The Digital Rush

The year #2020 marks the landmark year especially for Indians as we dreamt of becoming a
‘Complete Nation’ or ‘Superpower’ whatever you call it, through balanced growth,
technology driven economic stability and perceptibly the millennial’s potential. I am tired of
hearing news blaming covid #19 for whatsoever damage it caused to our human race; on an
optimistic note, I see a lot of opportunity around this fiasco which has actually intensified
“The Digital Rush” - The digital adoption growth rate cannot be compared with any other
country globally, completely reimagining the way we operate and thrashing us out of our
comfort zones.

By this time, everyone would have read on how BIG the digital market is? And definitely I
won’t bore you with the business view projected by the various market analysts. But one
thing which I would like to reiterate is on the transition to digital world has become “the
essentials” for existence by any financial institution during the pandemic rather than a
sophisticated digital product offered in tier#1 cities/states. With NPCI clocking 2 billion
transactions on UPI with a monthly growth rate of 100% and the number of mobile phones
exported & imported during the festive season clearly denotes we are a mobile #1 nation
with many millennials rushing to create their digital identity.

As smart APPs, digital wallet, IoT etc., are super-spreaders, all financial
institutions/aggregators capitalize the Smartphone penetration to generate revenue. The
growth is so exponential that institutions forget to realize the trap; on the other side the
institutions could not achieve the projected business value if they were conscious about the
trap. The institutions are trying to strike a balance by bringing in various validations ensuring
the millennials don’t lose their curiosity. In this process, institutions face a lot of challenges
which are not only restricted to:
1. User’s outlook on trusting people.
2. Belief over freebies.
3. Lack of education:
a. In using Smartphone.
b. Vulnerabilities of using Smartphone.
c. Vulnerabilities in mobile APP.
d. On the steps/process around making payments/transfers.
e. On what is sensitive & personal information?
f. Loopholes in the payment process.

Being one of the foundation stones for digital transformation, Unified Payment Interface
(UPI) transactions are hitting all-time high; RBI/NPCI ensures the safety & security of this
huge flagship digital platform with constant mandates as there are many participants
involved in the transaction. Due to pandemic, there is surge in frauds around the digital
transactions especially around UPI. The list below shows on how fraudster use different
ways to make it happen:
1. Vishing
2. Social Engineering
3. Money mule
4. Malware
 5. Remote Access Tool
6. SIM Cloning
7. Phishing

Frauds around UPI is one of the fastest growing financial crimes despite constant steps
pursued by RBI/NPCI & participants through educating customers, deploying mobile security
software’s, checking beneficiary handle/VPA (Virtual Private Address) etc. All starts with a
phone call from a fraudster posing as a representative from a legitimate organization such
as bank, utility company or government agency. Fraudster uses variety of tactics most often
claiming there is a cashback/offer. The fraudster then tells victims that they have processed
the cashback and just needs to be accepted through the UPI APP.

At the core of UPI scams is advanced social engineering. The fraudster who perpetrates
these attacks are well-scripted and often knowledgeable about the security practices and
processes. What makes these scams so hard to detect is that the transaction or payment is
being conducted by the genuine user who is logging in from their own device. In addition,
even if required to provide additional authentication credentials, such as a one-time
passcode, the legitimate user will be able to provide them or fraudster access it through
RATs. In a recent article on The Economic Time, many small towns have mushroomed as the
hubs of cybercrime by high-profile gangs as such frauds are very hard to find.

Working together with several of our customers, BioCatch set out to find whether digital
behaviours could be used to detect social engineering scams, and if so, determine what
behaviours should be examined.  How could we take what we know about digital behaviour
based on clicks, swipes, and typing patterns and marry that to human psychology to develop
models that produce highly accurate profiling to detect advanced social engineering?  

It is in these advanced scams that the power of behavioural biometrics comes into play. The
assumption was to start with finding differences in actual human behaviour that was
statistically significant enough to determine a user’s intent and emotional state in context of
the activity being performed. Some of the differences in digital behaviour we uncovered to
indicate a user was acting under duress or the coercion of a cybercriminal include:
 Length of session.  The length of a session takes significantly more time and
behaviours such as aimless mouse movements are common indicating a person is
fiddling while they wait for instructions.
 Segmented typing.  These patterns indicate dictation such as a cybercriminal reading
off the account number to transfer funds to.
 Hesitation.  The time it takes to perform simple, intuitive actions such as clicking on
the Submit button show a statistically significant increase on average.
 Displacement.  This is indicated by actions such as changing the orientation of the
device often. For example, continuous movement of the phone to suggest the user is
picking the phone up to take instructions and placing it back down to perform the
actions instructed by the cybercriminal.

While technologies such as behavioural biometrics have alleviated some of the risk from
advanced social engineering scams, there is still no undermining the value of continued
awareness and education. Today, with billion transactions happening on the UPI platform
there is motivation more than ever to implement the right technology to prevent fraud
losses from advanced social engineering scams and build trust with customers.