Protocol | Fintech

Banks watch your every move online. Here’s how it prevents fraud.

How fast you type or move your mouse can help banks verify your identity. But the idea that financial institutions are monitoring customers this closely has drawn online backlash and regulatory scrutiny.

Person holds credit card in front of laptop

Banks can detect your mouse movements — and use that information to fight fraud.

Photo: Pickawood/Unsplash

In April, systems at the National Australia Bank watched as a customer tried to raise her account transaction limit from $20,000 to $100,000. She logged in with the right username and password and seemed legit, but recently-installed software detected that her behavior was significantly different from previous sessions.

"The way she was using her mouse looked different," Chris Sheehan, a National Australia Bank investigations manager, told Protocol. "The number of clicks on the mouse looked different. Her cutting and pasting details looked different."

The deviations were picked up by the bank's new BioCatch software, which led the bank's anti-fraud team to figure out that the customer was in trouble. She was on her cell phone with a fraudster and was stressed by the account changes he was coaching her to make. The team quickly called her landline to warn her and she put things to a stop.

The rapid rise of online banking has led financial institutions to embrace behavioral analytics, AI-powered technology designed to flag potential fraud based on a user's actions and even their mannerisms on a website. That trend has accelerated during the pandemic, though the widening adoption of the technology is coinciding with heightened worries about the use of AI in financial services.

This was highlighted last week when insurance company Lemonade faced backlash for bragging in a Twitter thread — which it deleted and apologized for — about its AI, suggesting that it's been able to boost profits by using AI to deny customer claims based on "non-verbal cues."

Watching for fraud

A behavioral analytics system records clients' website interactions and uses the data to keep track of them and verify who they are when they're online. Web browsers have long provided information about mouse movements and typing, though few internet users realize they're being surveilled in such fine-grained detail.

The technology is also used to flag user behavior that indicates an attempt to open fraudulent accounts using stolen identities.

Behavioral analytics provides another security layer on top of other forms of identification, said BioCatch CEO Howard Edelstein. In fact, the technology can be an even more powerful security tool at a time when Social Security numbers and other personal information — like your mother's maiden name or what street you grew up on — are now also vulnerable to hacking and theft.

"Every time they ask for knowledge-based authentications, I kind of laugh because everyone's stolen every piece of information," he told Protocol. "You mean you can't find out your dog's name or whatever? … You can get around deterministic things. You can steal them. Somebody's got it."

But behavior is tougher to steal or replicate with precision, he added: "The machines learn you, and they follow you. If you start changing your behavior too rapidly, it's an alert."

Logan Allin, managing general partner at Fin VC, which is an investor in Neuro-ID, another behavioral analytics startup, echoed this point: "Digital footprints don't change, and imitating or faking human behavior is next to impossible."

Jack Alton, CEO of Neuro-ID, cited examples of legitimate customers who would type in their information, such as their Social Security number, based on "long-term memory." On the other hand, a criminal armed with a list of stolen information would do it differently. "If I stole your credentials, and I tried to log in, even if I got your name and your password right, I'm going to do it at a different cadence," he told Protocol.

Anton Klippmark, a product manager at BehavioSec, said the company's technology could distinguish between a legitimate customer or a fraudster based on the user's familiarity with a specific task. A legitimate user would type a name and Social Security number with ease, but may take a bit more time filling out a bank routing number. A fraudster working with stolen information "can be the exact opposite."

"You're very familiar with the form, and with things most people don't know, like a routing number," he told Protocol. "That's stuff that a lot of fraudsters or criminals would know very well because that's their working environment."

Edelstein of BioCatch said the company's technology can even make an educated guess about a user's age based on how fast the person types, clicks on a mouse and moves the cursor on the screen. "Every year that you age, you slow down by about 12 to 15 milliseconds," he said. "If you're a 55-year-old card owner and you're typing like a 28- to 34-year-old, that's a fraud flag."

The BioCatch system also uses "invisible challenges." For example, the software collects data on how a legitimate customer would typically move a mouse whenever the cursor disappears. When there's suspicion of fraud, the software would intentionally make the cursor vanish and verify if the user is legit based on the person's reaction. "You might curse Microsoft for making the cursor disappear, but it's more likely than not [that it's] not Microsoft to begin with," Edelstein said, laughing.

Pandemic push

The benefits of behavioral analytics have been highlighted in the pandemic, when banks were forced to close branches and conduct business mainly online, and when there was also a dramatic spike in fraud cases. In the United States alone, more than 1.4 million cases of identity theft were reported in 2020, about double what was reported in 2019, according to the Federal Trade Commission.

