Share your experience using FraudNet

In my current role at TD Bank, I work for banking clients, where we worked on integrating BioCatch behavior biometrics, enhancing fraud detection during high-risk user sessions. We use BioCatch SDK on the front-end side. Currently, I work as a full-stack developer. On this project, we use BioCatch SDK on the front-end side to capture behavioral signals such as typing rhythm and navigation habits, and we send this data to BioCatch platform, which generates a behavioral risk score in real-time. When it comes to the back-end side, we use Java Spring Boot and Node.js. We built APIs to consume their scores and feed them into our risk engine based on a risk level, where the system triggers additional verification such as MFA, multi-factor authentication, step-up authentication.

I have worked with the behavioral authentication feature in BioCatch, where the user interaction is based on how they interact. Instead of relying only on passwords such as OTPs or biometrics such as fingerprints, BioCatch authentication uses behavioral signals collected from user sessions, including movement, touch gestures, scrolling, and hesitations. We also use this authentication decision where in the back-end risk engine, it consumes the scores and makes decisions for MFA or blocking the same user coming multiple times.

Terrestrial steps involve keystroke dynamics, checking typing speed, rhythm, pressure, and holding intervals. Next, we utilize pointer movement to check mouse cursor speed, acceleration, and patterns. We also analyze touch and gesture patterns on mobile devices, checking swipe speed, direction, and pressure. As the next step, we perform navigation checks, where we order the pages visited and the time spent on those pages. Lastly, we examine session levels, including session duration, idle time, and page transition timing, covering the complete login, transaction, and profile updates.

The best features of BioCatch include analyzing how users interact and creating unique profiles for each user, which is what I appreciate most. The real-time risk scoring is impressive. It generates a behavioral risk score from 0 to 1,000 for each session in milliseconds. It also enables real-time decisioning for approving, challenging, or blocking transactions. In my banking domain, it blocks transactions in real time as well. It recognizes the same user behavior across different channels - not only on mobile but also on web or tablet. Supporting multi-channel banking platforms is one of the significant benefits.

On the security measures side, having cross-device functionality helps. Regarding blocking to the user side for fraud prevention, BioCatch never collects any personal information. It only collects behavioral telemetry such as mouse movements and touch gestures, and the data sent to BioCatch is tokenized before every transmission. All communications between the client SDK and BioCatch and the back-end side are fully encrypted using HTTPS or TLS 1.2 encryption. For authorization controls, we currently use OAuth 2.2 for back-end integration with JWT tokens for API keys, and for secure SDK integration, we load only on specific trusted web or mobile pages.

The main benefits I have seen from using BioCatch are its detection of account takeover and bot attacks in real time. There is also a smooth and frictionless customer experience where the customer experiences a smooth login and transaction process. It provides good behavioral risk scores and risk indicators for each session. It also integrates with fraud or authentication engines, and with multi-channel and cross-device coverage, it works across web, mobile, or tablet platforms. It gives an adaptive and continuous learning experience and is privacy-friendly. Overall, it captures every behavioral signal, not only personal identifiable information, but it helps meet different GDPR compliance requirements.

We experienced some stability issues including API latency, SDK initialization failures, and session ID correlation. We mitigated these by synchronous SDK loading, monitoring API performance, ensuring fallbacks for unsupported devices, and regular session validation. Load testing and error logging also help maintain reliability at scale.

Currently, I do not have anything to say on present features of BioCatch because we use it frequently but have not explored it completely. As a Java developer, I work on both front-end and back-end. If something could be developed in BioCatch, I see potential in how users interact with devices, such as typing patterns. Also, integration-friendly aspects, such as the lightweight SDK for web, native, and iOS and Android SDKs, along with continuous authentication, real-time risk scoring, and multiple fraud detection models such as account takeover and bot detection, would be beneficial. It could work across web and mobile platforms while maintaining privacy and compliance.

I have been working with BioCatch for the last three years.

We experienced some stability issues including API latency, SDK initialization failures, and session ID correlation. We mitigated these by synchronous SDK loading, monitoring API performance, ensuring fallbacks for unsupported devices, and regular session validation. Load testing and error logging also help maintain reliability at scale.

Based on my experience, I would rate the stability around 8 to 8.5 on a scale of 1 to 10.

When it comes to scalability, the limitations of BioCatch depend on the usage, but as we continue using it, it remains good. BioCatch 2.0 release achieves risk score calculations in under 500 milliseconds. The platform captures thousands of behavioral data points such as keystrokes and device interactions for comprehensive fraud detection. However, to maintain optimal performance, it is crucial to implement best practices.

Regarding tech support for BioCatch, I do not recall escalating any questions. For managing support issues, we need to open new cases, track existing ones, and review ticket history. We also access knowledge resources such as release notes, deployment guides, and customer success materials occasionally.

