Slashdot Mirror


Banks and Retailers Are Tracking How You Type, Swipe and Tap (nytimes.com)

When you're browsing a website and the mouse cursor disappears, it might be a computer glitch -- or it might be a deliberate test to find out who you are. The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features. To fight fraud, a growing number of banks and merchants are tracking visitors' physical movements as they use websites and apps. From a report: Some use the technology only to weed out automated attacks and suspicious transactions, but others are going significantly further, amassing tens of millions of profiles that can identify customers by how they touch, hold and tap their devices. The data collection is invisible to those being watched. Using sensors in your phone or code on websites, companies can gather thousands of data points, known as "behavioral biometrics," to help prove whether a digital user is actually the person she claims to be. To security officials, the technology is a powerful safeguard. Major data breaches are a near-daily occurrence. Cyberthieves have obtained billions of passwords and other sensitive personal information, which can be used to steal from customers' bank and shopping accounts and fraudulently open new ones.
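The kind of check the summary describes can be sketched with keystroke timing alone; this is an added example, not code from the report or from any vendor's product. Function names, the 10 ms floor, the threshold of 2 and all timings are constructed assumptions, and a mismatch only triggers step-up authentication instead of a denial.

```javascript
// Added illustration: names, thresholds and timings below are constructed.

// Build key events from hold times (dwell) and gaps between keys (flight), in ms.
function session(dwells, flights) {
  let t = 0;
  return dwells.map((d, i) => {
    if (i > 0) t += flights[i - 1];
    const e = { down: t, up: t + d };
    t = e.up;
    return e;
  });
}

// Feature vector: dwell of every key plus flight from the previous key.
function features(events) {
  const f = [];
  events.forEach((e, i) => {
    f.push(e.up - e.down);
    if (i > 0) f.push(e.down - events[i - 1].up);
  });
  return f;
}

// Profile = per-feature mean and standard deviation over enrollment sessions.
// The deviation is floored at 10 ms so a very consistent typist is not
// rejected over timer jitter.
function enroll(sessions) {
  const rows = sessions.map(features);
  return rows[0].map((_, j) => {
    const col = rows.map((r) => r[j]);
    const mean = col.reduce((a, b) => a + b, 0) / col.length;
    const variance = col.reduce((a, b) => a + (b - mean) ** 2, 0) / col.length;
    return { mean, sd: Math.max(Math.sqrt(variance), 10) };
  });
}

// Mean absolute z-score of a login attempt against the profile (0 = identical).
// No usable timing (pasted or autofilled secret) gives Infinity.
function score(profile, events) {
  const f = features(events);
  if (f.length !== profile.length) return Infinity;
  return f.reduce((s, x, j) => s + Math.abs(x - profile[j].mean) / profile[j].sd, 0) / f.length;
}

// A mismatch asks for a second factor; it never denies on its own.
const decide = (s) => (s <= 2 ? "allow" : "step-up");

const PROFILE = enroll([
  session([90, 100, 95, 110], [120, 140, 130]),
  session([95, 105, 90, 115], [125, 135, 140]),
  session([85, 95, 100, 105], [115, 145, 120]),
]);
const ownerCalm = session([92, 98, 97, 108], [118, 143, 127]);
const ownerCold = session([140, 150, 160, 170], [220, 260, 240]);
const stranger = session([60, 55, 65, 58], [60, 70, 65]);
```

With these constructed numbers the account owner typing slowly with cold hands scores further from the profile than the stranger does, so the score can only gate a second factor, not decide identity by itself.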

54 comments

  1. Permissions by The-Ixian · · Score: 3, Informative

    The permissions will become more granular to allow users who care to lock down what apps can access certain sensors and data.

    I audit my app permissions regularly and disable anything that I don't think the app needs.

    Until that happens, though, I can just not use my banking app from my phone.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Permissions by AmiMoJo · · Score: 5, Insightful

      I noticed ages ago that when I visit my bank's web site the browser gets slow and even typing is fairly unresponsive on the secret code entry screen. So I disabled Javascript for that site and now it's fine.

      Whatever their stupid security system is, apparently disabling it is the fix.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Permissions by Anonymous Coward · · Score: 0

      So I disabled Javascript for that site and now it's fine.

      Half the sites I try to visit now pop up some obnoxious shit over top of what I want to read... until I disable Javascript and reload.

      Javascript is a cancer on the modern internet. Disabling it fixes way more than it breaks.

    3. Re:Permissions by zlives · · Score: 1

      Let's not tarry on the "stupider and stupider" usage; the statement would however reflect that as younger people have joined /., it has gotten "stupider and stupider".

    4. Re:Permissions by Anonymous Coward · · Score: 0

      There's Nuke Anything for stuff that covers half your screen even if javascript is disabled, e.g. cookie policy bullshit that can't go away because you don't run the javascript needed by the 'X' button.

    5. Re:Permissions by Sir_Eptishous · · Score: 1

      A millennial wouldn't know what a BBS is...

      --
      We play the game with the bravery of being out of range
    6. Re:Permissions by omnichad · · Score: 1

      This is an online banking web site. The system is not designed well enough to use JavaScript for anything else. Just bolted on to the login. Parent post also said they disabled it for only one site.

    7. Re:Permissions by Darinbob · · Score: 2

      I disable javascript all the time. It makes the web faster, you get fewer ads, you get fewer malware infections served up by ads, and if the site absolutely won't work without it then good for you as that's one more site you never visit again. Kids who gleefully serve up their private information are half the problem here, companies aren't going to bother being nice to customers if no one pushes back.

    8. Re:Permissions by Anonymous Coward · · Score: 0

      Spot on. Disabling javascript is a must. And if a site doesn't work without it fuck 'em. There's plenty of other sites to visit.

      As for that web assembly idea that is simply full on retard.

    9. Re:Permissions by Anonymous Coward · · Score: 0

      Nope also a BBS would confuse a millennial to no end. For example there's no world-revolves-around-only-me section like Instagram.

      Some millennial right now is blaming a baby boomer for this post. They'd be wrong - a Gen X'er wrote this.

    10. Re:Permissions by BrianMarshall · · Score: 1

      I was on Bloomberg's website a couple of hours ago. I had opened a story in a new window and then got distracted by something else. When I closed the story later, the main page had turned to...

      You Have Violated Our Terms of Service

      and I had to do a couple of Captchas - clicking the squares with vehicles in them.

      --
      "When the going gets weird, the weird turn pro" -- HST
    11. Re:Permissions by Anonymous Coward · · Score: 0

      I disable javascript all the time. It makes the web faster, you get fewer ads, you get fewer malware infections served up by ads, and if the site absolutely won't work without it then good for you as that's one more site you never visit again.

      But you need a search engine that shows all the alternative content to you. Enter Duck Duck Go.

    12. Re:Permissions by Anonymous Coward · · Score: 0

      The permissions will become more granular to allow users who care to lock down what apps can access certain sensors and data.

      I audit my app permissions regularly and disable anything that I don't think the app needs.

      Until that happens, though, I can just not use my banking app from my phone.

      App? Who in their right mind who knows anything about security accesses their bank account using their phone?

  2. Funky by cascadingstylesheet · · Score: 1

    Funky.

    The way I browse/type/click, I'm surprised I haven't been brought in for some sort of evaluation by now.

    1. Re: Funky by Anonymous Coward · · Score: 0

      There have been password packages that also monitor how you type it.

    2. Re: Funky by Impy+the+Impiuos+Imp · · Score: 1

      I use only https so nobody but me and the porn sites I frequent knows what I'm up to. Oh, and Amazon and Google ads, who report my activities and what I click on, with IP address. So everyone on the planet knows, and we're all waiting for a leak of this data à la South Park.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    3. Re: Funky by Anonymous Coward · · Score: 0

      There have been password packages that also monitor how you type it.

      Because you can never copy-paste a password.

  3. I browse on TV by nospam007 · · Score: 3, Interesting

    I don't have cable, just a notebook in the garage, connected to my 60 inch TV where I watch all my legal and illegal stuff.
    When I'm too lazy to reach for the keyboard, I just use the onscreen one with the mouse, either with my left or right hand, depending on what I'm doing at that time.
    I doubt that they recognize me that way.

    1. Re:I browse on TV by Anonymous Coward · · Score: 0

      God damn you're a loser wow.

    2. Re:I browse on TV by Anonymous Coward · · Score: 0

      And you're replying to them, what does that make you? I mean other than an Anonymous Coward.

    3. Re: I browse on TV by Anonymous Coward · · Score: 0

      ....and you completely missed the joke, flew right over your head it did. Try harder next time.

  4. So that's why my transaction dies when I'm drunk? by skids · · Score: 2

    Seriously though... has it occurred to them that they may end up denying people's transactions at critical moments of stress due to behavioral differences? Like, I really need to get this hotel room after walking 5 miles in sub-zero weather from my dead car, but I can't transfer goddamn money to checking?

  5. Oh ffs by Anonymous Coward · · Score: 0

    "The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features."

    Who comes up with crap like this... and who the heck believes it?
    Flat Earthers?!

    1. Re:Oh ffs by Darinbob · · Score: 1

      Hollow earthers. We don't talk about them.

  6. Bullshit. by Rick+Schumann · · Score: 1

    We're doing this for your protection, citizen, and you should be grateful that we're looking over your shoulder to ensure that you're not being defrauded!

    GET YOUR NOSE OUT OF MY BUSINESS, YOU ASSHOLES.

    Yet another reason I'll never own a smartphone.

    1. Re:Bullshit. by JaredOfEuropa · · Score: 1

      Speaking of protection: if you're protecting customers' bank accounts with a password only, you're doing it wrong. SMS confirmation isn't good enough either; for banking it should be air-gapped 2FA.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Bullshit. by Anonymous Coward · · Score: 0

      You know how many idiot banks consider SMS to be 2FA? When I call and ask for *real* 2FA (like RFC 6238), they've of course never heard of such a thing. Inspires confidence. Of course some banks (ahem, US Bank) do not support any kind of 2FA, but at least I can do 40-character passwords that I rotate every week.

  7. It works both ways by JoeyRox · · Score: 1

    We can identify banks by how much vaseline they had to use to screw us up the arse.

  8. Re:So that's why my transaction dies when I'm drun by Anonymous Coward · · Score: 0

    Very likely yes, and in that circumstance it would hopefully require a step-up of authentication instead of a normal passthrough just to make sure you are you and not somebody else.

  9. Re:So that's why my transaction dies when I'm drun by Anonymous Coward · · Score: 0

    If they're smart, misdetection will only serve as a speed bump and allow you to phone in to rectify things. In my experience, that's how things already work (speed-bump, rectify), they just have more data points now whether to activate the speed bump.

  10. if scripts are allowed to run it's not me by Anonymous Coward · · Score: 1

    They know it's not me if the browser runs their scripts.

  11. I use the bank of Czash by Archfeld · · Score: 1

    In God I trust all others are subject to review...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  12. Re:So that's why my transaction dies when I'm drun by smooth+wombat · · Score: 1

    Why not use a credit card?

    Oh right. Your phone. I keep forgetting. A phone is the only way to do transactions any more.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  13. What could possibly go wrong? by krygny · · Score: 1

    So, I get a little lazy and they accuse me of not being me. Or more lazy and sloppy than usual. That's okay, at least THEY have my money.

    And some people claim there's a market for smart guns and other biometric devices that are specifically intended not to work as intended, when intended.

    --
    Research shows that 67% of those who use the term "research shows", are just making shit up.
    1. Re:What could possibly go wrong? by Anonymous Coward · · Score: 0

      Lazy nothin, how about traumatic event, traumatic accident, onset Parkinson's, stroke, aneurysm, depression, anxiety, etc etc etc.

      This is goddamned stupid as a security measure. I doubt people even act the same throughout the day, let alone day to day. If you have to estimate, guess, or drop data and use only 'point-matching' then there will be huge security gaps to be exploited alongside massive inconvenience to your customers.

      And don't get me started on putting delicate electronics in a device that constantly emits explosions but is small enough to carry in your hand. Materials science isn't advanced enough for that yet.

  14. Almost everybody is using mouse heatmap by Martin+S. · · Score: 2

    All the big sites are doing this. There are at least a dozen analytic tools capable of doing mouse tracking and heatmaps; full journey tracking will be next. Hotjar, mouseflow, smartmove, inspectlet are just a few off the top of my head.

    1. Re:Almost everybody is using mouse heatmap by Anonymous Coward · · Score: 0

      There are at least a dozen analytic tools capable of doing mouse tracking and heatmaps; full journey tracking will be next. Hotjar, mouseflow, smartmove, inspectlet are just a few off the top of my head.

      And yet, for those of us who ruthlessly block analytic/ad companies, third party shit, useless javascript ... that shit is relegated to the shitpile where it belongs.

      My browser doesn't even make the request, so they can suck my balls.

    2. Re:Almost everybody is using mouse heatmap by Anonymous Coward · · Score: 0

      Ugh why is this site's UX like this?? Who told them to make it this way??? Why didn't they ask me?!?!

  15. Re:So that's why my transaction dies when I'm drun by Anonymous Coward · · Score: 0

    Yes, from an unfamiliar location from someone who says they are you, but is not acting exactly like you. Yeah, I'm on board with this and you should be too. This is no different than a CC company denying your CC card because you're trying to purchase something unusual. It's not a big deal for that "extra" verification phone call. If I'm going on a trip, I'll call the CC company ahead and let them know what's going on (dunno if they still make those notes on an account since it's been a while since I've done that) so that when I swipe at an unusual location, the CC "expects" that and things don't bounce. As long as they're not key-logging, I think it's a (although still in its infancy) "good thing."

    CAP === 'catchers'

  16. If someone gets a hold of my profile... by mspring · · Score: 3, Interesting

    ...representing my typing, scrolling, swiping, how difficult would it be to programmatically mimic me?

  17. Re:So that's why my transaction dies when I'm drun by skids · · Score: 1

    My point is that this extra verification step may come at an extremely inconvenient or stressful time, and may in fact be a big deal in some situations, adding more stress or delay to an already tenuous situation. And given the metric they are using, the likelihood of it kicking in at just those times is much higher than its general-case probability.

  18. blue skies. by Anonymous Coward · · Score: 0

    In other news, the sky discovered to appear blue.

  19. why a dog by Anonymous Coward · · Score: 0

    You know why a dog licks his balls? Because he can.

  20. Thank you, that makes you easy to distinguish by raymorris · · Score: 1

    Your bank, and other web sites you log into, are trying to determine whether the person trying to log in as "nospam007" really is you - the same person who logged into your account the last eight times.

    If you consistently use a weird setup, that makes it so much easier. Unless the hacker trying to access your account also uses the on-screen keyboard on a 60" TV, it's really easy to tell the difference.

    What's less useful is when people use a very common set-up, with all defaults, and only the most common plugins. That makes it harder to tell the difference between the account holder and someone else trying to access their account.

    I'm speaking as someone who developed a system like this ten years ago. For several years it was the most-used security system, used on the largest number of web sites. I've since taken a corporate job with a much larger company.

  21. Re:So that's why my transaction dies when I'm drun by Anonymous Coward · · Score: 0

    My point is that this extra verification step may come at an extremely inconvenient or stressful time, and may in fact be a big deal in some situations, adding more stress or delay to an already tenuous situation. And given the metric they are using, the likelihood of it kicking in at just those times is much higher than its general-case probability.

    "Hand over the money or we shoot your kids" is a good example where the extra verification might take lives...

  22. Nice maybe, till stolen by omfglearntoplay · · Score: 1

    Once this is stolen, then the bad guys will also have all this information. Matter of time.

  23. Re:So that's why my transaction dies when I'm drun by skids · · Score: 1

    I was thinking something slightly less blunt, like "I've got 150 seconds to do this transaction or I miss my flight out of the country and the local mafia is hot on my heels for that expose I wrote for the AP." But OK.

  24. We use your credit cards by Anonymous Coward · · Score: 0

    It's easier to just use credit card data. You can track everybody online and offline with that. Most credit card services are giving away that data or selling it for next to nothing.

  25. Re:So that's why my transaction dies when I'm drun by jetkust · · Score: 1

    Why not use a credit card?

    Oh right. Your phone. I keep forgetting. A phone is the only way to do transactions any more.

    The credit card got blocked due to fraud detection.

  26. Re:Bullshit.cocksuckers.peeping toms and other by Anonymous Coward · · Score: 0

    "We're doing this for your protection, citizen, and you should be grateful that we're looking over your shoulder to ensure that you're not being defrauded!"

    That's why I've never ever in 25 years been ripped off via a credit card, 'cause I use prepaid cards, you jerkoffs. That's how you should use cards on the net; any other way means YOU GET WHAT YOU GOD DAMN DESERVE YOU FUCKING RETARDS.... Like, when is society gonna finally say, well, you're retarded, we have to put you in a home with care 'cause you're a menace and greater cost to society. LIKE AMERICA YOU ELECTED TRUMP? PROOF the retardation is growing... more proof: AVG American world math score used to be 23, it's now what, 38 or some crap.... You're getting worse and worse.

    GET YOUR NOSE OUT OF MY BUSINESS, YOU ASSHOLES. COCKSUCKERS, PEEPING TOMS and other sick MOTHERFUCKING LAMER ASSWIPE GAY DRAGON BALL LICKERS

  27. when i have a HARD needa cash by Anonymous Coward · · Score: 0

    i just prostitute your mom.....oddly i'm not making much .