This interview has been posted initially here ([PL]https://subiektywnieofinansach.pl/czy-analiza-sposobu-pisania-na-klawiaturze-moze-zastapic-login-i-haslo-do-banku-kilka-milionow-polakow-sprawdzi-dzialanie-biometrii-behawioralnej/)
Maciej Bednarek, Subiektywnie o Finansach: What is Behavioural Biometrics?
Mateusz Chrobok, CEO Digital Fingerprints: – We look at the way you act. For us, it’s most important – not what you do, but how you do it. Based on this, we build mathematical models, which represent your behaviour.
In case of someone else trying to use your account, detected behaviour will be different than your modelled one. Thanks to that, we can provide additional security measures in multiple scenarios.
There are a couple of types of Behavioural Biometrics. We focus on the man-to-machine interactions via keyboard, mouse or touchpad. At first, the mathematical model describing user behaviour is like a child, learning new things. In time, the model becomes better at distinguishing whether it is you who uses the account.
How will Behavioural Biometrics work in mBank?
–We are implementing it to protect clients from frauds. There are many instances of attack, and in future, it will only increase. Someone is logging into a bank, using an open wi-fi network, is risking session hijacking. You log into the bank, and someone else will do something on your behalf.
If we detect it, and we can do so based on behaviour changes – the way input devices (i. e. keyboard or mouse) are used – we will send a notification to the bank, and it should react accordingly. Bank anti-fraud systems are complex entities, composed of several parts. They can analyse your environment, your device. Behavioural Biometrics can be one of the components mentioned above, but still, it is up to a bank to make a final decision about how to react. The more ingredients, the harder it becomes to attack the client.
At which moment do you begin to gather data about user behaviour?
-The moment you enter the login page of the bank. After logging in, your browser retrieves information whether you are a client using the Digital Fingerprints service – whether you agreed for behavioural data gathering.
If not, no data will be retrieved by us. If you did, all the data gathered before logging in are sent to us. Thanks to this approach, our solution can work as early as possible. From that point, data transfer is continuous, and we continuously verify whether it’s you in front of your screen.
In case of you stepping away from your PC and someone else stepping in to do a money transfer for a different amount, to a separate account, we are capable of protecting you.
There are a couple of millions of clients in mBank. What if two users behave similarly? What guarantee can you provide that you will detect the difference?
-We performed multiple tests in our laboratory, and now we have a pilot deployment for a select group of mBank clients. The more data we have, the better our solution works.
In case of us having two users behaving in a very similar fashion, we can use different additional features, such as mouse movement trajectory or the speed of how different elements are clicked.
A person changes in time, i. e. by breaking an arm. All this causes changes in the way uses, for example, the keyboard. What then?
–From my perspective, change is one of the essential values of Behavioural Biometrics. Classic biometrics does not change. If someone gains access to your fingerprints, you may have a problem, since it is impossible to replace them. But your behaviour can be changed.
For sudden changes, our models adjust naturally. The model will be stronger when learning about your variance and forgetting your older characteristics.
And in case of the aforementioned broken arm, there are no ideal systems, but we have foreseen that we will have to learn of a possible mistake. In case of you logging into the banking system with a broken hand, a consultant could call you to verify that this “strange” occurrence is indeed you since our solution has detected it.
If you verify that it was you, then we get the information that our solution was wrong. We do not want to know that something happened to your arm, but we will use this change when readjusting our models, meaning that we adjust to your change.
And what if I switch from PC to a Mac? I will be writing differently, less fluently at the start, and I will make mistakes, search for buttons and shortcuts longer. How does Behavioural Biometrics solve this problem?
–During our testing phase, we swapped our devices. The output of our solution is displayed on a scale from 1 to 1000, 1 meaning a 100% certainty that the user is himself, 1000 meaning that for sure it is not the user. When I was using my computer, the output was fluctuating at a level of 100, when I was using my colleagues PC – at about 350. This means that even after switching to a different device, our solution still did not see me as someone else. The system was designed to take usage of other devices into consideration.
But let me go back to the learning process – the more we use different devices, the better our solution can learn about it.
Nowadays banks are already gathering much data about us. Now, clients learn that even more will be collected. Should they be afraid?
–When it comes to data gathering, we should always be cautious. We need to be constantly vigilant of how the data will be used. I’m a vast GDPR fan when it comes to defining data processing.
Starting research on this solution we have clearly stated – either data that we will process will be used only for ensuring security and never to be sold to third parties, or we won’t work. (Manifesto)
Besides the data that we gather is contextless. We do not know what you type or where you send money, and we do not want to know since then we would have sensitive data in our hands.
But even in the unlikely case of someone stealing this data, there is no way for the thief to know what data maps to what user. Bank provides a stream representing the behaviour of a specific user. We retrieve our model for this user and verify that the behaviour matches with it. We do not want to know the identity of the user.
But the bank knows who the user is.
–That is true, the bank has the information needed for client identification, and it can assign the outcome to a specific user. It is normal since the bank needs to know who it protects.
But let us assume that the darkest scenario occurs – our data is leaked. What will a potential attacker learn from them? He would have only a part of the data stream that we didn’t yet forget and the mathematical models. The attacker will not know who do they belong to. Not to mention change – if you log into the bank once again, after your visit your model will change, which means that the stolen data will no longer be valid.
How much time is needed for a machine to learn my behaviour?
–That depends on the expected quality of a model and how many features are exclusive to you. In the case of people using internet banking, such as accountants, one session may be sufficient. In this study, the most important thing is not time, its data. I believe that when it comes to a typical user, for a model to be created all that is needed are 5 to 6 sessions.
Nowadays Behavioural Biometrics can be an additional element improving security when using internet banking. Could it soon replace logins and passwords?
–From the computational perspective, it is still too early for that. When it comes to identifying the user using Behavioural Biometrics, I bet we’ll need to wait at least ten more years. But, if Behavioural Biometrics would be used only to verify (we use only login, without password), it could be achieved in a couple of years. It all depends on how fast this technology will develop. I believe that in one year I will be able to show a system that, basing solely on how you type in your login, will be able to verify your identity.
Digital Fingerprints S.A. ul. Żeliwna 38, 40-599 Katowice. KRS: 0000543443, Sąd Rejonowy Katowice-Wschód, VIII Wydział Gospodarczy, Kapitał zakładowy: 128 828,76 zł – opłacony w całości, NIP: 525-260-93-29
Biuro Informacji Kredytowej S.A., ul. Zygmunta Modzelewskiego 77a, 02-679 Warszawa. Numer KRS: 0000110015, Sąd Rejonowy m.st. Warszawy, XIII Wydział Gospodarczy, kapitał zakładowy 15.550.000 zł opłacony w całości, NIP: 951-177-86-33, REGON: 012845863.
Biuro Informacji Gospodarczej InfoMonitor S.A., ul. Zygmunta Modzelewskiego 77a, 02-679 Warszawa. Numer KRS: 0000201192, Sąd Rejonowy m.st. Warszawy, XIII Wydział Gospodarczy, kapitał zakładowy 7.105.000 zł opłacony w całości, NIP: 526-274-43-07, REGON: 015625240.