Before the computer age, spies sent some reports by Morse code. Each had his or her own way of sending dots and dashes, which was called their “fist.” Intelligence officers worried if an agent had been caught and replaced by an enemy would record transmissions and analyze the “fist” to figure out if the message was trustworthy.
A Swedish startup called BehavioSec is doing something similar with an app being tested by Nordic banks for secure logins over mobile devices. It tracks their pressure and speed when typing a PIN code to determine if the sender is the person who is associated with an account.
According to a report on Forbes.com, the company says that by the end of the year every Internet bank user in Sweden, Norway and Denmark will use its technology to doubly verify users by their typing behavior and PIN number.
It’s another way security vendors are trying to come up with new technologies to fight hackers who never tire of finding ways to steal passwords.
Unlike tokens (passwords or smartcards) which can be stolen, behaviour is individualistic, says the company. Its approach can measure typing or swiping of numbers or letters. BehavioSec says its technology not only can be used on mobile devices, it can also be used on Web sites to combat fraud.
It is developing three products: BehavioAion, wbich monitors keystroke and mouse behaviour in real time after login; BehavioWeb, for consumer verification; and BehavioMobile, for mobile devices.
According to the Forbes report, the company says it reached 99.7 per cent session accuracy when it trialled its technology in conjunction with a pin number for Danske Bank.
On the other hand, the technology isn’t fast: BehavioSec’s algorithms can detect a false user in between 20 to 60 seconds of them picking up a smartphone, the company says. It is working to bring the time down.
Will this be the solution that defeats cyber-crime. Not alone. For one thing, I wonder how the algorithms cope with people like me, who with a backhand occasionally send a mouse flying when the cursor gets in the way of my typing. Or when I smack the keyboard in frustration when a browser freezes.
I suspect a layered approach will always be needed in the near future: a fingerprint swipe plus behavior-based analytics, for example. But if proven the technology will be an option for IT security pros.