the real time response we give back is based on, you know, what, what sort of data and what sort of hardware that they're deploying there. But, but secondly, as well, you know, we can also of course run it in the cloud, which is more and more becoming more and more popular, you know, it's, it's easier, you know, we can use any sort of VPC, virtual, private cloud, what have you to deploy it. But, but the idea between is that you shouldn't give, like I said, data to, to behave with, I mean, we can obviously host it for you in, in AWS or Azure or, or Google cloud. That's not the point, but the point is that you can rest assure that the data is safe within your, within your financial service.
Yeah. Sorry. I lost my voice here, I think. Yeah. So, so you, we offer, like I say, cloud hosting, virtual private cloud, or you can use on premise deployments.
Okay. A question goes back a little to, to probably to, to previous questions, but I think it's really important to understand. So a person accessing for a laptop and a mobile phone, isn't that person considered as being one user or two users.
I mean, that's also up to the integration that you do, but normally, you know, you tie the user ID that we don't know marketing, we don't know your user name. We don't know user ID or doesn't know it. So you need to tie it all together with the user ID, which should be unique. Right. But if you tie those together, essentially if you using, be sense, use the dashboard, you can see the market, you know? Yes. These kind of devices, you know, yes. He has his laptop. He has his mobile phones, one, you know, what, what, what you have and you get one profile for each. So you get one call, bigger web from that SK you will run from wherever mobile. And of course, if you have a tablet, you will have a tablet. Cause it's a different form factor as well. So, but it will be under one user if you do it correctly. And we of course supply this kind of information inside the developer. Porwal
Okay. And I think the final question I have here for now, maybe some come in, but one I have here for now is, and I think it's, it's a question you have heard quite a lot biometrics and behavior analytics, probably even more is a privacy concern for many consumers and users. So, so how, how is behavior assuring is concern is, is being considered and, and handled well.
Yeah, I think we're like a, we build behavior sec with privacy first perspective. And that's the idea about paper biometrics. Like I say, it's not, you know, a fingerprint or like say a face photo of you. It is this digital, you know, print about how you behave when you access that specific service. And as we mentioned, you know, we don't collect any PII from you. You know, we don't care about your, your ethnicity. We don't care about your, your political views of course. And none of that is captured, there's no context applied to it. So there is no PI collect that. And that print, like we mentioned, will sit at the bank and, and at their disposal or financial service or eCommerce providers. So, I mean, it's not us that are, is collecting this data and it's stored according them to the GDPR rules and, and being accessible and removal as well. Of course.
Okay, great. So I think we, we are done with the questions I think was very, very interesting. Thank you very much for, for explaining this. These were, I believe a lot of very valuable insights also demonstrating that we have quite a lot of options for making our authentication, our onboarding, our continuous authentication process during usage, more secure and reducing, mitigating quite a lot of the risk you're facing as organizations beyond by the way, beyond the financial services industry. So Ola, thank you very much for the time. Thank you very much to the audience for listening to this webinar. Hope to have you back soon to one of our auto webinars and yeah. Thank you. Bye.
Thank you. One more time.

Stay Connected

KuppingerCole on social media

Related Videos

Analyst Chat

Analyst Chat #122: How to Deal with the Increase and Complexity in Consumer Fraud

John Tolbert and Matthias discuss the question of whether companies in retail, finance, healthcare, insurance, etc. are really able to keep up with the scale and sophistication of attacks aimed at committing fraud? Are they considering FRIP solutions for specific use cases?

Webinar Recording

Prediction #3 - Identity Proofing & Fraud Reduction Everywhere

The pandemic has dramatically accelerated the shift to online transactions in most industries, with the financial industry as an example for a heavily regulated sector being in the forefront of a movement to establish a global standard that leverages the assurance level of online identity…

Analyst Chat

Analyst Chat #81: Fraud Reduction Intelligence Platforms Revisited

In episode seven of this podcast, John Tolbert and Matthias first looked at Fraud Reduction Intelligence Platforms more than a year ago. Much has happened in this market segment since then, and on the occasion of the release of the updated Leadership Compass, they look at the latest innovations.

Webinar Recording

Entering the Virtual World With Identity Verification

The way consumers access products and services across sectors has changed forever as interactions move from physical to digital engagement. What started as a change born from convenience, is now a necessity and solidifying into a long-term behavioural shift. As consumers choose to access…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00