Fintech

Banks watch your every move online. Here’s how it prevents fraud.

How fast you type or move your mouse can help banks verify your identity. But the idea that financial institutions are monitoring customers this closely has drawn online backlash and regulatory scrutiny.

Person holds credit card in front of laptop

Banks can detect your mouse movements — and use that information to fight fraud.

Photo: Pickawood/Unsplash

In April, systems at the National Australia Bank watched as a customer tried to raise her account transaction limit from $20,000 to $100,000. She logged in with the right username and password and seemed legit, but recently-installed software detected that her behavior was significantly different from previous sessions.

"The way she was using her mouse looked different," Chris Sheehan, a National Australia Bank investigations manager, told Protocol. "The number of clicks on the mouse looked different. Her cutting and pasting details looked different."

The deviations were picked up by the bank's new BioCatch software, which led the bank's anti-fraud team to figure out that the customer was in trouble. She was on her cell phone with a fraudster and was stressed by the account changes he was coaching her to make. The team quickly called her landline to warn her and she put things to a stop.

The rapid rise of online banking has led financial institutions to embrace behavioral analytics, AI-powered technology designed to flag potential fraud based on a user's actions and even their mannerisms on a website. That trend has accelerated during the pandemic, though the widening adoption of the technology is coinciding with heightened worries about the use of AI in financial services.

This was highlighted last week when insurance company Lemonade faced backlash for bragging in a Twitter thread — which it deleted and apologized for — about its AI, suggesting that it's been able to boost profits by using AI to deny customer claims based on "non-verbal cues."

Watching for fraud

A behavioral analytics system records clients' website interactions and uses the data to keep track of them and verify who they are when they're online. Web browsers have long provided information about mouse movements and typing, though few internet users realize they're being surveilled in such fine-grained detail.

The technology is also used to flag user behavior that indicates an attempt to open fraudulent accounts using stolen identities.

Behavioral analytics provides another security layer on top of other forms of identification, said BioCatch CEO Howard Edelstein. In fact, the technology can be an even more powerful security tool at a time when Social Security numbers and other personal information — like your mother's maiden name or what street you grew up on — are now also vulnerable to hacking and theft.

"Every time they ask for knowledge-based authentications, I kind of laugh because everyone's stolen every piece of information," he told Protocol. "You mean you can't find out your dog's name or whatever? … You can get around deterministic things. You can steal them. Somebody's got it."

But behavior is tougher to steal or replicate with precision, he added: "The machines learn you, and they follow you. If you start changing your behavior too rapidly, it's an alert."

Logan Allin, managing general partner at Fin VC, which is an investor in Neuro-ID, another behavioral analytics startup, echoed this point: "Digital footprints don't change, and imitating or faking human behavior is next to impossible."

Jack Alton, CEO of Neuro-ID, cited examples of legitimate customers who would type in their information, such as their Social Security number, based on "long-term memory." On the other hand, a criminal armed with a list of stolen information would do it differently. "If I stole your credentials, and I tried to log in, even if I got your name and your password right, I'm going to do it at a different cadence," he told Protocol.

Anton Klippmark, a product manager at BehavioSec, said the company's technology could distinguish between a legitimate customer or a fraudster based on the user's familiarity with a specific task. A legitimate user would type a name and Social Security number with ease, but may take a bit more time filling out a bank routing number. A fraudster working with stolen information "can be the exact opposite."

"You're very familiar with the form, and with things most people don't know, like a routing number," he told Protocol. "That's stuff that a lot of fraudsters or criminals would know very well because that's their working environment."

Edelstein of BioCatch said the company's technology can even make an educated guess about a user's age based on how fast the person types, clicks on a mouse and moves the cursor on the screen. "Every year that you age, you slow down by about 12 to 15 milliseconds," he said. "If you're a 55-year-old card owner and you're typing like a 28- to 34-year-old, that's a fraud flag."

The BioCatch system also uses "invisible challenges." For example, the software collects data on how a legitimate customer would typically move a mouse whenever the cursor disappears. When there's suspicion of fraud, the software would intentionally make the cursor vanish and verify if the user is legit based on the person's reaction. "You might curse Microsoft for making the cursor disappear, but it's more likely than not [that it's] not Microsoft to begin with," Edelstein said, laughing.

