The Times - UK (2022-04-09)

the times | Saturday April 9 2022 57

Money



Your keyboard is watching you

Your bank’s anti-fraud software even knows how you hold your phone, George Nixon and David Byers write

Banks are ramping up use of technology to monitor your smartphone and computer in a bid to stop fraud.

The big high street names are partnering with tech companies that can register everything from the way you hold your mobile phone to how quickly you type in digits.

From the moment you go to the login screen of your online banking or open up your bank’s mobile app, software running in the background, helped by sensors built into smartphones, starts recording hundreds if not thousands of tiny patterns of your behaviour without you knowing.

The idea is that your very particular habits prove your identity as much as your thumbprint or your passwords.

What your typing says about you

How quickly you type, whether you use autofill to enter passwords or copy and paste your details and the way you scroll up and down are all habits that build up a unique picture of you.

This is called behavioural biometrics and, coupled with other data such as your location, when you log in and what device you use, can be used to differentiate you from a fraudster trying to break into your bank account or make a purchase using your details.
How much you wiggle your mouse while waiting for a page to load, the angle at which you hold your phone and even how hard you press on the touchscreen can all be used to create a profile of how you behave.

If your behaviour suddenly changes — for example, you log in from a strange place or you suddenly take longer to type — it could signal to your bank that something’s amiss and lead to it asking you for extra details to verify your identity.

First Direct customers approving an online purchase using a code sent to them by text have recently been asked to type in their email address too. The bank does not really care what customers type — it could be “Mickey Mouse” — the important thing is how they do it.

Their keystrokes, whether they use autofill or copy and paste and how long they take to type out the address will be logged for three months and compared with other entries.

Even a six-digit code can say a lot

Almost every online purchase over £30 now requires a second form of authentication, and that is often a code sent by text or through an app.

A problem for banks has been fraudsters intercepting these codes. As a result the banks now monitor how you enter them, such as whether you paste them in or use autofill. It is likely that a fraudster would enter the code differently because they would not have your phone and would need to copy the code from elsewhere so take longer.

How banks spot the criminals

Your habits are important. Most of us do not spend hours and hours on bank websites. One head of fraud for a high street bank said: “How many current accounts do you apply for in your life? Most normal people wouldn’t do that more than a handful of times, so if we can see someone who is very adept at using the system it’s a tell-tale sign they’re up to no good.”

If a fraudster is inputting someone else’s details they will tend to slow down if they need to double check the email address or the surname of the person whose account it is.

“We watch how people type in their surname. Because everyone knows their name, you wouldn’t expect people to hesitate to check how it is spelt — but we do see that with applications we suspect are fraudulent,” a banking source said.

Liz Ziegler, Lloyds Bank’s fraud and financial crime director, said: “The difficulty in spotting scams is that most often, the genuine customer will be logged into their account and will be tricked into authorising the transaction themselves. Use of biometrics and behavioural analysis has become a crucial layer in our defence, looking for the slightest sign a customer might be acting under duress.”

Tell-tale signs could include a longer amount of time spent on a webpage or app screen than usual or in entering details such as the bank account name, making aimless mouse movements or scrolling while waiting for instructions.

Combined with a transaction far larger than you would usually make to an account you have never sent money to, this should be enough to trigger the alarm and have the bank or the police contact you to stop you.

Who is behind the technology?

BioCatch is one of the companies. It was founded in Israel in 2011 and works with American Express, Barclays and NatWest. Its website says that it protects 200 million people worldwide and prevents six million incidents of fraud a year, and helped one “top five UK bank” to save £500,000 a month in fraud losses. Another company, Callsign, founded in London in 2012 by the former Lloyds internet security employee Zia Hayat, works with banks including HSBC and Lloyds.

Mastercard bought the behavioural biometrics firm NuData in 2017.

Does it work?

Despite all the new technology bank customers still lose money to scams.

But there are some encouraging signs. For example banks have analysed how you speak to enable voice ID since 2016. Losses to telephone banking fraud have fallen from £13.1 million in the first half of that year to £7.3 million in the first half of last year.

But behavioural data isn’t a silver bullet, and it could even be set off if you’ve broken your finger and have to use your weaker hand or are on the phone to a friend while logging into online banking or confirming a purchase.

“The reality is that behavioural biometrics will not work every time,” LexisNexis, a data company, said.

The collection of all these data raises questions about privacy, especially when so much of it is done without your knowledge. You have no say in the matter because banks have a public interest justification for collecting your data without consent if they can prove it is to prevent fraud.

Jon Baines, a data protection specialist at law firm Mishcon de Reya, said: “The data protection regulator has said that they need to be sure it is proportionate to do so, and ensure they collect only the minimum data necessary.”

Callsign said it only kept behavioural data at certain times, such as when a customer was logging in. It said things such as your name, age or home address were not collected.

Michelle Stevens from the financial research site Finder said: “It is understandable that consumers are wary of their biometric data being used and shared so much, but this era has already begun and feels unavoidable now.”


‘Bank’s fees would have paid for a child’s education’

Gillie Nicholls wants to close her charity’s HSBC account in protest at its fees, but is struggling to find somewhere that will take the group (George Nixon writes).

In August HSBC started charging small community groups and charities £5 a month to hold an account, plus extra fees for cashing in cheques and other services. Since then many other banks have closed to switches, leaving groups stranded.

Nicholls, 62, from Guildford, Surrey, has run Les Amis Burkina Faso, which raises money to fund projects in the west African country, from her kitchen table with her husband and her friend Judith since 2007.

She needed a charity account to hold the £15,000 she raised in the first year and has been with HSBC since. She has raised thousands of pounds for causes such as a refuge for women who have escaped forced marriages.

Nicholls pays any costs of running the account, such as overseas payment fees, out of her own pocket, so 100 per cent of donations go to the charity’s causes.

Since HSBC brought in the charges, her costs have gone up. In 2020-21 she paid about £36 a month. Last month she was billed £45.18 for account fees, depositing cash and cheques and sending money overseas.

Most donations come by bank transfer but many benefactors are elderly and prefer to pay by cash or cheque. She said: “I don’t understand why I have to pay to pay in money. Nobody at the charity gets paid. That £45 would have paid for a young child’s education for a year — that’s what they have robbed us of.”

In a letter to HSBC’s UK chief executive, Ian Stuart, in February, Nicholls said: “I work part-time in a school office, taking home just over £800 a month. Your new policy of charging us for every deposit of cash and cheques means that I am going to be considerably worse off.

“This charity is not a business. I pay myself nothing; people help me for nothing; we give up our own time and money to make a big difference.”

She is yet to receive a response to this letter or to a follow-up on March 1. She would switch but said that none of the other banks would have the charity because they were “terrified of anything to do with west Africa”.

HSBC closed our charity account, page 59


Gillie Nicholls, right, on a visit to Burkina Faso for her charity in 2018. She is furious at the new charges levied by HSBC
