Companies are quietly building profiles on how we tap, swipe and type to fight fraud

Shawn Knight

In brief: Banks and merchants are increasingly tracking your physical movements – how you tap, scroll and type on a mobile device or keyboard when using websites and apps – to fight fraud. But are they encroaching on our privacy to do so?

The data points, called “behavioral biometrics,” are used to combat suspicious transactions and automated attacks, although, as The New York Times highlights, some are taking the data collection process much further.

Humans are creatures of habit. We often do things the same way each time and respond to stimuli in predictable ways. These actions and reactions can be as unique as a fingerprint or facial feature and companies are using these metrics to their advantage.

Take Royal Bank of Scotland, for example. It uses security software from BioCatch which builds a profile of each user’s gestures then compares current behavior against the profile to spot suspicious activity. According to BioCatch, it can spot impostors with 99 percent accuracy.

A few months back, the software detected unusual behavior coming from one wealthy customer’s account. After logging in, the “user” used the mouse’s scroll wheel, something the actual account owner had never done before. The impostor then typed in data using the number keys at the top of the keyboard rather than the number pad on the side, as the customer typically does.

The behavior triggered the system which prevented any money from leaving the customer’s account. After an investigation, it was discovered that the bank account had been hacked and someone was trying to transfer out a seven-figure sum. Thanks to the software, the bank was able to intervene in real-time and prevent the theft.

This is just one example of behavioral biometrics in action and arguably, in an ideal setting. In the real world, a user’s behavior isn’t always that consistent. People act differently if tired, injured, intoxicated, distracted or in a hurry. Furthermore, we behave differently when lounging on the couch versus sitting upright at a desk or when in bed.

Nevertheless, behavioral biometrics are appealing to companies because they’re essentially frictionless. No special hardware is needed to capture data points and no access codes need to be entered. What’s more, customers don’t even know the collection process is taking place. As Neil Costigan, the chief executive of BehavioSec, points out, you simply watch them, silently, while they go about their normal account activities.

Businesses may call it a frictionless experience but some privacy advocates see it as dangerous.

Consider this example. A customer who once had a steady hand develops a tremor. That’s an issue if her bank also happens to be her auto insurer. Would the company be justified in dropping her due to the risk of added liability?

Pam Dixon, executive director of the World Privacy Forum, said this is the kind of data that usually has some kind of consumer protections around it but companies are now using such systems with no notice of any kind.

Because the practice is so new and largely unknown, most countries don’t have laws governing the collection and use of biometric behavioral data. Europe’s new privacy laws feature exemptions for security and fraud prevention, the Times notes. California has a new digital privacy law that requires companies using behavioral biometrics to disclose the practice but it doesn’t go into effect until 2020.

BioCatch has profiles on roughly 70 million people, a small number compared to some of its competitors. With personal data like this being collected in droves, critics argue that they’re simply magnifying the potential risk to consumers.

What are your thoughts on behavioral biometrics? Should companies be tracking our every movement? Were you even aware that the practice was taking place?

GIFs courtesy Andrew Roberts


 
Ugh if stuff like this bothers you, you need to cancel your internet, cut all your cords, and move to the middle of nowhere with your tinfoil hat. Nobody should care about information that is collected based on habits. I for one don't care how many companies know I use the numberpad vs the number keys or anything else along those lines. That algorithm is pure genius and should be rolled out in full force. Assuming it's smart enough not to interfere with everyday use, I'd enable that in an instant if it were an option.
 
Disagree, in the example in the article about the hacked account, it is made to sound like you benefit.
Actually it is the Bank that benefits, any fraud on my accounts I report and I have no loss. The bank eats it.
This tech is a boon for Banks, not you.
 
Perhaps one day we'll see a government that recognizes the importance of personal freedom from snoopers. Of course that will probably be when we populate the next planet .... or two .....
 
> Ugh if stuff like this bothers you, you need to cancel your internet, cut all your cords, and move to the middle of nowhere with your tinfoil hat. Nobody should care about information that is collected based on habits. I for one don't care how many companies know I use the numberpad vs the number keys or anything else along those lines. That algorithm is pure genius and should be rolled out in full force. Assuming it's smart enough not to interfere with everyday use, I'd enable that in an instant if it were an option.

