A few weeks ago I had an email from my bank telling me they were introducing a new security measure for online transactions. In addition to a one-time passcode sent to my phone, they'd ask for my email address. Here's what they said:
"We’re not actually checking your email address; it’s how you enter it that matters (including your keystrokes). It’s known as ‘behavioural biometric’ data and it should be unique to you. We’ll record this data..."
"How" I enter it? I didn't give this much attention at the time. But on Friday I attempted to make an online card payment (with a totally different bank account). On the screen that asked for the one-time passcode sent to my phone, it also asked for my email address. But the part of the email address already displayed (first character, plus the bit after "@") didn't resemble any of my email addresses.
I then realised it was an email address I hadn't used in two decades, and I couldn't remember the front part exactly, so I cancelled the transaction, rather than be flagged as a possible fraudster (flagged accounts can cause difficulties, if you make a further few innocent errors - like being locked out).
Okay, I thought, no problem - they just have out-of-date contact details. So I phoned customer services this morning and... ended up in The Twilight Zone! I told the guy on the phone what had happened, expecting him to ask for my current email address. But he told me it didn't make any difference what email address I entered, and that entering the wrong one wouldn't have invalidated the transaction. "ERRR, WHAT...?", I say, "SO HOW IS IT A VERIFICATION OF MY IDENTITY? WHAT'S THE POINT?" He says they're gathering biometric data on "how" I enter the email address, not actually checking the correctness of the email address. "BUT WHAT DATA, EXACTLY, AND FOR WHAT PURPOSE?", I ask.
He doesn't really know, except that it's some "high-end" biometric data gathering operation that will have future uses. "CAN I OPT OUT OF IT?", I ask. He doesn't think that's possible, he sheepishly replies.
So, two unrelated banks that I have accounts with have implemented this rather odd, unspecified biometric data gathering recently. No doubt it has good intentions, but WTF! I don't think the 'decision' guys in their important meetings are considering all the implications while they roll out this intrusive micro-interaction technology.