• Announcement: BehavioSec® is now part of LexisNexis® Risk Solutions    Press Release >>

End Helpdesk Fraud with Behavioral Biometrics, a Continuous PSD2-Factor

  • Olov Renberg
  • Blog
  • Share

Helpdesk fraud, also known as the original Tech Support Scam, refers to when fraudsters call victims to offer technical support services. Historically, many fraudsters targeted Microsoft Windows users, hence the alternative name ‘Microsoft-fraud’ but now it has become a growing menace across both platforms and industry verticals.

These fraudsters rely on social engineering and confidence tricks, enticing the victim to install remote access software on their computer and allowing the fraudster to gain access to the victim’s digital identities. The reason this fraud has been particularly hard to stop is related to the nature of legacy security, where security measures simply end after the initial one-time authentication. Whilst legacy security is decent at stopping gateway attacks, generally by introducing friction-based elements, it is often powerless when the fraudster is already past the gate.

Extend the Password with Behavioral Biometrics for Strong Authentication

What is behavioral biometrics and how does it stop helpdesk fraud?

Behavioral biometrics is the measurement of human behavior in order to verify a person’s digital identity, see more in my previous post. In practice, this means observing human interactions in real-time to determine whether it is the same human accessing and using a digital identity. Behavioral biometrics provides the ability to protect a digital identity continuously throughout a session, instead of just at the point of entry.

This continuous factor is the reason behavioral biometrics is excellent at protecting against past-the-gate attacks, like helpdesk fraud. A great example of this occurred during a pilot with one of our long-standing customers, prompting them to conclude the pilot and sign a multi-year contract the same week.

The bank’s fraud analysts were investigating a high value transaction request even though the legacy systems said it was all clear; the high amount (>$600,000) made the analysts suspicious. When they decided to look at the newly implemented behavioral biometric feed it all became clear, the account owner had indeed signed in, leading the legacy systems to clear the transaction entirely but there was someone else in the session as well. By investigating the behavioral data, they immediately saw both the remote-access signal, as well as behavioral indications that there were two people in the session. They halted the transaction and called the account holder who told them about the polite “customer service representative” who had kindly offered to help fix his computer.

PSD2-directive Approves Behavioral

Many of our European customers are anticipating the new regulations coming to place and we are excited to announce the first PSD2 compliant Behavioral Biometrics solution generally available. The Payment Service Directorate 2 (PSD2) states that PSPs and financial institutions:

“Payment service providers therefore need to devise an authentication method that uses two elements from two different categories, for instance one element categorised as knowledge (such as a password) and one as inherence (such as fingerprints). An element based on inherence is typically based on biometrics (including behavioural biometrics), provided they comply with the requirements under Article 8 of the RTS.”

Of specific interest to BehavioSec, is the introduction of the legal requirement for PSPs to implement “strong customer authentication.” Strong customer authentication requires that prior to a customer completing a transaction, they must be authenticated by two or more elements based on knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is). These elements must be independent of one another, so that the compromise of one does not compromise the reliability of the others.

Better Customer Protection and Experience

If the PSP does not provide strong customer authentication, then the customer will not incur any financial losses unless the customer has acted fraudulently. A PSP is required to use strong customer authentication where the customer:

1.      Accesses a payment account online.

2.      Initiates an electronic payment transaction.

3.      Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Additionally, the PSPs must provide strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific customer. Doing this with Behavioral allows for less friction and smoother payments.

If you are interested in more information, please read the full whitepaper or request a demo on our website.