ethical data processing, continuous authentication and … · 2019-04-15 · acquire information on...

Ethical Data Processing, Continuous Authentication and Behavioural Biometrics Mateusz Chrobok CEO [email protected] +48 514 579 805 with help of


TRANSCRIPT

Page 1: Ethical Data Processing, Continuous Authentication and … · 2019-04-15 · acquire information on how you do things not what you do. For example, keyboard – we look at the way

Ethical Data Processing, Continuous Authentication

and Behavioural Biometrics

Mateusz Chrobok, CEO, [email protected], +48 514 579 805, with help of

Page 2

Problem: Authentication

Account Take Over (ATO): if any user suffers identity theft, account takeover is the next step to worry about.

Session Take Over (STO): cybercriminals perform man-in-the-middle attacks and steal the information that is used to authenticate the user.

Stolen credentials: sticky notes, reusing the same password or using simple passwords across multiple services sooner or later end in credential compromise.

Friendly fraud: an uphill battle even for the best-equipped organisations, as it is very difficult to detect, especially under PSD2 regulations.

Page 3

Trying to get all data

For their security measures, service owners acquire a lot of data, such as:
• IP addresses
• Geolocation
• Device fingerprinting
• Browser fingerprinting
• Personally Identifiable Information (PII)

Page 4

Overkill for inference

Feed the data to machine learning to get predictions.

Result: inference based on forbidden signals:
- Race
- Ethnic origin
- Sex
- Other sensitive data (salary, age, social status)

EU: Racial Equality Directive; US: Civil Rights Act

Page 5

Misuse of data

To name one of many actors, Facebook:

• Used your phone number for more than security (advertising, retargeting).

• With Cambridge Analytica, created campaigns that influence people's choices.

• Sold user data to ad companies and others.

• Manipulated the emotions of its users for science.

Facebook's data use policy allows use “for internal operations, including troubleshooting, data analysis, testing, research and service improvement.”

Page 6

Law to the Rescue

People are mostly unaware. It is time to take measures to protect end users.

The EU introduced the GDPR, Singapore the PDPA and California the CCPA.

Page 7

A battle to provide business value with proper data protection

We are fighting to deliver business value while complying with data protection law.

Page 8

Behavioural Biometrics: Continuous authentication

Classic authentication verifies the user only during a single operation, such as logging in or sending a wire transfer. This is widely known as the “Doorkeeper Problem”: once past the door, the rest of the session is trusted without further checks.

Continuous authentication starts protecting you before the moment of login and finishes at the end of the session. With that approach it is possible to react to Session Takeover and Account Takeover attacks while the session is still live.

Page 9

How it works

1. Anonymised behavioural biometrics (HCI) data is collected.
2. Machine learning models are iteratively created for each user.
3. The user is continuously scored against the models while using the app.
4. The Security Operations Centre is notified in real time when the user's behaviour does not match.

Page 10

Behavioural Biometrics: Data anonymisation

Digital Fingerprints anonymises the data from your interaction with a computer. We only acquire information on how you do things, not what you do. For the keyboard, for example, we look at the way you type and how often you use manipulation keys such as Backspace, Return or Delete. We are compliant with GDPR requirements for opt-in and opt-out. We fully respect the right to be forgotten and delete the data of users who wish so.
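The four steps of "How it works" and the keyboard example on this slide, as an added worked example that is not part of the original deck and not Digital Fingerprints' product code: a toy keystroke-dynamics scorer that keeps only timing and manipulation-key usage (never which letters were typed), fits a per-user baseline from enrolment sessions, scores a live session and flags it for the SOC. The event format, the three features, the z-score model, the alert threshold and the sample sessions are all illustrative assumptions made here.

```python
"""Added example (not from the deck): minimal keystroke-dynamics pipeline -
collect anonymised HCI data, build a per-user model, score each live
session, alert the SOC on a mismatch.  Event format, features, z-score
model and threshold are illustrative assumptions, not a vendor's method."""
from dataclasses import dataclass
from statistics import mean, pstdev
import math

# Editing ("manipulation") keys are the only key identities retained; the
# deck names Backspace, Return and Delete.  Every other key becomes "char".
MANIPULATION_KEYS = frozenset({"Backspace", "Delete", "Enter"})
ALERT_THRESHOLD = 3.0   # assumed: RMS z-score above which the SOC is paged


@dataclass(frozen=True)
class KeyEvent:
    key: str       # key name as the client reports it, e.g. "a" or "Backspace"
    down_ms: int   # key-down timestamp, milliseconds
    up_ms: int     # key-up timestamp, milliseconds


def anonymise(events):
    """Keep *how* the user types, not *what*: timings survive, printable key
    identities are collapsed to the single class "char" before storage."""
    return [KeyEvent(e.key if e.key in MANIPULATION_KEYS else "char",
                     e.down_ms, e.up_ms) for e in events]


def extract_features(events):
    """Session feature vector: mean hold (dwell) time, mean gap (flight) time
    between consecutive keys, and the share of manipulation keys."""
    if len(events) < 2:
        raise ValueError("need at least two key events")
    dwell = [e.up_ms - e.down_ms for e in events]
    flight = [b.down_ms - a.up_ms for a, b in zip(events, events[1:])]
    manip = sum(e.key in MANIPULATION_KEYS for e in events) / len(events)
    return {"dwell_ms": mean(dwell), "flight_ms": mean(flight), "manip_ratio": manip}


def build_model(sessions):
    """Per-user model: (mean, std) of each feature over past sessions; rebuilt
    as sessions accumulate.  The std is floored at 5% of the mean so a few
    near-identical sessions do not make every later deviation look anomalous."""
    vectors = [extract_features(anonymise(s)) for s in sessions]
    model = {}
    for name in vectors[0]:
        values = [v[name] for v in vectors]
        mu = mean(values)
        model[name] = (mu, max(pstdev(values), 0.05 * abs(mu), 1e-9))
    return model


def score(model, live_events):
    """Distance of a live session from the model: RMS of per-feature z-scores."""
    feats = extract_features(anonymise(live_events))
    z = [(feats[n] - mu) / sd for n, (mu, sd) in model.items()]
    return math.sqrt(sum(v * v for v in z) / len(z))


def evaluate(model, live_events, threshold=ALERT_THRESHOLD):
    """Return (score, alert); alert=True stands in for the real-time SOC notification."""
    s = score(model, live_events)
    return s, s > threshold


def make_session(n, dwell_ms, flight_ms, manip_every):
    """Constructed sample telemetry (not real data): n keystrokes with the given
    average hold and gap, a Backspace every `manip_every` strokes (0 = never),
    plus a small deterministic jitter so sessions are not identical."""
    events, t = [], 0
    for i in range(n):
        jitter = (i * 7) % 11 - 5                      # -5..+5 ms on the hold
        key = ("Backspace" if manip_every and i % manip_every == manip_every - 1
               else chr(97 + i % 26))                  # a..z, collapsed by anonymise()
        events.append(KeyEvent(key, t, t + dwell_ms + jitter))
        t += dwell_ms + flight_ms                      # steady rhythm; gap absorbs jitter
    return events


# Five enrolment sessions of the legitimate user (constructed).
TRAINING = [make_session(60, 100, 150, 10), make_session(60, 105, 145, 9),
            make_session(60, 98, 155, 11), make_session(60, 102, 150, 12),
            make_session(60, 100, 148, 8)]

if __name__ == "__main__":
    model = build_model(TRAINING)
    for label, session in [("same user", make_session(60, 101, 151, 10)),
                           ("fast, never corrects", make_session(60, 60, 80, 0)),
                           ("same speed, never corrects", make_session(60, 100, 150, 0))]:
        s, alert = evaluate(model, session)
        print(f"{label:28s} score={s:5.2f} alert={alert}")
```

The third case is the instructive one: an impostor who matches the user's typing speed but never uses Backspace is still flagged, because the manipulation-key ratio alone sits far outside the baseline. Nothing about the typed text is ever stored, which is what lets the data be kept under the opt-in/opt-out and erasure obligations described above.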

Page 11

Classical biometrics

PIN, face recognition, fingerprints, iris recognition

Disadvantages:
- Difficult to change the traits
- Sometimes easy to crack
- Does not always work
- Only works at the moment of authentication
- Possible to spoof in some cases

Page 12

Behavioural Biometrics: Final effect

Behavioural biometrics continuous authentication gives:
- Fraud detection
- Account takeover protection
- Protection against stolen credentials
- Session takeover protection

Happy users with fewer false positives

Page 13

Thanks for your time!

Stay secure by behaving the way you are

Mateusz Chrobok, [email protected], +48 514 579 805

All trademarks in this presentation are property of their respective owners.