Detecting a fraudulent banking transaction is getting harder. Hackers have access to so much personal information that cracking most bank security mechanisms is getting easier. They are getting smarter at how they take money from accounts. They now take smaller amounts and move the money through local companies rather than offshore. Banks are also struggling to separate fraud committed by customers as opposed to criminals. To help them out, IBM has delivered new behavioural biometric analysis capabilities. The product is called Trusteer Pinpoint Detect and is shipping now.
According to Ravi Srinivasan, Vice President, Strategy, IBM Security: “Given enough time and resources, cybercriminals can defeat passwords and security questions. Behavioral biometrics is about what the user does, not what the user knows. Trusteer Pinpoint Detect now can now better differentiate real users from fraudsters using gesture models, giving banks and other organizations the power to protect the interests of their customers, and ultimately determine the sources of financial fraud.”
How does behavioural biometrics work?
Trusteer Pinpoint Detect monitors how a user interacts with a banking website. It looks at how they move their mouse, how quickly they respond to security questions and the way they navigate the site. This is nothing new. In the early days of Rich Internet Applications companies tracked mouse movement to tune the user experience. The problem with this approach was ensuring that the way users navigated was consistent. It takes a significant number of interactions to create a reliable pattern of behaviour.
This technology is another project to come out of IBM’s research labs in Israel. This technology has been developed at the IBM Cyber Security Center of Excellence at Ben-Gurion University, Israel. What is not clear from any of the publicly available material is how long it takes to build these models per user. It is also important that the models understand how user behaviour differs based on the device the user has at their disposal. IBM says that it is gathering that data along with device attributes to stop device spoofing. User behaviour will also change based on time of day and where they are; office, bar, restaurant, beach, airport, etc.
All this creates a significant challenge in building a complete user profile. It is important that no user is refused access to their bank account because the computer says “No”. It will be interesting to see how quickly some of this makes its ways into IBM Bluemix as a new set of APIs. IBM has already released other APIs around behaviour and biometrics to IBM Bluemix. Developers are already using these to build customer interaction models. There is a danger with releasing too much data and APIs around behavioural biometrics. This is that cyber criminals will use that information to defeat the system
Anything that tightens user security around banking is a good thing. Hackers are finding it easier to gather the information required to defeat most security systems. By taking advantage of user behaviour IBM is also forcing hackers to spend more time trying to gather information about their targets. Consequently this will allow users more time to discover and remove malware that is stealing their credentials. The only concern is how quickly the systems can build effective user models.