How Unconscious Patterns Are Shaping The Future Of Financial Cybersecurity

Senior Vice President and Head of Identity & Access Management Solutions at HID Global.

There’s a great short story from Orson Scott Card called Dogwalker. Originally published in 1989, it’s about a team of e-criminals who attempt to pull off a grand heist on a wealthy target. Using psychological profiling, they are finally able to determine the 15-character password they need, though they are ultimately unsuccessful.

That’s because the group’s intended target—paranoid about the possibility of theft—had a habit of always entering an incorrect password before inputting the correct one. When the criminals didn’t follow this pattern, they were easily outed as imposters.

This fictional case hinges on deliberate behavior. In reality, the majority of our behavioral patterns are ones we’re not consciously aware of or can even control. And this simple recognition is poised to change the future of financial cybersecurity—and the ever-present danger of fraudulent transactions.

Behavioral Biometrics

When we hear “biometrics,” most of us think first about physical biometrics. We’ve become accustomed to holding our fingertips and faces to our smartphones to unlock them or confirm a financial transaction.

However, whenever we interact with our devices, we are also constantly providing unique and measurable behavioral information that can be reliably used to confirm our identities. The angle at which we hold our phones, the speed with which we type our passwords and the locations we frequently visit—the combination of these factors creates a reliable and predictable blueprint. Behavioral biometrics describe how (and sometimes where and why) we do the things that we do.

Unobtrusive And Processed On-Device

In contrast to other authentication techniques, the analysis of behavioral biometric data does not require comparing it with data from other individuals. Behavioral biometrics track an individual’s interaction with the device itself—the way a screen is held, the manner of typing, the speed a mouse is moved and the cadence of a gesture. Because of this, analysis can happen without removing any data from the phone (i.e., to another location for storage or processing, where it could potentially be stolen or misused).

Behavioral biometric analysis is also less intrusive yet arguably safer than other forms of authentication, like one-time passwords (OTPs) delivered via SMS, which have been proven to be insecure. Passwords themselves are becoming outdated, both for their clunkiness and their cybersecurity vulnerabilities. Obviously, the safest authentication solutions involve multiple factors, but ideally, the parts should work together seamlessly and unobtrusively without compromising security.

Stopping Fraud Before It Happens

Far too often, when fraudulent activity is detected, analysis happens after the fact (i.e., after someone has already made a charge to someone else’s account). In the case of banking, if a customer is a victim of bank fraud, they can be refunded, but the criminal has already made their purchase, and the cost of the theft is taken as a loss by the bank or insurance company. Financial losses from cybercrime are no joke—projected to cost over $10.5 trillion annually by 2025—but the hits to an organization’s brand and reputation after a breach are arguably more damaging.

Biometric behavioral inputs can, however, enable banks and financial services providers to flag potential fraud before the transaction is pushed through, enabling them to do something about it. Going back to Dogwalker—even if someone has the correct password for the person they are trying to impersonate, if the device they are using is different, the way they input the password is slower or their IP address is new, their behavior can be flagged. At this point, the bank can halt the transaction or require additional authentication factors before proceeding.

Legal Considerations And The Importance Of Consent

Where do behavioral biometrics fit in terms of legal definitions, and how do regulatory authorities classify them? In a word: inherence. Strong consumer authentication (SCA), a specific requirement outlined in the European Union’s Payment Services Directive (PSD2), is based on the presence of at least two knowledge-based (e.g., passcode), physical (e.g., token) or inherent elements. The European Banking Authority notes that “inherence, which includes biological and behavioral biometrics, relates to physical properties of body parts, physiological characteristics and behavioral processes created by the body and any combination of these.”

Like all personal data, behavioral biometric information is valuable, and people have a right to know how their data is collected, processed and protected. Regulations like Europe’s GDPR and California’s CCPA include requirements that are specific to behavioral biometrics. For example, a bank or other financial service provider must develop a clear and concise way to inform its customers that their biometric data is being collected, how it is stored and how that data is used, and then allow its customers to give or withdraw consent to its collection and processing.

However, even as more privacy regulations are being enacted around the world to protect consumers’ personal information, navigating the gaps and differences between their unique requirements is complicated for organizations—not to mention for consumers.

The Promise Of Behavioral Biometric Technologies

The manner in which each of us interacts with our devices is truly unique. For instance, there are thousands of ways to describe and measure how we type on a keyboard, let alone the myriad of other interaction points we use daily. Combining these overlooked yet distinctive patterns—the pace in which we walk, the manner in which we pull our phone from our pocket, the milliseconds we pause before responding to a security prompt—with other multifactor (MFA) authentication elements, allows for the identification of individuals with stunning accuracy.

By leveraging biometrics for identity authentication, users may be able to experience the highest levels of security simply by being themselves, with less friction and fewer delays or hoops to jump through.

The cyber gang in the story who botched their heist by focusing solely on explicit security factors could have succeeded by recognizing the importance of implicit behavioral markers as well. For stronger cybersecurity, your organization should not underestimate the importance of these markers, either. I believe behavioral biometrics are integral to the future of financial cybersecurity.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?