Forget Passwords. Now Banks Can Track Your Typing Behavior On Phones

This article is more than 9 years old.

Password theft is an ongoing problem. Fingerprint and voice recognition are still years away. What’s a bank to do if it wants to verify the thousands of customers using its mobile app? One way is through their behavior — or at least their typing behavior.

Banks in Europe’s Nordic region have begun rolling out a new kind of security technology for their mobile apps that tracks the pressure and speed with which customers type a PIN into their smartphones. This way, even if a friend knows someone’s PIN, they wouldn’t be able to get in, thanks to all the automatic nuances in the way people type, such as rhythm and pressure on the keys.

“We’re monitoring the small stuff,” says Neil Costigan, founder of Behaviosec, the Swedish security startup behind the recent roll-out. “The flight between the keys, which corners of the keys you tend to hit, where you pause. Do you circle in on a button or do you go straight to it and hit it?”

Nordic banks including Danske Bank have trialled Behaviosec’s tracking technology and found it worked so well that by the end of the year, every Internet bank user in Sweden, Norway and Denmark will be doubly verified by their typing behavior, not just their PIN, Costigan claims. He can’t name his banking clients due to contractual obligations but claims millions of people will be tracked by the technology.

The startup claims a high success rate on verification: it reached 99.7% session accuracy when it trialled its behavior-tracking technology in conjunction with a PIN for Danske Bank. Now it says it’s seeing interest from U.S. payments providers and smartphone manufacturers themselves.

If the technology takes off, it could add a whole new layer of security for apps and phones that would be much harder for fraudsters to rip off. Hackers can put millions of user accounts at risk by raiding a database of passwords, but it’s far harder to spoof someone’s typing behavior remotely, especially on smartphones.

The goal, according to Costigan, who founded Behaviosec in 2011 as a spin-off from the Luleå University of Technology in Sweden, is to build the technology into smartphones so that the entire device becomes contextually aware of who’s using it, just by tracking keystroke styles. It could know, for instance, if a child has picked up a tablet and started browsing YouTube videos or important files.

In trials right now, Behaviosec’s algorithms can detect a false user within 20 to 60 seconds of them picking up a smartphone, says Costigan. That’s probably too long for professionals who want to protect intellectual property, but recent funding from DARPA could bring that time down. Behaviosec’s latest research takes into account how people hold and move their phone — based on data from a device’s gyroscope and accelerometer — to authenticate users even more quickly.

In its current form, the technology works by first watching how someone types or swipes through a PIN code on, say, a mobile banking app. After a while it builds a model of that person’s behavior, which it then weighs new users against.

“It’s constantly learning,” says Costigan. “The behavior is always watched and your profile is constantly updated... The way you would normally do this in the past was a statistical analysis and you would map and make up models of people.”

But the machine learning technology behind this has since jumped forward thanks, surprisingly, to the gaming industry. Modern-day computer games increasingly incorporate artificial intelligence technology to learn about a player’s behavior to make games more fun to play. In other words, walk down a corridor and turn left five times and the sixth time there will be a bad guy trying to shoot you.

“The game learns your behavior and adapts to it,” says Costigan. “We do similar stuff. We watch your behavior and predict what it should be, and if it’s not that we can flag something up and say, ‘Hey something’s not right.’”
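The enroll-then-compare loop described above can be sketched with the older statistical approach Costigan mentions. This is an added illustration, not Behaviosec’s algorithm: the feature set (three flight times, mean key-hold time, pressure), the threshold, the enrollment count and all sample values are assumptions constructed for the example.

```python
import math

class TypingProfile:
    """Running per-feature mean/variance (Welford's method) for one user."""
    def __init__(self, n_features):
        self.n = 0
        self.mean = [0.0] * n_features
        self.m2 = [0.0] * n_features   # running sum of squared deviations

    def update(self, sample):
        self.n += 1
        for i, x in enumerate(sample):
            delta = x - self.mean[i]
            self.mean[i] += delta / self.n
            self.m2[i] += delta * (x - self.mean[i])

    def score(self, sample, min_std=5.0):
        """Mean absolute z-score; higher means less like the enrolled user."""
        total = 0.0
        for i, x in enumerate(sample):
            std = math.sqrt(self.m2[i] / (self.n - 1)) if self.n > 1 else 0.0
            total += abs(x - self.mean[i]) / max(std, min_std)  # floor avoids /0
        return total / len(sample)

def verify(profile, sample, threshold=2.5, min_enroll=5):
    """Return 'enroll', 'accept' or 'flag' for one correct-PIN entry."""
    if profile.n < min_enroll:
        profile.update(sample)
        return "enroll"
    if profile.score(sample) <= threshold:
        profile.update(sample)   # keep learning, but only from accepted entries
        return "accept"
    return "flag"                # flagged entries never alter the profile

# Constructed samples: [flight1, flight2, flight3, mean hold (ms), pressure (0-100)]
OWNER = [[210, 180, 250, 95, 62], [220, 175, 240, 100, 60], [205, 190, 260, 90, 65],
         [215, 185, 245, 98, 61], [200, 170, 255, 92, 63]]
OWNER_LATER = [212, 182, 248, 96, 62]
OTHER_PERSON = [120, 310, 150, 60, 85]   # same PIN, different rhythm and pressure

def demo():
    profile = TypingProfile(5)
    decisions = [verify(profile, s) for s in OWNER + [OWNER_LATER, OTHER_PERSON]]
    return decisions, profile.n

if __name__ == "__main__":
    print(demo())
```

Updating the profile only on accepted entries keeps it tracking gradual drift in the owner’s typing without letting a flagged session pull the model toward someone else’s rhythm.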

Though Costigan talks about developing “profiles,” he says it’ll be years before computers have the somewhat worrying power to identify you out of thousands of others, based on how you type. It’s one thing to say who someone is not, another to recognize who someone is. “It could get to that point,” he says, “but it’s the distant future and would take an enormous amount of memory and computation.”