Passwords are incredibly insecure, so websites and apps are quietly tracking your mouse movements and smartphone swipes without you knowing to make sure it’s really you

Image caption: Passwords and other more traditional security measures are actually not that secure, so companies have been using “behavioral biometrics,” and you probably don’t even know it. (Source: Thomson Reuters)

  • Passwords, PIN numbers, and fingerprints play a relatively small and insecure role in keeping your online accounts and data safe.
  • Companies use security measures called behavioral biometrics that you likely don’t know about, like tracking your mouse movements and the typical behavior in your accounts, measuring the angle you typically use your device, and measuring how fast you swipe around an app.
  • Behavioral biometrics are more secure and convenient than more typical security measures.

Once you enter your password to access your accounts, you might imagine the website dusting off its hands in satisfaction that its verification process is complete and that, yes, it now knows it was you who just logged in and not an imposter.

But it doesn’t stop there – websites and the companies behind them often monitor your behavior as a security measure, too.

“We look into behavioral biometrics,” Etay Maor, a security advisor at IBM Security, told Business Insider. “We’ve been doing this for years … most of the industries I talk to look into these things.”

Behavioral biometrics are similar to regular biometrics, like fingerprints. But instead of recognizing a fingerprint, your actions and behavior within a website or app where you have an account with sensitive information are monitored to authenticate you.

You’ve probably encountered some examples of behavioral biometrics. For example, if you’ve ever seen an alert that says “You’re logging in from a device you don’t usually use,” where a website recognizes that you’re logging in from a new device.

There are also location-based security alerts, where your account is being accessed from a location that you don’t typically frequent. Someone recently tried to access one of my accounts from Kuala Lumpur, but I was in bed in Connecticut when this attempt happened. I got an alert, and took the appropriate actions to better secure that account.

But there are other forms of behavioral biometrics that occur while you’re using an app or when you’re in your online accounts, and you likely have no idea it’s happening.

The way you move your mouse once you log in, how fast you swipe around an app, what you typically do within an app or website, and even the angle at which you hold your phone are being monitored, and they’re examples of behavioral biometrics.

Even when you’re not using your devices, behavioral biometrics are in play. In fact, not using your devices is a biometric in itself. If your bank account is hacked while you’re asleep and fraudulent transactions are being made, for example, banks can tell that the devices you usually use are offline. Your phone might be lying still and flat (because it’s on your bedside table) and your laptop is in sleep mode. From that information, and considering the activity going on, a bank might suspect that something is awry, and it can push out an alert of suspicious activity.
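As an added illustration (not code from the article, IBM, or any bank), here is a toy risk scorer that combines the signals described above: a new device, an unusual location, a mouse-speed profile that departs from the user's baseline, and the "usual devices idle while a transaction happens" heuristic. All names, thresholds, and sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Set, Tuple

@dataclass
class Baseline:
    """Per-user profile learned from past sessions (constructed values)."""
    mouse_speeds: List[float]   # average cursor speed (px/s) per past session
    known_devices: Set[str]
    usual_cities: Set[str]

@dataclass
class Session:
    """Signals observed during the current session (constructed values)."""
    device_id: str
    city: str
    mouse_speeds: List[float]   # cursor speed samples in this session
    phone_moving: bool          # accelerometer shows the phone is being handled
    laptop_awake: bool          # laptop is not in sleep mode
    transaction: bool           # a money movement is being attempted

def zscore(sample: float, history: List[float]) -> float:
    """How many standard deviations the sample sits from the user's history."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return 0.0 if sample == mu else float("inf")
    return abs(sample - mu) / sd

def risk_score(s: Session, b: Baseline) -> Tuple[int, List[str]]:
    """Additive risk score plus the reasons that contributed to it."""
    score, reasons = 0, []
    if s.device_id not in b.known_devices:
        score += 2; reasons.append("new device")
    if s.city not in b.usual_cities:
        score += 2; reasons.append("unusual location")
    if s.mouse_speeds and zscore(mean(s.mouse_speeds), b.mouse_speeds) > 2.0:
        score += 3; reasons.append("mouse movement unlike baseline")
    # The idle-device heuristic: money moving while the user's phone lies
    # still and the laptop sleeps is exactly the pattern a bank flags.
    if s.transaction and not s.phone_moving and not s.laptop_awake:
        score += 3; reasons.append("transaction while usual devices idle")
    return score, reasons

def decision(score: int) -> str:
    """Assumed policy: low risk passes silently, medium asks for a second
    factor, high risk is held for review."""
    return "allow" if score < 3 else ("step-up" if score < 6 else "block")
```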

Indeed, your behavior is unique to you, like a fingerprint. And it’s more secure than passwords, PINs, and even your actual fingerprint, according to Maor.

“Passwords are not secure today because there are so many ways for hackers to guess and generate passwords. We’re in a weird stage where passwords are becoming harder for a human to remember and yet still extremely easy for a machine or algorithm to guess,” Maor said.

Image caption: Microsoft will make it an option to use passwords and encourage users to use PIN numbers instead, which the company argues are more secure. (Source: Microsoft)

That’s why Microsoft is ditching the common password and is encouraging users to log into Windows 10 using PINs and its Windows Hello facial recognition, where that data is stored in your devices. The company argues that on-device storage for security data is more secure than passwords stored in a company’s servers.

Still, even PINs and standard biometrics aren’t the ultimate in security. “If it’s something that a human knows or remembers, an attacker can extract that,” Maor said, whether it’s by hacking or social engineering, where an attacker can convince you to give them your password by, say, pretending to be tech support for a website.

Even regular biometrics like fingerprints and irises can be socially engineered out of you. At the end of the day, passwords, PINs, and standard biometrics won’t stop a “determined attack.”

With behavioral biometrics, your typical behavior isn’t something that can be easily replicated. “An attacker can’t extract your mouse movement, or your behavior from you. Maybe to a certain extent, but that’s a totally different level of attack,” Maor said.

It seems spooky, and it raises privacy concerns. And Maor recognizes that. “It sounds a bit Orwellian because it sounds like you’re being followed all the time. But yeah, as soon as you go into the website, we try to protect you by making sure it really is you without you knowing that we’re doing this.”

Behavioral biometrics also have a practical use, as they’re simply less annoying than traditional authentication methods, like remembering passwords or multi-factor authentication. Behavioral biometrics that take place under the radar offer a better experience while also keeping you more secure. Maor argues that if a company makes it too difficult or time-consuming to get into your account while authenticating you, you’ll go to another company or service.

Passwords, PINs, and fingerprints are still necessary first lines of defence, but they’re only used to identify you. The real security that’s used to authenticate you happens in the background, without you even knowing.