Computerworld

IBM patents fraudster detection technology for websites, mobile apps

IBM researchers have developed a technique that website operators, cloud service providers and mobile application developers could use to spot a fraudster who has stolen an account holder's credentials.

The patented technology builds a profile on each person using a site or app based on his navigation habits recorded through the browser. Metrics are collected through the computer mouse and keyboard and the touchscreen on a tablet or smartphone.

"Everyone has a distinct way, at a very subconscious level, of interacting with the browser," Keith Walker, an IBM master inventor, said Tuesday.

Details gathered to increase the accuracy of correctly identifying people include how long they hover over a link or button before clicking and whether they scroll through pages using a touchpad, mouse or page up and page down keys.

Mouse movements alone can be distinctive. Some people will move directly to objects to click, while others will do the "digital equivalent of doodling," Walker said.

"They'll just randomly move their mouse around for no apparent reason," he said.

The researchers found they could build a profile in roughly 15 minutes in one session or over several sessions. The prototype system used to test the technique had 100 percent accuracy for the 20 people used in the research.

"In a large scale, it (accuracy rate) would not be 100 percent," Walker said. "It would be less, but it would be very, very high."

Walker and his colleague Brian O'Connell built a client-side app using AJAX, which stands for asynchronous JavaScript and XML. The group of interrelated Web development techniques is used to build apps that run in the browser and can send and retrieve data from a server. AJAX apps load automatically and do not require a plugin.

The analytical software that would compare activity to an account holder's profile could be on the web server or somewhere else on the network. If the percentage of matching activity fell below a pre-configured threshold, then the site could ask for the answer to a security question or perform some other type of authentication.

The sensitivity of the trigger would depend on the transaction. For example, a banking site could require near 100 percent identification of the user for transfers involving large amounts of money.

IBM has received a patent for the technology, called a "user-browser interaction-based fraud detection system." The invention is not meant to replace user names and passwords, but rather to catch fraudsters before they cause much damage.

The system would be useful on any eCommerce site or cloud-based service where sensitive user information is stored, such as credit card numbers, bank account information or personal data like home and email addresses and date of birth.

While there's no timetable for bringing the invention to market, Walker believes it would be a good fit for IBM's Trusteer Pinpoint, which watches for traffic anomalies that would indicate malware on devices connecting to a corporate network.

"We're actively talking to the Trusteer people," O'Connell said.

Security is an area IBM has said it will target as part of its strategy for reversing a string of quarterly revenue declines, due in part to slowing hardware sales. Other growth areas on IBM's radar include cloud services and big data analytics.