With little fanfare, so-called behavioral biometrics began appearing on the radar screens of payment card security executives about two years ago. Now, however, experts predict behavioral biometrics will assume a more prominent role in protecting payment transactions as e-commerce and mobile commerce continue gaining share of retail sales and the Internet of Things makes payments possible from billions of devices.
In contrast to physical biometrics, which measures and records everything from facial characteristics to handprints to voices and irises for use in authenticating transactions, behavioral biometrics, sometimes called passive biometrics, are less intuitive. These forms of biometrics track patterns in the way a person moves, behaves, or uses something physically. Handwriting, gait, and other physical motions “all can be measured,” David Lott, payments risk expert at Federal Reserve Bank of Atlanta, said Wednesday at a panel session about behavioral versus physical biometrics that he moderated at the CNP Expo in Orlando, Fla., a conference about online and mobile payments.
Some behavioral biometrics can identify unique patterns in the way someone holds and uses a smart phone.
Some behavioral biometrics can identify unique patterns in the way someone holds and uses a smart phone.
Other examples come from Vancouver, British Columbia-based NuData Security Inc. NuData’s technology can identify unique patterns in the way someone holds and uses a smart phone or personal or laptop computer by measuring everything from how fingers touch the keyboard or tap the screen, the force of taps, to the person’s cadence and how a phone moves while being held.
“There’s hundreds and hundreds of data points you can collect,” said panelist Ryan Wilk, vice president of customer success at NuData.
The resulting user profile “is very difficult to spoof, very difficult to attempt to steal,” Wilk said. “That’s the beauty of passive biometrics—that unlike a physical biometric or a user name and password, something that someone else can take from you, it’s very difficult to take your passive biometric, to take your natural interaction, and attempt to spoof.”
Mastercard Inc. saw enough potential in NuData’s technology that in late March it announced an agreement to buy the firm for an undisclosed price. NuData’s flagship NuDetect product separates legitimate users from potential fraudsters based on their online, mobile-app and smart-phone interactions, and flags high-risk behavior. The technology assesses, scores, and learns from each online or mobile transaction to enable merchants and card issuers to make near real-time authorization decisions, Mastercard said.
While Mastercard’s acquisition of NuData may signal that behavioral biometrics are gaining traction, other panelists pointed out that the many forms of biometrics all have their strengths and weakness. Their usage depends on their capabilities, cost, and operational issues, as well as the particular needs of the merchant, bank, or other entity using them.
“There is no single authentication modality that’s bullet proof, and there is no single modality choice that’s the best choice in all cases,” said Lott.
Biometrics also poses questions about consumer privacy as their adoption increases. Privacy rules are stricter in Europe than in the United States, where panelists said they believe regulators will stay out of the way if merchants and financial institutions confine their usage to fraud and risk control. Problems could arise if companies use biometrics for consumer tracking and marketing purposes.
“Then it hurts the entire industry,” said panelist Bernard McManus, head of global fraud management and strategy for Sony PlayStation.