Phone surveillance
Behavioural biometrics adds an extra layer of security at the client sideiStock/MarcoPiunti

Security isn't an add-on; in today's world security precludes business. Neil Costigan is the CEO of BehavioSec, a behavioural biometrics company using continuous machine learning to authenticate users based on the way they type, swipe, and hold their devices.

To illustrate the imperative call for security and the ingenuity of attackers, Costigan recounted a cautionary tale about a trading platform in Asia which sacrificed security at the client side to make way for user convenience. Creators felt that if they made it impossible to withdraw money from the app, instead requiring a manual step such as going into a physical branch where KYC and identity verification would be guaranteed, user data would never be compromised.

However, fraudsters exploited the weak security and commandeered a number of accounts to make lots of small trades, eventually managing to manipulate the market by building consumer accounts that could then trade with the stolen profiles, - including hedges and quick buys - before enjoying the cash out.

It's especially interesting to Costigan; the ingenuity of this attack vector meant it went unspotted, but it would have been picked up by BehavioSec technology, which has been out in the market and battle tested for the last couple of years by some 15 million users.

He told IBTimes: "Really what we are doing is monitoring passively how someone uses their device - the rhythm of how they type, how hard they hit the keys how quick they move from one key to the next, how they swipe, how much pressure they put on the screen and how they hold the phone. We build up a biometric behaviour pattern of the person's rhythm and deft of touch on their device or browser. So we have this transparent security layer that fits in the architecture. It enables a move away from a reliance on asking consumers once for 'something they know' at the door, towards a continuous process of non-invasive, frictionless verification."

Costigan explained that a device like a smart phone can have a quite a rich mix of sensors, so that when the app is running it can query the accelerometer (an instrument for measuring the acceleration of a moving or vibrating body), the giroscope and the screen positioning and the key events and so on. The smart part is the ability to merge them all together and use machine learning on the resulting data set.

Costigan said: "We merge lots of things. For example, the accelerometer on its own is not good enough uniquely, but if you merge it on top of a key stroke rhythm it adds an extra quality, and extra value. Pressure is very good if it's available on the phone screen - not all devices have pressure - but that really increases the quality."

BehavioSec recently released a report looking into digital behaviour. It looked at the rather casual way people use their digital identity, especially in the case of things like social media. Banks are naïve if they think the average person is some sort of risk-averse smart user.

"There are cases where people don't see a big issue of sharing passwords. I have friends who say – 'yeah my kids use my Facebook account because I didn't want them to have their own'. This means they know your password and they can watch and see and write and you don't have any control over where that is going. And, by the way, do you use that password for anything else, and it turns out it is their password for work, or email. They don't see the knock on effect of something trivial that can go further."

Costigan said enterprises need to take on the responsibility of safeguarding data, rather than putting the burden on users. "You are given this complex thing to remember by, say, your office or something. We all know people just write it down. There's no way they have remembered it and swallowed that piece of paper like some spy movie. They put it on notes and stick them on the screen. By making the password complex you actually make the problem worse.

"A password is only as secure as a user's desire or ability to safeguard it. Today we prioritise convenience – meaning laborious tasks such as multiple authentication processes are often side-stepped."

He said phone fraud is typically done via the "shoulder surf", where someone watches you type in your PIN for a banking app or how you log onto your phone. "It's very easy to spot from a distance. Our technology embedded in something like a payment app or a mobile app means an attacker won't be able to replicate how hard you hit the keys when you input the numbers, or how quick you move across the screen."

Costigan pointed out there are other use cases when people do not value an asset enough to really care about security; an example would be somebody sharing access to a paywall. "A lot of people don't see what's wrong with sharing credentials. I maybe have an account with FT or whatever and I want you to read this article - here is my username and password.

"They will gladly share that, not seeing the impact or what's wrong with it. Our technology you can spot different people on accounts so I think there's applications for our technology way beyond the initial authentication, verification for banking and payments."