In order to fight fraud—and learn more about their customers—banks and retailers are tracking your physical movements online.
“The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features,” the New York Times writes. This unique online behavior is called behavioral biometrics, and now banks and other institutions are using that information to identify you.
The Royal Bank of Scotland has spoken openly about the practice, which it began testing two years ago. It tracks more than 2,000 different physical movements a user can make on their phone or device. This includes things like how many fingers you use to tap or swipe, what angle you hold your smartphone at, the rhythm of your keystrokes on a keyboard, and how quickly or slowly you scroll on a page. The software it uses builds a profile for each user, and once complete, the system can correctly detect an account impostor with a 99 percent accuracy rate.
In one example of the system’s success, it was used to identify that a wealthy customer’s account had been hacked. Once the user logged on, the system detected that they used the scroll wheel on their mouse—something they’d never done before—and then used the numerical strip at the top of the keyboard, rather the one on the side of the keyboard, another anomaly. After these red flags went off, the bank blocked cash from leaving the account. Not all cases are this cut-and-dry, though, as a user’s behavior changes from day to day, device to device, or depending on their mood.
Clearly, tracking a user’s physical movements online can be an excellent security measure for these sites and organizations. However, privacy advocates are concerned about the practice, as very few companies clearly state that they’re collecting behavioral biometric data. Jennifer Lynch, a senior lawyer with the Electronic Frontier Foundation, told the New York Times that it’s also only a small leap for institutions to use that data not for other purposes besides fraud detection. For example, what if these systems detect the early onset of a health condition, and what if their bank is also their insurer?
It’s certainly a potentially problematic situation. For more on the pros and cons of behavioral biometrics, head over to the New York Times.