Keystroke FIngerprinting

Ripper · March 26, 2016

Online companies are now using keystroke fingerprinting as a way to uniquely identify every person, and track them more effectively. This is, as far as I'm concerned, not cool.

There's a Chrome extension to block it, but in Firefox the only thing to do is block scripts on domains of concern. Linux is working on way to block this in all applications.

pibbur who · March 26, 2016

Hmmm.

Pibbur who likes the ripper's post, but not what it is describing.

Ripper · March 26, 2016

The ripper, whose hamfisted typing frequently betrays him, including in the title of this thread.

Zloth · March 26, 2016

I'm having a real hard time believing you can UNIQUELY identify anyone this way. An individual's typing is going to vary quite a bit hour to hour. You could probably measure such things and figure out a range. Then, when somebody is typing, you could match them to all the people in your database that have a range that covers what you're doing now. That's not going to be unique, though.

Maybe you could use it to tell which member of a family is using a shared computer?

P.S. Ham fisted? Come on over here Ripper, I want to bake your hand. SHAKE! Shake your hand... ah rats. Guess it's chicken strips again tonight.

Ripper · March 26, 2016

Yes, I found it surprising how effective the technique is. Unfortunately, it is remarkably effective - almost as effective as a unique biometric identifier.

Have a read on here. There's also a demo by BehavioSec here.

Zloth · March 27, 2016

That's not looking terribly effective to me. 80%?? That's a one in five shot of being wrong. If some Evil Corporate/Government Entity got access to your profile, they couldn't identify you at all. They might be able to figure out that somebody they suspect is you actually isn't you but, if they do get a match, it could be you or it could be any one of millions (billions?) of other people in the world that match that profile.

It says that's after just 44 keystrokes but will it really get much better with more of them? It seems like they would need to get confidence closer to a 999,999 out of a million to be interesting. How could you do anything with something that is even 99% effective?

Hurls · March 27, 2016

Yes I had seen this but wasn't aware of chrome extension - thank you ripper!

This is also being VERY actively employed with this article being the tip of a very substantial body of work founded by homeland security in the land of the (formerly?) free.
https://www.researchgate.net/publication/274634803_Investigating_the_Effect_of_Fraud_on_Mouse_Usage_in_Human-Computer_Interactions

BTW if you want a full copy of the paper PM me

Ripper · March 27, 2016

Zloth said:
That's not looking terribly effective to me. 80%?? That's a one in five shot of being wrong. If some Evil Corporate/Government Entity got access to your profile, they couldn't identify you at all. They might be able to figure out that somebody they suspect is you actually isn't you but, if they do get a match, it could be you or it could be any one of millions (billions?) of other people in the world that match that profile.

It says that's after just 44 keystrokes but will it really get much better with more of them? It seems like they would need to get confidence closer to a 999,999 out of a million to be interesting. How could you do anything with something that is even 99% effective?

The thing is that behavioural biometrics are a different sort of animal than traditional biometrics. A traditional biometric identifier is a one-off, pass/fail comparison of a piece of very unique data - like a fingerprint or an iris scan. By comparison, a keystroke analysis of a few words would certainly be insufficient to identify an individual with certainty.

But behavioural biometrics don't work on that pass/fail type of check. They rely on statistical information over time, and work out the probabilities. So, if it recognises the way you type multiple phrases, consistently during a session, the probability of identifying you goes up sharply. When you combine this with other information that trackers have about your browsing habits, and other information that your browser reveals about your devices, the probability of uniquely identifying you becomes very high indeed.

GothicGothicness · March 29, 2016

Quite scary stuff... and a very clever way to identify someone as well.

On the other hand you could very easily trick it by typing in different ways from time to time.

Zaleukos · March 29, 2016

Part of my group at university did biometrics back in the early 2000s, so I find this both fascinating from an intellectual POV and disturbing from an integrity POV.

Zloth said:
That's not looking terribly effective to me. 80%?? That's a one in five shot of being wrong. If some Evil Corporate/Government Entity got access to your profile, they couldn't identify you at all. They might be able to figure out that somebody they suspect is you actually isn't you but, if they do get a match, it could be you or it could be any one of millions (billions?) of other people in the world that match that profile.

It says that's after just 44 keystrokes but will it really get much better with more of them? It seems like they would need to get confidence closer to a 999,999 out of a million to be interesting. How could you do anything with something that is even 99% effective?

80% could probably still be good enough for advertising if combined with some other techniques for multimodal identification.

Keystroke FIngerprinting

Ripper

Зичу Вам успіхів

pibbur who

Guest

Ripper

Зичу Вам успіхів

Zloth

I smell a... wumpus!?

Ripper

Зичу Вам успіхів

Zloth

I smell a... wumpus!?

Hurls

Non-twitch gamer

Ripper

Зичу Вам успіхів

GothicGothicness

SasqWatch

Zaleukos

Bum