Biometrics Are Not Broken

Keystroke spoofers won’t have an effect on a solution with robust user behavior analytics.

by Ryan Wilk

Passive behavioral biometrics is quickly gaining adoption from online shopping companies and banks because it is an extremely effective way to protect users from having their accounts stolen, even when their passwords have fallen into the wrong hands. How? By understanding how a legitimate user truly behaves in contrast to a potential fraudster with stolen information.

The technology works by analyzing a wide range of user behavior to assemble a picture of how each user behaves. This includes how they type, how they navigate a website, even how they hold their device. Humans are creatures of habit, and it doesn't take long to build a model of behavior, one we continue to build on every time the user returns to the website. That model also acts as a check against anyone who tries to access a user account unlawfully. Even if somebody knows a user's password, it is incredibly difficult to behave exactly as the real user does, which makes a successful attempt nearly impossible.

As with all technological advances, there are users who view anonymous passive behavioral analysis as a breach of privacy and seek to mask certain behaviors, for example by masking their typing patterns or device fingerprint with browser plugins or specialized tools such as Keyboard Privacy or FraudFox. In the world of online security, this practice of altering inputs (spoofing) is not uncommon, but it is rarely thorough enough to circumvent fraud prevention technologies.

Fraudulent users have long sought anonymity through fake identities, device fingerprint masking, IP address masking via VPN or proxies, or using anonymity networks such as Tor. Leading fraud prevention vendors recognize this is a fact of life and include the detection of spoofing techniques as part of their product suite.
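The profile-and-check idea described above, as an added example that is not NuData's or NuDetect's code: a keystroke-rhythm profile built from a few enrollment sessions, a tempo-tolerant match score, and a check for the signature that random-delay timing spoofers leave behind. All timings are constructed sample values, and the thresholds and the sigma floor are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data: flight times (ms between successive key-downs) for one fixed
# phrase, recorded over three enrollment sessions of the legitimate user.
ENROLL_SESSIONS = [
    [120, 95, 210, 80, 130, 300, 90, 115],
    [125, 100, 205, 85, 128, 290, 95, 110],
    [118, 92, 215, 78, 135, 310, 88, 120],
]
SIGMA_FLOOR = 0.05  # assumed floor so a near-constant pair cannot dominate the score

def normalize(timings):
    """Each interval as a fraction of the session's mean interval: a user who types the
    whole phrase faster or slower on a given day keeps the same rhythm shape."""
    m = mean(timings)
    return [t / m for t in timings]

def build_profile(sessions):
    """Per-interval (mean, sigma) of normalized timings across enrollment sessions."""
    cols = zip(*(normalize(s) for s in sessions))
    return [(mean(c), max(pstdev(c), SIGMA_FLOOR)) for c in cols]

def rhythm_distance(profile, timings):
    """Mean |z| of a session's normalized intervals against the profile (lower = closer)."""
    return mean(abs(t - mu) / sd for t, (mu, sd) in zip(normalize(timings), profile))

def ranks(values):
    order = sorted(range(len(values)), key=lambda i: values[i])
    r = [0] * len(values)
    for pos, i in enumerate(order):
        r[i] = pos
    return r

def rhythm_shape(profile, timings):
    """Spearman rank correlation between the profile's interval means and the session.
    A real user keeps slow key pairs slow and fast ones fast; a spoofer that overwrites
    timings with random delays destroys that ordering, so the correlation collapses."""
    n = len(timings)
    d2 = sum((a - b) ** 2 for a, b in zip(ranks([mu for mu, _ in profile]), ranks(timings)))
    return 1 - 6 * d2 / (n * (n * n - 1))

def classify(profile, timings, max_dist=2.0, min_shape=0.6):
    """Thresholds are assumptions for the sample data. A session that fails and also has
    no rhythm structure at all is flagged as likely timing spoofing rather than as a
    different human, so it can be routed to a device-based check instead of a lockout."""
    dist, shape = rhythm_distance(profile, timings), rhythm_shape(profile, timings)
    verdict = "match" if dist <= max_dist and shape >= min_shape else "mismatch"
    return {"distance": round(dist, 2), "shape": round(shape, 3),
            "verdict": verdict, "timing_spoof_suspected": shape < 0.3}
```

Because the score works on normalized intervals, a session typed 30% slower than enrollment still matches, while a session whose intervals were replaced by jittered delays fails both the distance and the shape check.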

There is always a fine balance between keeping users safe from fraud (security) and user privacy. It is important to recognize that all companies are bound by strict PII and PCI rules that protect users' data privacy, and to strengthen that, sophisticated fraud prevention solutions neither require nor hold any knowledge of the end user's real-world identity, such as their name or address.

Biometric input is only one layer of our NuDetect authentication product, and it works in tandem with traditional fraud detection tools. We address individuals who use behavior-obscuring tools the same way we address spoofers who rely on IP-changing tricks: with a holistic approach that combines both behavior and device information, reaching 99% certainty.