Pandemic push

The benefits of behavioral analytics have been highlighted in the pandemic, when banks were forced to close branches and conduct business mainly online, and when there was also a dramatic spike in fraud cases. In the United States alone, more than 1.4 million cases of identity theft were reported in 2020, about double what was reported in 2019, according to the Federal Trade Commission.

But the growing adoption of behavioral analytics is also happening in a time of mounting concerns about the use of AI and big data technology in financial services. In April, five U.S. agencies, led by the Federal Reserve Board and the Consumer Financial Protection Bureau, announced that they were soliciting insights into the way banks and tech companies were using AI in financial services.

Privacy is a major worry. Companies like BioCatch, Neuro-ID and BehavioSec are required to comply with strict privacy laws in the U.S., Europe and other countries.

Edelstein of BioCatch said the company does not record detailed information about a customer: "We get a hash ID from a bank, and we basically make sure that whenever that hash ID is online, that his behavior is consistent with that ID."

Sheehan of the National Australia Bank said its customers always "know what we're doing," adding that privacy "is a legitimate concern and it's something we have to always pay attention to." The bank's privacy policy mentions collecting "information about how you interact with us when you use internet or mobile banking (such as information about how you use your devices)" but doesn't describe the detailed tracking that allowed it to catch the fraudster in the April case.

Guarding against bias

Bias in AI systems is another concern, underlined by the uproar over Lemonade's description of its automated claims process in which customers are required to "record a video on their phone and explain what happened."

"Our AI carefully analyzes these videos for signs of fraud" and is able to "pick up non-verbal cues that traditional insurers can't, since they don't use a digital claims process," the company wrote in a now-deleted tweet. This system "ultimately helps us lower our loss ratios (aka how much we pay out in claims vs. how much we take in) and our overall operating costs," it added.

Responding to the backlash, Lemonade subsequently acknowledged that "a poorly worded tweet of ours (mostly the term 'non-verbal cues') led to confusion." The company stressed: "We do not use, and we're not trying to build, AI that uses physical or personal features to deny claims."

Thomas Lee, an assistant professor at University of California, Berkeley's Haas School of Business, said using "tools to monitor and measure human behavior" is a widely-accepted practice in designing software products and services. But "we need to be judicious" about using such technologies for identifying and authenticating individuals, he said, especially when it involves "high-stakes decision-making."

Sheehan of the National Australia Bank said that behavioral analytics is a compelling tool in banking at a time when fraud is increasingly conducted by sophisticated, fast-moving global operations. Huge amounts of money can now be stolen from banks in a matter of hours and traditional anti-fraud tactics are often too slow to stop the fraud.

"While we might detect the scam, the money has often already left," Sheehan said.

Ray Wang, an analyst with Constellation Research, said behavioral analytics can also give banks and fintechs an edge by providing "decision velocity" — for example, by flagging fraud in real time "if I suddenly use my credit card for venues I normally don't use."

BioCatch has attracted the attention of top investors, including Bain Capital which put in $100 million of the company's $145 million series C round last April. The company has raised a total of $215 million.

The company's software is being used at more than 50 major global banks and financial institutions, including Barclays, HSBC and American Express. BioCatch "has led to more robust fraud detection during the online application process in the U.S." according to an American Express spokesperson.

Sheehan said BioCatch, whose software the bank began implementing in stages in late 2019, has helped the National Australia Bank save roughly $450,000 a month that it otherwise "would have lost to fraud."

The costs of using BioCatch can range from "a few hundred thousand dollars for a smaller bank to the low seven figures for a larger bank" that's using more capabilities, a BioCatch spokesman said.

The case of the National Australia Bank customer underscores the speed and brazenness of today's bank fraud operations, Sheehan said. The fraudster had managed to deceive the client into thinking that he was helping her resolve problems with her internet service and online banking connection.

"She was being coached and she was unsure about what she was being asked to do, and it was causing her some agitation," Sheehan said.

