In India, 2FA and RASP can keep fraudsters out, but increase user friction. Can biometrics be a good alternative?

Early this year, India’s central bank and financial regulatory authority, the Reserve Bank of India (RBI), announced comprehensive guidelines governing India’s digital payments ecosystem.

The rollout of the guidelines could not have come at a better time, fintech experts have noted. One of them, Vikram Gidwani, Business Head (South Asia), BioCatch, felt that behavioral biometrics are a feasible solution to fend off cyber threats in the banking sector.

“While the opportunities for businesses in a digital economy are vast, so are the risks. We have seen this with the explosive growth of digital payments in India, as UPI hit two billion transactions per month, and banks and consumers find themselves a lucrative target for cybercriminals,” Gidwani noted.

What other thoughts did the cybersecurity professional share with DigiconAsia? Read on to find out…

Vikram Gidwani, Business Head, South Asia, BioCatch

CybersecAsia: What is the current cyber-threat landscape plaguing the Indian banking sector and which kinds of attacks are more prevalent?

Vikram Gidwani (VG): The growth of digital banking in India was accelerated by the pandemic, and along with the rapid rise of digital, cybercriminals have taken advantage of the crisis. These are the most common fraud attacks we currently see in the banking sector:

  1. Identity theft or use of synthetic identities: Stolen or phished user credentials are used to open or take over bank accounts and/or instant financing applications and other digital assets.
  2. Social engineering: Cybercriminals are using human psychology to fluster and convince victims to perform actions like money transfers. The scams are most commonly carried out through a phone call. Such scams are the hardest to detect, because it is a genuine user acting under duress. Once the money leaves the bank account, it is almost impossible for the bank or authorities to recover it. 
  3. Advanced TTP: Malicious actors use remote access tools (RATs), malware, bots, device and GPS emulators, VPNs and proxies to hide their identity and intent, mimic most of the static parameters like device, browser and network information, and evade detection and response.
  4. Other threats: Money mules, hybrid bots, business email compromises, and threats due to network breaches.

CybersecAsia: How can the banks ensure the cybersecurity of their customers and their data through digital tools and solutions?

VG: Cybersecurity is a multi-layered approach, and banks have to strike a balance between customer friction and fraud prevention. The need of the hour is the right team that focuses on data attributes that are hard or impossible for a fraudster to mimic or recreate. This will allow banks to stay ahead of the emerging fraud vectors across digital channels, while still fulfilling consumers’ demand for frictionless experience. 

This is where behavioral biometrics data can play an important role.

CybersecAsia: How does behavioral biometrics tech help to prevent financial fraud?

VG: Behavioral biometrics distinguishes between legitimate users and cybercriminals and identifies people by how they behave (e.g., trying to access information they normally are not privy to) and interact online (e.g., unconventional behavior) rather than via static information or physical characteristics (e.g., date of birth).

Behavioral biometrics solutions have become a game changer across the world, because they are data-rich and focus on characteristics that are nearly impossible for the fraudsters to mimic, and are beyond the scope of human interpretation or typical rules-based systems.

CybersecAsia: How can other identity authentication technologies serve to prevent/detect financial fraud and cybercrime?

VG: Currently, most traditional fraud detection and prevention technologies in the space address one type of fraud attack and follow a siloed approach. They cannot detect or protect against the new fraud attacks, such as social engineering scams, bots, RATs, malware, emulators, etc.

Assuming a fraud detection technology can identify more than one fraud modus operandi, then the channel becomes a constraint. A classic example would be a Runtime Application Self-Protection (RASP) solution, which focuses only on the mobile channel and adds a lot of friction for the end-user. Cybercriminals like technology, and learn and evolve quickly. With the rise of social engineering scams, the victims are often fooled into (unknowingly) defrauding themselves using the legitimate attributes, such as device and IP, that the technology relies on for profiling customers.

Authentication providers are another solution that banks depend on to correctly identify users when customers log in. As the name indicates, these solutions provide authentication of end-users, allowing customers to do business safely. However, authentication providers struggle to provide both security and customer convenience. They often require the customer to take additional action to access their account like Two-Factor Authentication (2FA).

The other setback for authentication solution providers is that they only offer detection services at a single point in time and not continuous protection. As the adoption of digital channels increases and fraud becomes smarter, banks should focus on continuous protection. Network security systems are crucial for banks taking a layered approach and protecting themselves against organizational hacks.

CybersecAsia.net thanks Vikram for sharing his insights.