There’s a pressing need for innovative cyber security systems. Analysis from Juniper Research found the rise of professional cyber criminals could result in more successful attacks in the future. The firm estimates that data breaches could cost businesses over $2.1 trillion by 2019.
Founded in 2011 by former Israel Defense Forces intelligence officer Avi Turgeman and cyber security expert Uri Rivner, BioCatch is one example of innovation. The company offers a variety of user authentication and fraud prevention services to businesses based on its use of behavioral biometrics. The company has a portfolio of 34 patents, seven of which have been granted, raised $1 million in seed funding in September 2013, and brought in another $10 million in a series A round in 2014.
What is behavioral authentication?
BioCatch offers cloud-based behavioral authentication services for mobile and web applications. Using behavioral biometric data is one of the cutting-edge ways companies are authenticating users, and it’s potentially one of the best ways to keep your system secure.
Greg Hluska, a web developer and self-described hacker, explains traditional authentication methods differ from behavioral authentication in one key way. Typical authentication methods rely on something the user knows, like a password or passcode. Newer two-factor authentication methods rely on something the user knows and something they have, such as a password and a code that’s sent to their phone or an email account.
Behavioral authentication, on the other hand, changes things up by adding a verification layer based on how a user acts rather than what they know or have.
When companies like BioCatch try to track behaviors of people as they use mobile devices, they typically look at three different types of activity, explains Jason Sinchak, co-founder and CTO of mobile security company Sentegrity.
- User interaction: How users touch the screen and type on the keyboard can be used to identify them or detect fraud.
- Environment: Input from environmental sensors on the device, such as GPS, time, and Wi-Fi connectivity.
- Device movement: How a user holds a device and activity associated with the device prior to an authentication attempt, such as running or walking.
Similar tests are implemented for computer-based systems. For example, if someone steals your information and logs in to your account, a behavioral authentication system might be able to detect the potential fraud based on typing patterns or how the cursor moves.
How does BioCatch’s behavioral authentication work?
BioCatch isn’t the only company in the behavioral biometric and authentication space, but it is one of the industry leaders. The company currently has clients in the banking and e-commerce space in North America, Latin America, and Europe and analyzes over a billion transactions each month.
Hluska says he’s familiar with BioCatch primarily because of the co-founder Turgeman’s previous service in Unit 8200. Unit 8200 is a decades-old intelligence unit within the Israeli Intelligence Corps. “They’re extremely hardcore,” Turgeman says. “It’s like the Jedi Academy of the InfoSec world.”
According to its website, BioCatch uses more than 500 parameters to create unique user profiles. Once you log in to an account, such as your online bank account, the software starts to build a “signature” for you based on how you interact with the site, the device you use, and other identifying information. In the future, when someone tries to log in to your account, their actions can be compared to your normal usage to help detect fraudulent activity.
To build and strengthen its profile, BioCatch creates “Invisible Cognitive Challenges” (ICC) for users to complete. They’re invisible because the user might not even realize they’re taking place. For example, on a mobile device the user might be prompted to input a date, and BioCatch could detect how quickly the person spins each wheel, how they stop, and how they handle corrections if they spin a wheel too quickly. On a computer, ICC could make a user’s cursor disappear after they complete a task and detect how the user goes about “searching” for the cursor.
Even without a user’s profile, BioCatch can help detect and prevent cyber crime by matching a user’s actions with known indicators. For example, cyber criminals tend to use keyboard shortcuts and copy and paste more often than other people.
In addition to helping authenticate users, BioCatch’s platforms offer a variety of protections against malware, bots, and social engineering. As a client, you can log in to a web portal to access a real-time assessment and easy-to-understand visualization of current sessions and associated risk scores based on the user’s biometrics.
Is implementing a behavioral authentication system always a good idea?
“Humans are the weakest link in many organizations’ cyber defenses,” says Joshua Crumbaugh, CEO of cyber security firm PeopleSec and a professional hacker. Cities, casinos, Fortune 500 corporations, and the U.S. government have all hired Crumbaugh to try and find weaknesses in their cyber security systems. Crumbaugh draws his conclusion from the ideas that humans can be “hacked” and can’t be updated or patched, and often people don’t think before they click. “This easily allows attackers to get a foothold within the network and bypass key protections such as multi-factor authentication,” says Crumbaugh. He also thinks that using behavioral biometrics could be a positive game changer for cyber defense.
While he may be right, there could be more to the picture than security. Thomas P. Keenan, a professor in the Faculty of Environmental Design and an adjunct professor in the Department of Computer Science at the University of Calgary, points to the “creepiness” factor inherent in collecting biometric data. “Monitoring things like how we hold our phones may indeed give people reason to dislike the company that is doing this to them,” says Keenan. “If another company makes a point of not tracking you in this way, that may constitute a competitive advantage.” However, a customer also likely won’t be happy if their account gets hacked or their personal information is stolen, so it’s a trade-off that could be worthwhile.
Should you give BioCatch a shot?
While no cyber security system is failproof, BioCatch’s behavioral biometric, authentication, and malware services are worth considering if you’re trying to protect mobile or web applications. The company has expertise working with banks, software vendors, and e-commerce clients and appears to have a good track record. Still, you may want to interview several companies to find the one that best meets your needs and budget.