But the growing adoption of behavioral analytics is also happening in a time of mounting concerns about the use of AI and big data technology in financial services. In April, five U.S. agencies, led by the Federal Reserve Board and the Consumer Financial Protection Bureau, announced that they were soliciting insights into the way banks and tech companies were using AI in financial services.

Privacy is a major worry. Companies like BioCatch, Neuro-ID and BehavioSec are required to comply with strict privacy laws in the U.S., Europe and other countries.

Edelstein of BioCatch said the company does not record detailed information about a customer: "We get a hash ID from a bank, and we basically make sure that whenever that hash ID is online, that his behavior is consistent with that ID."

Sheehan of the National Australia Bank said its customers always "know what we're doing," adding that privacy "is a legitimate concern and it's something we have to always pay attention to." The bank's privacy policy mentions collecting "information about how you interact with us when you use internet or mobile banking (such as information about how you use your devices)" but doesn't describe the detailed tracking that allowed it to catch the fraudster in the April case.

Guarding against bias

Bias in AI systems is another concern, underlined by the uproar over Lemonade's description of its automated claims process in which customers are required to "record a video on their phone and explain what happened."

"Our AI carefully analyzes these videos for signs of fraud" and is able to "pick up non-verbal cues that traditional insurers can't, since they don't use a digital claims process," the company wrote in a now-deleted tweet. This system "ultimately helps us lower our loss ratios (aka how much we pay out in claims vs. how much we take in) and our overall operating costs," it added.

Responding to the backlash, Lemonade subsequently acknowledged that "a poorly worded tweet of ours (mostly the term 'non-verbal cues') led to confusion." The company stressed: "We do not use, and we're not trying to build, AI that uses physical or personal features to deny claims."

Thomas Lee, an assistant professor at University of California, Berkeley's Haas School of Business, said using "tools to monitor and measure human behavior" is a widely-accepted practice in designing software products and services. But "we need to be judicious" about using such technologies for identifying and authenticating individuals, he said, especially when it involves "high-stakes decision-making."

Sheehan of the National Australia Bank said that behavioral analytics is a compelling tool in banking at a time when fraud is increasingly conducted by sophisticated, fast-moving global operations. Huge amounts of money can now be stolen from banks in a matter of hours and traditional anti-fraud tactics are often too slow to stop the fraud.

"While we might detect the scam, the money has often already left," Sheehan said.

Ray Wang, an analyst with Constellation Research, said behavioral analytics can also give banks and fintechs an edge by providing "decision velocity" — for example, by flagging fraud in real time "if I suddenly use my credit card for venues I normally don't use."

BioCatch has attracted the attention of top investors, including Bain Capital which put in $100 million of the company's $145 million series C round last April. The company has raised a total of $215 million.

The company's software is being used at more than 50 major global banks and financial institutions, including Barclays, HSBC and American Express. BioCatch "has led to more robust fraud detection during the online application process in the U.S." according to an American Express spokesperson.

Sheehan said BioCatch, whose software the bank began implementing in stages in late 2019, has helped the National Australia Bank save roughly $450,000 a month that it otherwise "would have lost to fraud."

The costs of using BioCatch can range from "a few hundred thousand dollars for a smaller bank to the low seven figures for a larger bank" that's using more capabilities, a BioCatch spokesman said.

The case of the National Australia Bank customer underscores the speed and brazenness of today's bank fraud operations, Sheehan said. The fraudster had managed to deceive the client into thinking that he was helping her resolve problems with her internet service and online banking connection.

"She was being coached and she was unsure about what she was being asked to do, and it was causing her some agitation," Sheehan said.

Even so, it was a close call. The BioCatch system assigns a score for every online session from zero to 1,000, with a score of over 900 flagged as "a high-risk event," Sheehan said. The customer had a score of 910. When a team member reached her on her landline, the bank rep could hear her talking to the fraudster on her cell phone, Sheehan said.

"He was telling her to ignore us and that she can't trust the bank," he said. "Fortunately, she did trust us."

With Andrew Bosworth, Facebook just appointed a metaverse CTO

The AR/VR executive isn't just putting a focus on Facebook's hardware efforts, but on a future without the big blue app.

Andrew Bosworth has led Facebook's hardware efforts. As the company's CTO, he's expected to put a major focus on the metaverse.

