Selfie-based authentication raises eyebrows among infosec experts
- Reference: 1720416607
- News link: https://www.theregister.co.uk/2024/07/08/selfie_authentication_security/
- Source link:
Just last Monday the Southeast Asian nation of Vietnam began requiring face scans on phone banking apps as proof of identity for all digital transactions of around $400 and above.
The nation's residents are not able to opt out of the banking rules, despite Vietnam regularly finding itself [1]ranked poorly when it comes to internet privacy or cyber security.
[2]
Local media has [3]weighed in to suggest that selfies will not improve security. And just days into the new regime, some apps have already been called out for accepting still photos instead of a live image of the individual.
[4]
[5]
Concerns aren't limited to Vietnam. Late last month, US cyber security firm Resecurity [6]flagged similar concerns when it found a spike in leaked identity documents containing selfies of Singaporeans on the dark web.
Many of those selfies were provided to [7]fintech and e-commerce providers and later leaked. Resecurity asserted that some were captured by cyber crime groups that run fake telemarketing or customer support scams and gather selfies so they can sell them to other miscreants.
The rise of selfies for identity verification
"Using selfies for identity verification has been growing steadily for around the last five years, but the inflection point was during the pandemic when people were forced to engage digitally," VP analyst at Gartner, Akif Khan, told The Register.
Khan, who regularly helps guide organizations through the process of implementing selfie-based authentication, rated interest as "very high." He's seen steady growth with a recent "uptick."
[8]
Fintech veteran, policy wonk, and CEO at consultancy New World Advisors Katie Mitchell agreed with Khan. "As more financial services are online, there's been a need to replicate account opening services for that environment," she told The Register.
"Subsequently, there's the need now for proof of personhood for lots of things we do online."
According to Mitchell, anti-money-laundering (AML) and know your customer (KYC) processes are sometimes covered by laws and and coordinating bodies like the [9]Financial Action Task Force , an intergovernmental AML organization.
[10]
Whoever defines AML and KYC processes, they are seldom globally interoperable – they vary by jurisdiction and are constantly updated.
"Separately those jurisdictions will have data protection and privacy laws as well. Those don't necessarily refer to the processes of biometric collection that are required for account verification and opening in a way that's comprehensive. There's a gap in arbitrage there," explained Mitchell
[11]UK's Total Fitness exposed nearly 500K images of members, staff through unprotected database
[12]An attorney says she saw her library reading habits reflected in mobile ads. That's not supposed to happen
[13]Whistleblower raises alarm over UK Nursing and Midwifery Council's DB
[14]Quarter of polled Americans say they use AI to make them hotter in online dating
According to Acronis CISO Kevin Reed, that lack of regulation is sometimes the problem. But at other times, it's the organization that collected and managed the selfie that is at fault.
"Getting a selfie for KYC purposes is not a problem on its own – the problem is that this data is not properly handled and in many cases is never discarded after the verification is complete," Reed told The Reg . That dilemma is compounded when lots of people have access to the files.
"If they are of any value to criminals – and a data pack allowing a crim to complete KYC is certainly valuable – someone will try to steal them," explained Reed.
Resecurity's report featured an example of a Singapore-based digital payments provider whose ID verification method involved an individual holding their government ID along with a piece of paper with a specific message hand written on it.
Reed called this method "slightly better" than a simple photo – but not "a significant improvement" as it's easily editable.
"I would say that process would deter a casual attacker, but any one vaguely motivated would find way around it," Gartner's Khan told The Reg of still selfies. In his experience, businesses that rely on simple still selfies are typically smaller outfits that have experienced fraud and have implemented a selfie-based stopgap as they scramble to put a proper solution in place.
Liveness checks are part of the solution
Khan's clients use vendors whose product includes liveness checks integrated into websites or mobile apps. The process of authenticating that the image is a real person in real time is typically completely outsourced.
The outsourcer will look for markers on the ID – like a hologram, security features, the way light reflects, plus the depth and edges of a physical credential.
They will also often require video from the individual undergoing the check – asking for a facial expression or a head turn. Some liveness checks even search for signs of blood flow.
After liveness is determined and the ID is deemed not forged, biometrics are compared to the ID.
And because the vendor is controlling the capture, it can even detect deepfake injection attacks.
