Analysing 'digital handwriting' to secure mobile banking
The rise of mobile banking has made all of us more accustomed to sending money and making purchases on the move - but when our phones are only secured with four-digit PIN codes, how safe is our money? One Swedish security start-up thinks it has the solution to smartphone security: by studying our 'handwriting' when we use our phones, they can tell if we're really who we say we are.
"The rhythm of how you type, how hard you hit the keys, how fast you move from one key to the next, that's what we look at," says Dr Neil Costigan, a cryptographer, serial entrepreneur and CEO of Behaviosec, who have developed the technology and are currently rolling it out across banks in Scandinavia. "There's consistency and pattern there that can tell us that you're you."
Behaviosec's algorithms are the digital equivalent of something like gait analysis. Our handwriting (which can even include how we hold the phone; tilt and orientation measured by on-board accelerometers) is complex, nuanced and instinctive. We don't really think about how fast we're typing or where we hit the keys but a whole range of factors (everything from our confidence with technology to the length of our fingers) influences this, adding a layer of identification that can't be stolen or forgotten.
Dr Costigan explains that the technology has been shown to be more than 99.7 per cent accurate in trials with Danish financer Danske Bank and that it has been so well received in Scandinavia that by the end of this year every mobile banking user in Denmark, Norway and Sweden will be signed up - and Western companies are getting interested too.
The technology has already received substantial funding from US military agency DARPA (otherwise known as the Defense Advanced Research Projects Agency) which has been responsible for funding everything from self-driving cars to the internet itself. Silicon Valley companies are also interested - although Dr Costigan says that he can't disclose the names of any potential investors, beyond the fact that they're "big guys" in the industry.
For these companies the technology's potential goes way beyond just PIN codes. The military, for example, might want to know if someone's tablet or smartphone has been picked up by the wrong guy and Behaviosec's algorithms can tell them that, figuring out from how someone taps and browses material whether they're a recognized user in 20 to 60 seconds. The same methodology could be used to secure devices around the home - if a child picks up a tablet, the system could spot this and lock down, say, web access, or emails.
The technology certainly has some limitations (it's not great at working with long, complex passwords for example; people tend to write those down and copy them out laboriously) but Dr Costigan says that its main benefit is convenience. It takes away the burden of security from the user, running in the background to learn their behaviour, updating this data to make sure that even if someone's typing speed changes, they don't get locked out.
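The check described above, as an added example that is not from the article and is not Behaviosec's algorithm: a PIN entry is scored on key hold time, key-to-key time and pressure against a learned profile, and accepted entries update that profile so gradual changes in typing speed are tolerated. The scoring method (scaled Manhattan distance), the update rule, the constants and all timing and pressure values are assumptions constructed for illustration.

```python
from statistics import mean
ALPHA = 0.3      # assumed weight of each accepted entry in the profile update
THRESHOLD = 2.0  # assumed cutoff on the mean scaled deviation

def features(events):
    """events: one (key_down_ms, key_up_ms, pressure) tuple per key press."""
    dwell = [up - down for down, up, _ in events]               # how long each key is held
    flight = [b[0] - a[1] for a, b in zip(events, events[1:])]  # gap before the next key
    return dwell + flight + [p for _, _, p in events]           # plus how hard each key is hit

def enroll(samples):
    cols = list(zip(*(features(s) for s in samples)))
    mu = [mean(c) for c in cols]
    mad = [mean(abs(x - m) for x in c) for c, m in zip(cols, mu)]
    return {"mu": mu, "mad": mad}

def score(profile, events):
    # Scaled Manhattan distance; the 2% floor stops a very steady feature from dominating.
    return mean(abs(x - m) / max(d, 0.02 * abs(m))
                for x, m, d in zip(features(events), profile["mu"], profile["mad"]))

def verify_and_adapt(profile, events):
    s = score(profile, events)
    if s > THRESHOLD:
        return False, s                  # rejected entries never touch the profile
    x = features(events)
    profile["mad"] = [(1 - ALPHA) * d + ALPHA * abs(v - m)
                      for v, m, d in zip(x, profile["mu"], profile["mad"])]
    profile["mu"] = [(1 - ALPHA) * m + ALPHA * v for v, m in zip(x, profile["mu"])]
    return True, s

# Constructed sample data: three enrolment entries of one four-digit PIN, then two attempts.
ENROLMENT = [
    [(0, 90, 0.50), (210, 305, 0.55), (430, 515, 0.52), (640, 735, 0.50)],
    [(0, 100, 0.54), (230, 320, 0.50), (440, 530, 0.56), (660, 750, 0.52)],
    [(0, 95, 0.52), (215, 315, 0.53), (445, 525, 0.50), (645, 745, 0.54)],
]
OWNER = [(0, 93, 0.53), (215, 308, 0.52), (432, 520, 0.54), (642, 738, 0.51)]
OTHER = [(0, 140, 0.80), (320, 450, 0.75), (640, 790, 0.85), (980, 1110, 0.78)]

def drifted(events, f):  # the same entry typed uniformly faster when f < 1
    return [(d * f, u * f, p) for d, u, p in events]

if __name__ == "__main__":
    profile = enroll(ENROLMENT)
    print("other user:", verify_and_adapt(profile, OTHER))
    for f in (1.0, 0.97, 0.94, 0.91, 0.88, 0.85):
        print(f, verify_and_adapt(profile, drifted(OWNER, f)))
    print("static profile, f=0.85:", score(enroll(ENROLMENT), drifted(OWNER, 0.85)))
```

Because every accepted entry shifts the profile, the update rate is itself a security parameter: it bounds how quickly anyone who is accepted can pull the profile toward different behaviour.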
"To be honest I think there's a little bit too much said about how broken passwords are," says Dr Costigan. "I just think that at the moment the alternatives are just too inconvenient for the consumer. What we're doing is making the password stronger by looking at you."