It seems like there’s news of a new massive data breach daily. Many consumers are on edge, wondering whether their Social Security number, birth date and address are a part of the attack. Conventional security tools are lacking and identity theft is rising, so companies must act sooner rather than later. Could behavioral biometrics be the solution they need?
The Role of Behavioral Biometrics in Identity Verification
Behavioral biometrics falls under the “something you are” authentication factor. It applies physical and digital actions to statistical models or analytics software to distinguish between genuine account holders and fraudsters. It is a type of passive verification that runs in the background as an individual interacts with their device.
Examples of behavioral biometrics include mouse movement, keystroke and scroll speed. On mobile, it tracks device orientation, swiping pattern and touch pressure. Someone’s eye movement, signature style, reading speed and gestures can also contribute to their profile.
Despite how complex tracking behavior may seem, this type of biometrics is highly accurate. In one study on identity verification via mobile devices, this tool achieved a 96.47% true acceptance rate and a 0.1% false acceptance rate. Despite only evaluating touch screen and sensor data, its error rate was minimal.
Even if a fraudster has legitimate credentials or knowledge, this tool exposes them for who they really are. Unlike personally identifiable information (PII) — which includes birth dates, names and addresses — behaviors cannot be reliably mimicked.
Why People Need Behavioral Biometrics for Protection
Behavioral biometrics gives people a way to detect and prevent identity theft. They need it because many conventional detection systems become virtually worthless when an attacker has legitimate credentials. As long as someone logs into their account with the correct password and knows the answer to the security question, those tools don’t raise the alarm.
Bad actors don’t typically steal a person’s identity and immediately take out loans or open new credit cards. Instead, they test the waters by logging in a few times to ensure everything works and they’ve gone unnoticed.
That said, thanks to modern technology, it doesn’t take a sophisticated cybercriminal to get away with identity theft. Cracking basic security to steal legitimate credentials has become easier than ever. For instance, using artificial intelligence, a hacker only needs one second to bypass an eight-character password.
Lately, identity theft frequency has been rising. Experts estimate there is a new victim every 22 seconds, meaning 33% of adults in the United States will have their identity stolen within their lifetime. Behavioral biometrics may be the only way to address this issue.
Why Standard Biometrics Aren’t Good Enough Anymore
Authentication factors cover something a person has, knows or is. For a while, the latter was considered the best type of security because it couldn’t be stolen. Just a few years ago, iris and fingerprint scans were considered the best identity verification measures.
As this technology evolved, face and speech identification became standard. However, with the emergence of AI-powered deepfakes, any hacker with access to a generative model can steal a person’s voice and look. Behavior is the only thing this tool can’t consistently replicate on a large scale.
Moreover, unlike other biometrics that require a camera, second device or optical scanner to function, behavior biometrics doesn’t need any special tool. It functions regardless of device because companies can tweak their process to align with whatever hardware is available.
How This Biometric Protects Against Identity Theft
Behavioral biometrics can protect people against identity theft in several ways.
- Identify Fraudulent Accounts
Determining whether new accounts are fraudulent is challenging since there’s no history. However, companies that track behavior could use the individual’s setup actions to verify their identity immediately, protecting existing customers.
- Develop Personal Risk Profiles
Behavioral biometrics lets businesses develop risk profiles for customers. What they do online tells a lot about how prone they are to identity theft. For example, reusing passwords or visiting sites that don’t use HTTPS can compromise their PII.
Decision-makers can use these details to determine their risk level. In response, the information technology (IT) team can develop personalized recommendations or require at-risk users to adopt additional security tools.
- Expose Account Takeovers
Account takeover is difficult to track with traditional security measures because the access is legitimate. However, the attacker’s behavior is often starkly different from the typical habits of the legitimate account holder. The IT team can use this data to freeze and restore the profile.
- Uncover Synthetic Identities
This tool lets businesses intervene in real time, enabling them to protect against synthetic identity theft. Detecting them becomes difficult when criminals use a combination of real and fake PII. Any activity on their end legitimizes their account, making tracing challenging.
Equifax — one of the big three credit bureaus — reports one out of every three supposed false positives it detects is a synthetic identity. With behavioral biometrics, they could quickly identify subtle discrepancies and close fraudulent accounts.
- Unmask Cybercriminals
IT teams can track every account’s behavior — not just potential victims. This way, they can expose the fraudsters, money mules and hackers who use their platform to steal, sell, transfer and use PII for identity theft long before they target victims.
Balancing the Benefits and Drawbacks of Integration
Behavioral biometrics passivity is convenient but lacks privacy. Will business leaders sell that data to third parties? How long will they store it? Is at-rest encryption an option or will it take up too much storage space? Navigating regulations and alleviating consumers’ fears should be a priority for any company seeking to implement this tool.
Security is another potential issue. As much as this wealth of data helps the IT team, it could also help cybercriminals if it falls into the wrong hands. Companies must secure these datasets to ensure detailed sensor, behavioral, location and activity information isn’t fed to a malicious botnet or algorithm.
About the Author
Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.
