Last month, after testing, ANZ introduced a new anti-scam measure to combat fraud attempts against their customers: behavioural biometrics collection to ensure that the person doing remote banking really is who they say they are. The backdrop here is a rising number of scams costing New Zealanders somewhere in the region of $200 million a year, with calls being made for the banks to do more to help customers against the devastatingly effective fraud attempts.
What is behavioural biometrics then? Alan Thomsen, ANZ’s head of customer protection said the technology measures a range of things like how you move your fingers for swiping and scrolling, and the cadence of typing in the goMoney app, or the bank’s website.
Other information that is collected includes customers’ device models, and the operating system on them, along with their Internet Protocol (IP) address.
Asked if the system works similarly to JavaScript-based ad tech fingerprinting of users, Thomsen said it’s very different.
“The system looks at how you use the app and website, and not what you click on,” Thomsen said.
It takes three months to build up a customer behavioural biometrics profile. Once a customer profile has been created, Thomsen said a score for the person in question is generated. If it’s low, the score indicates that the person is likely who they say they are; if it’s high, it might not be the actual customer, and the bank can automatically pause the transaction.
When that happens, ANZ’s 24-hour anti-scam and fraud team contacts the customer to check that it is them behind the transaction.
This contact helps avoid false positives, such as when customers are overseas and typing differently, perhaps due to being jet lagged.
Accuracy is paramount to ensure that the system can detect anomalous use, such as “live scamming” events.
“Beyond situations where the customer’s credentials have been captured and are used by someone else, [the technology] can detect when the scammer is on the phone telling people what to do,” Thomsen said.
ANZ has received official confirmation that the data collection, which is covered by the Privacy Act in New Zealand, is fine to use. “We ran it by the Office of the Privacy Commissioner, and they were OK with it,” Thomsen said about the behavioural biometrics collection.
The data shared with ANZ's security partner is anonymised and cannot be used to identify customers. Nor will it be used for other purposes than security, the bank said.
As yet there is no local data on how effective the technology is, as it is new, but the bank expects it to work well to protect customers.
“In Australia, where ANZ uses a similar system, it has led to a 35% reduction in remote access scams,” Thomsen said. In New Zealand, ANZ along with other banks will roll out confirmation of payee systems this year, adding another line of defence against fraudsters pretending to be legitimate users and/or organisations.
ANZ in Australia has also used artificial intelligence to ferret out "mule accounts", used to transfer money for scammers, identifying 1400 of them.
Westpac stops scams with Biocatch implementation.
While ANZ declined to name their technology partner for the behavioural biometrics they use on either side of the Tasman, another of the Big Four banks, Westpac, has implemented a system from Biocatch as a defence against scammers since September last year.
Biocatch said its tech picks up over 3000 physical traits on how customers use banking apps and sites.
"In 2023 we implemented biometric behavioural technology which helps us identify when a customer’s account may have been compromised and act quickly to prevent or recover funds that may have been lost fraudulently. It has already helped us prevent millions of dollars of customer losses so far this year," a Westpac spokesperson told interest.co.nz.
In Australia, Westpac's parent bank said that it had prevented A$11 million in customer fraud losses through biometric onboard.
2 Comments
I had a pop-up on my ANZ app requesting access to my phone while the app was open. So I called them and received the usual non-disclosure word salad. My burning issue is though, if they can do it legitimately then a scam app could also be doing the same or a more intrusive access to my phone.