Delfigo Security - Strong Authentication

Using Keyboard Biometrics to Detect Automated System or BOT

The recent Wall Street Journal article, “Accounts Raided in Global Bank Hack,” discusses the latest example of the Zeus Trojan being used to steal credentials and access user accounts. Nearly $3 million was stolen in the scheme, in which accounts were illegally accessed at J.P. Morgan Chase & Co., Ally Financial Inc. and PNC Financial Services Group Inc. Funds from the accounts of those financial institutions were then transferred to "mule" accounts at the Bank of America Corp. and TD Bank Financial Group before being sent to Eastern Europe.

“Hackers used malicious computer software known as Zeus Trojan, disguised in seemingly benign email. When the email recipient clicks on a link or attachment in the email, the virus monitors the victim's computer activity to grab user names and passwords.”

This is exactly the type of cyber attack that Delfigo’s authentication platform, working in conjunction with a bank’s existing security ecosystem, is designed to address. First off, keystroke biometric technology would have detected an automated system or BOT. The reason is mathematical: the keystroke timings of an automated system or BOT are too pure and clear. For example:

[Figure: keystroke biometric EKG comparison]

The top half of the picture to the right demonstrates the keystroke timing vector for a human being. It looks sort of like an EKG (all over the place) and is therefore unique. However, the bottom part of the picture demonstrates the keystroke timing vector of an automated system or BOT. The signature would look very square and perfect. This is particularly true for the “dwell” times, since there will be no variance.

A series of “triggers” would detect the BOT in real time and deny access. However, what if the stolen credentials had been manually typed in? Once again, keystroke biometrics would have identified a mismatch between the human hacker's keystroke ID and that of the legitimate user on record.
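The two checks described above (a zero-variance dwell "trigger" and a comparison against the user's profile on record) can be sketched as follows. This is an added example, not Delfigo's algorithm or code; the thresholds, the distance measure, the function names and all sample timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Assumed thresholds for illustration; a real system would tune them on enrollment data.
MIN_DWELL_CV = 0.05      # below this, dwell times are too uniform to be human typing
MAX_PROFILE_DIST = 0.35  # allowed mean relative deviation from the enrolled profile

def dwell_times(events):
    """events: [(key, down_ms, up_ms), ...] -> hold time of each key in ms."""
    return [up - down for _key, down, up in events]

def coeff_of_variation(values):
    """Standard deviation relative to the mean; 0.0 means no variance at all."""
    m = mean(values)
    return pstdev(values) / m if m > 0 else 0.0

def profile_distance(dwell, enrolled):
    """Mean relative difference between observed and enrolled per-key dwell."""
    return mean(abs(d - e) / e for d, e in zip(dwell, enrolled))

def assess_login(events, enrolled):
    """Return 'bot', 'mismatch' or 'match' for one typed credential."""
    dwell = dwell_times(events)
    if len(dwell) != len(enrolled):
        return "mismatch"
    if coeff_of_variation(dwell) < MIN_DWELL_CV:
        return "bot"        # the "square and perfect" signature
    if profile_distance(dwell, enrolled) > MAX_PROFILE_DIST:
        return "mismatch"   # a human, but not the user on record
    return "match"

def make_events(dwells, gap_ms=120):
    """Build constructed key-down/key-up events from a list of dwell times."""
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((f"k{i}", t, t + d))
        t += d + gap_ms
    return events

# Constructed sample data (not measurements from the article).
ENROLLED = [95, 110, 82, 130, 101, 88, 120, 97]
OWNER = make_events([98, 105, 85, 124, 108, 84, 126, 93])
SCRIPTED = make_events([50] * 8)
OTHER_HUMAN = make_events([150, 60, 140, 70, 160, 55, 65, 150])

if __name__ == "__main__":
    for name, ev in [("owner", OWNER), ("scripted", SCRIPTED), ("other human", OTHER_HUMAN)]:
        print(name, "->", assess_login(ev, ENROLLED))
```

In this sketch a "bot" or "mismatch" result corresponds to the point where the article's system would deny access or escalate to a secondary authentication layer.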

In addition, consider that the legitimacy of the hacker's login attempt, whether manual or automated, would have been challenged based on other factors as well. The ID and password would have been flagged as being delivered from an IP address that did not match the user profile, and elements of the device ID would have conflicted with existing attributes on record. In almost any scenario that involved a high-risk activity such as a change to an account profile or a transfer of assets, the system would have challenged the transaction and either denied access on the spot or escalated to a secondary authentication layer.

Despite the well-known fact that “first factor” authentication, in the form of a standard login (username and password), provides little in the way of security, many institutions continue to rely upon it as a primary option. This is for the most part a result of older two-factor authentication solutions that required cumbersome hardware that inconvenienced users and escalated support costs. A keystroke biometric solution provides a lightweight alternative that requires no change in user behavior and substantially eliminates maintenance and support costs, because there is no hardware or software to distribute or maintain.