The banking revolution is already here. The bank will know if it was really us who logged in to the service.

In an era of increasing cyberattacks on customers of financial institutions, banks are forced to invest in modern solutions to keep customers' money secure. One such solution is behavioral biometrics, which is being implemented by more and more entities. Bank Pekao recently took this step.


Years ago, one of the most effective tools for protecting customer funds in online banking was the traditional scratch card with one-time codes, used to confirm online transactions. Even if a thief obtained the login and password, they still couldn't withdraw the money without the one-time code. Later, scratch cards were replaced by text messages and mobile authentication.

Over the years, fraudsters' techniques have evolved, requiring the implementation of further security measures in online banking systems. One of these was behavioral biometrics. mBank was one of the first to implement this solution in 2018. Today, it is available in a growing number of banks, including ING, BNP Paribas, VeloBank, Credit Agricole, banks from the SGB Group, and, as of a few days ago, Bank Pekao. One of the providers of this service is the Credit Information Bureau (BIK), which offers a so-called sector-specific solution. In 2022, BIK acquired Digital Fingerprints, a company specializing in behavioral biometrics.

How does behavioral biometrics work?

This is an optional solution. Users who wish to enhance their account security must consent to the use of behavioral biometrics. If they choose to do so, the system will begin analyzing their behavior and remembering certain patterns. Based on this, it will create a profile, which will then be compared with current behavior during each interaction to verify that the person using the account is its rightful owner.

The system will therefore recognize whether an authorized user has logged in to the bank. It will check, among other things, the speed at which characters are typed on the keyboard. For example, the time it takes a human to move between distant keys (e.g., “A” and “O”) is typically longer than for a bot. It will analyze the movements of the hand operating a computer mouse. It will assess the speed, trajectories, clicking pattern, intensity of button use, and scrolling. In the case of smartphones, it will monitor how the phone is held, the pressure applied to the screen, the speed of scrolling, as well as the position and angle of the device.

All of this will happen in real time, as the system operates in the background, remaining unnoticed and requiring no additional actions from customers, such as entering PINs or passwords. If any suspicious behavior is detected, the system will react immediately, for example, by blocking the transaction or requiring additional identity verification.
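The profile-and-compare idea described above, reduced to one signal (the time between consecutive key presses), as an added example that is not code from any bank or from BIK. It uses a simple per-key-pair z-score in place of the AI models the article mentions; the function names, thresholds and sample timings are assumptions constructed for illustration.

```python
import statistics

def flights(events):
    """events: [(key, press_time_ms), ...] -> [(key pair, gap in ms), ...]"""
    return [(k1 + k2, t2 - t1) for (k1, t1), (k2, t2) in zip(events, events[1:])]

def build_profile(sessions):
    """Enrollment: per key pair, mean and standard deviation of the gap."""
    samples = {}
    for events in sessions:
        for pair, gap in flights(events):
            samples.setdefault(pair, []).append(gap)
    return {p: (statistics.mean(g), statistics.stdev(g))
            for p, g in samples.items() if len(g) >= 2}

def anomaly_score(profile, events):
    """Mean absolute z-score of this session's gaps against the profile."""
    zs = [abs(gap - profile[p][0]) / max(profile[p][1], 1.0)
          for p, gap in flights(events) if p in profile]
    return sum(zs) / len(zs) if zs else None

def looks_scripted(events, min_spread_ms=5.0):
    """Near-identical gaps regardless of key distance suggest automated input."""
    gaps = [gap for _, gap in flights(events)]
    return len(gaps) >= 3 and statistics.pstdev(gaps) < min_spread_ms

def decide(profile, events, threshold=3.0):
    """Map the checks to the reactions the article names (thresholds assumed)."""
    if looks_scripted(events):
        return "block"
    score = anomaly_score(profile, events)
    if score is None or score > threshold:
        return "step_up"   # require additional identity verification
    return "allow"

# Constructed sample data: the word "bank" typed in three enrollment sessions.
ENROLLMENT = [
    [("b", 0), ("a", 180), ("n", 300), ("k", 430)],
    [("b", 0), ("a", 190), ("n", 300), ("k", 440)],
    [("b", 0), ("a", 170), ("n", 300), ("k", 420)],
]
PROFILE = build_profile(ENROLLMENT)
OWNER = [("b", 0), ("a", 185), ("n", 300), ("k", 435)]     # close to profile
STRANGER = [("b", 0), ("a", 90), ("n", 260), ("k", 330)]   # different rhythm
SCRIPTED = [("b", 0), ("a", 20), ("n", 40), ("k", 60)]     # uniform gaps

if __name__ == "__main__":
    for name, s in [("owner", OWNER), ("stranger", STRANGER), ("scripted", SCRIPTED)]:
        print(name, anomaly_score(PROFILE, s), decide(PROFILE, s))
```

With only three enrollment sessions the standard deviations are narrow, which is one reason a freshly enrolled profile produces more false alarms than a mature one.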

Before the thief takes the money away

Behavioral biometrics works primarily as a preventative measure. The system can detect fraud attempts, prevent suspicious transactions, and block orders from being placed—before they are completed.

Behavioral biometrics solutions leverage artificial intelligence (AI). This technology allows for the analysis of vast amounts of data in real time and the near-instantaneous detection of patterns and anomalies. AI algorithms can instantly detect even subtle, unusual behaviors, such as a sudden change in typing speed, unusual mouse movements, or even a phone's lack of natural movement in space (which may indicate the presence of a bot).

“Positive pros, negative pros”

Despite its undeniable advantages, behavioral biometrics also has aspects that may worry users. Some are concerned about their privacy. However, it's worth remembering that the use of this solution is strictly regulated by law, particularly the General Data Protection Regulation (GDPR) and guidelines from Polish supervisory authorities, such as the Personal Data Protection Office (UODO) and the Polish Financial Supervision Authority (KNF).

However, a practical issue that can irritate users is false alarms triggered by the system. These can occur in the initial stages of implementation or after a change in user habits (e.g., using the smartphone with the other hand in the event of a fracture). Problems with behavioral biometrics can also arise when a married couple uses the same online account. In such cases, however, remember to use separate logins, as these two users have different behavioral patterns.

All indications, however, are that behavioral biometrics will become a permanent fixture in online banking systems. This is especially true given the banks' confidence in its effectiveness. There are forecasts that as many as half of Polish banks will begin using some form of behavioral biometrics by 2025. Further development and optimization of AI algorithms will support the development of this security solution.
