Swipes, Taps and Cursor Movements Can Foil Cyberthieves

Swipes, taps, cursor movements and other ways of interacting with electronic devices can be used to protect online merchants from Net fraudsters.

Many people are familiar with biometric authenticators like irises, fingerprints and voices, but it turns out that how we behave with our machines can be a means of authenticating our identities, too.

“We’re able to profile users based on their interaction on the Web,” said Natia Golan, product manager at BioCatch.

If you’re browsing an e-commerce website, for example, BioCatch can create a profile based on your behavior at the site, and compare it to behavior during subsequent visits.

Then, anyone who appears on the site claiming to be you, but behaving in a way that doesn’t jibe with your profile, can be flagged as a fraud risk.

Blocking Fraudsters

BioCatch’s behavioral profiles catalog more than 500 parameters — things like mouse movement, typing speed, special keys used while typing, and cursor movement.

“Just the way you move your cursor with a mouse has over 200 parameters,” Golan told TechNewsWorld.

The scheme also collects data on interactions with mobile devices. How you swipe, how hard you tap, and the orientation of your device are all data points for a behavioral biometric profile.

In addition to tracking behavior of existing users, BioCatch stores information it can draw on to identify information thieves trying to open new accounts.

“In that case, we’re profiling the fraudulent population,” Golan explained. “We’re able to say if a behavior is criminal behavior or not, because fraudsters behave differently than genuine users.”

For example, cybercriminals may enter credit card information slower than a genuine user would but display expert behaviors, such as using uncommon keyboard shortcuts.

Foiling Malware

BioCatch also can foil automated attacks on e-commerce sites.

“Not only can we detect human behavior at a site, but we can detect nonhuman behavior, too, because they’re so different from each other,” Golan said.

“That’s why we can detect malware very easily,” she continued. “It behaves very mathematically. A real human wouldn’t act that way.”

To preserve the privacy of a site’s users, they’re assigned a number by the site BioCatch is protecting. That number corresponds to the behavioral profile for the user, so BioCatch never knows the identity behind that number.

“We have the information on the behavior,” Golan explained, “but the retailer has the information on the user, and the two are never connected.”

Protecting Charitable Contributions

As important as information security is to all organizations, some organizations can spend more to protect their processes than others. Among those with tight fiscal constraints are not-for-profits.

“Charities are under a lot of pressure; to make as much as possible of each contributed dollar goes to the underlying mission of the not-for-profit,” said Richard Atkinson, CIO of JustGiving.

That kind of pressure can squeeze the margins of a not-for-profit. While an e-commerce site might build margins as high as US$40 into a $100 transaction, a charity’s margins are in the single digits.

Those tight fiscal constraints don’t leave a lot of cash hanging around for security, which is probably why not-for-profits have problems finding skilled people for their security needs. What’s worse, many of them are targets of government hackers.

“Many charities are dealing with issues of interest to state actors,” Atkinson told TechNewsWorld, “so some agencies will try very hard to get hold of the personal information that charities hold.”

Token Security

To protect the payment card information of donors to some 10,000 charities JustGiving represents, it has turned to Protegrity, which uses tokenization to securely store credit card data.

“Unlike encryption, tokenization is much more performance-scalable,” Atkinson said. “It’s also easy for developers and our data team to interact with.”

With tokenization, sensitive data is replaced with unique identification symbols that retain all the essential information about the data without compromising its security.

“The idea of replacing sensitive data with some fake data is great,” Atkinson noted. “We didn’t need to change our data schemes or data flows.”

Moreover, working with Protegrity allowed JustGiving to save time and money while ensuring the security of the payment card information that it collects.

“Within a couple of weeks of taking delivery of our Protegrity keys, we had our first prototype built,” Atkinson said. “If we’d done it ourselves, it would have been six months of trying to build something that’s already been done.”

Feds Mandate HTTPS

As the fallout continues from the massive data breach at the U.S. Office of Personnel Management, the federal government continues to make efforts to tighten up its cybersecurity posture. Last month, for example, federal CIO Tony Scott signed an OMB memo requiring HTTPS to be the required protocol for all federal websites and Web services by the end of 2016.

Most federal websites now use the less-secure HTTP protocol.

Because the unencrypted HTTP protocol does not protect data from interception or alteration, users can be subjected to eavesdropping, tracking, and the modification of received data, according to the CIO’s website.

