Banks Can Now Identify You By How You Type

What’s a bank to do if it wants to verify the thousands of customers using its mobile app? One way is their behaviour — or at least their typing behaviour.

Banks in Europe’s Nordic region have begun rolling out a new kind of security technology for their mobile apps that tracks the pressure and speed of how customers type a pin number into their smartphones.

This way even if a friend knows someone's pin, they wouldn't be able to get in thanks to all the automatic nuances in the way people type, such as rhythm and pressure on the keys.

"We're monitoring the small stuff," says Neil Costigan, founder of Behaviosec, the Swedish security startup behind the recent roll-out.

"The flight between the keys, which corners of the keys you tend to hit, where you pause. Do you circle in on a button or do you go straight to it and hit it?"

Nordic banks including Danske Bank have trialled Behaviosec's tracking technology and found it worked so well that by the end of the year, every Internet bank user in Sweden, Norway and Denmark will be doubly verified by their typing behaviour, not just their pin number, Costigan claims.

He can't name his banking clients due to contractual obligations but claims millions of people will be tracked by the technology.

The startup claims a high success rate on verification: it reached 99.7% session accuracy when it trialled its behaviour-tracking technology in conjunction with a pin number for Danske Bank. Now it says it's seeing interest from U.S. payments providers and smartphone manufacturers themselves.

If the technology takes off, it could add a whole new layer of security for apps and phones that would be much harder for fraudsters to rip off.

Hackers can put millions of user accounts at risk by raiding a database of passwords, but it’s far harder to spoof someone's typing behaviour remotely, especially on smart phones.

The goal according to Costigan, who founded Behaviosec in 2011 as a spin-off from the Lulea University of Technology in Sweden, is to build the technology into smartphones so that the entire device becomes contextually aware of who's using them, just by tracking keystroke styles.

In trials right now, Behaviosec's algorithms can detect a false user in between 20 to 60 seconds of them picking up a smartphone, says Costigan. Behaviosec's latest research takes into account how people hold and move their phone — based on data from a device’s gyroscope and accelerometer — to authenticate users even more quickly.

In its current form, the technology works by first watching how someone types or swipes through a pin code on, say, a mobile banking app. After a while it builds a model of that person’s behaviour which it then uses to weigh up against new users.

"It's constantly learning," says Costigan. "The behaviour is always watched and your profile is constantly updated… The way you would normally do this in the past was a statistical analysis and you would map and make up models of people."

Though Costigan talks about developing "profiles," he says it’ll be years before computers have the somewhat worrying power to identify you out of thousands of others, based on how you type.

Forbes.