A few weeks ago I had an email from my bank telling me they were introducing a new security measure for online transactions. In addition to a one-time passcode sent to my phone, they'd ask for my email address. Here's what they said:
"We’re not actually checking your email address; it’s how you enter it that matters (including your keystrokes). It’s known as ‘behavioural biometric’ data and it should be unique to you. We’ll record this data..."
"How" I enter it? I didn't give this much attention at the time. But on Friday I attempted to make an online card payment (with a totally different bank account). On the screen that asked for the one-time passcode sent to my phone, it also asked for my email address. But the part of the email address already displayed (first character, plus the bit after "@") didn't resemble any of my email addresses.
I then realised it was an email address I hadn't used in two decades, and I couldn't remember the front part exactly, so I cancelled the transaction, rather than be flagged as possible fraudster (flagged accounts can cause difficulties, if you make a further few innocent errors - like being locked out).
Okay, I thought, no problem - they just have out-of-date contact details. So I phoned customer services this morning and.... ended up in The Twilight Zone! I told the guy on the phone what had happened, expecting him to ask for my current email address. But he told me it didn't make any difference what email address I entered, and that entering the wrong one wouldn't have invalidated the transaction. "ERRR, WHAT...?", I say, "SO HOW IS IT A VERIFICATION OF MY IDENTITY? WHAT'S THE POINT? He says they're gathering biometric data on "how" I enter the email address, not actually checking the correctness of the email address. "BUT WHAT DATA, EXACTLY, AND FOR WHAT PURPOSE?", I ask.
He doesn't really know, except that it's some "high-end" biometric data gathering operation that will have future uses. "CAN I OPT OUT OF IT?", I ask. He doesn't think that's possible, he sheepishly replies.
So, two unrelated banks that I have accounts with have implemented this rather odd, unspecified biometric data gathering recently. No doubt it has good intentions, but WTF! I don't think the 'decision' guys in their important meetings are considering all the implications while they roll out this intrusive micro-interaction technology.
Anyone else experienced something similar?
Here's a fairly recent article about this, if anyone is interested (apparently nobody is!): https://techcrunch.com/2022/01/10/the-road-to-disastrous-biometric-data-collection-is-paved-with-good-intentions/
"There has been a rather fervent acceleration in planned biometric data collection in recent months. If you’re not worried about it, you should be. In fact, silly as it sounds, try being more worried about it than seems normal..."