Photo: Christian Charisius/Getty Images

Facebook is getting ready for the metaverse: The company's decision to replace outgoing CTO Mike "Schrep" Schroepfer with hardware SVP Andrew "Boz" Bosworth is not only a signal that the company is committed to AR and VR for years to come; it also shows that Facebook execs see the metaverse as a foundational technology, with the potential to eventually replace current cash cows like the company's core "big blue" Facebook app.

Bosworth has been with Facebook since 2006 and is among Mark Zuckerberg's closest allies, but he's arguably gotten the most attention for leading the company's AR/VR and consumer hardware efforts.

Keep Reading Show less
Janko Roettgers

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.


Keep Reading Show less
Nasdaq
A technology company reimagining global capital markets and economies.
Protocol | Fintech

Here’s everything going wrong at Binance

Binance trades far more crypto than rivals like Coinbase and FTX. Its regulatory challenges and legal issues in the U.S., EU and China loom just as large.

Binance CEO Changpeng Zhao is overseeing a global crypto empire with global problems.

Photo: Akio Kon/Bloomberg via Getty Images

Binance, the largest global crypto exchange, has been hit by a raft of regulatory challenges worldwide that only seem to increase.

It's the biggest example of what worries regulators in crypto: unfettered investor access to a range of digital tokens finance officials have never heard of, without the traditional investor protections of regulated markets.

Keep Reading Show less
Tomio Geron

Tomio Geron ( @tomiogeron) is a San Francisco-based reporter covering fintech. He was previously a reporter and editor at The Wall Street Journal, covering venture capital and startups. Before that, he worked as a staff writer at Forbes, covering social media and venture capital, and also edited the Midas List of top tech investors. He has also worked at newspapers covering crime, courts, health and other topics. He can be reached at tgeron@protocol.com or tgeron@protonmail.com.

Protocol | Policy

Facebook’s scandals have obliterated any goodwill left in Congress

Lawmakers were supposed to wade into questions about Big Data's effect on competition. Instead, their vitriol at Facebook was unending.

Image: Alexander Shatov/Unsplash

In the wake of last week's damning series of reports about Facebook, senators at a hearing that was initially supposed to be about competition instead unleashed their ire on the firm, comparing it to Big Tobacco, suggesting it lied to Congress and all but accusing the social network of profiting off teens' anxiety and suicidal thoughts.

The bipartisan parade of fury on a politically salient issue lasted hours on Tuesday. Senators focused particularly on a Wall Street Journal report about the company's careful research into the corrosive effect of Instagram on young users' mental health. But the show, coming during a hearing that was supposed to examine the impact of Big Data on competition, was also the latest evidence that Congress' periodic fits of anger at tech companies and the way Facebook obsessively deflects can create a loop that gets in the way of what Washington actually wants to do.

Keep Reading Show less
Ben Brody

Ben Brody (@ BenBrodyDC) is a senior reporter at Protocol focusing on how Congress, courts and agencies affect the online world we live in. He formerly covered tech policy and lobbying (including antitrust, Section 230 and privacy) at Bloomberg News, where he previously reported on the influence industry, government ethics and the 2016 presidential election. Before that, Ben covered business news at CNNMoney and AdAge, and all manner of stories in and around New York. He still loves appearing on the New York news radio he grew up with.

How tech is inventing better ways to read the internet

The market for read-later apps is heating up again, and the apps are much smarter this time.

The reading experience of the internet sucks. But some startups are trying to fix it.

Illustration: cihanterlan/Getty Images and Protocol

The internet, as a reading experience, is mostly terrible. The heavy pages riddled with ads and trackers, the unexpected pop-ups, the bespoke designs that in too many places end up broken. Over the years, many have tried to fix this problem — Google with AMP, Facebook with Instant Articles — and none have succeeded. It can often feel like things just keep getting worse.

Ben Springwater certainly felt like things were getting worse. In 2016, he was working at Nextdoor, lamenting with one of his colleagues, Rob Mackenzie, that reading on the internet was so complicated. The reading experience was part of the problem, but so was the internet's unlimited supply of stuff. "It completely boggles the mind that so much of this stuff is really excellent, this life-changing stuff we could read," Springwater said. But there's only so much time in the day. "So we have filters: We go to Twitter, we check the headlines or what comes into our inbox. But those decisions for most of us are really suboptimal, relative to the potential of what we could be reading."

Keep Reading Show less
David Pierce

David Pierce ( @pierce) is Protocol's editor at large. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.

Latest Stories