"I don't care about my right to privacy, so neither should you", basically.

What kind of relationship do you want with the government and businesses in your life? Are you an equal citizen participating in the negotiation we call "society", or are you okay with the slow and steady road back to serfdom, from which the majority of our species had only just begun to exit?
 
> "I don't care about my right to privacy, so neither should you", basically.
>
> What kind of relationship do you want with the government and businesses in your life? Are you an equal citizen participating in the negotiation we call "society", or are you okay with the slow and steady road back to serfdom, from which the majority of our species had only just begun to exit?

It's easy to view this as a breach of privacy (as the article attempts to spin it) when you don't understand the way technology and software work. Almost every company collects non-user-specific statistic data to help the creators understand how most people use their software. This is no different. There is no man in black, watching how YOU use technology who is secretly narrowing his search down to the very specific person you are. All of this is automated and any data collected can in no way leak personal information of yours. This is creating a "habbit" profile for you and nothing more. Again, if it scares you, you shouldn't be online because this is how software works already, it's just a different spin on security.
 
> It's easy to view this as a breach of privacy (as the article attempts to spin it) when you don't understand the way technology and software work. (etc...)

You've pointed out the problem in your own attempt to say that there's no problem. See how these two bits of your post are different, but were presented as though they're logically and ethically the same:

> Almost every company collects non-user-specific statistic data to help the creators understand how most people use their software. This is no different ...
> This is creating a "habbit" (sic) profile for you

Non-user-specific data is different to a profile of you. If I have neither been informed of, nor consented to, such practices then it is a breach of privacy and trust. This is not the usual A/B split testing that you have in every website, app or program, this is by design personally identifiable information. It's a behavioural finger print, the DNA of how you move and interact with your personal devices.

I get that you don't care about the difference, but you do see how others might not be happy with that difference, right?
 
> Non-user-specific data is different to a profile of you. If I have neither been informed of, nor consented to, such practices then it is a breach of privacy and trust. This is not the usual A/B split testing that you have in every website, app or program, this is by design personally identifiable information. It's a behavioural finger print, the DNA of how you move and interact with your personal devices.
>
> I get that you don't care about the difference, but you do see how others might not be happy with that difference, right?

Ok, let's try this. Let's say WORST case scenario, the bank/software is hacked and your "habit profile" is stolen. Absolute worst case scenario, what do the hackers do with your data? Go! I'll wait.

My answer: Absolutely nothing. It's junk data and cannot be used for anything. Thus it should not be considered privacy related.
 
Waahhh! Really that’s all I can take away from the vast majority of the sky-is-falling privacy “concerns”.
Let me put my beliefs right out there in black and white text. “I don’t care about my right to privacy so neither should you”. One) he/she didn’t say that. You inferred it.
Two) this isn’t privacy, it’s security and the example given despite the attempt to spin it with faulty if not false, examples of how users change from time and place.
While I think there should be an opt out; and a penalty for doing so like a lower level of protection or a high-risk fee, it needs to be an opt OUT.

The pro-privacy movement isn’t as big as many tech writers pretend it is. The internet is already VANDALISED by EU-mandated cookie notices I have to click ok to all the time. Every time my browsers update I have to dig through the settings and find how to opt IN to tracking to keep the useful targeted advertising. Targeting gives me something useful to potentially create a click through and even a purchase; thus helping the sites I visit remain free.
I willingly carry shipping card and digital bonus cards. They track my purchases and send me “just for you” coupons. So what if they know I bought their products?
At least this stuff is useful. Has a point. Compared to spam.
This is about security. If you have a problem they should have an opt out option and charge you a monthly high risk fee and move on.
 
