A user's online actions and behaviors inside of a browser can help define who they are. That's the basis of a new patent from IBM researchers designed to help limit the risk of e-commerce fraud.
"At a high level, what we have patented is the ability to help prevent fraudulent transactions before they occur," IBM Master Inventor Brian O'Connell told eSecurityPlanet. "We look at a lot of Web browser metrics that we transmit to a server on the backend and before a transaction takes place. We compare the transaction to a profile based on previous interactions from the user with the website."
Twist on Two-factor Authentication
Based on an existing profile, it is possible to make a determination on whether or not the transaction is legitimate, O'Connell explained. The system is fundamentally a form of two-factor authentication for users, he added.
The user behavior that IBM examines involves a number of different attributes. Those attributes include how long a user typically hovers their mouse over a link before clicking it, how a user scrolls through a page, and whether they use the page-up/page-down keyboard buttons or just the mouse wheel.
"By measuring the attributes we are able to determine how likely a person is who they say they are," O'Connell said.
In a two-factor system, a user needs a second password (or factor) in order to gain access to a site or service. With IBM's invention, that second factor is the user's own browser behavior. In other forms of two-factor authentication, the user is typically aware of the factor being used, explained IBM Master Inventor Keith Walker.
"In this case, people are exhibiting behaviors as they interact with a Web page entirely subconsciously," Walker said.
Fraud detection systems have long leveraged anomalous behavior to help identify potential fraud. Noticing if a user is making a transaction from a different location than normal is a common fraud detection tactic today. The IBM patent is complementary to the traditional approach to fraud detection, Walker said.
More Patents on the Way
"In our patent we do reference current technology, so if a user is making a transaction and it's 3 a.m. and it's atypical for them, then that is an indication fraud might be going on," Walker said. "All this technology can work together."
Walker and O'Connell originally filed the patent for a "user-browser interaction-based fraud detection system" in April of 2006. U.S. Patent #8,650,080 was officially granted in February of this year, though IBM is only now officially announcing the patent. Walker noted that the time it takes for patents to be granted varies and is beyond his control. That said, he added that parts of the invention are now found inside IBM's Trusteer Pinpoint technology.
IBM has many more inventions that are patent pending to further mitigate the risks of online fraud. Walker noted that there is a patent in the system now related to fraud detection on mobile devices, for example.
"We took the concept of user behavior detection and thought through how to implement the invention in a keyboard-less touchscreen interface, where user behavior is very different than on a keyboard," Walker said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.