Behavioral biometrics in mobile banking – user-unique authentication enables safer transactions
This is a guest post by Giovanni Verhaeghe, director of marketing and product strategy at VASCO Data Security.
Almost daily, new and evolved fraud exploits targeting mobile banking apps are in the news, as Internet criminals have become increasingly skilled at and interested in compromising mobile devices. Sophisticated attack methods have rendered the legacy “user and password” protection scheme obsolete. Even some two-factor authentication seems increasingly insufficient, as hackers are constantly finding clever new ways to lull users into entering their passwords into fake interfaces on fraudulent apps.
Financial institutions are challenged to embrace new authentication methods that are dynamic enough to prevent hackers from compromising customers and the institution, but without unduly impeding the usability of the consumer’s banking app. Mobile devices are especially vulnerable, as users for some reason tend to worry less about security than when using their computers or laptops and also, because users often don’t consider whether they’re conducting transactions over networks that are known to be secure. And on the institution’s side, mobile banking is just that: mobile. It can’t offer the locational confirmation that a user is genuine, and not a fraudster using stolen credentials.
The various layers of mobile security that FIs implement are constantly being tested and occasionally compromised, as hackers find and exploit device and operating system weaknesses that – once discovered and exploited – must be immediately addressed.
In response to perpetual probing by would-be hackers and fraudsters, many financial institutions are seeking to add innovative new layers to their defensive strategies to increase application security without adding new complexity to the customer’s experience. For example, checking the location and time of the transaction against the consumer’s known patterns lets the FI introduce additional authentication challenges to quickly detect potentially fraudulent attacks. If someone tries to make a transaction in the middle of the night on the other side of the world and has not notified their bank of foreign travel, it’s usually a strong indicator that something’s not right. Blocking such a transaction until an additional verification is completed is the best thing to do.
Recent mega-breaches – which unlocked massive amounts of PII that make social engineering attacks more likely to succeed – have added new urgency to the drive to tighten mobile banking security, as has the increase over the last year in mobile banking “overlay” attacks, where a fraudulent app lulls users into revealing login details by presenting an interface screen nearly identical to that of the user’s trusted financial institution.
In response, many security-aware institutions are considering adding behavioral elements to their authentication layers. Examples include finger pressure when the user touches a smartphone screen for a particular function, the user’s typing speed, navigation preferences and hundreds of other behaviors. Together, these habits and preferences form a pattern that can confirm that a user is authentic, or that the device was likely stolen and is being used by a would-be thief, or even that the authentic user might unknowingly be using a fake interface placed by criminals rather than their bank’s actual application.
This security mode has become known as behavioral biometrics. By capturing how the user typically employs their device for a period of time, behavioral biometrics algorithms can define a type of “trace” pattern. If the user’s actions match this “trace” there’s an extremely high probability that their actions are legitimate, and there’s no need for the FI to introduce additional authentication steps that might interfere with and compromise the user’s experience. However, a sudden change in behavior may indicate that something is wrong. The bank can then pause the transaction or other operation and request an additional verification check.
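The two mechanisms described above, a contextual check on time and location and a behavioral “trace” that a live session is scored against, can be sketched in a few lines. This is an added illustration, not VASCO’s code or algorithm; the feature names, the z-score comparison and the threshold are all assumptions chosen for the example, and the enrollment data is constructed.

```python
from statistics import mean, pstdev

# Constructed enrollment sessions for one user. The feature names are
# hypothetical stand-ins for the signals the post lists: typing speed in
# characters/second, touch pressure on a 0..1 scale, swipe duration in ms.
ENROLLMENT = [
    {"typing_cps": 4.1, "pressure": 0.52, "swipe_ms": 310},
    {"typing_cps": 3.9, "pressure": 0.55, "swipe_ms": 295},
    {"typing_cps": 4.3, "pressure": 0.50, "swipe_ms": 330},
    {"typing_cps": 4.0, "pressure": 0.53, "swipe_ms": 305},
    {"typing_cps": 4.2, "pressure": 0.54, "swipe_ms": 320},
]


def build_trace(sessions):
    """Reduce enrollment sessions to per-feature (mean, std dev).

    Only this summary is kept, not the raw sessions, so a stolen trace
    yields statistics rather than a replayable recording of the user.
    """
    trace = {}
    for feat in sessions[0]:
        vals = [s[feat] for s in sessions]
        sd = pstdev(vals)
        trace[feat] = (mean(vals), sd if sd > 0 else 1e-9)  # no divide-by-zero
    return trace


def deviation_score(trace, session):
    """Mean absolute z-score across features; near 0 means 'matches the trace'."""
    zs = [abs(session[f] - m) / sd for f, (m, sd) in trace.items()]
    return sum(zs) / len(zs)


def decide(trace, session, hour_local, home_country, txn_country, threshold=2.5):
    """Return 'allow' or 'step-up'.

    Step up when behavior drifts past the (assumed, uncalibrated) threshold,
    or when the post's contextual example fires: an off-hours transaction
    from an unexpected country.
    """
    off_hours = not (6 <= hour_local <= 23)
    foreign = txn_country != home_country
    if deviation_score(trace, session) > threshold or (off_hours and foreign):
        return "step-up"
    return "allow"


TRACE = build_trace(ENROLLMENT)
GENUINE_SAMPLE = {"typing_cps": 4.0, "pressure": 0.53, "swipe_ms": 300}
SUSPECT_SAMPLE = {"typing_cps": 7.5, "pressure": 0.85, "swipe_ms": 120}
```

A production system would score many more signals over a sliding window and tune the threshold against measured false-positive rates rather than a fixed constant.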
Because behavioral biometrics is a discreet way of verifying transactions, it shifts the weight of security away from the user, who usually does not perceive the behavioral biometrics layer unless an anomaly triggers a request for additional verification. This means that the time spent authenticating a user is minimized, and they can spend more time using the application. In summary, the session is as safe as users expect it to be.
Behavioral biometrics reduces fraud while minimizing the occurrence of false positives. It also does not invade the customer’s privacy, unlike first-generation biometrics, which captured unique physical characteristics such as fingerprints, iris scans, facial biometrics or voice patterns. The behavioral pattern of a user is stored as a mathematical model that is useless to perpetrators seeking personal data to exploit.
Behavioral biometrics provides transaction-to-transaction security, which makes it very difficult for criminals to crack because there is no single weakness that can be exploited. It’s an approach that is orders of magnitude harder to hack and therefore safer for the institution, while avoiding concerns about the capture of physical characteristics that could – if hacked – be perpetually exploited. After all, your left iris pattern remains your left iris pattern throughout your lifetime – regardless of whether some company storing your physical biometrics gets hacked.
Behavioral biometrics also frees consumers from the often inconvenient and occasionally awkward authentication steps that legacy biometrics demand. “Excuse me, but are you winking at me or just logging in?”
Most importantly, behavioral biometrics frees the user from remembering and invoking complex additional layers of authentication, and serves as the foundation for a loyal relationship that supports the bank in offering an ever-expanding set of trusted services and products.
About the author
Giovanni Verhaeghe is director of market and product strategy for VASCO Data Security. He has been working for over 13 years in the Internet security market and holds several degrees in applied informatics and a Management degree.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.