Why you can’t solve the password problem with more passwords
Tue 8 Nov 2016
Oren Kedem, Vice President of Product Management at BioCatch, wonders if we can really solve the password problem with more passwords…
The increased frequency of headline-grabbing database breaches over the last several years has brought the very concept of passwords into question, and not without good reason. In March Lorrie Cranor, chief technologist at the Federal Trade Commission, challenged the notion that forcing users to change their passwords regularly is anything but a liability in terms of good security practice. In the last couple of years the UK government has come to the same conclusion (though the message hasn’t quite spread through the entire government network yet).
However, most governmental solutions to the password problem involve… more passwords. Different types of passwords, different password policies, different thinking about how passwords are formulated.
The GOV.UK Verify scheme aims to swap the sprawl of multiple logins across multiple schemes (which risks either password duplication or weakly-designed multiple passwords) for the smaller target of a central verifying agency (which gives attackers a single point of focus, albeit a well-resourced one).
With both governments agreeing that password managers, while preferable to badly-invented passwords, are susceptible to compromise, the topic seems recursive – with passwords presented as both the problem and the solution.
Even the publicity for the UK’s Verify scheme unconsciously illustrates the mind-set: ‘Each certified company has different ways of verifying your identity, and the options are growing all the time.’
Frequent changes in passwords are one of the reasons why passwords are so easy to break. People keep a constant memorable format and make minor changes so that they can keep track of their passwords. The reality is that passwords need to be eliminated completely. They are simply ineffective in stopping fraud. There are other, more behind-the-scenes authentication measures that should be used, leveraging behavioral biometrics and our mobile devices.
The problems with attempting biometric mimicry
The analysts and tech pundits are wrong about our ability to generate unique IDs. Not only are we very good at it, but in fact we really can’t help ourselves. The way we move a mouse, tilt a mobile phone, or hesitate at key points during a secure interaction all constitute unique biometric identifiers which, once the right biometric profile has been established for the user, are very, very difficult to spoof, simulate or replay. But can biometric analysis be fooled?
It is difficult to artificially generate a touch event in a mobile device that appears genuine. Typically, users hold a device in one hand and touch the phone with the other. Every touch with one hand applies pressure on the hand holding the device, which in turn causes the phone to move and generate hundreds of three-dimensional acceleration and gyro data points. The data generated throughout this process is not random; it’s correlated with the many physiological traits people possess – the size of their hand, hand tremor, muscle structure and so on. Fraudsters will have a hard time generating genuine activity of this kind.
Response to invisible challenges – One way to expose spoofing is through the use of ‘invisible challenges’. The approach is to invoke subtle changes to the user interface that people subconsciously respond to. One example could be changing the trajectory of the mouse as it moves towards the submit button by 2-3%. Users will not notice this small deviation but will correct the route of the mouse in order to hit the button. This type of human reaction changes from person to person. A script generating synthetic behavioral data will not respond to the invisible challenge, and that absence of a correction exposes the spoofing attempt.
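The following toy model, added here as an illustration and not BioCatch’s code, shows the detection logic behind an invisible challenge: the rendered cursor is nudged by a small constant offset part-way along the path, a genuine user re-aims so the displayed cursor still lands on the button, while a replayed or synthetic path cannot react. The pointer sample model, the 2.4% nudge and the tolerance are constructed assumptions; a production system would of course work on real sampled pointer events.

```python
import math
from typing import List, Tuple

Point = Tuple[float, float]

def straight_path(start: Point, end: Point, steps: int) -> List[Point]:
    """Linear interpolation from start to end, steps+1 samples."""
    return [(start[0] + (end[0] - start[0]) * i / steps,
             start[1] + (end[1] - start[1]) * i / steps) for i in range(steps + 1)]

def human_like_path(start: Point, target: Point, steps: int,
                    challenge_at: int, offset: Point) -> List[Point]:
    """Raw pointer path of a user who sees the nudged cursor and re-aims: from
    sample challenge_at on the screen shows raw + offset, so the hand steers the
    raw pointer toward target - offset to hit the button."""
    before = straight_path(start, target, steps)[:challenge_at + 1]
    aim = (target[0] - offset[0], target[1] - offset[1])
    return before + straight_path(before[-1], aim, steps - challenge_at)[1:]

def displayed_path(raw: List[Point], challenge_at: int, offset: Point) -> List[Point]:
    """What the UI rendered: the raw pointer, nudged from challenge_at onward."""
    return [p if i < challenge_at else (p[0] + offset[0], p[1] + offset[1])
            for i, p in enumerate(raw)]

def correction_vector(raw: List[Point], challenge_at: int) -> Point:
    """Displacement of the final raw position from where the pre-challenge heading
    was pointing. A reacting user yields about -offset; a replay yields ~(0, 0)."""
    (sx, sy), (cx, cy), (ex, ey) = raw[0], raw[challenge_at], raw[-1]
    remaining = (len(raw) - 1 - challenge_at) / challenge_at
    return (ex - (cx + (cx - sx) * remaining), ey - (cy + (cy - sy) * remaining))

def responded_to_challenge(raw: List[Point], target: Point, challenge_at: int,
                           offset: Point, tolerance: float = 3.0) -> bool:
    """Decision rule: the challenge was answered if the displayed cursor still
    lands on the target, i.e. the raw input compensated for the nudge."""
    fx, fy = displayed_path(raw, challenge_at, offset)[-1]
    return math.hypot(fx - target[0], fy - target[1]) <= tolerance

if __name__ == "__main__":
    START, TARGET, STEPS, AT = (0.0, 0.0), (400.0, 300.0), 40, 20
    NUDGE = (0.0, 12.0)  # constructed: 12 px on a 500 px path, about 2.4%
    human = human_like_path(START, TARGET, STEPS, AT, NUDGE)
    replay = straight_path(START, TARGET, STEPS)  # pre-recorded path, blind to the screen
    for name, path in (("human", human), ("replay", replay)):
        print(name, responded_to_challenge(path, TARGET, AT, NUDGE), correction_vector(path, AT))
```

The size and direction of the correction vector is the per-user signal the text refers to; the replayed path produces none, which is what gives the spoofing away.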
The case for mobile biometric systems
Those who are abandoning the mouse as a device input in the age of the trackpad and the swipe might wonder how suited biometric solutions are to the more restricted mobile banking space. Is the mobile biometric scenario better than desktop (because of the more closed system) or worse (because the equipment is on the move, and assumptions of trust might run a little too high)?
Well… both. Mobile provides a much richer set of behavioral data from which a profile can be built – acceleration, gyro, orientation and touch. So behavioral profiles are stronger, and mobile devices also offer face, voice and fingerprint biometric solutions.
The downside of mobile is that biometric signatures are stored on the device (with the exception of behavioral biometric profiles). So, when a user switches phones (a frequent occurrence) the slate is wiped clean and the user’s enrollment needs to start from scratch. The only authentication control that is persistent across devices is the behavioral biometric profile.
Biometric approaches by type of attack
Bank fraud attacks can generally be categorized into three groups: Account Takeover, RAT/Malware and Social Engineering. All three involve impersonating the user, and all can be detected through behavioral biometrics.
Account Takeover – in this attack the user’s credentials are first stolen (e.g. through a phishing attack), and later the fraudster accesses the online banking site from his own computer and perpetrates the fraud. Behavioral Biometric Authentication can be used to identify the fact that although the credentials are valid, the fraudster’s behavior is inconsistent with that of the profiled genuine user.
RAT/Malware – in this attack cybercriminals infect the user’s device with malware and then use it to submit a fraudulent transaction from the user’s own device. The behavior generated through the use of malware/RAT can easily be profiled using behavioral biometrics and later used to distinguish between genuine and malicious behavior.
Social Engineering – in this attack the fraudster convinces the user (typically over the phone) to install a remote support tool (such as TeamViewer), giving him access to the computer. When working through a remote support tool over the internet, the fraudster’s ‘user experience’ is impacted by network latency. This ‘latent’ behavior is registered by behavioral biometrics solutions and can be used to detect these types of attacks.
Machine learning in biometrics
Machine learning will play an integral part in developing biometric authentication systems. However, machine learning is only as good as the data used for the algorithms. All other things being equal, the quality, variety and amount of data that is being processed makes the difference in authentication performance.
Most behavioral biometric solutions only passively collect behavioral data. BioCatch’s patented ‘Invisible Challenges’ technology allows us to generate quality data by invoking a response from the user without the user being aware. These data allow for quicker profile creation, shorter enrollment time, and faster and more accurate scoring.