Getting to grips with mobile security
Biometric methods of identification are becoming increasingly important as service providers try to balance security needs with user convenience. This is particularly true in banking and financial services, where there is a natural target for criminals and a regulatory imperative to move towards two-factor authentication.
On top of this, in a mobile-enabled banking world banks are faced with identifying customers accurately through diverse channels and devices, from constantly changing locations, and at any time of day or night.
And the criminals are still clever, still probing for new weaknesses as their existing methods are countered by the cyber-security specialists.
Uri Rivner, vice president of business development and cyber-strategy at three-year-old Israeli security specialist BioCatch, is a well-known figure in that world. Before joining BioCatch, he was head of new technologies, identity protection at RSA, now the security division of EMC, and is a regular blogger and speaker on the subject of security and cyber-crime.
His description of the situation is that “cyber-criminals have built a formidable Dark Cloud that targets enterprises across all sectors – well beyond financial services. Fraudsters are successfully stealing data through state-of-the-art crimeware, stealthy infection techniques, social engineering, and more”.
He jumped ship from RSA to join BioCatch three years ago after coming across the company. “It has a very cool twist to behavioural biometrics,” he says. “My first reaction to hearing what BioCatch does was a this-is-so-clever grin. My second reaction was ‘wow, if this actually works, it’s game-changing stuff’.”
What it does is ‘invisible biometrics’ for mobile and web applications, using a mixture of physiological and cognitive measurements to build and monitor a user profile. It operates transparently, in the background, to give continuous authentication of the user’s identity “without enrolment or any form of conscious user participation”.
“What we do is analyse your behaviour as you interact with an online application – in the banking sector that’s obviously going to be online or mobile banking,” Rivner says. “Let’s say you’re using a PC, with a keyboard and mouse; there are logical things to watch, such as your hand/eye coordination. As you move the mouse, your eyes follow the cursor on the screen, your brain calculates the path and your hand makes the physical movement. Different people have different hand/eye coordination. That’s a physiological measurement.”
Moving to a mobile device, things get interesting. “On a mobile it gets more intuitive, because when you hold the device you have a certain shake to your hand, when you touch it you press it in a certain way, when you scroll or swipe you do it in certain ways,” he says.
Using the accelerometers that are built into modern smartphones, BioCatch records data on all of these movements, acting as a sort of seismograph. “We can not only detect it, we can try to see if it is consistent, because if it is and you don’t look like other people, that is a very good way to analyse your behaviour and see if it is you operating within your account.”
On top of the physiological parameters, it also looks for markers of individual cognitive behaviours. “People make positive choices,” he says. “Using an online application, when you type the log-in, how do you move to the password field? With the mouse? Or with the TAB key? Typically a user will choose one of these options. No-one tells you which to use, but you basically develop some sort of habit and that becomes the way you navigate.”
Similarly, some users will use the mouse wheel to scroll, others will use arrows on the keyboard. “Again, nobody tells you: it’s a cognitive choice – it’s the way your brain perceives the task. What we are doing is analysing the way that users are navigating inside the application and interacting with it. The system will spot the individual characteristics – where you are very consistent, and where you are very distinct.”
More basic examples of invisible biometrics are already in use: some ATMs measure how the user inputs the PIN to create a ‘signature’, for instance – not unlike the way that individual Morse code operators can be distinguished by their particular rhythms. The voice biometrics used in telephone banking are another example of background checking.
“We measure more than 500 parameters, both physiological and cognitive,” he says. “On a mobile it will be more physiological and on a PC it will be more cognitive – simply because mobiles give us a lot more physiological measurements, as you are holding and touching it.”
These create an individual profile for each user. “You might have a parameter that you are very consistent on so you don’t look like other people – but I might not be consistent on the same parameter, or I am straight in the middle of the bell-curve with everyone else,” says Rivner. “So we first have to understand what all of the parameters for that application are across the general customer base, and then we build an individual model of your behaviour – say you are very consistent on parameters four, 60 and 375. If someone else is inside your account they will not have the same parameters.”
It takes 10 sessions for the system to gather enough data to build an individual profile, a process that the user is unaware of. “They have to act normally,” he says. “That’s the point.”
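The profile-building process described above, as an added toy example (not BioCatch’s code; the parameter names, thresholds and all session data are constructed for illustration): compute a population baseline per parameter, keep only the parameters on which the user is both consistent and distinct from the bell-curve, refuse to build a model before ten sessions, then score a later session against that model.

```python
"""Toy behavioural-biometrics model: population baseline -> individual profile -> session score.
Constructed illustration only; parameters, thresholds and session data are all made up."""
import statistics

# Constructed sessions: one row per session, one column per behavioural parameter
# (hand-tremor amplitude, swipe speed, swipe duration ms, key dwell ms).
POPULATION = [
    [80, 0.8, 100, 60], [90, 1.0, 120, 70], [100, 1.2, 140, 80], [110, 1.0, 160, 90],
    [120, 0.9, 180, 100], [100, 1.1, 140, 80], [90, 1.0, 120, 70], [110, 1.0, 160, 90],
]
USER_SESSIONS = [  # ten enrolment sessions captured while the user simply acts normally
    [150, 1.00, 100, 40], [152, 1.02, 180, 41], [148, 0.98, 140, 39], [151, 1.00, 160, 40],
    [149, 1.01, 120, 41], [150, 0.99, 100, 39], [152, 1.00, 180, 40], [148, 1.02, 140, 41],
    [151, 0.98, 160, 39], [149, 1.00, 120, 40],
]

def population_baseline(sessions):
    """Per-parameter mean and spread across the general customer base."""
    return [(statistics.mean(col), statistics.pstdev(col)) for col in zip(*sessions)]

def build_profile(sessions, baseline, min_sessions=10, max_ratio=0.5, min_z=1.0):
    """Keep only parameters where the user is consistent (spread well below the population's)
    AND distinct (mean at least min_z population standard deviations from the population mean)."""
    if len(sessions) < min_sessions:
        raise ValueError(f"need {min_sessions} sessions, have {len(sessions)}")
    profile = {}
    for i, col in enumerate(zip(*sessions)):
        mu, sd = statistics.mean(col), statistics.pstdev(col)
        pop_mu, pop_sd = baseline[i]
        if sd / pop_sd <= max_ratio and abs(mu - pop_mu) / pop_sd >= min_z:
            profile[i] = (mu, sd, pop_sd)
    return profile

def score_session(session, profile, k=3.0):
    """Fraction of the user's discriminating parameters on which this session matches the model."""
    hits = 0
    for i, (mu, sd, pop_sd) in profile.items():
        tol = max(k * sd, 0.1 * pop_sd)  # floor so a near-constant parameter is not brittle
        hits += abs(session[i] - mu) <= tol
    return hits / len(profile) if profile else 0.0

def is_genuine(session, profile, threshold=0.75):
    """Decision used to flag a session for step-up authentication or review."""
    return score_session(session, profile) >= threshold

if __name__ == "__main__":
    prof = build_profile(USER_SESSIONS, population_baseline(POPULATION))
    print("discriminating parameters:", sorted(prof))
    print("user session:", score_session([151, 1.0, 150, 40], prof))
    print("someone else:", score_session([100, 1.0, 140, 80], prof))
```

With the constructed data only the tremor and key-dwell columns survive: the user is consistent on swipe speed but sits in the middle of the population, and is distinct but inconsistent on swipe duration.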