For example, researchers have hacked into smartphones that have fingerprint scanners by pressing the print of the rightful owner into a piece of Play-Doh and holding that impression against the reader. Those results indicate that people should not assume biometric options are a foolproof choice for cyber security needs.
However, another choice, known as behavioural biometrics, could provide the increased security that people who use biometrics want. Behavioural biometrics track various characteristics, such as how much pressure a person puts on a smartphone’s screen when using an app, their average typing speed, how they scroll through a page and more.
Does the evidence show that behavioural biometrics genuinely improve cyber security? Let’s take a look at some examples and supporting information that could help answer that all-important question.
An Online Marketplace Substantially Reduced Account Takeovers
One online marketplace that operates a mobile app for its users found itself dealing with countless instances of fraudulent account takeovers every day. Dealing with the problem required engaging in costly and time-consuming manual account reviews. The company hoped that a behavioural biometrics solution could help them get to the bottom of the security issue.
It rolled out a tool that aims to stop this kind of fraudulent activity at an early stage. It detects anomalies in both devices and user behaviour and relies on machine learning to spot possible discrepancies. Plus, this behavioural biometrics tool creates a real-time trust score to help distinguish between authentic customers and bots that are trying to commit fraud.
It continually analyses how users behave when they interact with the company’s website or app, but it does so invisibly in the background. The company reportedly reduced its fraud costs by more than €1,200,000, plus prevented more than 2,000 account takeovers daily.
Behavioural Biometrics Can Reduce Friction for Frequent Travelers
BioCatch, a company working in the behavioural biometrics space, wrote a blog post that pointed out how, if a person frequently travels for business or otherwise, it becomes increasingly difficult for companies to verify the identities of those individuals by using traditional IP address and device-based measures.
However, BioCatch’s system measures more than 2,000 physical and cognitive-behavioural attributes to verify that a person is authorised to access a website, regardless of their geographic location. Although there are many techniques related to cyber security, biometrics that assess behaviours arguably have some advantages that other methods don’t.
Mainly, behavioural biometrics tools track things that people themselves probably don’t know they do. For example, a person may not realise their average typing speed is slightly slower with their right hand. Nevertheless, a behavioural biometrics tool could recognise that detail.
Also, cyber criminals often use keyboard shortcuts that genuine users may not know or use regularly. The hackers want to get as much done as they can in short windows of time, and keyboard shortcuts help accomplish that goal.
Behavioural Biometrics Stopped an Attempted Bank Account Hack
Banks are particularly interested in the potential of behavioural biometrics. The Royal Bank of Scotland started testing this option on bank accounts held by wealthy customers in 2016. The brand was so pleased with the results that it extended the technology to 18.7 million business and retail accounts two years later.
An example of how behavioural biometrics stopped fraud for the banking brand came when someone was trying to set up a new payee on an account and transfer a seven-figure sum. The biometrics software detected two things the rightful user had never done before. First, the person used the scroll wheel on their mouse. They also typed in numbers using the row of keys at the top of the keyboard rather than the group on the right side.
Based on those two unusual biometrics examples, the system blocked the transfer, and the funds never left the customer’s account. When applied to cyber security, biometrics create a profile of the authorised user and make comparisons to it on the person’s future visits. When the hacker’s behaviour didn’t match what the user did, the system picked up on the change.
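The comparison described above, as an added example (not code from the bank or any vendor): a minimal per-account profile flags habits never seen before, such as the scroll wheel and top-row digits in the case above, and blocks a high-risk action when trust falls too low. The feature names, weights and thresholds are assumptions, and the session data is constructed.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample sessions for one account (not real data).
# Each session: categorical habits plus mean gap between keystrokes in ms.
HISTORY = [
    {"scroll": "keyboard", "digits": "numpad", "key_gap_ms": 182},
    {"scroll": "keyboard", "digits": "numpad", "key_gap_ms": 175},
    {"scroll": "scrollbar", "digits": "numpad", "key_gap_ms": 190},
    {"scroll": "keyboard", "digits": "numpad", "key_gap_ms": 168},
    {"scroll": "keyboard", "digits": "numpad", "key_gap_ms": 185},
]
CATEGORICAL = ("scroll", "digits")  # hypothetical feature names


def build_profile(sessions):
    """Summarise past sessions: value counts per habit, mean/std of timing."""
    gaps = [s["key_gap_ms"] for s in sessions]
    return {
        "counts": {f: Counter(s[f] for s in sessions) for f in CATEGORICAL},
        "gap_mean": mean(gaps),
        "gap_std": pstdev(gaps) or 1.0,  # avoid division by zero
    }


def score_session(profile, session, z_limit=3.0):
    """Return (trust, reasons). Trust starts at 1.0 and drops per anomaly."""
    reasons = []
    for f in CATEGORICAL:
        # A Counter returns 0 for values the rightful user never produced.
        if profile["counts"][f][session[f]] == 0:
            reasons.append(f"never seen {f}={session[f]}")
    z = abs(session["key_gap_ms"] - profile["gap_mean"]) / profile["gap_std"]
    if z > z_limit:
        reasons.append(f"key_gap_ms z-score {z:.1f}")
    trust = max(0.0, 1.0 - 0.4 * len(reasons))  # assumed weight per anomaly
    return trust, reasons


def decide(profile, session, high_risk, block_below=0.5):
    """Block high-risk actions (new payee plus transfer) when trust is low."""
    trust, reasons = score_session(profile, session)
    if high_risk and trust < block_below:
        return "block", trust, reasons
    return ("review" if reasons else "allow"), trust, reasons
```

A single anomaly only lowers trust to the review band; it takes two, as in the bank's case, to block a high-risk action under these assumed weights.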
When Might Behavioural Biometrics Not Work Well for Cyber Security?
The biometrics examples above show that focusing on how someone behaves could, indeed, be a move in the right direction for companies that want to enhance their cyber security efforts. However, behavioural biometrics may not correctly show intrusion attempts in every case.
For example, what if a person’s bank uses behavioural biometrics, and that customer has a stroke that affects their typing speed and accuracy? It may turn out that the individual cannot log into their account because of that health issue. Also, because customers usually don’t know if a bank has behavioural biometrics tools working in the background or not, they wouldn’t connect the problem to their recent stroke.
A similar situation could happen if a person has one arm in a cast or sling. Then, they could only type with one hand. Also, if the affected side was their dominant one, the overall interaction with a phone or physical keyboard could be substantially slower than usual.
Some people are wary of brands identifying them through behaviours, such as the way they type. Several years ago, researchers brought up how a typing analysis could be a breach of privacy. They proceeded to create a proof-of-concept Chrome extension called Keyboard Privacy that can randomise a person’s typing characteristics so that they appear to come from someone entirely different.
Only about 3,600 people have installed that plugin, so Keyboard Privacy is not likely to make behavioural biometrics useless on a widespread scale. However, this example raises a more significant concern. That plugin only randomises the input as a person types. It does not make an individual appear as someone else. Still, how long might it be before a hacker creates something that can achieve that?
Behavioural Biometrics Companies Must Keep Their Data Safe
Something that could adversely impact the security of behavioural biometrics is if hackers break into the database containing such profiles. As of yet, there are no reported attempts, successful or failed, to do so at a behavioural biometrics company. However, a biometrics brand called Suprema had its Biostar 2 database thrown into the spotlight during the summer of 2019.
Cyber security researchers found that Suprema’s database was mostly unprotected and that the information within it was often not encrypted. The content inside included facial photos, fingerprint data and usernames and passwords. The team reported that they were able to change the data and add new users.
Behavioural Biometrics — Not Perfect, but Worth Considering
Some of the cyber security biometrics examples here highlight why the option is not without possible shortcomings. Even with those present, however, companies should remember some of the positive outcomes and consider behavioural biometrics worth investigating.