You already know how to tell the difference between someone you know well, perhaps your spouse or long-time friend and a stranger that might try to impersonate them. You recognize the timbre of their voice, the speech patterns that are unique to them. You know little characteristics like how they hold a phone or how they hold a pen when they write. Perhaps you even know their touch or their scent.
All of those characteristics you use to identify someone you know allow you to know that a person you’re communicating with is really that person. That’s what Nuance is doing with latest version of its Security Suite. The software is using things about you that make you unique and using those characteristics for authentication.
But the company has developed a number of capabilities that go beyond simply identifying a specific person. According to Brett Beranek, director of security strategy for Nuance, the company has also developed methods to unmask people while they’re in the act of committing fraud and stop them in their tracks.
“We look for conversation patterns typical of fraudsters,” Beranek explained. “Fraudsters will go through a set of interactions with the organization in order to perpetrate the fraud. They will create a sense of urgency or panic, and use that to create stress. That’s quite different from a customer.”
He said for example that a criminal might call up a credit card company and using information gained from a previous breach, try to obtain a new credit card. But even if the fraudster has all of the required information, the Nuance security software can detect a difference in the voice when compared with a real customer.
The software can also detect speech patterns associated with fraudulent behavior. It can even tell if you’re the actual customer by the way you hold your phone versus how the criminal will hold the same phone.
While Beranek didn't provide specifics, modern smartphones contain accelerometers and multi-axis electronic gyroscopes that can detect even the tiniest of movements. Each person has a characteristic way in which they hold a phone when they're talking or otherwise using the device. An authentication system can detect the pattern of these movements as a way to tell you from someone else, even if they're using the same phone.
Beranek said that while Nuance keeps voice prints on some 300 million people, they don’t need a voice print to identify an individual. They can identify and authenticate a person by the way they use a keyboard or handle a mouse or by the way they tap or swipe a cell phone or tablet.
Each person moves a mouse or swipes a screen in a slightly different way. Those movements form a pattern that's unique to each person. Reading mouse movements to use for authentication, as you'll see on sites that ask you to check a box saying you're not a robot. People have mouse and swipe movements that are different from each other, and different from robots.
Nuance is doing more than collecting information on customers to be used for authentication. The company is also collecting biometric information on the fraudsters themselves. This way, if a company that’s using the Nuance Security Suite gets a call or other contact from a fraudster, they can recognize him immediately and flag the communication.
“We pop on their screen that it’s a known fraudster that’s been detected,” Beranek explained. “They may transfer [the call] to a fraud group. Others may end the conversation.”
Typically the Nuance software would flash the screen green if it recognizes the caller, red if it doesn’t know them and purple if it’s a known fraudster.
Beranek said that the fraudsters are becoming more sophisticated, such as by pretending that they’re a customer who is under stress as a way to socially engineer a person on the other end of a call. “There is a difference between individuals under some form of stress and those going through the motions of some kind of stress,” he said. And the Nuance software can tell the difference.
“We’ve seen them try to use recordings,” Beranek said. “They try to emulate the customer’s interactions.” He said that he expects to see malware that will attempt to record a person’s voice and speech patterns, but he said that so far, that hasn’t worked. “We’ve seen fraudsters increase their sophistication, but they haven’t been able to overcome the biometrics.”
“We assume that fraudsters are going to get their hands on the source, such as by recording your voice,” Beranek said. “So we’ve built our biometric systems with mitigation in mind.”
Beranek said that Nuance is working on a hybrid approach in which authentication takes place on a device, much like the way that Apple’s Face ID takes place entirely on the iPhone, and fraud detection takes place on a server, likely in the cloud. He described in as being like Windows Hello on steroids.
That way, a user can authenticate on a device that contains all of the data, so it won’t require a network connection. But to go beyond that, it needs more processing power. “Fraud detection capabilities require a server infrastructure,” Beranek said.
The advantage of the type of biometric authentication that Nuance has developed is that you don’t need to be in the presence of the device. In fact, you don’t need to be talking to a person or to a digital assistant. The Nuance software can use typing patterns or mouse usage if you’re authenticating through a website. Or it can use voice authentication and that can take place over the phone, via a VoIP connection or even in person.
While you can use fingerprints or facial recognition, you can move beyond that into identifying the mobile device since every radio transmitter has a unique fingerprint, or identifying the way the mobile device is used and where it is. So even if the criminal is able to somehow sound like you and act like you, they also have to be where you are or the software will notice. And if they are where you are, chances are that you’d notice.
So far the criminals haven’t been able to beat the Nuance biometrics, but that’s at least partly because there are other ways to perpetrate fraud, such as by infecting a device with malware. After all, there’s no point in going to the trouble to bypass the authentication if you can simply break in.
Beranek concedes that no security system is perfect. “We’re in an arms race,” he said. But the technology that Nuance has developed seems to go a long way into reaching the holy grail of a password free environment, and that’s an accomplishment worth doing.