The way in which customers navigate e-commerce and online banking sites provides analytics that could ultimately help secure their accounts.
Israel-based BioCatch plans to use the $10 million it recently secured from investors to boost adoption of its behavioral biometric authentication technology for banks and merchants in North America, Europe and Brazil.
Clients using BioCatch's cloud-based system will have access to data analysis on more than 400 behavioral, cognitive and physiological parameters that create user profiles to help screen website visits, says Uri Rivner, co-founder and vice president of business development and cyber strategy at BioCatch. The company also has offices in Boston and London.
The round of funding from Venture Capital firms OurCrowd and Blumberg Capital will help BioCatch attract more interest from banks and retailers, Rivner says.
"BioCatch is not a software download. It is a subscription service in which we do the coding onto the necessary pages on a bank or online site," Rivner says. "The bank fraud team then has access to a dashboard to see scores and patterns, devices and locations, as well as authenticated activity scores."
Those scores are compiled from factors such as how the customer moves a mouse cursor or navigates a touchscreen.
"It is cognitive behavioral analytics, or the monitoring of user responses to opening apps or having mobile or online sessions," Rivner says. "It's like getting into a cat-and-mouse game with fraudsters with deep analytics."
BioCatch can determine whether users are right- or left-handed, what types of patterns or curves they make with a cursor, how fast they navigate a page and how much pressure they put on a mouse or tablet.
Ultimately, BioCatch can use these observations to determine when malware is being used to impersonate a user.
BioCatch provides an extra layer of security that banks or retailers can't get in most other solutions because it monitors an entire session on an account site, says Al Pascual, senior analyst for Javelin Strategy & Research.
"It gives you a leg up if an account was taken over by a remote access tool or a criminal using a virtual machine," Pascual says.
In addition, BioCatch is scalable across channels, Pascual says. "You can use it online, or for m-commerce and mobile banking and it doesn't interfere with the experience, regardless of the channel," Pascual adds. "If you want your business to be omni-channel, you need a solution that scales in order to contain costs and deliver a consistent user experience."
BioCatch generally monitors about 10 sessions per account before establishing a user profile for its clients. The profile can even ascertain that two different people, possibly a husband and wife, access the same account on a regular basis, Rivner says.
"We do not know the accountholders by name," Rivner says. "This service is set up to protect their accounts, and BioCatch does not need to know their identities."
The BioCatch interface shows a red line for the cursor movement and a blue line for hand position. The system knows the account owner's hand position and how the user generally navigates to the site's "submit" or "pay" button. It also knows how a person tends to move the mouse around when searching for a cursor that is suddenly not visible on a page.
The client's fraud team generally studies user sessions over a period of time, but can contact BioCatch in real-time if a suspicious case is unfolding, Rivner says. In one such case, he says, a bank suspected that a session originating from the Czech Republic appeared fraudulent, but BioCatch's analysis indicated it was the proper accountholder. When the bank contacted the customer, it turned out he was in the Czech Republic on business.
The system is effective for banks or retailers in screening customers who open new accounts, Rivner says. "The system can tell if it is a human or malware robot filling out the form," he adds. "Robots fill them out the same way each time."
If a legitimate accountholder tends to use a computer mouse every time, but in one session uses only keyboard shortcuts, BioCatch would flag the keyboard-only session as potential fraud.
The company can integrate its service into existing fraud prevention platforms. Though he could not provide names at this time, Rivner says several banks and e-commerce sites are using the system.
BioCatch began developing its behavioral authentication system when the company was founded in 2011 and began testing the system last year, Rivner says.
"We were looking for something to change the game in favor of banks against the fraudsters," Rivner says.
Behavorial analytics has been a security option for banks and online retailers for years. PayPal famously named its early anti-fraud system "Igor," after a particularly diligent fraudster who kept poking holes in its methods for scanning for fraud attempts.
Other bank technology vendors offer similar systems for building user profiles and scanning for use patterns that might signal a fraud attempt.