
Behavior: The Good Guys' Secret Weapon


It's one admission security providers hate to voice: every user ID, password, PIN, token, certificate and encryption key can be stolen and abused. And once a hacker holds the physical card, the secret PIN and whatever "super-secret double code" sits behind them, nothing prevents him from taking over his victim's identity.

The usual reply is that such theft is "hard" and "unlikely," possible only for a stubborn and determined hacker. True, but let's remember the giraffe story: when the fruit on the lower branches had all been eaten, the animals whose necks were long enough to reach the higher branches were the ones that survived and bred. Similarly, when the easy security prey is gone, the hacking community adapts and pulls off the more difficult stunts.

As phishing dries up, owing to columns like this one, pharming comes forth. In the big picture the only distinction between a user and his predator is the possession of some keys, tokens, passwords and PINs, all of which can be compromised.

The battle with the hackers is really one of imagination. So far, the hackers have been more imaginative, while security providers are fighting the last war. Let's wrest the initiative from these evil-doers: Imagine a cybervictim who is robbed of all those information packets that he uses to prove who he is. A hacker takes his place. Is the battle lost?

Not necessarily. The good guys have one last-ditch effort to win the day. Even if a hacker is in possession of all of his victim's pieces of ID information, there is going to be one critical distinction between the two: behavior. What the hacker does with his ID parameters is different from what his victim would have done. And hence the emerging battleground in the war over cybersecurity is behavior.

Checking a password is a binary process: you either have it or you don't. Behavior, by contrast, is fuzzy. You cannot be too strict, because people act with a substantial measure of randomness. Some credit card companies will decline a purchase made abroad by a cardholder who for years has used the card only domestically. But people do decide to go overseas after years of staying home.

A more refined algorithm would also take into account the nature of the purchase. A restaurant abroad is probably okay; a sofa bought overseas is more suspicious. My colleague Ori Eisen developed an algorithm that flags users who type random letters for their names.

In general, behavior may be judged three ways: (1) relative to the past behavior of the same user; (2) relative to the typical behavior of similar users; and (3) relative to timely external events. As the example above shows, it is dangerous to rely on only a few behavioral parameters: too many legitimate transactions get rejected.

When we meet an acquaintance face to face, we process a myriad of identification parameters, mostly visual but also sound, touch and smell. Of those thousands of parameters quite a few may be off, yet the integrated conclusion is what matters. Computers have to emulate this and reach the accept/reject decision from as many behavioral parameters as possible.

But here we run into a technical problem. Many of the prevailing algorithms become very slow when they must reach a decision on the basis of a large number of parameters. This geeky problem is gradually being handled with an appropriately geeky solution: neural-network-style models that emulate brain processing and reach a binary decision from many thousands of parameters with no perceptible delay.

Hackers are not standing still. We have seen sophisticated thieves who tailor their activity to blend into the normal patterns of their victims. If you happen to use your credit card six to eight times a month at the CVS drugstore, for about $45 each visit, would you notice that one of those charges is not yours? Wealthy and flamboyant spenders are the prized victims of upscale hackers, since a fraudulent charge is almost impossible to spot in their wild spending patterns.

Because behavior, unlike the yes/no password check, is so iffy, the conclusion is too often a "maybe." Such unresolved suspicion should trigger a human check, but that is very costly. So the challenge for the security industry is to come up with an arsenal that is not just theoretically effective but also cost-effective.
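The three-way judgment described above (own history, similar users, external events), the folding of many weak signals into one decision, the thief who blends into a victim's pattern, and the "maybe" that has to go to a human can all be seen in one small scorer. The following is an added example, not code from this column or from any vendor it mentions. The cardholder history, the peer cohort, the merchant names, the signal weights and the accept/review/reject thresholds are all constructed assumptions, and the plain weighted sum stands in for the learned model a real system would use.

```python
"""Behavioral risk scoring for one card transaction (added example).

Scores a transaction three ways, as the column describes: against the
cardholder's own history, against a cohort of similar cardholders, and
against timely external events, then folds the signals into one
accept / review / reject verdict. Every history, cohort, merchant, weight
and threshold below is constructed for illustration.
"""
import math
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    amount: float
    merchant: str
    country: str
    hour: int  # local hour of day, 0-23


HOME_COUNTRY = "US"  # assumed home country of the constructed cardholder

# Constructed history: eight ~$45 CVS charges, always in the early evening.
HISTORY = [Txn(45 + (i % 5) - 2, "CVS", HOME_COUNTRY, 17 + (i % 4)) for i in range(8)]

# Constructed cohort of "similar" cardholders: mostly domestic, wide spend range.
_COHORT_AMOUNTS = [25, 30, 35, 40, 45, 50, 55, 60, 70, 80,
                   90, 100, 120, 150, 200, 250, 300, 400, 600, 900]
COHORT = [Txn(a, "various", {17: "FR", 19: "GB"}.get(i, HOME_COUNTRY), 12)
          for i, a in enumerate(_COHORT_AMOUNTS)]

# Assumed weights. Every signal lies in [0, 1]; travel_notice is emitted as -1
# because a cardholder who announced the trip lowers the risk.
WEIGHTS = {
    "amount_ratio": 0.25, "new_merchant": 0.10, "new_country": 0.25, "odd_hour": 0.10,
    "cohort_amount_rank": 0.15, "cohort_abroad": 0.15,
    "travel_notice": 0.35, "card_in_breach": 0.30,
}
ACCEPT_BELOW, REJECT_FROM = 0.3, 0.6  # scores in between are the "maybe"


def _clip(x: float) -> float:
    return max(0.0, min(1.0, x))


def own_history_signals(t: Txn, history: List[Txn]) -> Dict[str, float]:
    """Way 1: how far this transaction sits from the same user's past."""
    mu = mean(h.amount for h in history)
    # Log-ratio against the user's mean spend; a 10x jump saturates at 1.0.
    ratio = abs(math.log(max(t.amount, 0.01) / mu)) / math.log(10)
    hours = [h.hour for h in history]
    return {
        "amount_ratio": _clip(ratio),
        "new_merchant": 0.0 if t.merchant in {h.merchant for h in history} else 1.0,
        "new_country": 0.0 if t.country in {h.country for h in history} else 1.0,
        # Crude: anything outside the hour band this user has ever used.
        "odd_hour": 0.0 if min(hours) <= t.hour <= max(hours) else 1.0,
    }


def cohort_signals(t: Txn, cohort: List[Txn]) -> Dict[str, float]:
    """Way 2: how unusual this transaction is for people like this user."""
    n = len(cohort)
    rank = sum(1 for c in cohort if c.amount < t.amount) / n  # 1.0 = above every peer
    share_abroad = sum(1 for c in cohort if c.country != HOME_COUNTRY) / n
    return {
        "cohort_amount_rank": rank,
        "cohort_abroad": 0.0 if t.country == HOME_COUNTRY else _clip(1.0 - share_abroad),
    }


def external_signals(t: Txn, events: Dict[str, object]) -> Dict[str, float]:
    """Way 3: timely external facts the bank knows about this card."""
    out: Dict[str, float] = {}
    if events.get("travel_notice") == t.country:
        out["travel_notice"] = -1.0   # lowers risk: the trip was announced
    if events.get("card_in_breach"):
        out["card_in_breach"] = 1.0   # raises risk: card number seen in a dump
    return out


def score(t: Txn, history: List[Txn], cohort: List[Txn],
          events: Dict[str, object]) -> Tuple[float, str]:
    """Fold every signal into one risk score and a three-way verdict."""
    signals = {**own_history_signals(t, history),
               **cohort_signals(t, cohort),
               **external_signals(t, events)}
    total = _clip(sum(WEIGHTS[k] * v for k, v in signals.items()))
    if total < ACCEPT_BELOW:
        verdict = "accept"
    elif total < REJECT_FROM:
        verdict = "review"  # the "maybe" that needs a costly human check
    else:
        verdict = "reject"
    return round(total, 3), verdict


# Constructed transactions to score.
GENUINE = Txn(45, "CVS", "US", 19)             # the cardholder's usual visit
BLENDED = Txn(46, "CVS", "US", 18)             # a thief copying that pattern
SOFA = Txn(1800, "Meubles Dupont", "FR", 3)    # overseas furniture at 3 a.m.
RESTAURANT = Txn(60, "Bistro Lyon", "FR", 20)  # dinner abroad

if __name__ == "__main__":
    for label, txn, ev in [("genuine", GENUINE, {}), ("blended thief", BLENDED, {}),
                           ("sofa abroad", SOFA, {}), ("restaurant, no notice", RESTAURANT, {}),
                           ("restaurant, travel notice", RESTAURANT, {"travel_notice": "FR"}),
                           ("genuine, card in breach", GENUINE, {"card_in_breach": True})]:
        print(f"{label:28s} {score(txn, HISTORY, COHORT, ev)}")
```

Run as a script, it prints one (score, verdict) pair per case. The sofa bought overseas at 3 a.m. trips almost every signal and is rejected; the restaurant abroad lands in "review" until a travel notice pulls it back to "accept"; and the thief's $46 CVS charge scores as low as the genuine $45 one, which is exactly the blending problem the column raises. No single signal decides anything, so a cardholder who does one unusual thing is not rejected, while a card reported in a breach dump pushes even a routine charge into the human-review bucket.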

Optimism is permitted, because the battle over spotting behavior is increasingly a mathematical campaign, and there the white hats have a better chance than the black hats.