Security researchers develop browser plug-in to dupe biometric behavioural profiling
Security researchers have developed a Chrome browser extension designed to outwit websites that use keyboard behaviour biometrics to authenticate users, in an effort to raise awareness of the behavioural biometric technology and its potential privacy risks, according to a report by Tripwire.
Keyboard behaviour biometrics distinguish between typists by monitoring how they type: the length of time between each keypress, how long each key is held down, and how long it takes to type a particular string of characters.
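To make the timing features concrete, the following added example (not code from the article or the KeyboardPrivacy project) extracts dwell and flight times from a keydown/keyup log and scores how far two typists' profiles are apart; the event logs and the function names are constructed for illustration.

```javascript
// Added example: the keystroke-timing features described in the article.
// Dwell = how long a key is held; flight = gap between releasing one key and
// pressing the next. Both are measured in milliseconds.

// Constructed logs of two typists entering "pass": [type, key, timestampMs].
const TYPIST_A = [
  ["down", "p", 0],   ["up", "p", 100],
  ["down", "a", 180], ["up", "a", 270],
  ["down", "s", 350], ["up", "s", 460],
  ["down", "s", 540], ["up", "s", 640],
];
const TYPIST_B = [
  ["down", "p", 0],   ["up", "p", 60],
  ["down", "a", 200], ["up", "a", 270],
  ["down", "s", 420], ["up", "s", 480],
  ["down", "s", 640], ["up", "s", 710],
];

// Returns { dwell: [...], flight: [...] } for one event log.
function extractFeatures(events) {
  const pressedAt = new Map(); // key -> keydown time; copes with overlapping keys
  const dwell = [];
  const flight = [];
  let lastUp = null;
  for (const [type, key, t] of events) {
    if (type === "down") {
      if (lastUp !== null) flight.push(t - lastUp);
      pressedAt.set(key, t);
    } else if (type === "up") {
      const down = pressedAt.get(key);
      if (down === undefined) throw new Error(`keyup without keydown for ${key}`);
      dwell.push(t - down);
      pressedAt.delete(key);
      lastUp = t;
    }
  }
  return { dwell, flight };
}

// Mean absolute difference over all features; 0 means identical timing.
// Both logs must cover the same text so the feature vectors line up.
function profileDistance(eventsA, eventsB) {
  const a = extractFeatures(eventsA);
  const b = extractFeatures(eventsB);
  const va = [...a.dwell, ...a.flight];
  const vb = [...b.dwell, ...b.flight];
  if (va.length !== vb.length) throw new Error("logs cover different text");
  const total = va.reduce((sum, x, i) => sum + Math.abs(x - vb[i]), 0);
  return total / va.length;
}

console.log(profileDistance(TYPIST_A, TYPIST_A), profileDistance(TYPIST_A, TYPIST_B)); // 0 50
```

The same text typed by two people yields clearly separable feature vectors, which is exactly what makes the profile a reusable identifier once a site has recorded it.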
However, fraudsters could potentially abuse this biometric information for identity theft purposes.
Recognizing this, PasswordsCon founder Per Thorsheim and independent IT security consultant Paul Moore recently developed and tested a solution that takes an individual’s regular keyboard interaction with a website and alters its timing characteristics in ways imperceptible to humans, ultimately duping any website attempting to identify the user by them.
KeyboardPrivacy is a proof-of-concept Chrome extension which enables users to disguise their typing to make it appear as though it is someone else’s to protect their privacy.
In a YouTube video, Thorsheim first visits a website that successfully uses keyboard behaviour biometrics to identify users, then demonstrates how it can be tricked by the KeyboardPrivacy plugin.
In a blog post detailing KeyboardPrivacy, Moore explains that he and Thorsheim created the plugin not as a means to prevent websites from using keyboard behaviour biometrics as an authentication method, but rather as a way to raise awareness of the potential security risks of the emerging technology.
“As I mentioned earlier, it’s more important to strike a good balance between security & privacy; it’s rarely possible to increase one without measurably degrading the other (password managers being an exception),” Moore writes in the blog post. “If you’re happy to leak this information to every site, or if you’re forced to do so by a financial institution, you can disable the plugin on a per-site basis.
“Even if your behavioral profile is leaked to a 3rd-party, it’s of no use unless you happen to disable it on their site too. The single biggest problem with passwords is not length or strength, but re-use. Your behavioral biometrics (knowingly or not) are essentially secrets which you unwittingly share with every site.”
The researchers explain that it is unclear how many websites use keyboard behaviour biometrics, and if they do, whether or not they actually notify their users that they are using this technology.
For users of websites that employ biometric behavioural profiling, theft of their behavioural profile could have greater consequences than theft of a password, which can simply be changed, Moore said.
“The single biggest problem with passwords is not length or strength, but re-use,” Moore concluded. “Your behavioural biometrics (knowingly or not) are essentially secrets which you unwittingly share with every site.”