Did you know that every zebra has its own unique stripe pattern? Just like a human fingerprint, every zebra can be identified by their distinctive set of stripes. Luckily, zebras don’t use mobile devices, or manufacturers would be hard at work on stripe recognition technology. But they’d also be working to supplement their stripe recognition and biometrics with behavioral analytics.
In this blog, and in an accompanying one by my Thales colleague Juan Asenjo, we will discuss the subject of big data analytics, and how it is enabling a new behavior-based authentication evolution for easier and more robust identity management. In the following paragraphs, I will focus on behavioral analytics and how it can help us detect increasingly sophisticated impersonation and fraud attempts. I invite you to read Juan’s blog to learn more about the challenges and approaches to protecting the big data behind the analytics.
About six months ago, I got an email from a good friend of mine, who I’ll call Alex (not his real name). Alex and I talk occasionally and serve on some alumni committees together, so it’s not unusual to hear from him. He also has a very distinct email style – a lot of spacing and extra punctuation, like multiple exclamation points. This email from Alex was similarly spaced and punctuated and asked if I could do him a favor. Thinking it was something related to our committee work, I mindlessly begin to reply with a, “Sure, what do you need?” type of email … but then I happen to notice an extra letter in the “Reply-To” email address.
Wait a minute. Let me look at that message again.
I take another look at the email. While it does have Alex’s distinct correspondence style, a few things are off. Alex opens the note with “How are you?” – that’s not how he’d typically open a note to me. He tends to jump right into the topic. And Alex would never sign off an email to me with “Thanks!” – he’d use a traditional sign-off of our shared alumni organization. Alex also tends to be rather loquacious in his emails – this one is a little short and not quite as flowery in its language.
I don’t think this is Alex.
So, like any security person and good friend, I send Alex a text and a voicemail asking if the message was from him. Sure enough, Alex emails me a few hours later confirming that his email account was hacked and thanking me for bringing it to his attention.
Honestly, I was lucky to catch this one. On first glance, the style of the email was very similar to Alex’s; it was only after I noticed the different email address in the reply-to field that I took a closer look and realized that it wasn’t quite right. The would-be attackers did a pretty good job impersonating Alex.
Let’s face it, attackers are getting more sophisticated about identity fraud, whether it’s skillful impersonation (as in the case of my friend Alex), creating fake social media profiles to influence public opinion, or wider scale financial fraud. Not long ago, it was revealed that a popular Black Lives Matter page on social media had turned out to be fake and had defrauded unsuspecting donors out of over $100,000. Synthetic identity fraud is another example. Synthetic identity fraud occurs when an attacker creates a new identity, sometimes using components of a real identity, and then uses that false identity to apply for credit cards, get bank loans, or engage in other forms of fraud against businesses or individuals. Of course, once the attacker has accomplished their goal or gotten enough money, they can abandon that identity. Unfortunately, the banks, organizations, and individuals who engaged with that identity are left holding the bag. This is a growing problem for credit card companies. Aite Group estimates U.S. credit card losses due to synthetic identity fraud sits at almost $1B (“Synthetic Identity Fraud: The Elephant in the Room”, Julie Conroy, May 2018).
Humans, on our own, are not great at consistently catching identity fraud, and as the fraud becomes more sophisticated, it’s going to be harder and harder to catch with the naked eye. That’s why behavioral analytics is so important for identity, authentication, and fraud detection. As attackers mine information about user appearance, likely passwords, and basic behaviors, more sophisticated behavioral analysis can help us determine whether a person, device, or system is what they claim to be.
Behavioral biometrics, for example, are gaining popularity as a form of authentication or a factor in determining whether a stronger authentication method may be needed. Factors such as keystroke patterns, touchscreen swipe patterns, mouse movements and gait can enhance existing data points to help verify identity. As the machine learning space continues to develop, it’s easy to imagine natural language processing being used to develop baselines for an identity’s communication habits and flagging written or oral communication that doesn’t seem quite right (as in the case with my friend Alex). And multiple techniques will be necessary to address synthetic identity fraud: Aite mentions behavioral biometrics, device identity, email lineage, and mobile device ownership as factors that will help credit card providers recognize fraud. Identity proofing, which helps establish the veracity of the user identity before a corresponding digital identity is created, is also emerging as an essential part of the process.
Now in order to effectively analyze behavior and identify fraud, what does a system need? Lots of data, of course! First, you need sufficient and accurate data to establish the baseline. Then, you need to be sure that future transaction and behavioral data is accurate, so that you can correctly identify outliers that may indicate an attack. And given the personal nature and sensitivity of that data and rightful privacy concerns, you’d better be sure that the data is protected at all times…
Sandy Carielli is the Director of Security Technologies for Entrust Datacard, a Thales eSecurity partner. For more information about Entrust, please visit our partner page.