In an effort to prevent fraud, an increasing number of banks and merchants have been monitoring visitors to their websites and apps.
The New York Times, citing security officials, reported that the way a person scrolls through a website, types on a phone or keyboard screen and presses buttons can be as unique as fingerprints and facial features, giving banks and merchants another way to authenticate customers. Collecting data on those things would be invisible to the customer but thanks to sensors in mobile devices and code on websites companies can amass behavioral biometrics data points to prove a person's identity online.
“Identity is the ultimate digital currency, and it’s being weaponized at an industrial scale,” said Alisdair Faulkner, one of the founders of ThreatMetrix, which makes fraud detection software for large merchants and financial companies. He said many of the company's customers are using or are in the process of testing behavioral biometric tools.
Royal Bank of Scotland is among the handful of banks that are collecting biometric behavioral data, having begun doing so two years ago with private banking accounts for its wealthy clients. It’s now expanding that to all of its business and retail accounts, Kevin Hanley, director of innovation at the bank, told the New York Times. As soon as customers log in, software starts recording 2,000-plus movements on the keyboard, mobile app and/or website. On a smartphone, the software will measure the angle at which a customer holds the device, what fingers are used to swipe and tap and how hard or light the customer applies pressure. On a computer, the software collects data on the rhythm of the keystrokes and how they use the mouse, noted the report.
Royal Bank of Scotland tapped BioCatch for the process, using its software to build profiles on customers gestures which are then compared against every time they come back the site. BioCatch claims it can pinpoint fakes 99 percent of the time. “Everyone reacts a little differently to that,” Frances Zelazny, BioCatch’s chief strategy and marketing officer, said in the report. “Some people move the mouse side to side; some people move it up and down. Some bang on the keyboard.”
Still, while banks and merchants are looking for new ways to fight fraud as hackers and scammers grow more sophisticated, privacy advocates are worried about the potential of biometric tools because not many companies disclose when and how they track customers.
“What we have seen across the board with technology is that the more data that’s collected by companies, the more they will try to find uses for that data,” said Jennifer Lynch, a senior lawyer for the Electronic Frontier Foundation. “It’s a very small leap from using this to detect fraud to using this to learn very private information about you.”
The New York Times reported that in most countries around the globe there aren't any laws regarding the collection and use of biometric behavioral data — and that includes Europe, where new privacy rules on the books have exemptions for security and fraud prevention.