The whole process will usually be aided by machine learning and typically takes under 20 seconds to complete. The vendors either store the data for a defined period of time or purge it immediately.
Verification stills on dark web could be useless
Khan thinks concern about identity theft from still images and picture IDs found on the dark web is overblown, as most entities will require liveness checks for opening bank accounts and other tasks.
The flat images Resecurity warned about therefore become more and more useless as liveness checks evolve.
"I work in security – nothing is foolproof," admitted Khan. He added that the real concern is what happens when accessibility, diversity, and inclusion measures come into play.
It's important to make sure all people can adequately access these verification systems – but in making exception processes to ensure all users can employ liveness checks, vendors need to be careful not to inadvertently create a workaround.
He warned, "You have to think about how to be inclusive while stopping a threat actor from pretending." ®
Get our [15]Tech Resources
[1] https://online.stevens.edu/info/countries-ranked-by-internet-privacy/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zou4uY5EXf40dCEk81BCcgAAARA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://e.vnexpress.net/news/news/photos-hoodwink-face-recognition-tools-on-banking-apps-4766038.html
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zou4uY5EXf40dCEk81BCcgAAARA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zou4uY5EXf40dCEk81BCcgAAARA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.resecurity.com/blog/article/cybercriminals-are-targeting-digital-identity-of-singapore-citizens
[7] https://support.straitsx.com/hc/en-us/articles/4410446534553-Why-is-selfie-compulsory-for-Singapore-based-account-verification
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zou4uY5EXf40dCEk81BCcgAAARA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://www.fatf-gafi.org/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zou4uY5EXf40dCEk81BCcgAAARA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[11] https://www.theregister.com/2024/06/17/uks_total_fitness_exposed_nearly/
[12] https://www.theregister.com/2024/05/18/mystery_of_the_targeted_mobile_ads/
[13] https://www.theregister.com/2024/03/22/nmc_database_whistleblower/
[14] https://www.theregister.com/2024/02/12/generative_ai_online_dating_boost/
[15] https://whitepapers.theregister.com/
"typically takes under 20 seconds to complete"
If it says "under 20 seconds", that means more than 10. So, in order to purchase takeaway (I'm guessing), you have to not only consent for your facial biometrics to be captured by some two-bit outfit that will be hacked in under 20 minutes, but you also have to submit to a dystopian-future-style interrogation for a quarter of a minute to prove that you are just an innocent citizen.
Thanks, but no thanks.
Oh, and those small companies have not implemented this as a stopgap. If I know anything about small companies, they are not looking for a better solution. This is the solution.
My 85 year old mother was asked to do this selfie #$&@
Legitimate corporation here in Aus.
She had to hold her DL next to her face and take a selfie livestream.
No one was allowed to help her!
Because the person at the other end heard voices (us trying to advise her), we then went down a whole new rabbit hole to prove there was no coercion.
She’s 85, she doesn’t do tech, her husband had just died.
Bastards!
Arseholes!
I know they claim their systems can detect deepfakes, but I wonder what their success rate on actual detection is? As I can guarantee that the criminals will find a way around their detection as deepfakes and AI tools improve
keyfob id
Keyfob ID devices were so simple and so effective. I miss them.
Doesn't sound great
I would particularly worry about one of these two bits outfit storing the selfies, then getting their database stolen. Especially since it won't be the most tech savvy companies using such a low level security measure. At least, when your credit card number gets stolen, you can change it.
There are ways to mitigate the risk
If it can do a depth map like Face ID does, or if it is live asking you to do something rather than just a live shot of your face that could be clipped from social media.
There will still be risk, sure, but online transactions by their nature will always have an element of risk. Even in person transactions carry some risk since these days the "bank where people know you personally" is less and less common. They show up at a different branch than the one closest to you with your bank card and fake ID that's sold off eBay for $50 they're getting your money 9 times out of 10.
While I personally wouldn't use it, they should be required by law to support some type of hardware 2FA device for those who have really high value transactions or are simply paranoid. For me I'd be satisfied with Face ID on my phone to verify me, because the bar of "they have to steal my phone and fake out Face ID" is high enough for me to feel comfortable.
If I was so wealthy that I thought I might be personally targeted by criminals to steal my phone as above I might want to raise the bar, but at some point the "grab me and threaten to hit me over the head with a $5 hammer" scenario becomes the weak point in one's banking security.