But as Kessler points out, not only does behavioral biometric authentication require a black hat hacker to capture the user's average keystroke patterns--meaning the hacker would have to monitor several account accessions--but they would also have to know which sort of security algorithm the bank was using, and which characteristics the bank system was measuring. Such an attack would imply that a hacker not only was targeting a specific bank, but that he or she had specific, internal information about the bank's security configurations.
Hackers, on the other hand, have so far been mainly interested in mass attacks that target low-hanging fruit. And while there's little doubt that hackers are becoming more sophisticated by the hour, or that the criminal potential of hacking has been recognized by global organized crime--which is happy to heap resources in the laps of skilled hackers--such very specific attacks have so far been blessedly rare.
"There is that chink in the armor, but it's small," says Kessler. "It's not a big concern in implementing one of these systems, because the level of sophistication involved, and the amount of internal information the attacker would need about the target, would mean they wouldn't even want to take this route."
Bankers should not take comfort in that fact: Computer security is a game, and attackers in the hacker community are constantly surprising the defenders in the world's financial institutions. But anything that makes a hacker's life more miserable is a good thing, as far as bankers are concerned.
(Contact: Josh Kessler, TowerGroup, 773-348-8134)