TSB - The Unique Way You Type!

ev51

Just read through and e-mail from TSB about authorising online payments using a one-time password from 28 January. Seemed OK until I got to:

“And to be extra secure…

It’s in all our interests to help combat fraud, so as an additional layer of security when you approve your purchase using a one-time password, you’ll also be asked for your email address at the point of purchase.

We won’t store your email, instead we’ll use biometric data analysis when you type in your one-time password and email as it recognises the unique way you type. So should anyone else try to use your debit or credit card to make an online purchase, we’ll be alerted to it because of the way they enter your details.”

Biometric data analysis? Anyone think this a step too far in the payment approval process / are other banks implementing this too?

RG2015

It's also on the following TSB page online. (Just page search "unique")

I cannot believe that I am the only person to type with two fingers at a rate of ten words per minute.

https://www.tsb.co.uk/fraud-prevention-centre/strong-customer-authentication/

Edit: I am getting old. It really is a thing known as typing DNA. 

Zanderman

When I read that post just now I assumed the email must be a hoax, as the 'unique way you type' angle seems ludicrous.

But no, it's on the TSB website here: https://www.tsb.co.uk/fraud-prevention-centre/strong-customer-authentication/ 

About 2/3 down the page.

I could, vaguely, understand it if the system was how you type on a mobile - as there will be some sort of pattern to that. 

But actually the context of the wording suggests this is a system TSB are planning for those without the app or access to a mobile.  In other words people using a keyboard on a computer.  Is it really possible to detect a pattern to how people type on a keyboard?  And if so is that pattern really constant enough to identify people?  I'd have thought not, especially if it's not your usual keyboard (I use, for instance, at least 4 pcs in two different households plus a laptop, a tablet and a phone regularly.  All of the pcs have subtly different styles of keyboard - soft keys, hard keys, differently angled etc)

Sounds very odd to me.

Edited to add: I certainly can't see how there would be a pattern to how I type OTPs as I usually cut and paste them, no typing at all.  And my wife often pastes her email address in situations where t has to be precise.  So TSB would have to disable any pasting.  

Molehusband

ev51 said:

Just read through and e-mail from TSB about authorising online payments using a one-time password from 28 January. Seemed OK until I got to:

“And to be extra secure…

It’s in all our interests to help combat fraud, so as an additional layer of security when you approve your purchase using a one-time password, you’ll also be asked for your email address at the point of purchase.

We won’t store your email, instead we’ll use biometric data analysis when you type in your one-time password and email as it recognises the unique way you type. So should anyone else try to use your debit or credit card to make an online purchase, we’ll be alerted to it because of the way they enter your details.”

Biometric data analysis? Anyone think this a step too far in the payment approval process / are other banks implementing this too?

I'm a customer of TSB and haven't received that email. Are they sending it to all customers or do I have to log in to obtain the information? I'm aware that they use a one time password which they send as text message but, like you, I am confused about their "the unique way you type" check. Do they give any clue as to how such a check works? For example, I sometimes type a wrong character and have to correct it, but not every time. So, if on my first pass through this check, they detect I mistype 2 characters, does it mean to say from then on for all online purchases I have to mistype 2 characters otherwise I will fail the "Biometric data analysis" and my transaction will be rejected?

EssexExile

I had it today in an email that wanted me to check they had the right phone numbers in readiness for sending the OTPs. It said log in to make sure they have the right numbers, to log in I had to get a OTP sent to my phone. How would that work if they didn't have the right number?

General_Grant

EssexExile said:

I had it today in an email that wanted me to check they had the right phone numbers in readiness for sending the OTPs. It said log in to make sure they have the right numbers, to log in I had to get a OTP sent to my phone. How would that work if they didn't have the right number?

I haven't visited the site since receiving the email which I have deleted but recall it mentioned that they could also send the code to a landline for those who don't have a mobile or would find it difficult to use.  So if you want the option of using a landline (if you have one), you could check they have both numbers.

Currently, using my laptop, sometimes I need a OTP to log in and at other times it's just a case of using a password and characters from the "memorable information" in relation to the user ID.

ETA:  I've just checked my details and find they have an incorrect place of birth recorded and no way of changing it.  I'll just have to remember my unique place of birth in the TSB universe.

SiliconChip

Here's an article entitled The Rythm of Identity Management, which uses methods proved in the identification of enemy morse code operators in the second world war.

https://www.baselinemag.com/c/a/Security/The-Rhythm-of-Identity-Management 

glennevis

There's nothing new under the sun.

When I saw the email the first thing I thought of was WW2 and Bletchley Park. Didn't the listeners get to know the rhythm of the morse code as it was tapped out and hence identify some of the individual wireless operators.

I wonder what TSB's algorithm will make of my keypresses since I have set up GBoard with a shortcut so one letter and one number expands to my full email address. I wonder, can their algorithm cope with such apparently fast typing?

Ergates

It's real, TSB aren't the only bank to be using and and it does work - to a degree.

It's not a unique as a fingerprint, but there is a general pattern to the way we type - especially words/phrases we're familiar with, like our email addresses.  So, whilst you couldn't really use it as the sole method to identify a person, you can use it as an additional layer of identity checking.   e.g. if someone who normally types 2 fingered suddenly started typing fluently, that might be enough to warrant further checks.

Moreover, it's very good at detecting bots and/or people cutting and pasting (which is what fraudsters often do - store your details in a file and paste them into the fields).

Notepad_Phil

Ergates said:

Moreover, it's very good at detecting bots and/or people cutting and pasting (which is what fraudsters often do - store your details in a file and paste them into the fields).

Unfortunately I reckon quite a lot of non-fraudsters do that for at least part of the login process too.  I know that I do, and I'd have to consider leaving any company who started to restrict cut and paste or started to put me through additional security checks if I had used cut and paste - and no, I don't keep my entire username and password in plain text.

Ergates

You cut and paste your email address?  Though, even if you did, that would be part of your normal "typing" behavior, so it would just become your baseline.   I've not seen any suggestion that banks would want to stop people pasting in data into fields.