> Waahhh! Really that’s all I can take away from the vast majority of the sky-is-falling privacy “concerns”.
> Let me put my beliefs right out there in black and white text. “I don’t care about my right to privacy so neither should you”. One) he/she didn’t say that. You inferred it.
> Two) this isn’t privacy, it’s security and the example given despite the attempt to spin it with faulty if not false, examples of how users change from time and place.
> While I think there should be an opt out; and a penalty for doing so like a lower level of protection or a high-risk fee, it needs to be an opt OUT.
>
> The pro-privacy movement isn’t as big as many tech writers pretend it is. The internet is already VANDALISED by EU-mandated cookie notices I have to click ok to all the time. Every time my browsers update I have to dig through the settings and find how to opt IN to tracking to keep the useful targeted advertising. Targeting gives me something useful to potentially create a click through and even a purchase; thus helping the sites I visit remain free.
> I willingly carry shipping card and digital bonus cards. They track my purchases and send me “just for you” coupons. So what if they know I bought their products?
> At least this stuff is useful. Has a point. Compared to spam.
> This is about security. If you have a problem they should have an opt out option and charge you a monthly high risk fee and move on.

I'm happy for you that you find it useful and even pleasurable to be tracked incessantly online in order to be profiled and sold to. I'm sure you realise though that people can think differently to you. To say "this isn't privacy it's security" is silly, because they're two sides of the same coin. When it comes to CCTV, facial recognition, postal interception, online and offline tracking, or any other 'security' measure, do you also think they're nothing to do with privacy?
 
> I'm happy for you that you find it useful and even pleasurable to be tracked incessantly online in order to be profiled and sold to. I'm sure you realise though that people can think differently to you. To say "this isn't privacy it's security" is silly, because they're two sides of the same coin. When it comes to CCTV, facial recognition, postal interception, online and offline tracking, or any other 'security' measure, do you also think they're nothing to do with privacy?

The article itself is about a bank using AI. In such a case I’m not solely for it; I want to see this rolled out as quickly as possible!
On the flip side I understand where a minority of pro-privacy users see a problem. I’ll state and then bypass the reality. Social statistics the people most concerned with privacy are the ones breaking the law and not wishing to get caught. That’s a simple well documented fact.
That majority aside; I see a potential issue, even a 1984 big brother issue, as plausible when public tracking is left unchecked.
The proof is front and centre today for anyone who is willing to open their eyes. Alex Jones being blocked on every major digital platform. Facebook, or was it Twitter, (all this social media crap blends together for someone like me who never felt like posting pictures of my breakfast was valuable) blocking a post editor from linking to their own article...!
I don’t use any of that social media stuff not for privacy concerns, but for lack of care. If you want to know what I ate yesterday you can ask. I’m not posting a photo. If you don’t want to see me naked in my own house don’t look in my windows.
On the other hand if you want to ring the doorbell and give me coupons for my bagels and lotion for my naked skin feel free.
But that’s another issue altogether. And when it comes to tracking and targeting; I’d much rather see ads for some new horror or sci-fi film than generic advertisements for whatever those two big shoot ‘em up online games are. (I honestly can’t remember the names at the moment, night something or other).

Compounding biometric pattern data used for security into the tracking and targeting debate as this article attempts to do is nothing more than the aforementioned sky-is-falling nonsense. They are two distinct topics; each important to be discussed on their own. When you must throw them together you’re best off unplugging from the Internet and adjusting your tinfoil hat.
 
> The article itself is about a bank using AI. In such a case I’m not solely for it; I want to see this rolled out as quickly as possible!
> On the flip side I understand where a minority of pro-privacy users see a problem. I’ll state and then bypass the reality. Social statistics the people most concerned with privacy are the ones breaking the law and not wishing to get caught. That’s a simple well documented fact.
>
> (etc...)

Please link something to prove your assertion that most people concerned with privacy are criminals. I'm not sure that that's a simple well documented fact.

Anything that creates an involuntary power imbalance should be rigorously questioned, then fought if necessary. I think that, in the age of ubiquitous hacking, the creation of profiles like this is wrong. I understand that other people disagree with me, that's fine.

But I would just caution that your underlying assumptions suggest you think the world is, and will always be, filled with benign agents - businesses, governments etc. I do not believe this to be the case, hence my suspicion of anything that creates profiles that a person did not ask for.

I believe society should be the voluntary participation of individual citizens engaging in negotiations with one another. "Security" measures like ID cards, CCTV, drag-net snooping policies, and behavioural profiles make subjects, not citizens, of us all. This is not "tinfoil hat" crap, nor is it "sky is falling", it's an opinion on encroaching authoritarianism.
 