Mouse jitters give away fraudsters
Fair Isaac studies user quirks to spot fraud
Online fraudsters might want to try some method acting classes before they attempt to log in to an online banking session using a stolen user name and password. New technology from Fair Isaac claims to be able to spot fishy Web sessions by, among other things, comparing mouse movements and typing mannerisms with those of the account holder.
The company announced its new multi-factor authentication product, Falcon One for Online Access, on Wednesday. The product uses neural network technology to monitor online transactions and learn customer behavior patterns. The product is targeted at U.S. banks, which are under pressure to implement guidance from the U.S. Federal Financial Institutions Examination Council (FFIEC), a cross-agency group, to find alternatives to simple username and password security for online bank accounts.
Falcon One works with other Fair Isaac anti-fraud technology as part of the company's EDM (Enterprise Decision Management) solution. It tracks online behavior, such as how a customer has used online banking in the past. That data is combined with analysis of the computer initiating an online transaction, said Ted Crooks, vice president of Global Fraud Solutions at Fair Isaac.
Like other anti-fraud companies, Fair Isaac notes the IP address an account holder typically uses for online banking and raises flags when a session is initiated from a new address. But the company digs deeper into the remote host, noting details such as the system clock setting and screen resolution to determine whether the machine is different from that used in prior sessions, Crooks said.
The software also monitors other characteristics of account holders, such as their style of typing and mouse movements, to determine whether the user attempting a transaction is the actual account holder. Characteristics such as the speed and character pattern with which account owners type, as well as whether they are a jittery or staid mouse user, are individual and nearly impossible to mimic, Crooks said.
The company also monitors traffic on outbound communications channels, noting how a customer links to an online banking session and whether there are delays in online session traffic that could signal a "man in the middle" attack, he said.
Despite the wealth of data gathered from online banking customers, Crooks said that Fair Isaac is sensitive to concerns about snooping. The Falcon One software combines back-end analysis with a Web browser plug-in that collects data without breaking the browser security model, or "sandbox," he said.
None of the data collected necessarily signals fraud. Instead, the company weighs the data to calculate a risk measurement for the online sessions. Banks can take that information and decide whether to change the course of a session. For example, users could be asked to enter an additional one-time password that is sent to their cell phone or a pre-approved e-mail address, Crooks said.
Online risk monitoring companies such as Fair Isaac, RSA Security, and Cyveillance have become more prominent in recent years, as online fraud has exploded. An April 2006 report by RSA Security found that online fraud is evolving, with phishing and pharming attacks "the most sophisticated, organized and innovative technological crime waves" facing online businesses.
Fraudsters have new tools at their disposal and are able to adapt more rapidly than ever, RSA said in its report.









