When you are browsing a website and the cursor disappears, it might be a computer glitch — or it might be a test to find out who you are.
The way you press, scroll and type on a phone screen or keyboard can be as individual as your fingerprints or facial features. To fight fraud, a growing number of banks and merchants are tracking visitors’ physical movements as they use websites and apps.
Some use the technology only to weed out automated attacks and suspicious transactions, but others are going further, amassing tens of millions of profiles that can identify customers by how they touch, hold and tap their devices.
The data collection is invisible to those being watched. Using sensors in your phone or code on websites, companies can gather thousands of data points, known as “behavioral biometrics,” to help prove whether a digital user is actually the person she claims to be.
To security officials, the technology is a powerful safeguard. Cyberthieves have obtained billions of passwords and other sensitive personal information, which can be used to steal from customers’ bank and shopping accounts and fraudulently open new ones.
“Identity is the ultimate digital currency and it’s being weaponized at an industrial scale,” said Alisdair Faulkner, one of the founders of ThreatMetrix, which makes fraud detection software for large merchants and financial companies.
Privacy advocates view the biometric tools as potentially troubling. “It’s a very small leap from using this to detect fraud to using this to learn very private information about you,” said Jennifer Lynch, a senior lawyer for the Electronic Frontier Foundation.
The Royal Bank of Scotland, one of the few banks that will talk publicly about its collection of biometric behavioral data, started testing the technology two years ago on private banking accounts for wealthy customers. It is now expanding the system to all of its 18.7 million business and retail accounts, said Kevin Hanley, the bank’s director of innovation.
When their clients log in to their accounts, software begins recording more than 2,000 different interactive gestures. On phones, it measures the angle at which people hold their devices, the fingers they use to swipe and tap, the pressure they apply and how quickly they scroll. On a computer, the software records the rhythm of their keystrokes and the way they wiggle their mouse.
RBS is using software designed by a small New York company called BioCatch. It builds a profile on each person’s gestures, which is then compared against the customer’s movements every time they return. The system can detect impostors with 99 percent accuracy, BioCatch said.
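To make the profile-and-compare idea concrete, here is an added example (not BioCatch's or RBS's code) that enrolls a keystroke-rhythm profile and scores later sessions against it. The feature choice (key hold time and gap between keys), the z-score comparison, the threshold and all timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def features(events):
    """events: [(key, down_ms, up_ms), ...] for one typing of a fixed phrase.
    Returns dwell times (key held) followed by flight times (gap to next key)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_std=5.0):
    """Profile = per-feature (mean, spread); the floor on spread keeps a very
    consistent typist from being rejected over a few milliseconds."""
    cols = zip(*(features(s) for s in samples))
    return [(mean(c), max(pstdev(c), min_std)) for c in cols]

def score(profile, events):
    """Mean absolute z-score of a new sample against the profile (lower = closer)."""
    feats = features(events)
    if len(feats) != len(profile):
        raise ValueError("sample does not match the enrolled phrase length")
    return mean(abs(x - m) / s for x, (m, s) in zip(feats, profile))

def matches(profile, events, threshold=2.0):  # threshold is an assumed value
    return score(profile, events) <= threshold

def typed(phrase, dwells, flights):
    """Build constructed key events from dwell and flight times in ms."""
    t, out = 0, []
    for i, ch in enumerate(phrase):
        out.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

# Constructed timings: four enrollment sessions by the account owner.
ENROLLMENT = [
    typed("bank", [90, 110, 95, 100], [60, 140, 70]),
    typed("bank", [95, 105, 100, 98], [65, 150, 75]),
    typed("bank", [88, 112, 92, 104], [58, 135, 68]),
    typed("bank", [92, 108, 97, 101], [62, 145, 72]),
]
PROFILE = enroll(ENROLLMENT)
OWNER_RETURN = typed("bank", [91, 109, 96, 99], [61, 142, 71])
SOMEONE_ELSE = typed("bank", [140, 70, 150, 60], [120, 50, 160])

if __name__ == "__main__":
    for name, sample in [("owner", OWNER_RETURN), ("other", SOMEONE_ELSE)]:
        print(name, round(score(PROFILE, sample), 2), matches(PROFILE, sample))
```

The same password typed by a different person produces a score far above the threshold, which is why a stolen credential alone does not pass such a check.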
Biometric systems can sometimes detect medical conditions. If a customer with a once-steady hand develops a tremor, her automobile insurance company might get worried. That is potentially a problem if the customer’s bank, which detected the tremor through its security software, is also her insurer.
“This is the kind of data that usually has some kind of consumer protections around it, but here there’s none at all,” said Pam Dixon, the executive director of the World Privacy Forum. “Companies are using these systems with no notice of any kind.”