Slashdot Mirror

← Back to Stories (view on slashdot.org)

Banks and Retailers Are Tracking How You Type, Swipe and Tap (nytimes.com)

Posted by msmash on from the closer-look dept.

When you're browsing a website and the mouse cursor disappears, it might be a computer glitch -- or it might be a deliberate test to find out who you are. The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features. To fight fraud, a growing number of banks and merchants are tracking visitors' physical movements as they use websites and apps. From a report: Some use the technology only to weed out automated attacks and suspicious transactions, but others are going significantly further, amassing tens of millions of profiles that can identify customers by how they touch, hold and tap their devices. The data collection is invisible to those being watched. Using sensors in your phone or code on websites, companies can gather thousands of data points, known as "behavioral biometrics," to help prove whether a digital user is actually the person she claims to be. To security officials, the technology is a powerful safeguard. Major data breaches are a near-daily occurrence. Cyberthieves have obtained billions of passwords and other sensitive personal information, which can be used to steal from customers' bank and shopping accounts and fraudulently open new ones.

26 of 54 comments (clear)

  1. Permissions by The-Ixian · · Score: 3, Informative

    The permissions will become more granular to allow users who care to lock down what apps can access certain sensors and data.

    I audit my app permissions regularly and disable anything that I don't think the app needs.

    Until that happens, though, I can just not use my banking app from my phone.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Permissions by AmiMoJo · · Score: 5, Insightful

      I noticed ages ago that when I visit my bank's web site the browser gets slow and even typing is fairly unresponsive on the secret code entry screen. So I disabled Javascript for that site and now it's fine.

      Whatever their stupid security system is, apparently disabling it is the fix.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Permissions by zlives · · Score: 1

      lets not tarry on the "stupider and stupider" usage, the statement would however reflect that as younger people have joined /., it has gotten "stupider and stupider".

    3. Re:Permissions by Sir_Eptishous · · Score: 1

      A millennial wouldn't know what a BBS is...

      --
      We play the game with the bravery of being out of range
    4. Re:Permissions by omnichad · · Score: 1

      This is an online banking web site. The system is not designed well enough to use JavaScript for anything else. Just bolted on to the login. Parent post also said they disabled it for only one site.

    5. Re:Permissions by Darinbob · · Score: 2

      I disable javascript all the time. It makes the web faster, you get fewer ads, you get fewer malware infections served up by ads, and if the site absolutely won't work without it then good for you as that's one more site you never visit again. Kids who gleefully serve up their private information are half the problem here, companies aren't going to bother being nice to customers if no one pushes back.

    6. Re:Permissions by BrianMarshall · · Score: 1
      I was on Bloomberg's website a couple of hours ago. I had opened a story in a new window and then got distracted by something else. When I closed the story later, the main page had turned to...

      You Have Violated Our Terms of Service

      and I had to do a couple Captchas- clicking the squares with vehicles in them.

      --
      "When the going gets weird, the weird turn pro" -- HST
  2. Funky by cascadingstylesheet · · Score: 1

    Funky.

    The way I browse/type/click, I'm surprised I haven't been brought in for some sort of evaluation by now.

    1. Re: Funky by Impy+the+Impiuos+Imp · · Score: 1

      I use only https so nobody but me and the porn sites I frequent knows what I'm up to. Oh, and Amazon and Google ads, who they report my activities and what I click on, with IP address. So everyone on the planet knows, and we're all waiting for a leak of this data ALA South Park.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  3. I browse on TV by nospam007 · · Score: 3, Interesting

    I don't have cable, just a notebook in the garage, connected to my 60 inch TV where I watch all my legal and illegal stuff.
    When I'm too lazy to reach for the keyboard, I just use the onscreen one with the mouse, either with my left or right hand, depending on what I'm doing at that time.
    I doubt that they recognize me that way.

  4. So that's why my transaction dies when I'm drunk? by skids · · Score: 2

    Seriously though... has it occurred to them that they may end up denying people's transactions at critical moments of stress due to behavioral differences. Like, I really need to get this hotel room after walking 5 miles in sub-zero weather from my dead car, but I can't transfer goddamn money to checking?

