Paygilant in Payment Week

You Need More Than Behavioral Biometrics in Mobile

We all know that security is still the big problem in mobile payments. Despite a slew of advancements to the contrary, it keeps coming up as the problem of the day. What’s more, even the heaps of advancements we have now only just keep up with the pace of criminals eager to find new solutions. That’s led many mobile payments companies–among others–to look into biometrics for security. A new report sent our way from Paygilant, however, says that a behavior-based biometrics platform alone will not do the job.

Mobile payments today, the report notes, face a paradox. Customers want access to super-convenient, high-speed systems with virtually no hassle, but want these systems secured with iron imperviousness. In other words, they want a door that can’t open to anyone but them. Too much security eliminates convenience, and vice versa, making the customer’s demands seemingly irreconcilable. Enter biometrics, which connect to a certain part of a customer’s biology like voiceprints or thumbprint.

At first, this seemed like the ultimate solution. Behavioral biometrics also became part of the mix, as authentication processes considered the speed of your scrolling, the angle at which you hold a device, or other factors. The problem with these, however, is that they could be simulated by bad actors. If a hacker learned what angle you held your device at–possible with enough observation–that hacker could effectively pretend to be you. Hence the study, which found that depending on this form of biometrics was a recipe for failure.

Honestly, the point of this study somewhat eludes me. Most users likely don’t even consider behavioral biometrics to be biometrics in the first place. We think of thumbprints, fingerprints, iris scans…things immediately related to body parts that can’t be simulated or stolen beyond the realm of science fiction or outright horror. Yet here we’ve also seen how biometric advances don’t last; remember how Google’s facial recognition systems were beaten by a photograph?

The Paygilant study demonstrates to us what we’ve known all along; no one security mechanism is perfect and can be counted on absolutely. We must use multiple methods, and we must continually refine these methods to ensure our systems are safe, even if we must surrender at least some convenience to do the job right.

Device Attributes

Various attributes observed on the device can contribute to the detection of fraudulent behavior and to the derivation of a device ID. Device model, screen, memory, UUID, OS, IP, geolocation, app permissions, and more are observed. Geolocation is probably the best example for a device attribute used for detecting fraud - if a transaction is attempted from Moscow a short while after the preceding transaction was carried out in New York, then that is a strong indicator of fraud. Restricted app permissions is another indicator that the user might be hiding something. Another example is app permissions that are restricted by the user – that, in combination with other things, night suggest that the user might be hiding something.

Transaction Data

Paygilant employs propriety transaction behavioral maps. The Behavioral Maps represent the purchasing patterns/behavior of a specific customer and her nearest neighbors and are created using Paygilant's proprietary machine learning algorithms. The behavioral maps typically comprise a large amount of information but must be compact 9 enough since they are securely transmitted to the mobile device. To achieve this Paygilant utilizes its depth of field (DOF) approach from digital photography to compress the information so that complex calculations that do not require work intensive CPU and memory. A Behavioral Map shows a clear, high resolution picture of the different risk zones and is a key factor in determining the risk of a specific transaction and has the following key characteristics: - User specific: each map is unique, calculated and maintained on a per user basis, therefore representing a transaction risk level for each customer’s transaction. - Lightweight: Resolution variations enable maintaining only the necessary data, reducing the map's weight to a bare minimum. - Dynamic: As the purchase behavior changes, the map will be modified.

Device DNA

Bio Markers

Paygilant observes bio markers to passively identify the user behind the transaction. Common bio markers Paygilant observes include touch time, time between touches, size of touch inputs, finger velocity, scrolling pace and drag length, typing biometrics, and more. Paygilant’s robust bio markers are just one of the several intelligence sets that make up the broader solution and is designed to augment the fraud/no-fraud decision that precedes any step-up authentication request.

App Interactions

Paygilant looks at how the user interacts with the mobile application to determine if the interactions are consistent with a legitimate user. For example, if a user navigates directly to a high-ticket item and immediately proceeds to check-out, then that suggests something fraudulent might be happening. If a user inputs his name and address on the payment form in a manner that is not consistent with how normal users would do it (i.e. slower than expected because typing-in unfamiliar strings), then that provides another clue that something fraudulent might be happening.

User Data

Intelligent, privacy preserving analysis of user data on the mobile device provides valuable insights into fraudulent activities. User data analysis is especially helpful in hard-to-analyze scenarios like new account origination, where there is no established history for the user/account. Some examples for how device data can be used include comparing user accounts on the device with the payment cardholder identity, or the identity disclosed on a new account registration form – a mismatch provides a strong indicator for fraud. No media on the device, empty contacts list, and sparse call logs are also examples of fraud indicators that can be collected from user data on the device.

[contact-form-7 id="1746" title="Contact+PDF_new"]

[contact-form-7 id="1390" title="Contact+PDF_copy"]

[contact-form-7 id="1397" title="Contact_copy"]