An HTTPS-only standard would eliminate inconsistent, subjective agency determinations over which content or browsing activity might be sensitive in nature, and create a stronger privacy standard government-wide, it said.

While it’s laudable that the feds are mandating HTTPS, there are risks to using it that the government should try to address as it embraces the protocol.

Encrypted Attacks

Using HTTPS means the entities issuing digital certificates — which have been criticized for their lack of security — are going to be flooded with requests from federal agencies.

“As the quantity goes up, as it becomes more difficult to know your customer, that introduces new risks,” said Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.

Going to HTTPS also will increase the amount of encrypted traffic on federal networks. On its face, that sounds like a good thing, but it too has a downside.

“If I’m a bad guy, more encrypted traffic is good for me,” Bocek told TechNewsWorld. “Now, when I launch my attacks, no one is going to decrypt my traffic.”

What can the federal government do make sure its move to HTTPS doesn’t backfire? “They need to think like their adversaries,” Bocek said. “They need to stop thinking like good guys who live in a world where unicorns dance and security controls always work.”

Breach Diary

  • July 6. Group of 14 of the world’s pre-eminent cryptologists and computer scientists release paper maintaining special access to encrypted communications by governments cannot be allowed without putting the world’s most confidential data and critical infrastructure at risk.
  • July 7. FireKeepers Casino Hotel reports data breach of its computer systems compromised payment card information used for food, beverage and retail purchases from between Sept. 7 and April 15, as well as Social Security and driver’s license numbers, health benefit selections, and medical billing information for current and former employees.
  • July 7. Attorneys general from 47 states send letter to Congress opposing any federal law that would pre-empt state data breach and security laws.
  • July 8. National Treasury Employees Union files lawsuit against U.S. Office of Personnel Management stemming from massive data breach at agency. Union is seeking, among other things, lifetime free credit monitoring for its members.
  • July 8. Adobe patches Zero Day vulnerability (CVE-2015-5119) found in Angler, Fiddler, Nuclear and Neutrino exploit kits. Flaw was discovered in some 400 GB of data stolen from Gray Hat company Hacking Team posted to the Internet on Monday.
  • July 9. U.S. Office of Personnel Management reports that a recent massive data breach compromised the sensitive information of 21.5 million people, including Social Security numbers for current and former federal workers, contractors, friends and families.
  • July 9. Service System Associates acknowledges point-of-sale systems breached and information on customer payment cards compromised. Breach took place from March 23 to June 25. SSA, which serves gift shops at zoos and cultural centers nationally, did not identify customers affected by the breach, but security blogger Brian Krebs reported at least two dozen shops were impacted.
  • July 9. TerraCom and YouTel America agree to pay $3.5 million civil penalty stemming from FCC complaint that companies failed to adequately protect the personal information of more than 300,000 customers when it stored the data on unprotected servers accessible by anyone with an Internet connection.
  • July 9. Electronic Frontier Foundation files lawsuits against U.S. Justice Department and California Attorney General’s office seeking information on Hemisphere program, which places AT&T employees within law enforcement agencies to help investigators get quick access to call records stored with the company.
  • July 10. Katherine Archuleta, director of the federal Office of Personnel Management, resigns.

Upcoming Security Events

  • July 18. B-Sides Detroit. McGregor Memorial Conference Center, Wayne State University, Detroit. Free.
  • July 21. “As A Service” Offerings and Clients’ Cybersecurity Concerns Drive Changes in IT Services Portfolios. 1 p.m. ET. Webinar by BTR. Free with registration.
  • July 22-24. RSA Asia Pacific & Japan. Marina Bay Sands, Singapore. Registration: before June 21, SG$700; after June 20, SG$850.
  • July 25. B-Sides Cincinnati. Cincinnati Museum Center, 1301 Western Ave., Cincinnati, Ohio. Free.
  • Aug. 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
  • Aug. 4-5. B-Sides Las Vegas. Tuscany Hotel and Casino, 255 E. Flamingo Rd., Las Vegas, Nevada. Free.
  • Aug. 6-9. Defcon 23. Paris Las Vegas, 3655 S. Las Vegas Blvd., Las Vegas, Nevada, and Bally’s, 3645 S. Las Vegas Blvd., Las Vegas, Nevada. $230, cash only at the door.
  • Aug. 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
  • Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
  • Sept. 16. ISMG Data Breach Prevention and Response Summit. The Westin San Francisco Airport, 1 Old Bayshore Highway, Millbrae, California. Registration: $695.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels