Behavioural Biometrics: Tracking how you interact with technology
20 August 2018 10:43 GMT Posted by • Nicholas Clark Bryan

The way you interact with technology, how you type, use your apps or even hold your phone are all as personal as any physical identifier such as a fingerprint or iris pattern. These markers are now being used by banks and other companies to help fight cybercrime and fraud.

The data collection goes on in the background with the user being completely unaware their movements are being followed. With the use of sensors and web sites codes companies can record thousands of data points to build a ‘behavioural biometric’ of the user and work out whether the person accessing the account is who they claim to be.

Significant data breaches happen almost daily and with criminals able to access billions of stolen passwords or other sensitive personal information behavioural biometrics are offering security officials a powerful safeguard. Identity is fast becoming the most valuable digital currency and consequently fraud detection software manufacturers are beginning to implement new behavioural biometric tools in an effort to keep pace with the criminals. Over a dozen technology vendors of all sizes have already built behavioural biometrics into the security software they sell to banks and retailers.

Behavioural biometrics can be used in a range of ways from guarding against automated attacks and suspicious transactions to building large databases of people based on how they interact with technology.

This technology is already in use with the Royal Bank of Scotland who started testing the technology with its wealthier customers in 2016 and is now planning to roll it out among the entirety of its customer base. RBS use software designed by New York firm BioCatch. It tracks more than 2,000 different gestures or motions on how people use their phone and measures the rhythm of keystrokes and the way they use their mouse. BioCatch’s software can even throw little interferences at the user, such as disappearing the mouse for a fraction of a second, to see how the user reacts. As the reaction is so individual its incredibly hard for a fraudster to fake and as such BioCatch state that they are able to detect imposters with 99% accuracy.

American Express, who have also invested in BioCatch, have begun using its technology on new applications rooting out fraud even before they have any personal data on the individual. For example, the behavioural biometric system looks at how the applicant types the information, do they pause while entering their name or address – something that would usually be fluid while a fraudster may pause to look at notes or copy and paste in the information.

One of the main advantages Behavioural Biometrics is offering is that it runs in the background with the visible and obtrusive gateways that are often highly frustrating to users. There is no need to type an authentication code or take a photo of yourself helping achieve a frictionless customer experience.

However, privacy watchdogs are concerned about the implementation of the new systems. Pam Dixon of the World Privacy Forum told the New York Times, “This is the kind of data that usually has some kind of consumer protections around it, but here there’s none at all. Companies are using these systems with no notice of any kind.”

It is true that most countries have no legislation surrounding the collection and use of behavioural biometric data. The new GDPR rules have exceptions for security and fraud and while behavioural biometrics is included in California’s new digital privacy law, stating that companies must disclose that they are using it, it will not take effect until 2020.

While banks and merchants do sometimes hold the data internally they often work with outside vendors who hold the data. According to Dixon this further magnifies the risk. These databases contain the virtual identity of hundreds of millions of people from around the world. A virtual goldmine for any cybercriminals. Furthermore, the data from behavioural biometrics – how you act – can’t be changed if its stolen like a password or pin code can.

While the idea of companies or governments being able to identify people form their behaviours may seem like science fiction it is very real. Major players in the technology and financial industry as well as other large companies are already making use of it.

Posted By: Nicholas Clark Bryan