There’s endless talk these days about bots, both the kind used on Facebook to converse intelligently with users and the more malevolent type that is used to perform brute force attacks, web scraping and spam. The term actually refers to any automated tool or script that’s designed to perform a specific task, and clearly there are good bots and bad bots.
Attack of The Bots
The bad bots have been busy wreaking havoc through ever-evolving fraudulent attacks. Just recently, hackers used a bad bot dubbed GiftGhostBot to test a list of candidate gift card account numbers at a rate of 1.7 million numbers per hour. Once valid card numbers were identified, the attackers drained their balances for resale on the dark web. These attacks reportedly struck 1,000 websites. Last year, at least five major Russian banks, including the state-owned Sberbank, were hit by a wave of DDoS attacks over a two-day period. According to Kaspersky Lab, the longest attack lasted 12 hours, peaked at 660,000 requests per second, and came from a botnet of at least 24,000 hacked devices located in 30 countries.
How do bots do their evil deeds? They can be programmed to do most tasks a human can perform on a computer, provided the task can be broken down into specific, repeatable steps. Bots are used for all kinds of attacks, including data theft, brute force and credential stuffing, click fraud and form spam. More capable bots drive web pages directly, spamming forms or throwing password dictionaries at login fields, which makes them particularly threatening to ecommerce websites. Many try to mimic human behavior by pausing at random intervals and moving around a site rather than hammering a single endpoint.
All this has a lot of people worried, and the numbers explain why: according to RSA Research, account takeover fraud caused more than $2.3 billion in losses last year. It’s no wonder that some 70% of security professionals believe usernames and passwords provide insufficient security and will be phased out within the next few years.
Can Bots Mimic Human Behavior?
Here’s where behavioral biometrics comes to the rescue. Advanced bots running in headless browsers (web browsers without a graphical user interface) are more sophisticated than their predecessors, yet most are still detectable on desktops because they cannot fully mimic real human behavior: typing rhythm, mouse movement, shopping and browsing patterns, the way a user checks mail, the kinds of files they typically download, and more. A script can randomize its pauses, but it does not reproduce the specific, consistent habits of the real account holder.
In the meantime, bot attacks on mobile devices are gaining strength. Fraudsters now build apps that masquerade as legitimate ones while actually stealing account credentials. A smartphone without proper mobile antivirus protection can easily be compromised by malware and enrolled in a botnet. Once a bot has a foothold on your device, it can lie in wait until you log in to an app, then take over the session, copy your credentials, or even capture your fingerprint data (fingerprints are a static physical biometric, which is why they are not part of behavioral biometrics; we cover that distinction in a separate post).
This type of attack is only going to increase: according to the Cybercrime Report Q4 2016 from ThreatMetrix, 55% of all online transactions now come from mobile devices. A growing number of consumers are shifting to their convenient mobile phones for all sorts of high-risk financial transactions, including banking, and cyber attackers are eagerly following in their wake.
Behavioral Biometrics To The Rescue
Behavioral biometrics is an effective means of fighting fraudulent attacks on mobile devices as well. Here, too, the human factor prevails in thwarting automated bots. Even if a bot has invaded your device, every user has a unique way of holding and using it that a bot cannot emulate: each person grasps the device at a certain angle, applies a certain amount of pressure, swipes at a specific speed and has a personal typing rhythm. Finger size and touch pressure are distinctive, as is a signature. Because these signals are collected continuously while the device is in use, they distinguish human from non-human behavior automatically, without adding a step the user has to perform.
Furthermore, using machine learning, behavioral biometrics combines all of these criteria to analyze an individual’s personal way of operating his or her mobile device and build a unique user profile. Once this profile is established, the system compares each new session against it and can automatically identify and repel attempted account takeovers and fraudulent transactions, including sessions that are "too perfect" to be human as well as sessions that are human-like but belong to someone other than the account holder.
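To make the two ideas above concrete (bots cannot fully mimic a human's rhythm, and a per-user profile catches what a generic bot check misses), here is a deliberately small example that profiles one behavioral signal, keystroke timing. It is an added illustration written for this page; it is not SecuredTouch's code and does not reconstruct any patented method, and the thresholds, the 20% spread floor and all event timings are constructed assumptions chosen to make the logic visible.

```python
"""Toy behavioral-biometric check on typing rhythm.

Added example, not SecuredTouch's code and not a reconstruction of any
patented method. It shows the shape of the idea in the text: enrol a
user's typing rhythm into a profile, then reject sessions that are either
too regular to be human or too far from this user's profile. All event
data below is constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_EVENTS = 3             # need two flight times before a std-dev means anything
REGULARITY_FLOOR_MS = 2.0  # assumed cut-off: humans never hold/release with <2 ms jitter
PROFILE_STD_FLOOR = 0.2    # assumed: never trust a spread tighter than 20% of the mean
REJECT_Z = 2.0             # assumed: mean |z| above this is "not this user"


@dataclass(frozen=True)
class KeyEvent:
    key: str
    down_ms: int   # key-down time, ms since session start
    up_ms: int     # key-up time


def session_from_rhythm(keys, dwells, flights):
    """Build a constructed event list from dwell (hold) and flight (gap) times."""
    assert len(keys) == len(dwells) == len(flights) + 1
    events, t = [], 0
    for i, (k, d) in enumerate(zip(keys, dwells)):
        events.append(KeyEvent(k, t, t + d))
        if i < len(flights):
            t += d + flights[i]
    return events


def features(events):
    """(mean dwell, std dwell, mean flight, std flight), all in ms."""
    if len(events) < MIN_EVENTS:
        raise ValueError("session too short to profile")
    dwell = [e.up_ms - e.down_ms for e in events]
    flight = [n.down_ms - p.up_ms for p, n in zip(events, events[1:])]
    return (mean(dwell), pstdev(dwell), mean(flight), pstdev(flight))


def enrol(sessions):
    """Per-feature (mean, std) across enrolment sessions.

    With only a handful of sessions the observed spread is far too small,
    so the std is floored at PROFILE_STD_FLOOR of the mean (a tuning
    assumption, not a value from the page).
    """
    cols = list(zip(*(features(s) for s in sessions)))
    return [(mean(c), max(pstdev(c), PROFILE_STD_FLOOR * abs(mean(c)), 1.0)) for c in cols]


def classify(events, profile):
    """'accept', 'reject:machine-regular' or 'reject:profile-mismatch'."""
    f = features(events)
    # 1. Automation check: scripted replays have near-zero timing variance.
    if f[1] < REGULARITY_FLOOR_MS or f[3] < REGULARITY_FLOOR_MS:
        return "reject:machine-regular"
    # 2. Profile check: a bot that randomises its pauses passes (1) but
    #    still has to match this particular user's means and spreads.
    z = mean(abs(v - m) / s for v, (m, s) in zip(f, profile))
    return "accept" if z < REJECT_Z else "reject:profile-mismatch"


# --- constructed data (not real user measurements) --------------------------
KEYS = list("passwd")
ENROL = [
    session_from_rhythm(KEYS, [100, 90, 105, 95, 110, 98], [200, 250, 170, 300, 220]),
    session_from_rhythm(KEYS, [105, 95, 100, 110, 92, 104], [210, 230, 190, 280, 240]),
    session_from_rhythm(KEYS, [98, 102, 108, 93, 101, 99], [190, 260, 180, 310, 210]),
]
PROFILE = enrol(ENROL)

# Same user, new session: natural jitter around the enrolled rhythm.
HUMAN = session_from_rhythm(KEYS, [102, 96, 109, 94, 103, 100], [205, 245, 185, 290, 225])
# Credential-stuffing script replaying the password with fixed 50 ms timings.
REPLAY_BOT = session_from_rhythm(KEYS, [50] * 6, [50] * 5)
# "Smarter" bot that randomises pauses (as the text describes) but not to this user's rhythm.
JITTER_BOT = session_from_rhythm(KEYS, [60, 75, 55, 80, 65, 70], [900, 1300, 700, 1500, 1100])

if __name__ == "__main__":
    for name, s in [("human", HUMAN), ("replay bot", REPLAY_BOT), ("jitter bot", JITTER_BOT)]:
        print(f"{name:11s} -> {classify(s, PROFILE)}")
```

Two points worth noting from running it: the regularity check alone is enough for the naive replay bot, but the jittered bot only fails because it is measured against this user's profile rather than against "humans in general", which is the argument the text makes for per-user profiling. A real deployment would fuse many more signals (the page lists grip angle, pressure, swipe speed and sensor data) and would keep updating the profile, since a person's rhythm drifts over time and a profile frozen at enrolment slowly starts rejecting its own owner.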
SecuredTouch’s patented technology takes 100 physical behavior parameters, including those mentioned above and many others, and, using the gyroscope, accelerometer and other sensors already embedded in the mobile device, creates a unique profile that cannot be replicated by even the most sophisticated bot. It’s an epic battle, but people are prevailing over the bots precisely because of their one-of-a-kind human qualities.