Press Release

Several million people in Poland will test Behavioural Biometrics – interview in Subiektywnieofinansach.pl

This interview was originally posted here (in Polish): https://subiektywnieofinansach.pl/czy-analiza-sposobu-pisania-na-klawiaturze-moze-zastapic-login-i-haslo-do-banku-kilka-milionow-polakow-sprawdzi-dzialanie-biometrii-behawioralnej/

Maciej Bednarek, Subiektywnie o Finansach: What is Behavioural Biometrics?

Mateusz Chrobok, CEO Digital Fingerprints: – We look at the way you act. For us, it’s most important – not what you do, but how you do it. Based on this, we build mathematical models, which represent your behaviour.

In case of someone else trying to use your account, detected behaviour will be different than your modelled one. Thanks to that, we can provide additional security measures in multiple scenarios.

There are a couple of types of Behavioural Biometrics. We focus on the man-to-machine interactions via keyboard, mouse or touchpad. At first, the mathematical model describing user behaviour is like a child, learning new things. In time, the model becomes better at distinguishing whether it is you who uses the account.

How will Behavioural Biometrics work in mBank?

– We are implementing it to protect clients from fraud. There are many instances of attack, and in the future, their number will only increase. Someone logging into a bank over an open Wi-Fi network risks session hijacking. You log into the bank, and someone else does something on your behalf.

If we detect it, and we can do so based on behaviour changes – the way input devices (i.e. keyboard or mouse) are used – we will send a notification to the bank, and it should react accordingly. Bank anti-fraud systems are complex entities, composed of several parts. They can analyse your environment, your device. Behavioural Biometrics can be one of the components mentioned above, but still, it is up to the bank to make a final decision about how to react. The more ingredients, the harder it becomes to attack the client.

At which moment do you begin to gather data about user behaviour?

– The moment you enter the login page of the bank. After logging in, your browser retrieves information on whether you are a client using the Digital Fingerprints service – whether you agreed to behavioural data gathering.

If not, no data will be retrieved by us. If you did, all the data gathered before logging in are sent to us. Thanks to this approach, our solution can work as early as possible. From that point, data transfer is continuous, and we continuously verify whether it’s you in front of your screen.

In case of you stepping away from your PC and someone else stepping in to do a money transfer for a different amount, to a separate account, we are capable of protecting you.

There are a couple of millions of clients in mBank. What if two users behave similarly? What guarantee can you provide that you will detect the difference?

– We performed multiple tests in our laboratory, and now we have a pilot deployment for a select group of mBank clients. The more data we have, the better our solution works.

In case of us having two users behaving in a very similar fashion, we can use different additional features, such as mouse movement trajectory or the speed of how different elements are clicked.

A person changes over time, i.e. by breaking an arm. All this causes changes in the way one uses, for example, the keyboard. What then?

– From my perspective, change is one of the essential values of Behavioural Biometrics. Classic biometrics does not change. If someone gains access to your fingerprints, you may have a problem, since it is impossible to replace them. But your behaviour can be changed.

For sudden changes, our models adjust naturally. The model will be stronger when learning about your variance and forgetting your older characteristics.

And in case of the aforementioned broken arm, there are no ideal systems, but we have foreseen that we will have to learn of a possible mistake. In case of you logging into the banking system with a broken hand, a consultant could call you to verify that this “strange” occurrence is indeed you since our solution has detected it.

If you verify that it was you, then we get the information that our solution was wrong. We do not want to know that something happened to your arm, but we will use this change when readjusting our models, meaning that we adjust to your change.

And what if I switch from PC to a Mac? I will be writing differently, less fluently at the start, and I will make mistakes, search for buttons and shortcuts longer. How does Behavioural Biometrics solve this problem?

– During our testing phase, we swapped our devices. The output of our solution is displayed on a scale from 1 to 1000, 1 meaning a 100% certainty that the user is himself, 1000 meaning that for sure it is not the user. When I was using my computer, the output was fluctuating at a level of 100; when I was using my colleague’s PC – at about 350. This means that even after switching to a different device, our solution still did not see me as someone else. The system was designed to take usage of other devices into consideration.

But let me go back to the learning process – the more we use different devices, the better our solution can learn about it.

Nowadays banks are already gathering much data about us. Now, clients learn that even more will be collected. Should they be afraid?

– When it comes to data gathering, we should always be cautious. We need to be constantly vigilant of how the data will be used. I’m a vast GDPR fan when it comes to defining data processing.

Starting research on this solution we have clearly stated – either data that we will process will be used only for ensuring security and never to be sold to third parties, or we won’t work. (Manifesto)

Besides, the data that we gather is contextless. We do not know what you type or where you send money, and we do not want to know since then we would have sensitive data in our hands.

But even in the unlikely case of someone stealing this data, there is no way for the thief to know what data maps to what user. The bank provides a stream representing the behaviour of a specific user. We retrieve our model for this user and verify that the behaviour matches it. We do not want to know the identity of the user.

But the bank knows who the user is.

– That is true, the bank has the information needed for client identification, and it can assign the outcome to a specific user. It is normal since the bank needs to know who it protects.

But let us assume that the darkest scenario occurs – our data is leaked. What will a potential attacker learn from it? He would have only a part of the data stream that we didn’t yet forget and the mathematical models. The attacker will not know who they belong to. Not to mention change – if you log into the bank once again, after your visit your model will change, which means that the stolen data will no longer be valid.

How much time is needed for a machine to learn my behaviour?

– That depends on the expected quality of a model and how many features are exclusive to you. In the case of people using internet banking, such as accountants, one session may be sufficient. In this study, the most important thing is not time, it’s data. I believe that when it comes to a typical user, for a model to be created all that is needed are 5 to 6 sessions.

Nowadays Behavioural Biometrics can be an additional element improving security when using internet banking. Could it soon replace logins and passwords?

– From the computational perspective, it is still too early for that. When it comes to identifying the user using Behavioural Biometrics, I bet we’ll need to wait at least ten more years. But, if Behavioural Biometrics were used only to verify (we use only login, without password), it could be achieved in a couple of years. It all depends on how fast this technology will develop. I believe that in one year I will be able to show a system that, based solely on how you type in your login, will be able to verify your identity.

Cross-posted: https://www.linkedin.com/pulse/several-million-people-poland-test-behavioural-mateusz-chrobok/


Digital Fingerprints © Copyright 2022