Behavioural biometrics: transforming online security

The latest advance in the war against identity theft and fraud will change how we identify ourselves online.

Thursday, 7 April, 2022

The consequences of COVID-related lockdowns will take many years to fully establish, but it’s already evident that cybercrime has flourished over the last two years.

In America alone, identity theft cases soared by 42 per cent in 2020, totalling $712 billion.

Similarly, in the UK, the first half of 2021 saw 180,000 separate instances of ID fraud.

It can be difficult to prove you’re actually you in certain circumstances, such as resetting a lost password or replacing a smartphone without deactivating banking app keys first.

The finance sector is uniquely vulnerable to fraud, with constant conflict between banks and fraudsters who are attempting to pass themselves off as legitimate customers.

Because of this endless game of cat-and-mouse, concepts like behavioural biometrics are rising to the fore.

Experts believe this market will increase by 25 per cent year-on-year until 2027, when it will be worth almost $5 billion.

If you’re not sure what behavioural biometrics is, read on, because it’s going to be influencing your online experiences very soon…

What is it?

It’s a process which identifies us by unique characteristics – things we’re often consciously unaware of, but which define us nonetheless.

Your irises and fingerprints have unique biological markings, but behavioural attributes can be equally distinctive.

Handwriting and signatures are two classic examples of behavioural biometrics. However, neither is especially helpful when using computers.

Instead, behavioural biometric testing analyses and interprets how we perform certain tasks, which can be as distinct as how we speak.

How would this work in practice?

You might not consider entering your email address into a form to be significant, but the way you type is now being used by banks including First Direct to monitor potential fraud.

The HSBC subsidiary emailed its customers last week, announcing that one-time passcodes (a form of 2FA) will now be entered alongside customer email addresses.

The bank believes customers enter familiar character strings in a distinctive way, with consistent keystroke speeds and distinct gaps between one keypress and another.

While a criminal might learn someone’s email address, they’re unlikely to type it into a web browser in the same way as a person who enters that address routinely.
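
The timing comparison described above, sketched as an added example; it is not First Direct's or any vendor's actual method. The function names, the scaled Manhattan scoring, the threshold and all sample timings are assumptions constructed for illustration.

```python
from statistics import mean

def features(events):
    """events: [(key, press_ms, release_ms), ...] -> dwell times then flight times (ms)."""
    dwell = [rel - prs for _, prs, rel in events]             # how long each key is held
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]  # gaps
    return dwell + flight

def enroll(samples):
    """Build a per-feature profile (mean, mean absolute deviation) from repeated entries."""
    vectors = [features(s) for s in samples]
    if len(vectors) < 2 or len({len(v) for v in vectors}) != 1:
        raise ValueError("need at least two samples of the same string")
    profile = []
    for column in zip(*vectors):
        mu = mean(column)
        mad = mean(abs(x - mu) for x in column)
        profile.append((mu, max(mad, 1.0)))  # floor avoids dividing by zero on steady keys
    return profile

def score(profile, events):
    """Scaled Manhattan distance per feature; lower means closer to the enrolled rhythm."""
    vec = features(events)
    if len(vec) != len(profile):
        return float("inf")  # different length (typo or paste): timings are not comparable
    return sum(abs(x - mu) / mad for x, (mu, mad) in zip(vec, profile)) / len(vec)

def typed(key_string, dwells, gaps):
    """Helper for constructed data: turn dwell and gap lists into press/release timestamps."""
    events, t = [], 0
    for i, key in enumerate(key_string):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (gaps[i] if i < len(gaps) else 0)
    return events

# Constructed timings for the 4-character string "a@b."; not real measurements.
ENROLLED = [
    typed("a@b.", [90, 110, 85, 95], [120, 200, 60]),
    typed("a@b.", [95, 105, 80, 100], [130, 190, 65]),
    typed("a@b.", [88, 115, 90, 92], [115, 210, 55]),
]
OWNER_ATTEMPT = typed("a@b.", [92, 108, 86, 97], [125, 195, 62])
OTHER_ATTEMPT = typed("a@b.", [140, 150, 145, 150], [300, 310, 290])
THRESHOLD = 3.0  # assumed cut-off; a real system tunes it against false accepts and rejects
PROFILE = enroll(ENROLLED)

def accept(events):
    """True when the attempt's rhythm is within the assumed threshold of the profile."""
    return score(PROFILE, events) <= THRESHOLD
```

A score like this would normally be one signal alongside the passcode rather than a pass/fail gate on its own, since a legitimate customer's rhythm also shifts with a new keyboard, an injury or a phone keypad.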

Is this form of biometrics foolproof?

It’s not completely foolproof. In truth, nothing is. Even the longest randomly-generated alphanumeric password string could be cracked by a quantum computer, given enough time.

However, each additional verification step hugely reduces the likelihood of a criminal successfully impersonating an unwitting victim.

Could they acquire your bank logins and the smartphone used to send 2FA notifications, and then successfully replicate the way you’d enter your email address?

It’s hard to imitate someone’s typing style in the same way it takes skill to forge a signature – holding the pen identically, pressing down equally strongly, imitating loops and lines, etc.

As such, typing patterns represent another weapon in the ongoing war against cybercrime.

Neil Cumins

Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!