
Behavior is the New Credential

Towards Data Science | by Brandon Janes | April 6, 2026 | 1 min read

We are living through a paradigm shift in how we prove we are who we say we are online. Instead of asking “What do you know?” (password, PIN, mother’s maiden name) or “What do you look like?” (Face ID, fingerprint), the question has become “How do you behave?” The post Behavior is the New Credential appeared first on Towards Data Science.


Generative AI and advancements in malware technology such as RATs (Remote Access Trojans) have enabled cybercriminals to scale attacks and even bypass security measures like Face ID or MFA, once considered bulletproof.

Behavioral biometrics analysis is now becoming standard practice at banks, which are liable for covering losses from cybercrimes unless the security measures they put in place meet the challenges of these new attack surfaces.

Computational Motor Control Theory

Scroll strokes recorded by eight different users | source: U.C. Berkeley “Touchalytics”

When you scroll through a dropdown menu or drag a slider on your phone, your brain is executing an intricate feedback loop, correcting imperceptible errors in the path as you travel each unconscious millimeter and millisecond of the gesture.

In its infancy, behavioral biometrics sought to differentiate human behavior from bot behavior. Researchers soon discovered that the same technology could also be applied to distinguishing one human’s behavior from the behavior of another human.

Computational motor control theory, a multidisciplinary field that combines neuroscience with biomechanics and computer science, provides researchers with the framework for understanding the most discriminating features of human behavior.

Research shows that what we think of as “robotic” – these unconscious neural corrections – is actually what makes a person’s behavioral profile so impossible to recreate. A 2012 study at the University of California at Berkeley called Touchalytics, which analyzed scroll patterns across 41 participants as they sifted through text and images on their smartphones, proved that after only 11 scroll strokes behavioral models could identify a specific user from the group without error.

Digital Tells

The Berkeley study identifies 30 behavioral features unique to each user’s scrolling habits, including stroke length, trajectory, velocity, direction, curvature and inter-stroke time; even the area of the finger each participant used was found to be unique. For example, some users stop completely when lifting their finger at the end of a scroll stroke. Others lift while the finger is still moving in what the scientists call the “ballistic” scroll.

Geometric features of a stroke | source: U.C. Berkeley “Touchalytics”
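To make the feature list above concrete, here is an added example (not code from the article or from the Touchalytics study) that derives a few such features from raw touch samples. The feature definitions, the function names and the three sample strokes are assumptions constructed for illustration.

```python
import math

def stroke_features(points):
    """points: [(x_px, y_px, t_sec), ...] samples of one stroke, in time order."""
    (x0, y0, t0), (x1, y1, t1) = points[0], points[-1]
    chord = math.hypot(x1 - x0, y1 - y0)          # end-to-end distance
    if len(points) < 2 or chord == 0:
        raise ValueError("a tap, not a stroke")
    path = sum(math.hypot(b[0] - a[0], b[1] - a[1])
               for a, b in zip(points, points[1:]))
    # Largest perpendicular distance of any sample from the end-to-end line.
    dev = max(abs((x1 - x0) * (y0 - y) - (x0 - x) * (y1 - y0))
              for x, y, _ in points) / chord
    # Speed over the final sample interval: near zero if the finger stopped
    # before lifting, high for a "ballistic" lift-off.
    (xa, ya, ta), (xb, yb, tb) = points[-2], points[-1]
    return {
        "length": path,
        "direction_deg": math.degrees(math.atan2(y1 - y0, x1 - x0)),
        "mean_velocity": path / (t1 - t0),
        "straightness": chord / path,             # 1.0 = perfectly straight
        "max_deviation": dev,
        "lift_velocity": math.hypot(xb - xa, yb - ya) / (tb - ta),
    }

def inter_stroke_time(prev_stroke, next_stroke):
    """Pause between lifting the finger and touching down again."""
    return next_stroke[0][2] - prev_stroke[-1][2]

# Constructed sample strokes (not data from the study): upward scrolls,
# coordinates in pixels, timestamps in seconds.
STOPPING = [(100, 800, 0.00), (112, 720, 0.05), (118, 670, 0.10),
            (120, 650, 0.15), (120, 648, 0.20)]
BALLISTIC = [(100, 800, 0.90), (104, 760, 0.95), (107, 700, 1.00),
             (109, 620, 1.05), (110, 520, 1.10)]
# Perfectly straight, constant speed: the kind of path a script produces.
SCRIPTED = [(100, 800, 2.0), (100, 700, 2.1), (100, 600, 2.2), (100, 500, 2.3)]

if __name__ == "__main__":
    for name, s in (("stopping", STOPPING), ("ballistic", BALLISTIC),
                    ("scripted", SCRIPTED)):
        print(name, {k: round(v, 2) for k, v in stroke_features(s).items()})
    print("pause (s):", round(inter_stroke_time(STOPPING, BALLISTIC), 2))
```

The stopping and ballistic strokes differ mainly in `lift_velocity`, while the scripted stroke stands out through a `straightness` of exactly 1.0 and zero deviation.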

But behavioral intelligence reaches far beyond scrolling. Typing rhythms, field navigation, even the imperceptible shifts in how a user holds their phone discriminate one user from the next.

The AI Arms Race

Certain behavioral signals, taken in isolation, can help banks spot obvious fraud. A device found to be upside down during a transaction, for example, is a major red flag. Superhuman typing speeds, impossibly straight cursor movements, or devices initiating a transaction while in lock screen mode can also sound the alarm.

However, behavioral biometrics systems are much more than rule-based systems. Using linear algebra and statistics, AI models can combine highly nuanced human-computer interface signals to create user-specific models that continuously authenticate a user, even after they have passed through the point-in-time gateways, like logins or Face ID.

At the AppGate Center of AI Excellence — where I work as a machine learning engineer — we train user-specific behavioral models based on cell phone sensor data. These models enable us to provide live analysis of whether the movements on your device, or any device logged into your bank account, are actually you.

Our user-specific anomaly detection models, combined with global, rule-based signals, help banks protect against Account Takeover (ATO) and Device Takeover (DTO) attacks. In many cases, behavioral models offer better protection than traditional biometric markers, such as fingerprints or facial recognition technology.

Cyber Supply Chain

The elderly are by far the most common victims of Account Takeover (ATO) or identity fraud. The traditional attack is usually a multi-step, multi-entity operation. It often starts with a phishing URL or with social engineering (well-researched psychological manipulation over the phone), through which criminals harvest a victim’s credentials and sell them to a different criminal organization or organizations on vast dark web marketplaces, such as the notorious Genesis Market, a dark web forum that hosted more than 80 million credentials stolen from more than 2 million people.

Screenshot of the surface web homepage of Genesis Market after FBI takeover, April 2023 | Source: Wikipedia

These digital fingerprints are exchanged in the marketplace like a common commodity, often changing hands several times before reaching the developer or bot that actually attempts to hack into your account. This complex supply chain makes it much harder for authorities to catch the culprit or culprits once fraud has been reported.

In a common ATO, criminals bypass the point-in-time authentication (login) from a separate device, usually unknown to the bank. The standard cybersecurity measures used by most banks leverage some form of device intelligence, OTPs, MFA or other device verification to stop such an attack. But new, scarier trends are emerging in which criminals can render even these methods obsolete.

Emerging attack surfaces

Today malware exists that can intercept online forms, remotely log keys as you type, and even hack directly into your phone to intercept MFAs in what is called Device Takeover (DTO), ATO’s terrifying cousin. And with the rise of generative AI, the fear that cybercriminals are only getting started is coming true.

For example, a deepfake tool used in the cybercrime world called ProKYC allows threat actors to beat two-factor authentication, facial recognition and even live verification checks using deepfake videos. A notorious RAT (Remote Access Trojan) called BingoMod, distributed via smishing (SMS phishing URLs), masquerades as a legitimate anti-virus application on Android phones, leveraging permissions on the device that allow a remote threat actor to quietly steal sensitive information, such as credentials and SMS messages, and execute money transfers originating from within the infected phone.

Once the device has been compromised, all of the bank’s traditional forms of verification are under the full control of the attacker. From the bank’s perspective, the device fingerprint is correct, the IP address is correct, and MFA codes and authenticator apps all line up. Due to the rise of social engineering, even security questions, such as your mother’s maiden name, provide little comfort.

This implies that the only safeguard against cybercrime is the authenticity of an individual’s human behavior.

Continuous authentication, fewer interruptions

Growing sophistication in cyberattacks, and in turn more sophisticated cybersecurity, has led to one positive outcome for online banking customers: better user experiences.

Since behavioral models can authenticate users continuously, the need to constantly send MFA or OTPs decreases and a legitimate banking session actually goes much more smoothly for customers.

Behavioral biometrics systems enable fewer interruptions of user experiences while providing more security. | Source: Marlene Rodriguez

The product I currently work on, which is called 360 Risk Control, fuses together signals from bot detection, device intelligence, desktop behavioral biometrics models and mobile device behavioral biometrics into a single continuous risk assessment analysis that runs throughout every banking session, long after the point-in-time authentication (e.g. login, Face ID).

When risk signals spike, the system can escalate authentication, request additional verification, or even halt the transaction entirely. But when behavior matches the user’s established profile, the session continues seamlessly.
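The following added example (not the author's product code) sketches how a user-specific model, the global rule-based signals from "The AI Arms Race" and the escalation described above can fit together in one session loop. The per-feature z-score model is a deliberately simple stand-in for the trained models the article mentions; the thresholds, the smoothing factor, the field names and the sample data are all assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def enroll(strokes):
    """User profile: (mean, std dev) of each feature over the owner's strokes."""
    return {f: (mean([s[f] for s in strokes]), pstdev([s[f] for s in strokes]))
            for f in strokes[0]}

def anomaly(profile, stroke):
    """Root-mean-square z-score of one stroke against the profile (0 = typical)."""
    z2 = [((stroke[f] - m) / max(sd, 1e-9)) ** 2
          for f, (m, sd) in profile.items()]
    return (sum(z2) / len(z2)) ** 0.5

def assess_session(profile, events, alpha=0.5, step_up=2.0, halt=4.0):
    """Return one action per event: 'allow', 'step_up' or 'halt'."""
    risk, actions = 0.0, []
    for ev in events:
        # Global rule-based signals override the user model.
        if ev.get("screen_locked") or ev.get("upside_down"):
            actions.append("halt")
            continue
        # Exponentially weighted risk: recent strokes count most, so sustained
        # deviation escalates further than a single odd stroke.
        risk = alpha * anomaly(profile, ev) + (1 - alpha) * risk
        actions.append("halt" if risk >= halt else
                       "step_up" if risk >= step_up else "allow")
    return actions

def _stroke(v, lift, dev):
    return {"mean_velocity": v, "lift_velocity": lift, "max_deviation": dev}

# Constructed enrollment strokes for the account owner (px/s, px/s, px).
OWNER = [_stroke(900, 30, 1.0), _stroke(1100, 50, 2.0),
         _stroke(900, 30, 2.0), _stroke(1100, 50, 1.0)]
# Constructed session: two owner-like strokes, two strokes from a different
# operator, then a transaction event raised while the screen is locked.
SESSION = [_stroke(1000, 40, 1.5), _stroke(1100, 50, 2.0),
           _stroke(1600, 100, 4.5), _stroke(1600, 100, 4.5),
           {"screen_locked": True}]

if __name__ == "__main__":
    print(assess_session(enroll(OWNER), SESSION))
```

With these constructed values the session moves from `allow` through `step_up` to `halt` as the unfamiliar strokes accumulate, and the locked-screen event halts regardless of the behavioral score.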

In this way, behavioral biometrics represents a sea change, from active (users are required to do something) to passive (natural behavior becomes the credential), from point-in-time authentication to continuous authentication, from fragmented user experiences to intrinsic and safe user workflows.

Further Reading:

“Touchalytics” – https://arxiv.org/pdf/1207.6231

“ProKYC” – https://www.catonetworks.com/blog/prokyc-selling-deepfake-tool-for-account-fraud-attacks/

“BingoMod” – https://www.cleafy.com/cleafy-labs/bingomod-the-new-android-rat-that-steals-money-and-wipes-data

FBI Internet Crime Report – https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
