Open to attack

Biometric technologies could put people’s safes in danger

China Daily (Hong Kong) - FRONT PAGE - Contact the writer at cheng yingqi@chi

Before online payment systems brought so much convenience to our lives — allowing us to book taxis, go shopping or eat at a restaurant without carrying a wallet — the most famous online adage was: “On the internet, no one knows you’re a dog”.

The lack of identity confirmation wasn’t a problem for most people because the “old” web was a place where our online identities could remain separate from our real lives.

However, new technologies that can link bank accounts with the internet are now bringing threats into our daily lives that once only existed in virtual spaces.

For many experts, one of the most worrying examples is that facial features may offer hackers the opportunity to unlock people’s safe boxes.

Researchers with the McAfee Labs Mobile Research Team — the threat-research division of Intel Security — recently discovered a new variant of a well-known Android banking Trojan, a form of malicious computer program also known as “malware”, that can hack into personal computers by misleading users about its true content.

In addition to requesting financial information, the Trojan can also request a self-portrait with your identity document, which is useful for cybercriminals because it not only confirms a person’s identity, but also allows outsiders to access their bank account.

Easy to counterfeit

“Biometric technologies, including facial recognition, fingerprint identification and voice recognition, are not suitable for remote authentication, because they are easy to counterfeit,” said Mei Lin, director of the Cyber Physical System R&D Center at the Ministry of Public Security’s Third Research Institute, in an exclusive interview with China Daily.

“For example, if you use your fingerprint to verify your identity in front of a bank employee, you can’t wear fake fingerprint film because it can be discovered too easily. However, if you are using your fingerprint as a means of authentication for online payment with no one watching, it’s both easy and cheap to cheat,” he said.

At least one well-known Chinese online retail platform allows customers to purchase a DIY fake fingerprint kit for just 23 yuan ($3.34). The kit contains enough silica gel to produce 20 fake fingerprint films. Once payment has been received, the vendor offers video courses that teach customers how to use the gel to manufacture false fingerprints that will allow a third party to “imitate” them and fool security systems.

According to clients’ comments, the film can deceive fingerprint punch-card machines and screen locks on several brands of cellphone.

In addition, people also face the threat posed by “backdoors” — loopholes in the program that could give hackers the opportunity to steal a person’s fingerprint information.

In March, computer scientists from Germany and the United States unveiled new face-capture technology that can map a user’s facial expressions in real-time onto the face of a celebrity and then generate realistic video showing the celebrity “saying” anything the user chooses.

Meanwhile, last month, the Chinese voice-recognition software manufacturer iFLYTEK Co launched an app that can flawlessly imitate a person’s voice, pronunciation and intonation.

“From a technological point of view, this means it is possible to cheat facial- and voice-recognition-based identity authentication systems with remote logins,” Mei said.

“In physical space, biological features such as your facial features and fingerprints are the only solid proof of your identity. On the internet, they are just digitized information that can be easily duplicated and reused.”


Despite the concerns voiced by security experts, the business of remote computer authentication is booming.

For example, HSBC, Bank of Scotland, MasterCard and other financial organizations allow customers to open new accounts simply by providing a selfie.

Now, under a guideline issued by the Ministry of Public Security, banks in China require their customers to open accounts in the presence of a bank employee.

The ministry has also developed the eID system, an encrypted framework for remote-identity authentication, which is used by banks, social security departments and online payment systems.

For example, anyone who tries to log onto their bank account through the system remotely has to type in a secret password generated by a USB key. The password, which changes every minute, links the bank to the client’s personal information in the ministry’s database.

“In this process, the message exchanged on the internet is just a random number sequence, which means hackers cannot intercept any useful information about clients, even if they break through the bank’s security firewall,” said Yan Zeming, who is in charge of the eID project at the Third Research Institute.
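
The property described above, as an added example that is not from the article or the eID project: a code derived from a shared secret and the current minute is useless once captured, while a fixed biometric reference checked remotely passes on every replay. The HMAC-based derivation (RFC 4226/6238 style), the secret and the template bytes are assumptions; the article does not say how eID derives its passwords.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the article says the password changes every minute

def otp(secret: bytes, now: float, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the current time step, as in RFC 6238."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Server side: each time step is accepted at most once."""
    def __init__(self, secret: bytes):
        self.secret, self.last_step = secret, -1

    def verify(self, code: str, now: float) -> bool:
        step = int(now // STEP)
        if step <= self.last_step:  # replay inside an already-used minute
            return False
        if not hmac.compare_digest(code, otp(self.secret, now)):
            return False  # stale or wrong code
        self.last_step = step
        return True

class StaticTemplateVerifier:
    """Remote biometric check reduced to its replay-relevant core: a fixed
    reference. Real matchers score similarity; exact match is a simplification."""
    def __init__(self, enrolled: bytes):
        self.ref = hashlib.sha256(enrolled).digest()

    def verify(self, submitted: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(submitted).digest(), self.ref)

def replay_demo() -> dict:
    secret, template = b"constructed-secret", b"constructed-template"  # sample values
    t0 = 1_700_000_000.0
    otp_srv, bio_srv = OtpVerifier(secret), StaticTemplateVerifier(template)
    captured = otp(secret, t0)  # the value that crosses the network
    return {
        "otp_first_use": otp_srv.verify(captured, t0),
        "otp_replay_same_minute": otp_srv.verify(captured, t0 + 5),
        "otp_replay_next_minute": otp_srv.verify(captured, t0 + 60),
        "template_first_use": bio_srv.verify(template),
        "template_replay_next_day": bio_srv.verify(template),
    }
```

`replay_demo()` returns the accept/reject result for each attempt: the one-time code is accepted once and rejected on both replays, while the static template is accepted every time it is submitted.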

According to Yan, the eID system has been tested by 60 million bank customers nationwide, and there are plans to expand its coverage via cooperation with social security departments and e-government service systems.

“Safe remote-identity authentication is a precondition of digitizing your life. Facial and fingerprint recognition may look cooler and more convenient, but security is definitely the main priority,” he said.

Greater safety?

Biometric technology, which is new to the general public, is believed to be safer than traditional methods of authentication.

In a survey conducted this year by China UnionPay, an interbank transaction settlement system, 83 percent of respondents said they had used a mobile phone to make a payment in the past year, while 13 percent said they were willing to try biometric technology-based authentication methods.

“I think fingerprint authentication is safer than the one-time password sent to my cellphone, which used to be the most common authentication method. If you lose your phone and it’s found by unscrupulous people, they can easily transfer your money to their account because they will have access to your short messages. With fingerprint-authentication technology, they can do nothing if you are not there,” said Chen Meng, a 35-year-old Shanghai resident who regularly uses online payment systems.

However, in practice, fingerprints may not be as safe as was once believed. Last month, police in Changshu, a city in Jiangsu province, investigated a case in which the victim, a woman named Li, passed out after drinking a cup of water offered by an acquaintance. While Li was unconscious, the acquaintance used Li’s fingerprint to unlock her phone and stole 10,000 yuan from her online payment account.

In another case, the owner of a hair salon in Shanghai loaned her phone to a client who then secretly uploaded her own fingerprint to the phone and repeatedly entered the victim’s “wallets” on Alipay and WeChat — two of the most popular online payment systems in China — and stole 77,000 yuan.

Changing landscape

“The individual cases that have been reported are still causing limited damage because the suspects are stealing from people they know. If the criminals had been professional hackers, they would have better covered up their activity and caused inestimable losses,” said Mei, from the Cyber Physical System R&D Center.

“The essence of the internet is changing because we are digitizing the physical world and putting it online,” he added. “In the past, information was just information, and it was separate from real life. But now, part of real life has been digitized, so we need to rebalance entertainment, convenience and security to facilitate the secure exchange of online information.”


Lin Yuhui checks some of the sketches he has drawn of people in public places.

A researcher displays a face-recognition system.
