IBM researchers have developed a technique that website operators, cloud service providers and mobile application developers could use to spot a fraudster who has stolen an account holder's credentials.
The patented technology builds a profile on each person using a site or app based on his navigation habits recorded through the browser. Metrics are collected through the computer mouse and keyboard and the touchscreen on a tablet or smartphone.
"Everyone has a distinct way, at a very subconscious level, of interacting with the browser," Keith Walker, an IBM master inventor, said Tuesday.
Details gathered to identify people more accurately include how long they hover over a link or button before clicking and whether they scroll through pages using a touchpad, a mouse or the Page Up and Page Down keys.
Mouse movements alone can be distinctive. Some people will move directly to objects to click, while others will do the "digital equivalent of doodling," Walker said.
"They'll just randomly move their mouse around for no apparent reason," he said.
The researchers found they could build a profile in roughly 15 minutes in one session or over several sessions. The prototype system used to test the technique had 100 percent accuracy for the 20 people used in the research.
"In a large scale, it (accuracy rate) would not be 100 percent," Walker said. "It would be less, but it would be very, very high."
The analytical software that would compare activity to an account holder's profile could be on the web server or somewhere else on the network. If the percentage of matching activity fell below a pre-configured threshold, then the site could ask for the answer to a security question or perform some other type of authentication.
The sensitivity of the trigger would depend on the transaction. For example, a banking site could require near 100 percent identification of the user for transfers involving large amounts of money.
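The threshold check described in the two paragraphs above, as an added Python example; it is not IBM's patented method or code from the article. The three features, the tolerance bands, the sample events and the per-transaction threshold values are all assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed events: (hover_ms before click, scroll input, path_ratio), where
# path_ratio = distance the pointer travelled / straight-line distance to target.
ENROLLED = [(420, "touchpad", 1.1), (390, "touchpad", 1.2), (450, "touchpad", 1.1),
            (410, "keys", 1.3), (400, "touchpad", 1.2), (435, "touchpad", 1.1)]
OWNER_SESSION = [(430, "touchpad", 1.2), (405, "touchpad", 1.1), (415, "keys", 1.3),
                 (600, "touchpad", 1.2), (398, "touchpad", 1.15)]
OTHER_SESSION = [(150, "mouse", 3.4), (180, "mouse", 2.8),
                 (410, "mouse", 1.2), (160, "mouse", 4.0)]

# Hypothetical thresholds: percent of session events that must match the profile.
THRESHOLDS = {"view_balance": 60.0, "small_payment": 80.0, "large_transfer": 95.0}

def band(values, k):
    """Tolerance band of k sample standard deviations around the mean."""
    m, s = mean(values), stdev(values)
    return (m - k * s, m + k * s)

def build_profile(events, k=3.0):
    """Summarise enrollment events as numeric bands plus the scroll inputs seen."""
    return {"hover": band([e[0] for e in events], k),
            "ratio": band([e[2] for e in events], k),
            "scroll": {e[1] for e in events}}

def event_matches(profile, event):
    hover, scroll, ratio = event
    (lo_h, hi_h), (lo_r, hi_r) = profile["hover"], profile["ratio"]
    return lo_h <= hover <= hi_h and lo_r <= ratio <= hi_r and scroll in profile["scroll"]

def match_percent(profile, session):
    if not session:
        return 0.0  # no behavioural evidence: treat as unmatched
    return 100.0 * sum(event_matches(profile, e) for e in session) / len(session)

def decide(profile, session, transaction):
    """Return 'allow', or 'step_up' to request a security question or other check."""
    # Unknown transaction types fall back to the strictest threshold (fail closed).
    threshold = THRESHOLDS.get(transaction, max(THRESHOLDS.values()))
    return "allow" if match_percent(profile, session) >= threshold else "step_up"

if __name__ == "__main__":
    profile = build_profile(ENROLLED)
    for name, session in (("owner", OWNER_SESSION), ("other", OTHER_SESSION)):
        for tx in THRESHOLDS:
            print(name, tx, match_percent(profile, session), decide(profile, session, tx))
```

The same session that clears a small payment is challenged on a large transfer, which is the transaction-dependent sensitivity the article describes.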
IBM has received a patent for the technology, called a "user-browser interaction-based fraud detection system." The invention is not meant to replace user names and passwords, but rather to catch fraudsters before they cause much damage.
The system would be useful on any eCommerce site or cloud-based service where sensitive user information is stored, such as credit card numbers, bank account information or personal data like home and email addresses and date of birth.