Positive

I have not used any other solution of the same kind; I am exclusively using BioCatch.

I was not part of the initial setup when BioCatch was introduced because currently, I work as a contractor. They hired me in the middle of the project, so I was not part of any authentication setup from the beginning. I would appreciate the chance to work on BioCatch from scratch, but I have not gotten that opportunity yet.

For the onboarding process, they recruited me for the coding round. They sent me an assessment link with multiple-choice questions and one coding challenge using an online tool for the assessment. This was followed by a direct interview.

Regarding the pricing, I think I heard it is a subscription-based model, where the number of accounts or channels covered impacts the cost, usually per active or per user session.

It is cost-effective. We use BioCatch extensively. From my experience, especially in banking, where we deal with complete user-facing platforms 24/7, BioCatch is vital for authentication, such as MFA or step-up authentication. So for me, it is totally a cost-effective option.

I do not have any answer for evaluating other solutions. Rather than alternatives to BioCatch, I have heard there are some competitors, such as Zighra and SecureTouch for biometrics and authentication, but I never worked with them. I only have experience with BioCatch.

There is always something we could learn more with BioCatch. So far, I do not think I am 100% fully experienced in BioCatch, but if I could get the chance to work entirely on it, there are undoubtedly things we need to learn every time. I want to take a deep dive into the system. I feel I am almost there to learn everything.

For assessing the value of behavioral insights in fraud detection and prevention, we use a variable in code, for example, from a JSON response or JavaScript object. We also access a BioCatch risk score from API response. Once we specify which value we are assessing in real time, if we are on a call, I can show you exactly how to access it with an example in Java, Node.js, or front-end side, where we use this variable value in code.

My advice for using BioCatch effectively would be to start with piloting, ensuring the SDK loads efficiently in the UI, and to monitor session integrity closely. It is better to combine behavioral biometrics with other security layers, such as device fingerprinting, and to actively use risk indicators to guide fraud detection decisions. Finally, it is vital to balance security with customer experience for authentication, especially when the risk is high.

I rate BioCatch 10 out of 10.

IBM Trusteer is an anti-fraud solution that is used for account takeover fraud, new account fraud, account fraud, and online frauds on platforms such as mobile platforms and web applications.

For IBM Trusteer, one of the advantages is its AI and machine learning capabilities, which are very strong. The solution provides the ability to manage fraud in every session of a user, from login to logout of the user experience. It operates quickly and can intelligently cover a wide range of threats in the field.

The Adaptive Authentication feature allows for frictionless operation for the user. Based on its AI intelligence and intelligence sets, it enables frictionless flow and only creates the need for further authentication based on what it has intelligently gathered about that session. Two different users will have different login experiences based on their history and behavioral analysis that tells the system whether to proceed with the transaction or pause it, protecting users from account takeovers or new account frauds.

Integration is straightforward using JSON integration. It is easy to integrate with banking solutions or middleware solutions that financial institutions already have, both from the front end and back end. Whether it is a single-paged application or a multi-page application, there are different snippets and code bases for various types of integrations with back-end applications.

IBM Trusteer captures customer ID and user ID at every session, enabling it to follow users through their journey through the banking application. It has its own real-time dashboard that allows fraud analysts to quickly make decisions about ongoing activities and determine whether to deny or allow transactions. It protects sensitive information of users through session and transaction-based monitoring, capturing CSID, customer ID, and user ID, enabling analysts to take swift, real-time action.

During integration, it is difficult to fully integrate within a specified time, primarily because code snippets must be installed on every page. This makes the process more challenging based on user experience.

IBM is aware of these concerns and appears to be making plans to ensure that snippet integration to different pages becomes more seamless in application to shorten integration timelines. These concerns involve installing single page, multi-page, back-end B2B integration, and front-end SPA integration. There are numerous integration touch points that IBM should streamline to make integration much easier.

The reviewer has been using IBM Trusteer for four years.

IBM Trusteer is not easy to set up and is somewhat cumbersome.

IBM Trusteer is easy to scale up. Once implemented on a platform, it is simple to move to another platform and add other pages.

The solution is somewhat expensive. IBM could improve their pricing structure. It comes with both licensing and professional services as separate entities that must be purchased before proceeding. It would be beneficial if IBM could extend the professional service knowledge to others, helping reduce costs by allowing self-implementation. Currently, it appears that only IBM can fully handle implementation and support. Sharing this knowledge with others could reduce costs in different regions and enable local pricing for support and implementation.

The reviewer works for a company that sells other IBM solutions including Guardium, OpenPages, and IAM solutions. They are resellers rather than users and continue to support IBM products. On a scale of 1-10, they rate IBM Trusteer an 8.