Even so, it was a close call. The BioCatch system assigns a score for every online session from zero to 1,000, with a score of over 900 flagged as "a high-risk event," Sheehan said. The customer had a score of 910. When a team member reached her on her landline, the bank rep could hear her talking to the fraudster on her cell phone, Sheehan said.

"He was telling her to ignore us and that she can't trust the bank," he said. "Fortunately, she did trust us."

A 'Soho house for techies': VCs place a bet on community

Contrary is the latest venture firm to experiment with building community spaces instead of offices.

Contrary NYC is meant to re-create being part of a members-only club where engineers and entrepreneurs can hang out together, have a space to work, and host events for people in tech.

Photo: Courtesy of Contrary

In the pre-pandemic times, Contrary’s network of venture scouts, founders, and top technologists reflected the magnetic pull Silicon Valley had on the tech industry. About 80% were based in the Bay Area, with a smattering living elsewhere. Today, when Contrary asked where people in its network were living, the split had changed with 40% in the Bay Area and another 40% living in or planning to move to New York.

It’s totally bifurcated now, said Contrary’s founder Eric Tarczynski.

Keep Reading Show less
Biz Carson

Biz Carson ( @bizcarson) is a San Francisco-based reporter at Protocol, covering Silicon Valley with a focus on startups and venture capital. Previously, she reported for Forbes and was co-editor of Forbes Next Billion-Dollar Startups list. Before that, she worked for Business Insider, Gigaom, and Wired and started her career as a newspaper designer for Gannett.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.
Fintech

Binance CEO wrestles with the 'Chinese company' label

Changpeng "CZ" Zhao, who leads crypto’s largest marketplace, is pushing back on attempts to link Binance to Beijing.

Despite Binance having to abandon its country of origin shortly after its founding, critics have portrayed the exchange as a tool of the Chinese government.

Photo: Akio Kon/Bloomberg via Getty Images

In crypto, he is known simply as CZ, head of one of the industry’s most dominant players.

It took only five years for Binance CEO and co-founder Changpeng Zhao to build his company, which launched in 2017, into the world’s biggest crypto exchange, with 90 million customers and roughly $76 billion in daily trading volume, outpacing the U.S. crypto powerhouse Coinbase.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Enterprise

How I decided to leave the US and pursue a tech career in Europe

Melissa Di Donato moved to Europe to broaden her technology experience with a different market perspective. She planned to stay two years. Seventeen years later, she remains in London as CEO of Suse.

“It was a hard go for me in the beginning. I was entering inside of a company that had been very traditional in a sense.”

Photo: Suse

Click banner image for more How I decided seriesA native New Yorker, Melissa Di Donato made a life-changing decision back in 2005 when she packed up for Europe to further her career in technology. Then with IBM, she made London her new home base.

Today, Di Donato is CEO of Germany’s Suse, now a 30-year-old, open-source enterprise software company that specializes in Linux operating systems, container management, storage, and edge computing. As the company’s first female leader, she has led Suse through the coronavirus pandemic, a 2021 IPO on the Frankfurt Stock Exchange, and the acquisitions of Kubernetes management startup Rancher Labs and container security company NeuVector.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Enterprise

UiPath had a rocky few years. Rob Enslin wants to turn it around.

Protocol caught up with Enslin, named earlier this year as UiPath’s co-CEO, to discuss why he left Google Cloud, the untapped potential of robotic-process automation, and how he plans to lead alongside founder Daniel Dines.

Rob Enslin, UiPath's co-CEO, chats with Protocol about the company's future.

Photo: UiPath

UiPath has had a shaky history.

The company, which helps companies automate business processes, went public in 2021 at a valuation of more than $30 billion, but now the company’s market capitalization is only around $7 billion. To add insult to injury, UiPath laid off 5% of its staff in June and then lowered its full-year guidance for fiscal year 2023 just months later, tanking its stock by 15%.

Keep Reading Show less
Aisha Counts

Aisha Counts (@aishacounts) is a reporter at Protocol covering enterprise software. Formerly, she was a management consultant for EY. She's based in Los Angeles and can be reached at acounts@protocol.com.

Latest Stories
Bulletins