The Case for Behavioral Biometrics

  • Giovanni Verhaeghe, Director Market & Product Strategy at VASCO Data Security

  • 14.02.2018 07:45 am
  • undisclosed

With mobile banking apps becoming a staple, cybercriminals have started to take a serious interest in compromising these devices. New, sophisticated methods of attack have rendered the classic username-password scheme outright obsolete. Even the more secure but still basic two-factor authentication seems insufficient as hackers have found ways to dupe users into entering pass codes into fake user interfaces.

The main challenge has always been to devise a security scheme that is dynamic enough to thwart hackers from just going for the technical implementation, without impeding usability. From a user perspective, constantly having to add new credentials like strong passwords and unique user names is a hassle and may be a reason to switch to a different service provider. It also provokes shortcuts in behavior, for example by using the same password for multiple platforms or using simple passwords that are easy to recall. That in itself undermines security as it would be easier for criminals to find weaknesses to exploit. Mobile devices are especially vulnerable as users tend to be less mindful of security than they would be on desktops or laptops.

Layers erected, layers collapse

Newly added security layers are also constantly compromised by buggy implementations or inherent weaknesses of mobile devices and their OSes. Cybercriminals are constantly at work to find new ways to exploit these weaknesses. Each success means developers need to either improve existing layers of security or add a new layer that contributes to overall complexity. Technology is not the only element targeted by cybercriminals, though, as they also try to exploit users' lack of knowledge. They can present users with a fake login screen, where the unknowing customer types in the credentials and any authentication code sent by SMS, while the malware secretly changes the target account number, for example.

For these reasons, financial institutions have rightly added more discreet security to their apps that does not normally interfere with usability. For example, by taking into account the time and place where users log in to their mobile banking apps, they can quickly detect potentially suspicious login attempts. If someone tries to do a large transaction in the middle of the night from halfway across the world, something usually isn’t right. Blocking the transaction until there has been some additional verification is the best course of action. But they can increasingly add more behavioral elements to the mix besides time and place. Examples include typing speed and finger pressure when tapping or swiping the touchscreen of the smartphone. If something is off, it might be that a device has been stolen or that the user is unknowingly using an overlay put in place by cybercriminals instead of the actual banking app.

Behavior as an added factor

This type of security has become known as behavioral biometrics and can be added as an additional layer to existing solutions. By capturing the way the user typically uses the device over a period of time, behavioral biometrics algorithms can define a sort of ‘fingerprint’. If the user’s actions match that fingerprint, there is a higher probability the user’s actions are legitimate and there is no need to interfere and possibly compromise the user experience. However, a sudden change in behavior might indicate something is going on. The bank can then step in and request additional verification.
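As an added illustration (not code from the article or from any vendor product), the following models the ‘fingerprint’ as a per-feature mean and spread learned from past sessions and requests additional verification when a new session deviates from it. The feature names, the z-score model, the threshold and the sample sessions are assumptions constructed for this example.

```python
import statistics

FEATURES = ("key_interval_ms", "touch_pressure", "swipe_speed_px_s")  # hypothetical names
CAP = 6.0  # clamp for per-feature z-scores; also the score given to a missing feature

def build_profile(sessions, min_sessions=5):
    """Reduce enrolment sessions to a per-feature (mean, spread) 'fingerprint'."""
    if len(sessions) < min_sessions:
        raise ValueError("not enough sessions to build a baseline")
    profile = {}
    for name in FEATURES:
        values = [s[name] for s in sessions]
        mean = statistics.fmean(values)
        # Floor the spread at 2% of the mean so a very steady user is not
        # flagged for tiny, normal variation.
        spread = max(statistics.stdev(values), 0.02 * abs(mean), 1e-9)
        profile[name] = (mean, spread)
    return profile

def deviation(profile, session):
    """Root-mean-square z-score of one session against the stored profile."""
    total = 0.0
    for name, (mean, spread) in profile.items():
        # Missing telemetry (e.g. an overlay that captures no touch data)
        # counts as maximally deviant, so the check never fails open.
        z = (session[name] - mean) / spread if name in session else CAP
        z = max(-CAP, min(CAP, z))
        total += z * z
    return (total / len(profile)) ** 0.5

def decide(profile, session, threshold=3.0):
    """Return 'allow' when behavior matches, 'step_up' to request verification."""
    return "step_up" if deviation(profile, session) > threshold else "allow"

# Constructed sample data: six enrolment sessions for one user.
ENROLMENT = [
    {"key_interval_ms": 182, "touch_pressure": 0.41, "swipe_speed_px_s": 930},
    {"key_interval_ms": 175, "touch_pressure": 0.44, "swipe_speed_px_s": 910},
    {"key_interval_ms": 190, "touch_pressure": 0.39, "swipe_speed_px_s": 960},
    {"key_interval_ms": 186, "touch_pressure": 0.42, "swipe_speed_px_s": 945},
    {"key_interval_ms": 178, "touch_pressure": 0.43, "swipe_speed_px_s": 925},
    {"key_interval_ms": 184, "touch_pressure": 0.40, "swipe_speed_px_s": 950},
]
PROFILE = build_profile(ENROLMENT)
GENUINE = {"key_interval_ms": 180, "touch_pressure": 0.42, "swipe_speed_px_s": 940}
OTHER_USER = {"key_interval_ms": 260, "touch_pressure": 0.63, "swipe_speed_px_s": 600}

if __name__ == "__main__":
    for label, s in (("genuine", GENUINE), ("other user", OTHER_USER)):
        print(label, round(deviation(PROFILE, s), 2), decide(PROFILE, s))
```

Only the means and spreads are stored, not the raw sessions, which matches the article's point that the stored pattern is a mathematical summary rather than personal data.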

Because behavioral biometrics is a discreet way to verify transactions, the burden of security shifts away from the user. Users normally won’t notice the layer as it does not demand additional action from them. That in turn means that the time spent authenticating a user is minimized, so the user spends more time using the actual application. All the while, the session is secured to the level that users would expect. Behavioral biometrics reduces fraud while minimizing the occurrence of false positives. Also, it is not nearly as invasive of clients’ privacy as traditional biometrics, like databases of fingerprints, iris scans or voice prints. A user’s behavioral pattern is stored as a mathematical equation that is useless for criminals looking for personal data.

Behavioral biometrics offers security on a transaction-to-transaction basis. It does not just secure one avenue, making it very hard for criminals to overcome as there is no single weakness that can be exploited. At the same time, the user is not being burdened with the discomforts additional security layers normally bring with them.

 
