Online fraud continued to rise last year. ThreatMetrix alone stopped 122 million attacks globally in just the fourth quarter, a 35% increase on the final three months of 2015. It’s a symptom of the riches up for grabs for the bad guys as more and more businesses put digital at the heart of their organisation. But it’s also a reflection of the increasingly sophisticated attacks many firms are struggling to spot.
Behavioural analytics tools are seen by many as a silver bullet for the problem. But they will only work if based on comprehensive, global data sets and used dynamically to pinpoint behaviour down to the individual user, and at an even more granular level to IP address, location, device and so on.
Fraudsters tool up
Exactly what are we up against today? Fraudsters armed with an array of tools and techniques designed to mask their true identity and confound traditional filters. These include IP and device spoofing, and increasingly popular bot technologies. The latter include highly effective automated software designed to improve the efficiency of info-stealing attacks on confidential data like logins and payment details. In addition, networks of compromised computers known as botnets are being used to run massive identity testing sessions, imitating legitimate traffic.
The problems are compounded for firms because consumers today are highly mobile, transacting numerous times a day across a range of different devices and geographies. They might buy via a mobile app from their favourite high street clothing store on the way to work, check their bank balance on the company laptop at lunchtime and log in to their mobile social media account on their way home. Gone are the days when a customer interacted with an organisation on one static device in just one or two locations.
In short, behaviour is less predictable, more diverse and less confined to static definitions of what is or isn’t “safe” or “acceptable”.
More than just a buzzword
For many, behavioural analytics offer a possible solution to the problems presented by modern fraudsters. Like machine learning before it, the term has become quite the buzzword in anti-fraud circles. But there are some crucial caveats. First, behavioural analytics are only as useful as the data behind them. In order to be able to generate effective insights into user behaviour, firms need to be able to use all the information they know about how that user transacts online: across geographies, through time and across a range of different devices.
Second, they need to use this information to create dynamic business rules which can then be incorporated to great effect into their decision flow. Static business rules alone are fast becoming less effective as human behaviour becomes ever more diverse and unpredictable. Transferring £5,000 for one banking customer might be a highly unusual event, for example, but for others it could be a normal weekly occurrence. That makes it tricky to create fixed pre-defined rules for what is considered “risky” behaviour – it’s bound to frustrate customers who are the outliers of what’s considered “normal”.
The only choice
That’s why dynamic behavioural analysis is the only choice for effective fraud prevention today – supported by global data updated with all the rich diversity of user behaviour patterns as they transact online. This can transform a static rule of “flag a customer who travels more than X times in a day” to “compare today’s distance against average distance travelled per week in past six weeks”. Behaviour can be modelled on a global, per-site, per-event, per-device and per-identity basis, making it far more specific to an individual user.
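The contrast between a static rule and a per-user dynamic rule, as an added example that is not ThreatMetrix code: it applies the article's £5,000 transfer illustration to a six-week per-user baseline, and the same comparison works for distance travelled. The thresholds, function names, user labels and weekly totals are assumptions constructed for illustration.

```python
from statistics import mean

STATIC_LIMIT = 5000   # constructed fixed threshold (GBP) applied to every customer
WINDOW_WEEKS = 6      # look-back window, from the article's "past six weeks"
MIN_WEEKS = 4         # assumption: fewer weeks of history means no usable baseline
RATIO_LIMIT = 3.0     # assumption: flag events above 3x the user's own weekly average


def static_rule(amount):
    """Fixed rule: one threshold for all users."""
    return amount >= STATIC_LIMIT


def dynamic_rule(amount, weekly_totals):
    """Per-user rule: compare the event with this user's own recent average.

    Returns (flagged, reason) so a reviewer can see why the decision was made.
    """
    recent = weekly_totals[-WINDOW_WEEKS:]
    baseline = mean(recent) if recent else 0
    if len(recent) < MIN_WEEKS or baseline <= 0:
        # New or dormant user: no reliable baseline, fall back to the fixed rule.
        return static_rule(amount), "fallback-static"
    ratio = amount / baseline
    return ratio > RATIO_LIMIT, f"ratio={ratio:.1f}"


# Constructed sample data: weekly transfer totals in GBP, oldest first.
HISTORY = {
    "occasional": [120, 80, 0, 200, 150, 90],
    "weekly-5k": [5200, 4800, 5100, 5000, 4900, 5300],
    "new-user": [5000, 5100],
}

if __name__ == "__main__":
    for user, amount in [("occasional", 5000), ("occasional", 900),
                         ("weekly-5k", 5000), ("new-user", 5000)]:
        flagged, reason = dynamic_rule(amount, HISTORY[user])
        print(f"{user:11} £{amount:>5} static={static_rule(amount)!s:5} "
              f"dynamic={flagged!s:5} ({reason})")
```

The static rule flags the customer for whom £5,000 is routine and misses the £900 transfer that is more than eight times another customer's weekly norm; the dynamic rule reverses both decisions and falls back to the fixed threshold when there is too little history to form a baseline.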
This makes for improved fraud detection and can drastically reduce the false positives, manual reviews and operational costs which can challenge or even surpass fraud losses. False positives in particular can add to the customer friction many users experience when a transaction is blocked or stepped-up after raising the alarm. It’s the kind of thing that could prompt even the most loyal customer to take their business elsewhere.