A close understanding of user behavior can help banks to better protect their clients' accounts from being taken over by criminals, an issue that has taken on a new, technological twist with the rising problem of cyber-crime.

An ever-present threat to clients is the computer hacker seeking to raid their accounts. Almost daily, there are stories of attacks: last year, for example, JP Morgan said up to 76 million (yes, million) accounts had been affected by an attack although no evidence of loss was established.

Over in Asia, the Hong Kong Monetary Authority regularly warns the public of fake emails and websites seeking to lure people into divulging private data.

Earlier this summer in London, sister publication WealthBriefing was struck by the hundreds of cyber-security firms touting for business at a trade fair in Olympia.

Cyber-security is a multi-billion dollar business and a significant part of the “fintech” ecosphere. Against such a background, Ryan Wilk, director at NuData Security, based in Vancouver, Canada, examines how clients and their service providers can combat takeover of accounts. This publication is grateful for these insights and welcomes responses from readers.

The Ponemon Institute’s 2015 Cost of Data Breach Study showed a 23 per cent increase in the total cost of a breach from 2013 to 2014. In other terms, companies paid an average of $154 per lost or stolen record. Multiply that by the hundreds of millions of records that were compromised last year, and it’s clear to see that we have a security crisis on our hands.

These records include incredibly personal data such as a person’s Social Security number, name, address, phone number, credit card number, name of local bank branch, etc. Data thieves sell this information to aggregators, who cross-reference and compile full identities – called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.

A full identity allows a cyber criminal to file a tax return or create new bank accounts under an actual person’s name. These actions cannot be traced back to the fraudster and can cause problems for the fraud victim for years down the road. In a recent New York Times article, a reporter details how a recent healthcare data breach exposed his child to identity theft that could be problematic for the rest of her life, because her Social Security number was stolen.

Stolen data has repercussions for the victims, sometimes for years to come; this is the ripple effect of cybercrime.  Small data breaches appear on the surface to be minor losses of data, but they can quickly expand out across the digital waters, converging into a wave of personal information so detailed that undoing the damage is next to impossible.

There is a hierarchy of value on the “dark web” for stolen data. Fullz sell for $5 apiece, but require a more in-depth and risky scam to realize value. Working user accounts with a payment method attached go for $27 each and can translate into hundreds to thousands of dollars in stolen money and merchandise.

It only makes practical sense, then, that account takeover has become a new favorite fraud tactic. In account takeovers, fraudsters attempt to hijack valid user accounts instead of creating new accounts. ATOs can be automated or can be done with small human teams. Helping out the scammers are middlemen who play a key role in testing the log-in credentials before they are used again to commit actual fraud.

The current industry average is three high-risk log-ins for every high-risk checkout. The first log-in is to verify if the account works. The second time is to gain intelligence, and the third time is the actual fraud attempt. The transaction is no longer the point of focus for fraud – it is the log-in. By protecting the log-in pages of your sites, you cut fraudsters off at the source. You stop them from being able to take control of the account in the first place.

This leads to the question of how to protect log-in pages. This is where behavioral analytics comes into play. Why? Most merchants look for a username and password match. Some use device ID or check for password resets. But the newer, more sophisticated criminals are skilled at bypassing these mechanisms. And, as detailed above, full identities are prevalent and cheap.

If it seems too difficult to distinguish between legitimate users and fraudsters, it’s time to ask yourself the question, “Do I understand my user in enough detail?”

This is what behavioral analytics does for you. User behavior analytics observe and understand how the user behaves, in an effort to answer bigger questions. For instance, how did the user behave previously when they logged in? Are they behaving the same now?

When the user is inputting data, is it similar to how they’ve interacted on the same device before, or is it completely different? Is their behavior repeated? If the behavior is the same every time they visit, perhaps we can say it’s a good user. But if it’s the same behavior that 1,000 users are all repeating, it could indicate the activity of a crime ring executing a distributed, low velocity attack.

For these reasons, observing user behavior in detail enables the best chance of beating fraud. Merchants are beginning to realize they can no longer rely on basic data validation measures anymore, because when it comes to account takeover, all of the data may be compromised and will be correct regardless of who logs in. As ATO gains steam, fraud detection and prevention efforts need to be focused on behavior.

Behavioral analytics looks beneath the surface of matching usernames and passwords to truly understand user behavior. These behavior patterns reveal details that fraudsters can’t fake despite their best efforts.