Behavior Piercing Technology

When an unauthorized user gains access to someone’s account, which we call “account takeover”, the fraudster knows they are committing a crime, so they hide their identity and intent in order to remain undetected. It doesn’t take much knowledge to become anonymous online, appear to use a different web browser and route your web traffic through another country.

Getting access to your user’s password is an easy prospect for a fraudster.

  • Example

    I downloaded an app which allows me to book a table at my favourite restaurant chain. I created an account with my email and my usual and seemingly secure, 10-character, alphanumerical password. Using the app allows me to get rewards for regular bookings.

    The app developer for the restaurant chain didn’t spend much time researching security best practices. After all, why would a hacker want to book a table posing as someone else or even steal their reservation?

    Regardless, the database containing all of the users’ email addresses and passwords is stolen and, overnight, my email address and usual password are on the free market.

  • The point here is that you cannot assume that every other website your legitimate user subscribes to is going to have the same level of security that you have painstakingly put into your website. Behavior piercing, if done properly, will give you a critical additional layer of user validation.

    Once the fraudster has the user password list, it is time to scale up. The fraudster writes an automated program to try to log in with each one of the stolen details in a few minutes, precisely because it would take too long for a human to perform. This is different, and often goes undetected by websites, because each attempt to log in is exactly that – just one attempt. It isn’t enough to arouse suspicion.

    Once logged into an account, the fraudster must act quickly so the actual user doesn’t notice what is happening, yet still act within the bounds of normal behavior.

    What we end up with is known as “synthetic behavior”, where fraudulent users exhibit a combination of behaviors which in isolation are normal but, when looked at in the aggregate, are very rare and therefore very suspicious.

    Behavior-based profiling, or behavior piercing, is a technology that has surfaced in the past few years to complement the user login process and cut through synthetic behavior.

    Originally this technology focused on simple indicators such as your IP address and the ‘header’, which contains information about things such as your device, browser, language and time zone, but it has expanded to include intricate user-specific data such as how fast and where users click on a screen (click-flow), the path a user has taken through a website (page-flow) and even how quickly they swipe their touch-screen device. By noting in-depth behaviors, behavior piercing technology now has multiple layers of analysis to draw upon.

    Just as there are many avenues for collecting behavior, there are equally many levels of context in which to analyse this behavior. It is the layers of analysis that separate the very simple behavior detection security controls from those that truly do behavior piercing in a meaningful, actionable way.

    Having four layers of context vastly reduces the number of false positive results seen from simpler threat detection models. In addition, the more advanced Behavior Piercing solutions are self-learning. As the risk model starts noticing risky behaviors, it constructs a behavior pattern. This means that, in a split second, every attempted fraudulent activity makes its own repetition harder.

    This makes automated login from stolen usernames and passwords increasingly difficult to capitalize on. Once the online world moves to a more secure method of authentication, it will become even harder again.
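
One way to express the “synthetic behavior” test described above, as an added example that is not from the original article or from any vendor’s product: a session is flagged when every attribute is individually common among legitimate sessions but the full combination is rare. The baseline sessions, the feature names and the 20% / 1% thresholds are constructed assumptions.

```python
from collections import Counter

FEATURES = ("lang", "tz", "device", "flow")  # indicators of the kind the article lists

def _s(lang, tz, device, flow):
    return {"lang": lang, "tz": tz, "device": device, "flow": flow}

# Constructed baseline of 100 legitimate sessions (not real data).
BASELINE = (
    [_s("en-GB", "Europe/London", "mobile", "home>bookings")] * 40
    + [_s("en-GB", "Europe/London", "desktop", "home>bookings")] * 25
    + [_s("de-DE", "Europe/Berlin", "desktop", "login>account>rewards")] * 20
    + [_s("de-DE", "Europe/Berlin", "mobile", "login>account>rewards")] * 15
)
# Constructed sessions to classify.
NORMAL = _s("en-GB", "Europe/London", "mobile", "home>bookings")
BLENDED = _s("en-GB", "Europe/Berlin", "mobile", "login>account>rewards")
ODD = _s("en-GB", "Europe/London", "smart-tv", "home>bookings")

def build_profile(sessions):
    """Count each attribute value on its own and each full combination."""
    marginals = {f: Counter(s[f] for s in sessions) for f in FEATURES}
    joint = Counter(tuple(s[f] for f in FEATURES) for s in sessions)
    return {"n": len(sessions), "marginals": marginals, "joint": joint}

def classify(session, profile, common=0.20, rare=0.01):
    """Return (label, share of the least common attribute, share of the combination)."""
    n = profile["n"]
    shares = [profile["marginals"][f][session[f]] / n for f in FEATURES]
    combo = profile["joint"][tuple(session[f] for f in FEATURES)] / n
    if min(shares) < common:
        label = "unusual_attribute"  # a single-indicator check already catches this
    elif combo <= rare:
        label = "synthetic"          # each attribute is common, the aggregate is rare
    else:
        label = "normal"
    return label, min(shares), combo

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for name, s in (("NORMAL", NORMAL), ("BLENDED", BLENDED), ("ODD", ODD)):
        print(name, classify(s, profile))
```

The `BLENDED` session passes every per-attribute check and is caught only by the combination count, which is the gap between simple indicator checks and aggregate analysis that the article describes.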