In brief: Banks and merchants are increasingly tracking your physical movements – how you tap, scroll and type on a mobile device or keyboard when using websites and apps – to fight fraud. But are they encroaching on our privacy to do so?
The data points, called “behavioral biometrics,” are used to combat suspicious transactions and automated attacks, although, as The New York Times highlights, some are taking the data collection process much further.
Humans are creatures of habit. We often do things the same way each time and respond to stimuli in predictable ways. These actions and reactions can be as unique as a fingerprint or facial feature and companies are using these metrics to their advantage.
Take Royal Bank of Scotland, for example. It uses security software from BioCatch, which builds a profile of each user’s gestures and then compares current behavior against the profile to spot suspicious activity. According to BioCatch, it can spot impostors with 99 percent accuracy.
A few months back, the software detected unusual behavior coming from one wealthy customer’s account. After logging in, the “user” utilized the mouse’s scroll wheel, which is something the actual account owner had never done before. The impostor then typed in data using the number keys at the top of the keyboard rather than the number pad on the side, as the customer typically does.
The behavior triggered the system which prevented any money from leaving the customer’s account. After an investigation, it was discovered that the bank account had been hacked and someone was trying to transfer out a seven-figure sum. Thanks to the software, the bank was able to intervene in real-time and prevent the theft.
This is just one example of behavioral biometrics in action and arguably, in an ideal setting. In the real world, a user’s behavior isn’t always that consistent. People act differently if tired, injured, intoxicated, distracted or in a hurry. Furthermore, we behave differently when lounging on the couch versus sitting upright at a desk or when in bed.
Nevertheless, behavioral biometrics are appealing to companies because they’re essentially frictionless. No special hardware is needed to capture data points and no access codes need to be entered. What’s more, customers don’t even know the collection process is taking place. As Neil Costigan, the chief executive of BehavioSec, points out, you simply watch them, silently, while they go about their normal account activities.
Businesses may call it a frictionless experience but some privacy advocates see it as dangerous.
Consider this example. A customer who once had a steady hand develops a tremor. That’s an issue if her bank also happens to be her auto insurer. Would the company be justified in dropping her due to the risk of added liability?
Pam Dixon, executive director of the World Privacy Forum, said this is the kind of data that usually has some kind of consumer protections around it but companies are now using such systems with no notice of any kind.
Because the practice is so new and largely unknown, most countries don’t have laws governing the collection and use of biometric behavioral data. Europe’s new privacy laws feature exemptions for security and fraud prevention, the Times notes. California has a new digital privacy law that requires companies using behavioral biometrics to disclose the practice but it doesn’t go into effect until 2020.
BioCatch has profiles on roughly 70 million people, a small number compared to some of its competitors. With personal data like this being collected in droves, critics argue that companies are simply magnifying the potential risk to consumers.
What are your thoughts on behavioral biometrics? Should companies be tracking our every movement? Were you even aware that the practice was taking place?
GIFs courtesy Andrew Roberts