Banks And Retailers Track How You Type, Swipe And Tap

When you’re browsing a website and the mouse cursor disappears, it might be a computer glitch, or it might be a deliberate test to find out who you are.

The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features. To fight fraud, a growing number of banks and merchants are tracking visitors’ physical movements as they use websites and apps.

Some use the technology only to weed out automated attacks and suspicious transactions, but others are going significantly further, amassing tens of millions of profiles that can identify customers by how they touch, hold and tap their devices.

The data collection is invisible to those being watched. Using sensors in your phone or code on websites, companies can gather thousands of data points, known as “behavioral biometrics,” to help prove whether a digital user is actually the person she claims to be.

To security officials, the technology is a powerful safeguard. Major data breaches are a near-daily occurrence. Cyber-thieves have obtained billions of passwords and other sensitive personal information, which can be used to steal from customers’ bank and shopping accounts and fraudulently open new ones.

“Identity is the ultimate digital currency, and it’s being weaponised at an industrial scale,” said Alisdair Faulkner, one of the founders of ThreatMetrix, which makes fraud detection software for large merchants and financial companies. Many of his company’s customers are now using or testing behavioral biometric tools, he said.

Privacy advocates view the biometric tools as potentially troubling, partly because few companies disclose to users when and how their taps and swipes are being tracked.

“What we have seen across the board with technology is that the more data that’s collected by companies, the more they will try to find uses for that data,” said Jennifer Lynch, a senior lawyer for the Electronic Frontier Foundation. “It’s a very small leap from using this to detect fraud to using this to learn very private information about you.”

The Royal Bank of Scotland, one of the few banks that will talk publicly about its collection of biometric behavioral data, started testing the technology two years ago on private banking accounts for wealthy customers. It is now expanding the system to all of its 18.7 million business and retail accounts, according to Kevin Hanley, the bank’s director of innovation.

When clients log in to their Royal Bank of Scotland accounts, software begins recording more than 2,000 different interactive gestures. On phones, it measures the angle at which people hold their devices, the fingers they use to swipe and tap, the pressure they apply and how quickly they scroll. On a computer, the software records the rhythm of their keystrokes and the way they wiggle their mouse.

RBS is using software designed by a small New York company called BioCatch. It builds a profile on each person’s gestures, which is then compared against the customer’s movements every time they return. The system can detect impostors with 99 percent accuracy, BioCatch says.

A few months ago, the software picked up unusual signals coming from one wealthy customer’s account. After logging in, the visitor used the mouse’s scroll wheel — something the customer had never done before. Then the visitor typed on the numerical strip at the top of a keyboard, not the side number pad the customer typically used.

Alarm bells went off. The RBS system blocked any cash from leaving the customer’s account. An investigation later found that the account had been hacked, Mr. Hanley said.

“Someone was trying to set up a new payee and transfer a seven-figure sum,” he said. “We were able to intervene in real time and stop that from happening.” 

That case was unusually blatant. A user’s behavior isn’t constant; people act differently when they’re tired, injured, drunk, distracted or in a hurry. The way people type at an office desk is distinct from when they’re slumped on their sofa at home.

Behavioral monitoring software churns through thousands of elements to calculate a probability-based guess about whether a person is who they claim. Two major advances have fed its growing use: the availability of cheap computing power and the sophisticated array of sensors now built into most smartphones.

The system’s unobtrusiveness is part of its appeal, Mr. Hanley said. Traditional physical biometrics, like fingerprints or irises, require special scanning hardware for authentication. But behavioral traits can be captured in the background, without customers doing anything to sign up.

BioCatch occasionally tries to elicit a reaction. It can speed up the selection wheel you use to enter data like dates and times on your phone, or make your mouse cursor disappear for a fraction of a second.

“Everyone reacts a little differently to that,” said Frances Zelazny, BioCatch’s chief strategy and marketing officer. “Some people move the mouse side to side; some people move it up and down. Some bang on the keyboard.”

Because your reaction is so individual, it’s hard for a fraudulent user to fake. And because customers never know the monitoring technology is there, it doesn’t impose the kind of visible, and irritating, roadblocks that typically accompany security tests. You don’t need to press your thumb on your phone’s fingerprint reader or type in an authentication code.

“We don’t have to sit people down in a room and get them to type under perfect laboratory conditions,” said Neil Costigan, the chief executive of BehavioSec, a Palo Alto, Calif., company that makes software used by many Nordic banks. “You just watch them, silently, while they go about their normal account activities.”

Businesses call that a “frictionless” experience. Privacy watchdogs call it dangerous.

Biometric systems can sometimes detect medical conditions. If a customer with a once-steady hand develops a tremor, her automobile insurance company might get worried. That’s potentially a problem if the customer’s bank, which detected the tremor through its security software, is also her insurer.

