With smartphone usage growing year over year, mobile banking is the preferred method of customer engagement with banks. In Singapore alone, a third of the adult population is projected to have a digital bank account by 2025. We can expect this number to grow rapidly with the recent announcement by the Monetary Authority of Singapore (MAS) on awarding digital full bank licences to non-banks. This move means greater personalisation and convenience for consumers, with all-in-one banking services at their fingertips 24/7.
However, existing financial institutions (FIs) and new players are today facing a unique challenge: they must invest in solutions that will continue to provide consumers with a frictionless experience while ensuring top-of-the-line security. This comes as 64% of Asia Pacific mobile threat incidents were driven by financial motives, as reported in Verizon’s 2020 Data Breach Investigations Report.
One way to overcome this challenge is to build behavioural biometrics into the fraud prevention stack. Behavioural biometrics detects anomalies in user behaviour by monitoring how information is entered, not what. The technology satisfies both business and risk objectives by providing top security and enabling consumers to go about their banking activities with less friction.
A Different Approach to Mobile Banking Security
Behavioural biometrics leverages mobile-specific sensors such as accelerometer, touch, orientation, and gyro to continuously analyse user behaviour on three levels throughout a mobile banking session. First, it profiles a user based on physical traits such as how the user holds their device, swipes, scrolls, and taps. When the current session looks different from the historical profiles, this might indicate that someone other than the legitimate user has accessed the account. This is the case even if a cybercriminal steals password information and logs into an account from their own device, or remotely logs into the banking app on the user’s trusted device. Unlike traditional fraud controls that heavily rely on device elements, user behaviour cannot be stolen, spoofed, or replicated.
Second, it profiles a user based on cognitive choices, such as how the user inputs data or navigates a session, to identify genuine versus criminal behavioural indicators. Third, it profiles the user to determine intent and emotional state in the context of the activity, to detect complex situations indicating high levels of risk. For example, behavioural insights can detect when a user falsely claims their age as part of the account opening process, or when a user is conducting a transaction under the guidance of a voice scammer.
Striking a Balance Between CX and Security
The appeal of behavioural biometrics is that the technology runs continuously in the background during sessions, using machine learning to build up user profiles. How a consumer interacts within a session differentiates them from any other potential user, including hackers and automated attacks.
It also allows banks to accurately distinguish between genuine users and cybercriminals based on behavioural insights, rather than traditional factors like location or device ID, which are known for high false-positive rates. Though these checks are meant to protect consumers, it is still unpleasant when a bank incorrectly flags a transaction or account opening as fraudulent. Consumers must then go through additional steps to identify themselves via step-up authentication, such as entering an out-of-band SMS passcode or making a call to customer service. Behavioural biometrics reduces false declines by continually monitoring user behaviour, not only their location or device, to assess the risk of a fraudulent session.
With this in mind, all customers must do is be themselves. This is a big improvement on current fraud detection solutions, which slow users down and ultimately still fail at keeping cybercriminals out. Traditional fraud controls treat customers like criminals, causing a lot of friction. Behavioural biometrics is a modern approach that delivers better detection by understanding behavioural intent to distinguish illegitimate activity from that of a legitimate user.
Unique to mobile banking applications is the ability to extract touch and gyro data to detect subtle behavioural anomalies against natural user characteristics, such as dominant hand, touch size and pressure. When a user types on their mobile device using the keypad, the precise location where the user touches down is unique, as well as the surface area covered and the pressure the user applies. These insights enable the detection of subtle inconsistencies across sessions that may indicate elevated risk.
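An added example, not from the article or from any vendor's product: a minimal per-user baseline check in Python that scores a new session's touch features against that user's past sessions and asks for step-up authentication when the session deviates or when there is too little history to judge. The feature names, units, threshold and sample values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Feature names follow the traits the article lists; units are assumed.
FEATURES = ("touch_x_mm", "touch_y_mm", "touch_area_mm2", "pressure")
MIN_SESSIONS = 5  # assumed minimum history before a profile is trusted

def build_profile(history):
    """Per-feature (mean, std dev) over past sessions, or None if too few."""
    if len(history) < MIN_SESSIONS:
        return None
    return {f: (mean([s[f] for s in history]), stdev([s[f] for s in history]))
            for f in FEATURES}

def score_session(profile, session, sigma_floor=1e-6):
    """Return (z-score per feature, RMS of the z-scores) for one session."""
    z = {f: (session[f] - mu) / max(sigma, sigma_floor)
         for f, (mu, sigma) in profile.items()}
    rms = (sum(v * v for v in z.values()) / len(z)) ** 0.5
    return z, rms

def decide(history, session, threshold=3.0):
    """'allow' if the session fits the user's profile, else 'step_up'."""
    profile = build_profile(history)
    if profile is None:  # no baseline yet: fall back to other controls
        return "step_up"
    _, rms = score_session(profile, session)
    return "allow" if rms <= threshold else "step_up"

# Constructed sample data: six past sessions of one user, then two new ones.
ROWS = [
    (1.2, -0.5, 42, 0.31), (1.0, -0.4, 44, 0.29), (1.4, -0.6, 41, 0.33),
    (1.1, -0.5, 43, 0.30), (1.3, -0.3, 45, 0.32), (1.2, -0.7, 43, 0.31),
]
HISTORY = [dict(zip(FEATURES, r)) for r in ROWS]
SAME_USER = dict(zip(FEATURES, (1.3, -0.4, 44, 0.30)))
OTHER_USER = dict(zip(FEATURES, (-0.9, -0.2, 55, 0.45)))  # other hand, firmer touch

if __name__ == "__main__":
    for name, s in (("same user", SAME_USER), ("other user", OTHER_USER)):
        print(name, decide(HISTORY, s))
```

The per-feature z-scores returned by `score_session` show which trait drove the decision, which is what an analyst reviewing a flagged session would look at first.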
Scrolling on a mobile application is a perfect example because it is quite unique to every user. Below is an illustration of six different users scrolling on the same page of a mobile application. The blue lines represent the user’s natural swipe patterns as they interact with their device screen. If a user shows different swipe patterns during a protected session, this can be a good indicator of malicious activity.
Going forward and accelerated by 2020’s global pandemic crisis, mobile banking will continue to be the main channel through which users transact and interface with financial institutions – well exceeding web, branch, and telephone banking. However, we have seen that there is a fine line between frictionless user experience and institutional risk. It is important to acknowledge that cybercriminals are constantly evolving their methods and are becoming more sophisticated.
Behavioural biometrics, when built into the fraud prevention stack, can provide powerful insights gathered from real-time physical and cognitive behaviour of users across digital channels. As financial institutions – which now include non-banks in Singapore – continue to offer more functionality in their mobile banking apps, rest assured that they are also looking for new and improved ways to prevent fraud and ensure security in today’s mobile era.
The views expressed in this column are the author's own and do not necessarily reflect this publication's view, and this article is not edited by Asian Banking & Finance. The author was not remunerated for this article.
Christopher Yap is the Regional Head of ASEAN and Hong Kong at BioCatch. As a Certified Fraud Examiner (CFE) and Certified Anti-Money Laundering Specialist (CAMS), Christopher has over 15 years of experience working with financial institutions to improve their fraud detection processes. In his current role, Christopher is responsible for driving sales and partnerships in ASEAN and Hong Kong, enabling customers of BioCatch to detect fraudulent account openings and account takeover attacks, as well as safeguard users against social engineering scams.