China Daily Global Edition (USA)

Open to attack

Biometric technologies could put people’s safes in danger

- Contact the writer at chengyingqi@chinadaily.com.cn

Before online payment systems brought so much convenience to our lives — allowing us to book taxis, go shopping or eat at a restaurant without carrying a wallet — the most famous online adage was: “On the internet, no one knows you’re a dog”.

The lack of identity confirmation wasn’t a problem for most people because the “old” web was a place where our online identities could remain separate from our real lives.

However, new technologies that can link bank accounts with the internet are now bringing threats into our daily lives that once only existed in virtual spaces.

For many experts, one of the most worrying examples is that facial features may offer hackers the opportunity to unlock people’s safe boxes.

Researchers with the McAfee Labs Mobile Research Team — the threat-research division of Intel Security — recently discovered a new variant of a well-known Android banking Trojan, a form of malicious computer program also known as “malware”, that can hack into personal computers by misleading users about its true content.

In addition to requesting financial information, the Trojan can also request a self-portrait with your identity document, which is useful for cybercriminals because it not only confirms a person’s identity, but also allows outsiders to access their bank account.

Easy to counterfeit

“Biometric technologies, including facial recognition, fingerprint identification and voice recognition, are not suitable for remote authentication, because they are easy to counterfeit,” said Mei Lin, director of the Cyber Physical System R&D Center at the Ministry of Public Security’s Third Research Institute, in an exclusive interview with China Daily.

“For example, if you use your fingerprint to verify your identity in front of a bank employee, you can’t wear fake fingerprint film because it can be discovered too easily. However, if you are using your fingerprint as a means of authentication for online payment with no one watching, it’s both easy and cheap to cheat,” he said.

At least one well-known Chinese online retail platform allows customers to purchase a DIY fake fingerprint kit for just 23 yuan ($3.34). The kit contains enough silica gel to produce 20 fake fingerprint films. Once payment has been received, the vendor offers video courses that teach customers how to use the gel to manufacture false fingerprints that will allow a third party to “imitate” them and fool security systems.

According to clients’ comments, the film can deceive fingerprint punch-card machines and screen locks on several brands of cellphone.

In addition, people also face the threat posed by “backdoors” — loopholes in the program that could give hackers the opportunity to steal a person’s fingerprint information.

In March, computer scientists from Germany and the United States unveiled new face-capture technology that can map a user’s facial expressions in real-time onto the face of a celebrity and then generate realistic video showing the celebrity “saying” anything the user chooses.

Meanwhile, last month, the Chinese voice-recognition software manufacturer iFLYTEK Co launched an app that can flawlessly imitate a person’s voice, pronunciation and intonation.

“From a technological point of view, this means it is possible to cheat facial- and voice-recognition-based identity authentication systems with remote logins,” Mei said.

“In physical space, biological features such as your facial features and fingerprints are the only solid proof of your identity. On the internet, they are just digitized information that can be easily duplicated and reused.”

Selfies

Despite the concerns voiced by security experts, the business of remote computer authentication is booming.

For example, HSBC, Bank of Scotland, MasterCard and other financial organizations allow customers to open new accounts simply by providing a selfie.

Now, under a guideline issued by the Ministry of Public Security, banks in China require their customers to open accounts in the presence of a bank employee.

The ministry has also developed the eID system, an encrypted framework for remote-identity authentication, which is used by banks, social security departments and online payment systems.

For example, anyone who tries to log onto their bank account through the system remotely has to type in a secret password generated by a USB key. The password, which changes every minute, links the bank to the client’s personal information in the ministry’s database.

“In this process, the message exchanged on the internet is just a random number sequence, which means hackers cannot intercept any useful information about clients, even if they break through the bank’s security firewall,” said Yan Zeming, who is in charge of the eID project at the Third Research Institute.
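The property Yan describes, that an intercepted one-minute code is useless afterwards while a copied biometric sample stays valid, can be shown in a few lines. This is an added example, not code from the article or the eID project: the article does not say which algorithm eID uses, so an RFC 6238-style HMAC code with a 60-second step is assumed, and the secret, template bytes and timestamp are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article says the password changes every minute

def one_time_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC over the index of the current time step."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: holds the shared secret, rejects stale or reused codes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1  # highest time step already accepted

    def check(self, code: str, unix_time: int) -> bool:
        step = unix_time // STEP_SECONDS
        if step <= self.last_step:
            return False  # a code for this step was already used
        if not hmac.compare_digest(code, one_time_code(self.secret, unix_time)):
            return False
        self.last_step = step
        return True

def static_check(enrolled: bytes, presented: bytes) -> bool:
    """A fixed credential (a digitized biometric template) compared as-is."""
    return hmac.compare_digest(enrolled, presented)

def demo() -> dict:
    secret = b"constructed-demo-secret"       # constructed sample value
    template = b"constructed-template-bytes"  # constructed sample value
    t0 = 1_700_000_000                        # constructed login time
    server = Verifier(secret)
    captured = one_time_code(secret, t0)      # what an eavesdropper would see
    return {
        "login": server.check(captured, t0),
        "replay_same_minute": server.check(captured, t0 + 5),
        "replay_next_minute": server.check(captured, t0 + STEP_SECONDS),
        "template_replay": static_check(template, bytes(template)),
    }
```

The replayed code is refused both within the same minute and in the next one, while the copied template is accepted every time it is presented.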

According to Yan, the eID system has been tested by 60 million bank customers nationwide, and there are plans to expand its coverage via cooperation with social security departments and e-government service systems.

“Safe remote-identity authentication is a precondition of digitizing your life. Facial and fingerprint recognition may look cooler and more convenient, but security is definitely the main priority,” he said.

Greater safety?

Biometric technology, which is new to the general public, is believed to be safer than traditional methods of authentication.

In a survey conducted this year by China Union Pay, an interbank transaction settlement system, 83 percent of respondents said they had used a mobile phone to make a payment in the past year, while 13 percent said they were willing to try biometric technology-based authentication methods.

“I think fingerprint authentication is safer than the one-time password sent to my cellphone, which used to be the most common authentication method. If you lose your phone and it’s found by unscrupulous people, they can easily transfer your money to their account because they will have access to your short messages. With fingerprint-authentication technology, they can do nothing if you are not there,” said Chen Meng, a 35-year-old Shanghai resident who regularly uses online payment systems.

However, in practice, fingerprints may not be as safe as was once believed. Last month, police in Changshu, a city in Jiangsu province, investigated a case in which the victim, a woman named Li, passed out after drinking a cup of water offered by an acquaintance. While Li was unconscious, the acquaintance used Li’s fingerprint to unlock her phone and stole 10,000 yuan from her online payment account.

In another case, the owner of a hair salon in Shanghai loaned her phone to a client who then secretly uploaded her own fingerprint to the phone and repeatedly entered the victim’s “wallets” on Alipay and WeChat — two of the most popular online payment systems in China — and stole 77,000 yuan.

Changing landscape

“The individual cases that have been reported are still causing limited damage because the suspects are stealing from people they know. If the criminals had been professional hackers, they would have better covered up their activity and caused inestimable losses,” said Mei, from the Cyber Physical System R&D Center.

“The essence of the internet is changing because we are digitizing the physical world and putting it online,” he added. “In the past, information was just information, and it was separate from real life. But now, part of real life has been digitized, so we need to rebalance entertainment, convenience and security to facilitate the secure exchange of online information.”


PHOTOS PROVIDED TO CHINA DAILY Lin Yuhui checks some of the sketches he has drawn of people in public places.
YU FANGPING / FOR CHINA DAILY A researcher displays a face-recognition system.
