You type fast and hard on your computer keyboard while your boss uses a two-fingered, hunt-and-peck style. You hold your mobile phone in your left hand and text with your right, but your left-handed sister does the opposite. You always log into your bank account lying in bed and holding your phone above your face.
Increasingly, security companies are tracking these distinct behaviors to protect you, financial institutions and e-commerce sites against fraud. The technology also reduces irritating false positives -- when you have to prove you're really you before making a financial transaction.
Fraudsters can hack your credit card number, name, password, PIN, bank account number and more. But they can't steal the way you hold your mouse or tap your keys.
"The way you move your mouse is different for each person," says Natia Golan, senior product manager at BioCatch, in Tel Aviv. "We're looking not just at typing speed, but at what kind of keys you are using. Are you using tabs? How hard do you swipe? Are you holding your mobile in a certain way? Every time you type do you put your tablet on a table or desk?"
Behavior-based algorithms of this kind are offered by at least three behavioral-biometrics security firms and are used by financial institutions, e-commerce sites and others worldwide. The technology can flag attempted account takeover, card-not-present fraud and other online fraud in real time, even if the fraudster steals or compromises a device you have already verified, such as your mobile phone, tablet or computer.
These algorithms can also verify that you are who you say you are if you forget to give your credit card issuer a heads up before, say, taking your first trip to Argentina.
"We're looking to really understand what that person looks like in the digital world," says Ryan Wilk, director of customer success at NuData Security in Vancouver, British Columbia. "By knowing how you type, how you hold your mobile device, how much of your finger is actually landing on the machine, we can determine if it's truly the correct human interacting with that device."
High stakes
A lot of money is at stake -- both in terms of theft and loss of customer business. "For corporate accounts, we're talking about a lot of money, accounts that have millions of dollars that can be stolen," Golan says.
As for false positives, consumer irritation sometimes evolves into a lost customer. Someone who can't get a legitimate transaction to go through is likely to move on to another e-commerce site or credit card and may never return -- cutting into a lifetime of potential profit, Wilk says.
"A $20 buy can turn into thousands and thousands of dollars over a lifetime of spending," he says. "You're building up that level of trust and consumer relationship."
How it works
The technology doesn't replace other anti-fraud technology, but adds another important layer. "Institutions are going with the assumption that data is compromised," says Julie Conroy, research director at research firm Aite Group. "They're building their defenses to be multi-pronged, multi-layered. I've spoken with a number of banks who either have this technology in pilots or have rolled it out on their mobile/online channels."
The hundreds of behaviors tracked include typing speed, typing strength, how much of your finger hits a key, whether you're right- or left-handed, how you move your mouse, how and whether you use the tab key, whether you use other keyboard shortcuts, and the angle at which you hold your mobile device. More behaviors can be tracked on a mobile device because the device itself is moved and tilted in three dimensions, whereas a computer's mouse and keyboard input is confined to two.
Major banks contacted by CreditCards.com (including Chase, Bank of America and Wells Fargo) declined to comment on their anti-fraud technology.
But technology vendors say that, depending on how involved the consumer's transactions are, the technology needs three to 10 sessions -- sometimes more -- to develop a user profile. The vendors report that such profiles yield fraud detection rates of 83 to 99 percent (often higher for mobile devices) with false positive rates of only 1 to 2 percent; these are the vendors' own figures, since the banks do not publish theirs.
Each company's simple JavaScript is embedded in the clients' online banking or e-commerce applications and captures information such as where the consumer's -- or fraudster's -- mouse is, pressure on touch screens, area under each finger as well as typing speed and style on a computer keyboard or mobile device. For mobile phones and tablets, the gyroscope and accelerometer assist to provide information, says Neil Costigan, CEO of the behavioral biometrics firm BehavioSec in Lulea, Sweden.
"We find people have small nuances," he says. "Some people quickly move to a button, rest there and then click it. Some people zoom in."
Compared to legitimate users, fraudsters quickly navigate online financial and e-commerce sites because they have practice from previous fraud forays, BioCatch's Golan says.
Another tell is that fraudsters are often speedy, more efficient typists than typical consumers, Golan says. Fraudsters know more keyboard shortcuts -- for example, they know that "shift tab" is the opposite of tab. "The fraudster knows the shortcuts," she says. "He knows every time he presses 'tab,' the cursor lands on the address. Most people, every time they press the tab key, will need to look again at the window to see where the cursor is before they start typing. The fraudster types really fast and it looks different when you analyze his interaction."
On the other hand, fraudsters are not as familiar with some of the data they're inputting -- that would be the names, addresses and other info of the consumers they impersonate, Golan says.
"When you have to fill in information about yourself, you're very confident about your name, phone number and address," she says. "If the fraudster needs to copy the information from another window, he will type it very slowly."
Stopping suspected fraud
Each entity using the technology can set its own risk parameters. For example, an e-commerce site selling low-value goods might opt to let more risk through to reduce false positives and the potential customer loss, NuData's Wilk says. But an online retailer selling jewelry at $10,000 or more might set its risk threshold lower, accepting more false positives, because the stakes are higher if a fraudster succeeds. An entity also might react to a deviation differently depending on what you -- or the person posing as you -- are trying to do, he says.
"Suppose it's the same device, the same connection, but something has changed," Wilk says. "The typing is not the way you normally do. It could be that you're typing only with your right hand because you're holding coffee or a briefcase in your left hand. Even though the log-in looks risky, the system could let the user continue through. But now the first thing the user wants to do is change the email account. The typing style was the first risky event. Now the user wants to do something risky within the account."
At that point, the e-commerce site or financial institution could push for a second-factor verification such as a text message or voice call, Wilk says.
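How the pieces described above fit together -- a few keystroke features captured by a page script, an enrollment profile built from several sessions, a risk score for a new session, and a per-site policy that steps up authentication only when a risky session attempts a risky action -- as an added illustration in JavaScript. This is not code from BioCatch, NuData, BehavioSec or this article: the chosen features (key dwell and flight times, Tab use, long pauses), the thresholds, the `extractFeatures`, `buildProfile`, `scoreSession`, `decide` and `makeSession` helpers, and the constructed keystroke streams are all assumptions, and real products track far more signals than these four.

```javascript
// Added illustration, not vendor code. A "session" is the keystroke stream a
// page script would capture client-side: [{ key, down, up }] with ms timestamps.

const FEATURES = ['dwellMean', 'flightMean', 'tabRate', 'pauseRate'];
// Floor on the per-feature spread so a user with very consistent enrollment
// sessions is not flagged by tiny deviations (assumed values).
const MIN_SIGMA = { dwellMean: 10, flightMean: 10, tabRate: 0.05, pauseRate: 0.05 };
const LONG_PAUSE_MS = 1500; // a gap this long suggests reading from another window

const mean = xs => (xs.length ? xs.reduce((s, x) => s + x, 0) / xs.length : 0);

// Dwell = how long each key is held; flight = gap between successive keydowns.
function extractFeatures(events) {
  const dwell = events.map(e => e.up - e.down);
  const flight = [];
  for (let i = 1; i < events.length; i++) flight.push(events[i].down - events[i - 1].down);
  const tabs = events.filter(e => e.key === 'Tab').length;
  return {
    dwellMean: mean(dwell),
    flightMean: mean(flight),
    tabRate: events.length ? tabs / events.length : 0,
    pauseRate: flight.length ? flight.filter(f => f > LONG_PAUSE_MS).length / flight.length : 0,
  };
}

// Enrollment: per-feature mean and spread over the user's first few sessions.
function buildProfile(sessions) {
  const rows = sessions.map(extractFeatures);
  const profile = {};
  for (const f of FEATURES) {
    const xs = rows.map(r => r[f]);
    const mu = mean(xs);
    const sigma = Math.sqrt(mean(xs.map(x => (x - mu) ** 2)));
    profile[f] = { mu, sigma: Math.max(sigma, MIN_SIGMA[f]) };
  }
  return profile;
}

// Risk = mean absolute z-score of the new session's features against the profile.
function scoreSession(profile, events) {
  const feats = extractFeatures(events);
  return mean(FEATURES.map(f => Math.abs(feats[f] - profile[f].mu) / profile[f].sigma));
}

// Each site picks its own thresholds (assumed); sensitive actions get a lower bar.
const LOW_VALUE_SHOP = { stepUpAbove: { default: 3.0, sensitive: 1.5 }, blockAbove: 6.0,
  sensitiveActions: ['change_email', 'add_payee'] };
const HIGH_VALUE_SHOP = { stepUpAbove: { default: 1.5, sensitive: 0.5 }, blockAbove: 3.0,
  sensitiveActions: ['change_email', 'add_payee', 'checkout'] };

function decide(risk, action, policy) {
  if (risk > policy.blockAbove) return 'block';
  const bar = policy.sensitiveActions.includes(action)
    ? policy.stepUpAbove.sensitive : policy.stepUpAbove.default;
  return risk > bar ? 'step_up' : 'allow';
}

// Constructed sample data: synthesize a keystroke stream with a given rhythm.
function makeSession(n, { dwell, flight, tabEvery = 0, pauseEvery = 0, pause = 0 }) {
  const events = [];
  let t = 0;
  for (let i = 0; i < n; i++) {
    const isTab = tabEvery > 0 && i % tabEvery === tabEvery - 1;
    events.push({ key: isTab ? 'Tab' : 'a', down: t, up: t + dwell });
    t += flight + (pauseEvery > 0 && (i + 1) % pauseEvery === 0 ? pause : 0);
  }
  return events;
}

// Five enrollment sessions with a little natural variation (constructed).
const ENROLLMENT = [0, 1, 2, 3, 4].map(i => makeSession(40, { dwell: 90 + 5 * i, flight: 180 + 10 * i }));
const LEGIT_SESSION = makeSession(40, { dwell: 100, flight: 205 });
// Same person, one hand busy: slower flight but the same dwell and no shortcuts.
const ONE_HANDED_SESSION = makeSession(40, { dwell: 100, flight: 300 });
// Fraudster: fast keys, Tab to every field, long pauses while copying the victim's details.
const FRAUD_SESSION = makeSession(40, { dwell: 60, flight: 120, tabEvery: 8, pauseEvery: 10, pause: 3000 });

const profile = buildProfile(ENROLLMENT);
for (const [name, s, action, policy] of [
  ['legit checkout, high-value shop', LEGIT_SESSION, 'checkout', HIGH_VALUE_SHOP],
  ['one-handed login, low-value shop', ONE_HANDED_SESSION, 'login', LOW_VALUE_SHOP],
  ['one-handed email change, low-value shop', ONE_HANDED_SESSION, 'change_email', LOW_VALUE_SHOP],
  ['fraud checkout, high-value shop', FRAUD_SESSION, 'checkout', HIGH_VALUE_SHOP],
]) {
  const risk = scoreSession(profile, s);
  console.log(`${name}: risk ${risk.toFixed(2)} -> ${decide(risk, action, policy)}`);
}
```

Run with `node` to see the four decisions. The one-handed session plays out Wilk's scenario: its risk score clears the low-value shop's bar for a login but not for an email change, so the customer is let in and challenged only when the sensitive action comes. Two practical points follow from the design: the telemetry is produced by a script running in the customer's (or fraudster's) browser, so the server must treat it as untrusted input and weigh it as one layer alongside device, network and transaction signals, as Conroy describes; and the per-feature spread floor matters, because a very consistent typist would otherwise be flagged by noise.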
Or, you may be tested without even realizing it -- with what's called an invisible challenge such as making your cursor disappear, Golan says. "Imagine you are working on your computer and the mouse cursor disappears," she says. "You do a swipe with your mouse to see where it went. Each person does that swipe in a different way. That's another way we can differentiate between users."
Improvement rates fuzzy
In one pilot with a top five retail bank in the UK, BioCatch showed a fraud detection rate of 83 percent with false positives of just 1 percent, according to a case study. NuData helped one of its e-commerce clients reduce by 20 percent the number of good customers whose transactions had to be reviewed before they could proceed -- a situation the financial institutions call "customer insult," Wilk says.
Financial institutions are reluctant to reveal just how much this technology improves their rate of catching fraud, says BehavioSec's Costigan.
"It's very commercially sensitive and banks just won't share it with us," Costigan says. "That would be the million dollar question if I could get our customers to say what the return on investment was." But BioCatch works with its clients on annual contracts and, he says, "We don't have anybody not renewing."