Banks Are Tracking the Way We Swipe to Prevent Fraud
Behind the scenes, many banks are also tracking the way you use their apps and websites to collect data about the way you tap, swipe, and click.
Banks use all kinds of sophisticated security systems to keep our money safe, but the ones we tend to think about are technical, such as encryption and two-factor authentication.
The Royal Bank of Scotland has revealed that it tracks 2,000 different data points through its app, from the angle you hold your phone to the speed you swipe up and down. By analysing the speed and precision of your movements, it can tell if you are really you.
In some cases, the software used by banks can actually cause small problems with an app and measure your response. For example, it could cause the screen on your online banking to freeze, and then measure how you react: a pause, a click, a shuffle of the mouse pointer.
Is this a clever way to create a ‘fingerprint’ of us as individuals, or a creepy invasion of privacy?
Fraud Foiled By a Scroll Wheel
The Royal Bank of Scotland says that it detected and blocked a seven-figure fraudulent transaction in real time using the techniques we’ve outlined.
The user, logged in to a wealthy customer’s bank account, was using the mouse in a different way, suggesting that the person logged in was not the real account owner. It says that it detected the use of a mouse scroll wheel for the first time, along with numbers being typed differently on the keyboard, and immediately locked down the account.
This sounds impressive, and some would argue that tracking us like this is acceptable if it keeps hackers out of our bank accounts.
It’s unclear how widespread behavioural biometrics are, but they’re probably more widespread than we realise. The technology used by the Royal Bank of Scotland is produced by BioCatch, a US company that says it’s monitoring more than 5 billion transactions for fraud every month.
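The two signals in the blocked transaction described above (an input method never seen before on the account, and digits typed with a different rhythm) can be sketched as a comparison against a per-customer baseline. This is an added example, not BioCatch's or the bank's code; the baseline values, event format, function name and z-score threshold are all assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed baseline for one hypothetical customer: the input kinds seen in
# past sessions and the gaps (ms) between consecutive digit keystrokes.
BASELINE = {
    "event_kinds": {"mouse_move", "click", "key"},
    "digit_gaps_ms": [182, 175, 190, 168, 201, 185, 179, 194, 172, 188],
}

# Constructed sessions: (timestamp_ms, kind, value) tuples in time order.
OWNER_SESSION = [(0, "mouse_move", None), (400, "click", None),
                 (1000, "key", "4"), (1180, "key", "2"), (1370, "key", "7"),
                 (1550, "key", "0"), (1740, "key", "5")]
SUSPECT_SESSION = [(0, "mouse_move", None), (300, "scroll_wheel", None),
                   (900, "key", "4"), (1420, "key", "2"), (1900, "key", "7"),
                   (2450, "key", "0"), (2960, "key", "5")]

def score_session(events, baseline, z_limit=3.0):
    """Return the reasons a session deviates from the customer's baseline."""
    reasons = []

    # Signal 1: an input kind this account has never produced before.
    new_kinds = {kind for _, kind, _ in events} - baseline["event_kinds"]
    for kind in sorted(new_kinds):
        reasons.append(f"first use of input kind: {kind}")

    # Signal 2: gaps between adjacent key presses where both keys are digits.
    keys = [(t, v) for t, kind, v in events if kind == "key"]
    gaps = [t2 - t1 for (t1, v1), (t2, v2) in zip(keys, keys[1:])
            if v1.isdigit() and v2.isdigit()]
    if len(gaps) >= 3:  # too few samples say nothing about rhythm
        mu = mean(baseline["digit_gaps_ms"])
        sigma = stdev(baseline["digit_gaps_ms"])
        # How many baseline standard deviations the session's mean gap
        # sits from the baseline mean (a simplified heuristic).
        z = abs(mean(gaps) - mu) / sigma
        if z > z_limit:
            reasons.append(f"digit typing rhythm off baseline (z={z:.1f})")
    return reasons

if __name__ == "__main__":
    for name, session in (("owner", OWNER_SESSION), ("suspect", SUSPECT_SESSION)):
        print(name, score_session(session, BASELINE))
```

A production system would combine far more signals and treat a flag as a trigger for step-up verification rather than as proof of fraud.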
Should Biometric Data be Protected?
Even though this technology is impressive, and is obviously effective, there are legitimate reasons to be worried about what your bank is doing behind the scenes.
First of all, there are always risks of a data breach. Banks are cagey about precisely where and how this usage data is stored for obvious reasons. But if your activity and location are sent to remote servers along with your account identifiers, you may well have cause to ask what kind of encryption and security is in place, and whether these servers are located in a different legal jurisdiction to your own.
If you injure your hand, and you’re using a clumsy, non-dominant hand to type with, there could be a risk that your account is flagged up for unusual activity. Could that impact people with disabilities who may need to vary the way they use their devices according to the severity of their condition?
And if banks are already secretly logging these movements, down to the pressure of a finger on a screen, could they legitimately start capturing photos from our devices and checking we’re who we say we are? It sounds like the stuff of science fiction, but it’s technically all part of the same dataset -- biometric information.
Neil Cogistec, a spokesman for BehavioSec, says that his company just has to watch silently as we go about our business. There are no laws against watching us in this way. But the companies providing biometric analysis are gathering data about individuals on a massive scale, and the potential privacy risks for users don’t seem to be fully understood.