Banks watch your every move online. Here’s how it prevents fraud.

How fast you type or move your mouse can help banks verify your identity. But the idea that financial institutions are monitoring customers this closely has drawn online backlash and regulatory scrutiny.

In April, systems at the National Australia Bank watched as a customer tried to raise her account transaction limit from $20,000 to $100,000. She logged in with the right username and password and seemed legit, but recently installed software detected that her behavior was significantly different from previous sessions.

"The way she was using her mouse looked different," Chris Sheehan, a National Australia Bank investigations manager, told Protocol. "The number of clicks on the mouse looked different. Her cutting and pasting details looked different."

The deviations were picked up by the bank's new BioCatch software, which led the bank's anti-fraud team to figure out that the customer was in trouble. She was on her cell phone with a fraudster and was stressed by the account changes he was coaching her to make. The team quickly called her landline to warn her, and she put a stop to things.

The rapid rise of online banking has led financial institutions to embrace behavioral analytics, AI-powered technology designed to flag potential fraud based on a user's actions and even their mannerisms on a website. That trend has accelerated during the pandemic, though the widening adoption of the technology is coinciding with heightened worries about the use of AI in financial services.

This was highlighted last week when insurance company Lemonade faced backlash for bragging in a Twitter thread — which it deleted and apologized for — about its AI, suggesting that it's been able to boost profits by using AI to deny customer claims based on "non-verbal cues."

Watching for fraud

A behavioral analytics system records clients' website interactions and uses the data to keep track of them and verify who they are when they're online. Web browsers have long provided information about mouse movements and typing, though few internet users realize they're being surveilled in such fine-grained detail.

The technology is also used to flag user behavior that indicates an attempt to open fraudulent accounts using stolen identities.

Behavioral analytics provides another security layer on top of other forms of identification, said BioCatch CEO Howard Edelstein. In fact, the technology can be an even more powerful security tool at a time when Social Security numbers and other personal information — like your mother's maiden name or what street you grew up on — are now also vulnerable to hacking and theft.

"Every time they ask for knowledge-based authentications, I kind of laugh because everyone's stolen every piece of information," he told Protocol. "You mean you can't find out your dog's name or whatever? … You can get around deterministic things. You can steal them. Somebody's got it."

But behavior is tougher to steal or replicate with precision, he added: "The machines learn you, and they follow you. If you start changing your behavior too rapidly, it's an alert."

Logan Allin, managing general partner at Fin VC, which is an investor in Neuro-ID, another behavioral analytics startup, echoed this point: "Digital footprints don't change, and imitating or faking human behavior is next to impossible."

Jack Alton, CEO of Neuro-ID, cited examples of legitimate customers who would type in their information, such as their Social Security number, based on "long-term memory." On the other hand, a criminal armed with a list of stolen information would do it differently. "If I stole your credentials, and I tried to log in, even if I got your name and your password right, I'm going to do it at a different cadence," he told Protocol.

Anton Klippmark, a product manager at BehavioSec, said the company's technology could distinguish between a legitimate customer and a fraudster based on the user's familiarity with a specific task. A legitimate user would type a name and Social Security number with ease, but may take a bit more time filling out a bank routing number. A fraudster working with stolen information "can be the exact opposite."

"You're very familiar with the form, and with things most people don't know, like a routing number," he told Protocol. "That's stuff that a lot of fraudsters or criminals would know very well because that's their working environment."
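To make the cadence comparison concrete, here is an added example (not code from BioCatch, Neuro-ID or BehavioSec, whose algorithms the article does not describe) that scores a session's per-field typing rhythm against a customer's own history. The field names, sample timings, spread floor and logistic mapping are assumptions; only the 0-to-1,000 scale and the 900 threshold come from the article.

```python
import math
from statistics import mean, median, pstdev

HIGH_RISK = 900       # threshold quoted in the article (scores run 0 to 1,000)
MIN_SPREAD_MS = 15.0  # assumed floor so a very steady typist doesn't inflate z-scores

def gaps_ms(key_times):
    """Intervals between consecutive key-down timestamps (ms) in one form field."""
    return [b - a for a, b in zip(key_times, key_times[1:])]

def build_profile(past_sessions):
    """Per-field baseline: (mean, spread) of the median key gap over past sessions."""
    medians = {}
    for session in past_sessions:
        for field, key_times in session.items():
            g = gaps_ms(key_times)
            if g:
                medians.setdefault(field, []).append(median(g))
    return {f: (mean(m), max(pstdev(m), MIN_SPREAD_MS)) for f, m in medians.items()}

def score_session(profile, session):
    """Return (score 0-1000, per-field z-scores); the logistic mapping is an assumption."""
    z = {}
    for field, key_times in session.items():
        g = gaps_ms(key_times)
        if g and field in profile:
            mu, sigma = profile[field]
            z[field] = (median(g) - mu) / sigma
    if not z:
        return 0, z  # no field overlaps the baseline, so nothing to compare
    avg_dev = mean(abs(v) for v in z.values())
    return round(1000 / (1 + math.exp(3.0 - avg_dev))), z

def typed(n_keys, gap):
    """Constructed sample input: n_keys key-down timestamps spaced `gap` ms apart."""
    return [i * gap for i in range(n_keys)]

# Constructed history: quick on name and SSN, slow on the routing number.
HISTORY = [
    {"name": typed(10, 110), "ssn": typed(9, 140), "routing": typed(9, 400)},
    {"name": typed(10, 120), "ssn": typed(9, 150), "routing": typed(9, 450)},
    {"name": typed(10, 115), "ssn": typed(9, 145), "routing": typed(9, 420)},
]
USUAL = {"name": typed(10, 118), "ssn": typed(9, 150), "routing": typed(9, 430)}
# Constructed session with the reversed pattern: slow on identity fields, fast on routing.
REVERSED = {"name": typed(10, 260), "ssn": typed(9, 300), "routing": typed(9, 150)}

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for label, session in (("usual", USUAL), ("reversed", REVERSED)):
        score, z = score_session(profile, session)
        print(label, score, "HIGH RISK" if score > HIGH_RISK else "ok",
              {f: round(v, 1) for f, v in z.items()})
```

The sign of each z-score carries the "exact opposite" signal: in the reversed session the identity fields come out positive (slower than the customer's norm) while the routing number comes out negative (faster).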

Edelstein of BioCatch said the company's technology can even make an educated guess about a user's age based on how fast the person types, clicks on a mouse and moves the cursor on the screen. "Every year that you age, you slow down by about 12 to 15 milliseconds," he said. "If you're a 55-year-old card owner and you're typing like a 28- to 34-year-old, that's a fraud flag."

The BioCatch system also uses "invisible challenges." For example, the software collects data on how a legitimate customer would typically move a mouse whenever the cursor disappears. When there's suspicion of fraud, the software would intentionally make the cursor vanish and verify if the user is legit based on the person's reaction. "You might curse Microsoft for making the cursor disappear, but it's more likely than not [that it's] not Microsoft to begin with," Edelstein said, laughing.

Pandemic push

The benefits of behavioral analytics have been highlighted in the pandemic, when banks were forced to close branches and conduct business mainly online, and when there was also a dramatic spike in fraud cases. In the United States alone, more than 1.4 million cases of identity theft were reported in 2020, about double what was reported in 2019, according to the Federal Trade Commission.

But the growing adoption of behavioral analytics is also happening in a time of mounting concerns about the use of AI and big data technology in financial services. In April, five U.S. agencies, led by the Federal Reserve Board and the Consumer Financial Protection Bureau, announced that they were soliciting insights into the way banks and tech companies were using AI in financial services.

Privacy is a major worry. Companies like BioCatch, Neuro-ID and BehavioSec are required to comply with strict privacy laws in the U.S., Europe and other countries.

Edelstein of BioCatch said the company does not record detailed information about a customer: "We get a hash ID from a bank, and we basically make sure that whenever that hash ID is online, that his behavior is consistent with that ID."

Sheehan of the National Australia Bank said its customers always "know what we're doing," adding that privacy "is a legitimate concern and it's something we have to always pay attention to." The bank's privacy policy mentions collecting "information about how you interact with us when you use internet or mobile banking (such as information about how you use your devices)" but doesn't describe the detailed tracking that allowed it to catch the fraudster in the April case.

Guarding against bias

Bias in AI systems is another concern, underlined by the uproar over Lemonade's description of its automated claims process in which customers are required to "record a video on their phone and explain what happened."

"Our AI carefully analyzes these videos for signs of fraud" and is able to "pick up non-verbal cues that traditional insurers can't, since they don't use a digital claims process," the company wrote in a now-deleted tweet. This system "ultimately helps us lower our loss ratios (aka how much we pay out in claims vs. how much we take in) and our overall operating costs," it added.

Responding to the backlash, Lemonade subsequently acknowledged that "a poorly worded tweet of ours (mostly the term 'non-verbal cues') led to confusion." The company stressed: "We do not use, and we're not trying to build, AI that uses physical or personal features to deny claims."

Thomas Lee, an assistant professor at University of California, Berkeley's Haas School of Business, said using "tools to monitor and measure human behavior" is a widely accepted practice in designing software products and services. But "we need to be judicious" about using such technologies for identifying and authenticating individuals, he said, especially when it involves "high-stakes decision-making."

Sheehan of the National Australia Bank said that behavioral analytics is a compelling tool in banking at a time when fraud is increasingly conducted by sophisticated, fast-moving global operations. Huge amounts of money can now be stolen from banks in a matter of hours and traditional anti-fraud tactics are often too slow to stop the fraud.

"While we might detect the scam, the money has often already left," Sheehan said.

Ray Wang, an analyst with Constellation Research, said behavioral analytics can also give banks and fintechs an edge by providing "decision velocity" — for example, by flagging fraud in real time "if I suddenly use my credit card for venues I normally don't use."

BioCatch has attracted the attention of top investors, including Bain Capital, which put in $100 million of the company's $145 million series C round last April. The company has raised a total of $215 million.

The company's software is being used at more than 50 major global banks and financial institutions, including Barclays, HSBC and American Express. BioCatch "has led to more robust fraud detection during the online application process in the U.S.," according to an American Express spokesperson.

Sheehan said BioCatch, whose software the bank began implementing in stages in late 2019, has helped the National Australia Bank save roughly $450,000 a month that it otherwise "would have lost to fraud."

The costs of using BioCatch can range from "a few hundred thousand dollars for a smaller bank to the low seven figures for a larger bank" that's using more capabilities, a BioCatch spokesman said.

The case of the National Australia Bank customer underscores the speed and brazenness of today's bank fraud operations, Sheehan said. The fraudster had managed to deceive the client into thinking that he was helping her resolve problems with her internet service and online banking connection.

"She was being coached and she was unsure about what she was being asked to do, and it was causing her some agitation," Sheehan said.

Even so, it was a close call. The BioCatch system assigns a score for every online session from zero to 1,000, with a score of over 900 flagged as "a high-risk event," Sheehan said. The customer had a score of 910. When a team member reached her on her landline, the bank rep could hear her talking to the fraudster on her cell phone, Sheehan said.

"He was telling her to ignore us and that she can't trust the bank," he said. "Fortunately, she did trust us."