    --
    Someone had to do it.
  5. Bullshit. by Rick+Schumann · · Score: 1

    We're doing this for your protection, citizen, and you should be grateful that we're looking over your shoulder to ensure that you're not being defrauded!

    GET YOUR NOSE OUT OF MY BUSINESS, YOU ASSHOLES.

    Yet another reason I'll never own a smartphone.

    1. Re:Bullshit. by JaredOfEuropa · · Score: 1

      Speaking of protection: if you're protecting customers' bank accounts with a password only, you're doing it wrong. SMS confirmation isn't good enough either; for banking it should be air-gapped 2FA.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  6. It works both ways by JoeyRox · · Score: 1

    We can identify banks by how much vaseline they had to use to screw us up the arse.

  7. if scripts are allowed to run it's not me by Anonymous Coward · · Score: 1

    they know it's not me if the browser runs their scripts

  8. I use the bank of Czash by Archfeld · · Score: 1

    In God I trust all others are subject to review...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  9. Re:So that's why my transaction dies when I'm drun by smooth+wombat · · Score: 1

    Why not use a credit card?

    Oh right. Your phone. I keep forgetting. A phone is the only way to do transactions any more.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  10. What could possibly go wrong? by krygny · · Score: 1

    So, I get a little lazy and they accuse me of not being me. Or a more lazy and sloppy than usual. That's okay, at least THEY have my money.

    And some people claim there's a market for smart guns and other biometric devices that are specifically intended not to work as intended, when intended.

    --
    Research shows that 67% of those who use the term "research shows", are just making shit up.
  11. Almost everybody is using mouse heatmap by Martin+S. · · Score: 2

    All the big sites are doing this. There are at least a dozen analytic tools capable of doing mouse tracking and heatmaps; full journey tracking will be next. Hotjar, mouseflow, smartmove, inspectlet are just a few off the top of my head.

  12. If someone gets a hold of my profile... by mspring · · Score: 3, Interesting

    ...representing my typing, scrolling, swiping, how difficult would it be to programmatically mimic me?

  13. Re:So that's why my transaction dies when I'm drun by skids · · Score: 1

    My point is that this extra verification step may come at an extremely inconvenient or stressful time, and may in fact be a big deal in some situations, adding more stress or delay to an already tenuous situation. And given the metric they are using, the likelihood of it kicking in at just those times is much higher than its general-case probability.

    --
    Someone had to do it.
  14. Thank you, that makes you easy to distinguish by raymorris · · Score: 1

    Your bank, and other web sites you log into, are trying to determine whether the person trying to log in as "nospam007" really is you - the same person who logged into your account the last eight times.

    If you consistently use a weird setup, that makes it so much easier. Unless the hacker trying to access your account also uses the on-screen keyboard on a 60" TV, it's really easy to tell the difference.

    What's less useful is when people use a very common set-up, with all defaults, and only the most common plugins. That makes it harder to tell the difference between the account holder and someone else trying to access their account.

    I'm speaking as someone who developed a system like this ten years ago. For several years it was the most-used security system, used on the largest number of web sites. I've since taken a corporate job with a much larger company.

  15. Nice maybe, till stolen by omfglearntoplay · · Score: 1

    Once this is stolen, then the bad guys will also have all this information. Matter of time.

  16. Re:So that's why my transaction dies when I'm drun by skids · · Score: 1

    I was thinking something slightly less blunt, like "I've got 150 seconds to do this transaction or I miss my flight out of the country and the local mafia is hot on my heels for that expose I wrote for the AP." But OK.

    --
    Someone had to do it.
  17. Re:So that's why my transaction dies when I'm drun by jetkust · · Score: 1

    Why not use a credit card?

    Oh right. Your phone. I keep forgetting. A phone is the only way to do transactions any more.

    The credit card got blocked due to fraud detection.

  18. Re:Oh ffs by Darinbob · · Score: 1

    Hollow earthers. We don't talk about them.