BEHAVIORAL MONITORING TECHNIQUE OVERVIEW
Behavioral Monitoring helps detect and prevent fraud by recognizing anomalous and risky behavioral patterns of users on a website. All web traffic and activity is monitored and typical or normal behavior is defined. Users displaying high risk behavioral patterns, or those not consistent with what is considered good or normal for that site, are flagged.
Key considerations when implementing or buying this functionality include:
At what points are user behaviors tracked? Behavior should be tracked pre-login, post-login, during site navigation/product browsing and through every stage of the order and purchase process.
Will the service recognize negative behavior on a large scale, such as with DDoS attacks?
Does the service only look for anomalous behavior or can it also look for/profile specific behaviors associated with fraud or high risk?
How often does the service update user behavior records and what is considered ‘normal’ behavior for a particular business or site?
Does the service only analyze normal behavior based on the entire pool of good users, or can it also profile normal behavior down to the individual user level?
HOW DOES IT WORK?
By monitoring web traffic, how users navigate through a website, and other behavioral characteristics, high risk and fraudulent activity can be detected and stopped. The system may flag orders or users that displayed behavior different from what is normal or expected, it may identify specific behavioral patterns that are associated with high risk, or the service may do both.
By tracking the behavior of good users, the system analyzes what behaviors are normal and identifies user behavior that is anomalous or outside of this norm. The system may also look for particular behavioral patterns that are associated with fraud or high risk activity. For example, a typical customer may go to a merchant’s home page, click on a product category like Electronics, click on a sub-category like Tablets, and then browse through the items they may want to purchase. By contrast, the typical behavior of a fraudster may be to go directly to the page where they can buy an iPad, and Behavioral Monitoring will recognize and flag this transaction as displaying high risk behavior.
Behavioral Monitoring services designed for online banking and financial institutions go a step further. They will also track the behavior of individual users, and when these users log in to access services their current behavior is analyzed against their typical behavior based on past logins and activity. This is important in recognizing account takeover, as a compromised account may begin displaying behavior that is very different from the typical behavior of the true account holder. When Behavioral Monitoring services can analyze and compare behavior on the individual user level, as opposed to comparing one user’s behavior to what is considered normal site behavior based on the entire user base, they are able to detect account takeover and prevent or contain losses.
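The two comparisons described above (a session against the site-wide norm, and a login against one account holder's own history) can be sketched with the same small model. This is an added example, not code from the original page or from any vendor; the page paths, the smoothing constant and the 1.5x threshold margin are assumptions, and all session data is constructed.

```python
import math
from collections import defaultdict

START = "<entry>"  # synthetic state: how the session arrived at its first page

class PathBaseline:
    """First-order Markov model of page transitions learned from known-good sessions."""

    def __init__(self, good_sessions, smoothing=0.1, margin=1.5):
        self.smoothing = smoothing
        self.counts = defaultdict(lambda: defaultdict(float))
        self.pages = {START}
        for path in good_sessions:
            prev = START
            for page in path:
                self.counts[prev][page] += 1
                self.pages.add(page)
                prev = page
        # Assumed cut-off: the least typical good session, widened by a margin.
        self.threshold = margin * max(self.surprise(p) for p in good_sessions)

    def surprise(self, path):
        """Mean negative log-probability per transition; higher means less typical."""
        vocab = len(self.pages) + 1  # reserve probability mass for unseen pages
        total, prev = 0.0, START
        for page in path:
            row = self.counts.get(prev, {})
            p = (row.get(page, 0.0) + self.smoothing) / (sum(row.values()) + self.smoothing * vocab)
            total -= math.log(p)
            prev = page
        return total / max(len(path), 1)

    def is_anomalous(self, path):
        return self.surprise(path) > self.threshold

# Constructed sample sessions (illustrative only, not real traffic).
SITE_GOOD = [
    ["/", "/electronics", "/electronics/tablets", "/product/ipad", "/cart", "/checkout"],
    ["/", "/electronics", "/electronics/tablets", "/product/ipad", "/product/tablet-b", "/cart", "/checkout"],
    ["/", "/search", "/product/ipad", "/cart", "/checkout"],
    ["/", "/electronics", "/electronics/tablets", "/product/tablet-b", "/cart", "/checkout"],
]
DIRECT_TO_PRODUCT = ["/product/ipad", "/cart", "/checkout"]
HOLDER_HISTORY = [["/login", "/accounts", "/statements"], ["/login", "/accounts", "/bill-pay"],
                  ["/login", "/accounts", "/statements"]]
TAKEOVER_LIKE = ["/login", "/profile/change-email", "/transfer"]

def flags():
    site, holder = PathBaseline(SITE_GOOD), PathBaseline(HOLDER_HISTORY)
    return site.is_anomalous(DIRECT_TO_PRODUCT), holder.is_anomalous(TAKEOVER_LIKE)
```

Both constructed sessions score well above their baseline's threshold, while every training session stays below it; the flag is a signal to feed into rules or manual review, not a verdict.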
HOW DO YOU USE THE RESULTS?
When anomalous or high risk behavior is detected the business will receive notification. In the event of a DDoS attack or negative behavior site-wide or on a large scale the provider will send a notification so the business can respond immediately. When it comes to flagging individual users or orders for risky behavior there are a few different ways merchants can use these results.
Depending on the software or service used, the results from Behavioral Monitoring may be incorporated with building and executing rules. When the service recognizes unusual or high risk behavior from a user or group of users, it may offer the ability for the merchant to build rules around these users to prevent or contain losses. The merchant may put automatic breakers in place. For example, when a user or transaction is flagged for odd or risky behavior, this can trigger certain rules or affect the order’s overall weighted risk score. In more advanced applications a Behavioral Monitoring provider may offer an interface where the Fraud Manager can view the behavior of flagged users in real-time while creating and applying new rules to these specific groups of users.
A merchant may also set automated rules or outcomes based on Behavioral Monitoring signals. For example, a merchant may choose to manually review any order where the user’s behavior was considered atypical, or they may decline all orders where the service recognized the user as displaying known high risk behavior.
DID YOU KNOW
Behavioral Monitoring may also be known as: Real-time Monitoring, Anomaly Detection, Website Behavior Monitoring or User Behavior Monitoring.
Behavioral Monitoring is used by many online merchants, financial institutions and other businesses that transact with consumers online. Behavioral Monitoring services profile and collect information on the behavior of website users to gain an idea of what typical, good behavior is for that business or website. When users display behavior that is different from the norm, these users and sessions are identified so the business can prevent or contain their negative behavior.
For most merchants and sites the typical behavior of a fraudster is very different from that of a legitimate customer. Simply recognizing how a consumer arrived at a webpage to purchase a product can help distinguish a good order from a fraudulent one. Not only can Behavioral Monitoring recognize activity that is very different from typical, good behavior, but it can also recognize behavior highly associated with fraud.
Often Behavioral Monitoring providers not only consider the typical behavior of good users overall, but they may also profile the behavior of individual users. This is useful in recognizing account takeover as a fraudster accessing someone else's account will likely display behavior far different than that of the legitimate account holder.
"Gotchas" with Behavioral Monitoring:
There are businesses that offer Behavioral Monitoring and businesses that offer Website Monitoring, and although they are similar services they have very different uses. Website Monitoring refers to tracking and monitoring how users navigate and use a website, but the main goal of the service is to optimize sales and conversion. These services track how users arrive at their purchase decisions, at what points they abandon the checkout process and other characteristics that affect sales. These businesses often refer to their services as Behavior Monitoring or another term that could be confused with Behavioral Monitoring for fraud prevention. But the Website Monitoring services intended for monitoring and maximizing sales and conversion do not have the same capabilities as Behavioral Monitoring for fraud prevention and cannot be effectively used as such.
THE FRAUD PRACTICE
KEY NOTES
Alternative Solutions - One could use Urchin Tracker and other Google web analytics to assess user behavior, but this won't provide real-time behavioral monitoring. Device Identification and Hot/Warm Lists can be used to identify users that have displayed bad behavior in the past, but there is no true alternative to Behavioral Monitoring.
Building this In-House - Most online businesses already monitor site behavior to some extent with Urchin trackers to see which pages users are visiting and where they are coming from. This could be built out into a low-cost, low-end form of Behavioral Monitoring, but the value of a software or service provider is that behavior is reported in (near) real-time so it can be identified and acted upon immediately. The provider may also provide an interface and ability to build rules and containers around users currently displaying bad behavior.
The Cost - Typically this service is offered on a subscription basis. The costs are moderate.
Sample Vendors - NuData Security (MasterCard), BehavioSec, BioCatch, mSignia