“This is the kind of data that usually has some kind of consumer protections around it, but here there’s none at all,” said Pam Dixon, the executive director of the World Privacy Forum. “Companies are using these systems with no notice of any kind.”

In most countries, there are no laws governing the collection and use of biometric behavioral data.

Even Europe’s new privacy rules have exemptions for security and fraud prevention. A new digital privacy law in California includes behavioral biometrics on the list of tracking technologies companies must disclose if they collect, but it does not take effect until 2020.

Banks and merchants sometimes store their customers’ biometric data internally. In many cases, though, they allow the outside vendors they work with to hold it. That magnifies the risks, Ms. Dixon said.

BioCatch has profiles on about 70 million individuals and monitors six billion transactions a month, according to Ms. Zelazny, the company’s strategy executive. American Express, an investor in BioCatch, recently began using its technology on new account applications.

Some of BioCatch’s rivals have even larger networks. Forter, a New York start-up that sells online fraud detection software incorporating behavioral biometrics to big retailers, said its database has records on 175 million people from more than 180 countries. Another competitor, NuData, was acquired last year by Mastercard.

More than a dozen technology vendors, from under-the-radar start-ups to giants like IBM, have built behavioral biometrics into the security software they sell to retailers and banks.

The technology can be useful for rooting out fraud even without personal data on individual customers.

On new account applications, for example, behavioral biometric systems pay close attention to where and when applicants pause. A legitimate applicant typically types personal information, their name, their address, their Social Security number, fluidly, with few breaks. A scammer will often either cut and paste or take breaks to consult their notes.

“This used to be like science fiction,” said Ryan Wilk, a NuData employee who is now a Mastercard vice president. “When we described what we did, people would give us looks like, ‘Is this real?’ Now, it’s become not just a gimmick but a major technology in the financial industry. Lots of big companies are using it.” 

New York Times:

You Might Also Read:

Big Data And AI For Predicting Human Behaviour

« Threat Posed By Satellite Systems
Tomorrow’s Malware Will Attack When It Sees Your Face »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: Navigating cloud security: The importance of posture management tools

ON-DEMAND WEBINAR: Navigating cloud security: The importance of posture management tools

Watch this webinar to see how cloud security posture management (CSPM) tools can fit into your cloud security strategy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Galois

Galois

Galois specializes in the research and development of new technologies that solve the most difficult problems in computer science.

Communications Security Establishment (CSE)

Communications Security Establishment (CSE)

CSE is Canada's national cryptologic agency, providing the Government of Canada with IT Security and foreign signals intelligence (SIGINT) services.

Data Shepherd

Data Shepherd

Data Shepherds primary focus is to protect your business. We achieve this by offering extensive and unique expertise in innovative IT and Cyber security solutions.

Cyber Resilience

Cyber Resilience

Cyber Resilience offer an intensive program designed to help you create strategies to quickly become cyber resilient and to manage cyber risks in a measurable and predictable way.

CloudSEK

CloudSEK

CloudSEK has set its sights on building the world’s fastest and most reliable AI technology, that identifies and resolves digital threats.

Qualcomm Technologies

Qualcomm Technologies

Qualcomm invents breakthrough technologies that transform how the world connects, computes and communicates.

Towerwall

Towerwall

Towerwall offers a comprehensive suite of security services and solutions using best-of-breed tools and information security services.

Whistic

Whistic

Whistic is a cloud-based platform that uses a unique approach to address the challenges of third-party risk management.

Information & Communications Technology Association of Jordan (int@j)

Information & Communications Technology Association of Jordan (int@j)

The Information & Communications Technology Association of Jordan is a membership based ICT and IT Enabled Services (ITES) industry advocacy, support and networking association.

Digital Element

Digital Element

Digital Element is a global IP geolocation and intelligence leader with unrivaled expertise in leveraging IP address insights to deliver new value to companies.

Cybergroot

Cybergroot

Cybergroot provides Cybersecurity Assessment services and professional Information Security trainings.

Strac

Strac

Eliminate Personal Data Risks from your business. Our Dataless SaaS removes the need to manage sensitive data across web, mobile apps, servers and communication channels.

Cyber1

Cyber1

CYBER1 is a leader in cyber security advisory and solutions. We are uniquely placed to help customers achieve cyber resilience and thus, safeguard reputation and value.

Opal Security

Opal Security

Opal is an identity and access management platform that offers a consolidated view and control of your whole ecosystem from on-prem to cloud and SaaS.

TIM Enterprise

TIM Enterprise

TIM Enterprise offers innovative, sustainable and secure 360-degree digital solutions to companies and public administrations.

CyberKinetics

CyberKinetics

CyberKinetics specializes in cloud-based services and solutions for federal agencies and commercial clients with compliance mandates.