Scanning a thumbprint to access your bank account seems completely safe, right? Well, a notorious German hacker named Jan Krissler – a.k.a. Starbug – demonstrated how easy it is to duplicate a fingerprint or even an iris, using a high-res photo. He used Angela Merkel’s photo.
Other hacks have foiled fingerprint scanners with gummy bears — also made in Germany. (Hmmm….)
Banks and fintech companies have recognized that biometrics aren’t foolproof and that fingerprints can be stolen, and seem to be moving to the next step in cybersecurity: behavioral recognition.
Just last week, NatWest, a U.K.-based bank that serves over 14 million customers, announced that it has successfully completed the testing of behavioral recognition technology provided by BioCatch. The Boston-based startup allows NatWest to analyze more than 500 points of human behavior, including hand-eye coordination, pressure, hand tremors, cursor navigation and scrolling, among (many) other things.
“Different people have different, unique ways of interacting with devices or applications,” Uri Rivner, vice president of business development and cyber strategy at BioCatch, told Bank Innovation. “After several sessions – 10 is the magic number – we are able to model a unique user baseline, so when we see a transaction, we can notify the bank if the way a person interacted with the app or keyboard is in line with our baseline.” The authentication process begins at login, and can last throughout the entire session, Rivner said.
Launched in 2011, BioCatch has raised $11.6 million in total funding so far. The startup now partners with “major banks” around the world, according to Rivner. “In the U.S., you already have same-day ACH payments, and it’s all about faster, frictionless payments in the U.K., so banks everywhere started looking at adopting additional layers to cybersecurity, without adding layers of friction.”
Leumi Card, a subsidiary of Israel’s Bank Leumi, will also be adding behavioral biometrics to its mobile security. Last week, the bank partnered with an Israeli startup called SecuredTouch. The company uses attributes such as finger size, touch pressure and touch surface to verify in real time whether the account holder is the one using the banking app. This way, the startup also looks to eliminate the need for passwords.
Eliminating passwords is on Verifyoo’s agenda as well. Instead of typing in complicated passwords or answering security questions, Tel Aviv, Israel-based Verifyoo’s solution prompts users to recreate characters that appear on the screen. The company then analyses that data, and uses it to authenticate a person in the future.
“There is no doubt the world is moving toward dynamic authentication methods, and one of those is behavioral,” CEO Roy Dalal told Bank Innovation. “Our aim is to reduce that authentication process to the point of login, so that if a person passed the authentication process once, there will be no need in authorizing any of his further actions during that session.”
Banks and other financial institutions recognize the need for this type of solution, Dalal said. “Static biometrics [fingerprints, eye scan] are not enough anymore, and my feeling is we are nearing this shift to mass adoption.” Verifyoo is still in its initial seed funding phase.
As the next step, BioCatch is exploring new channels for leveraging its technology, “beyond traditional suspects,” Rivner said, referring to channels rather than industries. “Chatbots, for example, is one of them,” he said. “Some of the banks have already started talking to us about it, we see a lot of potential there.”