Pattern detection is based on what people typically do—types of transactions, how they navigate a website, when they usually access the site, and how often, Shanahan explains.
“Once you know the pattern, it’s not only easier to detect fraud, it’s also easier to know when you don’t have to be suspicious,” he says. “For example, when a member who usually doesn’t do wire transfers suddenly does one, it creates grounds for suspicion. But if the transfer has been preceded by the member’s usual pattern of activity, that tells us it’s legitimate.”
Another company, VeriSign, also uses pattern detection to verify someone’s right to access a credit union account.
“We use a risk-based authentication engine that watches each user’s patterns and then builds a profile,” says Kerry Loftus, vice president of user authentication. “For example, Katie almost always logs into her account between 9 a.m. and 5 p.m., at work on a PC. Occasionally, she’ll access it from home on her Mac. If activity on her account departs from this routine, the credit union can notify her, send a password to her mobile phone, and ask her to enter it on the website to keep the account active. Or it can ask her to call customer support.”
The passwords, called “OTPs” for one-time passwords, are numerical sequences issued to one user only. “They’re viable only for the short time—usually 60 seconds—allotted to them,” says Loftus. “The assumption is that there must be something that you know, such as a name or a password, and something that you have, such as a cell phone. Say a stranger steals your mobile device. While he has physical possession of one part of your ID, he doesn’t know the other part—your name and password.”
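The flow Loftus describes, a learned profile that triggers a short-lived one-time password when activity departs from routine, can be sketched as follows. This is an added example, not VeriSign's code; the `Profile`, `StepUp`, `login` and `katie_profile` names, the six-digit code length, and the sample history are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

OTP_TTL = 60  # seconds an OTP stays valid (the article's "usually 60 seconds")

@dataclass
class Profile:
    """Hypothetical per-user profile: login hours and devices seen before."""
    hours: set = field(default_factory=set)
    devices: set = field(default_factory=set)

    def learn(self, hour, device):
        self.hours.add(hour)
        self.devices.add(device)

    def departs(self, hour, device):
        # Activity is unusual if either the hour or the device is new.
        return hour not in self.hours or device not in self.devices

class StepUp:
    """Issues numeric OTPs that are single-use and expire after OTP_TTL."""
    def __init__(self):
        self._pending = {}  # user -> (code, expiry time)

    def issue(self, user, now):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[user] = (code, now + OTP_TTL)
        return code

    def verify(self, user, code, now):
        # pop() consumes the OTP on any attempt, so it cannot be guessed twice.
        expected, expiry = self._pending.pop(user, ("", 0))
        return bool(expected) and now <= expiry and hmac.compare_digest(expected, code)

def login(profile, stepup, user, hour, device, now):
    """Return ("allow", None) for routine activity, else ("challenge", otp)."""
    if profile.departs(hour, device):
        # In production the OTP goes to the phone; returned here to run offline.
        return "challenge", stepup.issue(user, now)
    return "allow", None

def katie_profile():
    """Constructed sample history matching the article's Katie example."""
    p = Profile()
    for hour in range(9, 17):
        p.learn(hour, ("work", "pc"))
    p.learn(12, ("home", "mac"))
    return p
```

Time is passed in as `now` (seconds) rather than read from the clock so the expiry behaviour can be checked deterministically.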