In this article, Christopher Bailey, CTO of NuData, writes about attempts to defeat behavioural profiling and typing biometrics using extensions for browsers such as Chrome. Mr Bailey gives reasons why these types of browser extensions are rarely detailed enough to circumvent fraud prevention technologies and why people need biometric technology to help protect them from ID theft and fraud.
Passive behavioural biometrics is quickly being adopted by online shopping companies and banks because it is an extremely effective way to protect users from having their accounts stolen, even when their passwords have fallen into the wrong hands. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with stolen information.
The technology works by analysing a wide range of a user’s behaviours to paint a picture of how they behave, e.g. how they navigate, how they type, and even how they hold their device. Even if somebody knows a user’s password, it’s incredibly difficult to behave exactly how they do.
As with all technological advances, there are users who view anonymous passive behavioural analysis as a breach of privacy and seek to mask certain behaviours, for example by masking their typing patterns or device fingerprint using browser plugins or specialized tools such as Keyboard Privacy or FraudFox. In the world of online security, this practice of altering inputs (spoofing) is not uncommon, but it is rarely detailed enough to circumvent fraud prevention technologies.
Fraudulent users have long sought anonymity through fake identities, device fingerprint masking, IP address masking via VPN or proxies, or using anonymity networks such as Tor. Leading fraud prevention vendors recognize this is a fact of life and include the detection of spoofing techniques as part of their product suite.
There is always a fine balance between keeping users safe from fraud (security) and user privacy. It is important to recognize that all companies are bound by strict PII and PCI laws which protect users’ data privacy, and to strengthen that, sophisticated fraud prevention solutions neither require nor have any knowledge of the end user’s real-world identity such as their name or address.