I learned that several large banks, and some household-name online retailers, are using this kind of software. Almost none would go on the record about it. I kept asking: Why not? If this is such a great security tool, shouldn’t you tout it?
Of the two dozen analysts, entrepreneurs, security experts and banking executives I spoke with during my reporting, only a handful were willing to be named. Most financial companies cited internal policies of never talking publicly about specific security measures. The more information you make public about your defenses, the theory goes, the easier it is for bad actors to evade them.
But a few also admitted that they didn’t want their customers to be creeped out. The idea of companies watching how we type and tap is unnerving. One retailer I often shop at uses behavioral trackers, I found out. Now, when I’m scrolling through shoes and tossing them into my shopping cart, I have a jarring mental image of computers silently recording my clicks, pauses, mouse swoops and typos.
We’re still in the early days of this kind of surveillance. Right now, it’s largely the province of banks and large retailers — companies with a strong financial motive to identify and block digital thieves.
The scale of the problem they face is staggering. Shuman Ghosemajumder, the chief technology officer at Shape Security, which makes fraud-blocking software, said he knew of one high-end retailer that had a 99 percent attack rate last year on its login page. Only one in 100 visitors was a legitimate shopper; the rest were criminals trying to break into those customers’ accounts.
Soon, though, this kind of technology could be used much more broadly.
Google experimented a few years ago with eliminating passwords entirely on Android phones and instead using a mix of physical and behavioral biometrics to identify users. (A company spokesman wouldn’t comment on what became of that project.) Darpa, the Pentagon’s research agency, has tested it out for protecting workstations and devices.
There are lots of good arguments for highly personalized security authentication. As giant data breaches like those at Yahoo and Equifax remind us far too often, keeping our personal information secret has become impossible. No one wants to log into one of their online shopping accounts and discover that a thief has gained access and gone on a spending spree.