Traditionally, banking websites have relied primarily on passwords and PIN codes to make sure people logging in are really who they claim to be.
But users can be tricked by phishing attacks into entering their bank credentials into fake websites, or they can have their login information stolen by malware eavesdropping on their devices, letting thieves access their accounts and potentially steal funds. According to reports from IBM Security’s X-Force team, almost 20 million financial records were breached last year alone, with each costing financial institutions an average of $215.
To help make it easier for banks to detect unauthorized logins, IBM is introducing what it calls behavioral biometrics to its Trusteer Pinpoint Detect anti-bank-fraud toolkit. The new feature will automatically use machine learning to build statistical models of how individual users move the cursor while using banking sites and flag unusual behavior.
"The system automatically learns normal user behavior," says Brooke Satti Charles, financial crime prevention strategist at IBM Trusteer, a formerly independent security company acquired by the computing giant in 2013. And since there’s no new credential for a user to accidentally reveal, the system should be harder for fraudsters to fool than those based on passwords alone, she says.
"It’s about what the user does, not what the user knows," she says.
When the new feature rolls out later this year, it will work in conjunction with existing Pinpoint Detect features that look for unusual changes in a user’s location, device, or software settings. The software itself won’t ever make the decision to lock a user out of an account, Charles emphasizes, but it will flag any suspicious findings for banks’ own systems to review and use to take action.
The system should be sophisticated enough to learn multiple patterns of normal behavior for accounts with multiple users, like joint bank accounts, she says. Since it looks at overall patterns in how a user moves the cursor, not at what elements of the page they actually click on, it shouldn’t penalize account holders who access new areas of their banks’ sites, she says.
"The really cool, unique part is it’s seamless and non-invasive to an end user, so it supports the online customer experience, basically stopping fraud—not productivity," she says.
It also won’t be possible for fraudsters to simply capture users’ exact mouse movements and replay them, since the system will detect that they’re suspiciously identical, like a forged signature that matches too well. And the data and machine learning models that IBM will build in will be anonymized and won’t be able to be used to extract account credentials or other confidential information, Charles says.
When it first rolls out, the new feature will focus on learning how users move laptop and desktop mice and trackpads, but the company may introduce comparable mobile tools in the future. Pinpoint Detect already offers tools to detect malware and compromised operating systems on mobile devices.