As Predicted: Scammers Are Now Scanning Faces To Defeat Biometric Security Measures
from the another-vulnerability dept
For quite some time now we’ve been pointing out the many harms of age verification technologies, and how they’re a disaster for privacy. In particular, we’ve noted that if you have someone collecting biometric information on people, that data itself becomes a massive risk since it will be targeted.
And, remember, a year and a half ago, the Age Verification Providers Association posted a comment right here on Techdirt saying not to worry about the privacy risks, as all they wanted to do was scan everyone’s face to visit a website (perhaps making you turn to the left or right to prove “liveness”).
Anyway, now a report has come out that some Chinese hackers have been tricking people into having their faces scanned, so that the hackers can then use the resulting scan to access accounts.
Attesting to this, cybersecurity company Group-IB has discovered the first banking trojan that steals people’s faces. Unsuspecting users are tricked into giving up personal IDs and phone numbers and are prompted to perform face scans. These images are then swapped out with AI-generated deepfakes that can easily bypass security checkpoints.
The method — developed by a Chinese-based hacking family — is believed to have been used in Vietnam earlier this month, when attackers lured a victim into a malicious app, tricked them into face scanning, then withdrew the equivalent of $40,000 from their bank account.
Cool cool, nothing could possibly go wrong in now requiring more and more people to normalize the idea of scanning your face to access a website. Nothing at all.
And no, this isn’t about age verification, but still, the normalization of facial scanning is a problem, as it’s such an obvious target for scammers and hackers.
Filed Under: age verification, facial recognition, hacking, scammers, scams


Comments on “As Predicted: Scammers Are Now Scanning Faces To Defeat Biometric Security Measures”
The site owner doing his best to convince people that it’s impossible and seemingly immoral to protect children online by all means necessary. 🙄
Re:
It is functionally impossible. Any method can be circumvented. That doesn’t mean parents should give up. It’s their responsibility to protect their children from harm and educate their children on how to filter the things that can’t be avoided. It’s not a third party’s responsibility to give up their privacy or security because you have adopted a moral panic authoritarian battle cry and a soapbox.
There’s also a lot of things some people want to “protect” children from that they don’t need protecting from, such as the fact that gay and transgender people exist. Would you be okay with society restricting children’s access to religions that have notoriously been involved in child abuse?
“By all means necessary” functionally means either killing the internet or keeping children from communication devices until they’re adults, neither of which are tenable options.
Re: Re:
*mentally-ill people exist
Re: Re: Re:
Mentally-ill people do exist. You, for instance.
Transgender people, however, are not, in and of themselves.
Re: Re: Re:2
I am both trans and mentally ill. The illness comes solely from the way bigots like you treated people like me.
Pick up a biology textbook, and stop being an arse.
Re: Re: Re:3
Said the hate-mongering hypocrite.
Re: Re: Re:3
In what way is it bigotry to not buy into the premise that transgender people are, by their very nature, mentally ill?
Re: Re: Re:3
There are only two sexes in humans, and sex is immutable. Gender identity ideology is a deranged spiritual belief system.
You’ll never be other than your sexed body.
Re: Re: Re:4
Jewish scholastic and legal tradition has recognized eight (8) genders, and the fact that not everyone fits neatly into a binary male/female biological sex, for well over two (perhaps even three) millennia.
Other cultures have, historically, also noticed these manifestations of a more complicated reality, that don’t fit neatly into a strictly binary, XX/XY or male/female paradigm.
In modern times, scientists are discovering the concrete, physiological/biological underpinnings of this observable reality.
It would appear that your personal prejudices and cultural preconceptions are blinding you to observable facts.
Re: Re: Re:4
There are chromosomally more than two sexes.
https://en.wikipedia.org/wiki/Sex_chromosome_anomalies
It has nothing to do with spirituality. It’s a social observation regarding the perception of gender roles and efforts to change or restrict those. You are practicing “gender identity ideology” by making assertions about it. Your ideology just differs from the people you disagree with. That you think it must be tied inextricably to biological sex is just your particular bent.
Apparently you aren’t familiar with the concept of people feeling disconnected from a sense of identity with their body, not related at all to a perception of gender, and even feeling disconnected from a sense of identity with their brain.
You’re a ghost sending out electrical signals from the gray matter you haunt to run a meat sack with a skeletal framework. Your ghost is just particularly hateful and confidently incorrect.
Re: Re: Re:5
In fact, neurologists have been able to identify the precise, small part of the brain (a few hundreds of neurons) that causes people to perceive their gender is different from that indicated by their external sexual organs.
You might say, “It’s only natural.”
Re: Re: Re:
I can’t rightly call being delusional a mental illness. That would make everyone mentally ill.
Re: Re: Re:
Yes, mentally ill people do exist and most of them vote for Republicans and shout stupid shit like “Fuck your feelings” and “Trump cares about us”.
Re: Re: Re:
“over-confident ignoramuses exist”
Re:
Ah, everyone knows you straight freaks just want to molest them anyway.
Re:
While we definitely need to protect children, we need to do it in ways that don’t cause harm to other people, especially vulnerable minorities. Sometimes the costs are just too great.
Re: Re:
The single most effective way to protect children is to teach them how to be cautious, how to think, and how to protect themselves.
Everyone trying to bubble them up is ultimately harming the children.
Re: Re: Re:
You can teach your children to swim, or you can try to scare/keep them away from/ “protect them from” open water till they are mature adults (or longer).
One of these approaches to keeping young people safe from drowning, though not perfect, is vastly more effective than the other one is (and helps them actually become functional adults with mature sound judgement as well).
Re:
Aww, was the post too complicated for you to understand?
Re:
I want to protect my children from you. So please leave.
Re:
this fucking idiot doing their best to not read by all means necessary 🙄
Re: Re:
Reading isn’t really something they practice. Anything not in a pop-up book is likely to be too deep for them to understand.
Re:
…hallucinated nobody mentally competent, ever.
kinda brings the huuuuuuge problems with the vending machines being equipped with facial recognition technology into focus, eh
Re:
vending machine owners (and other purveyors of facial recognition tech on the not-quite-consenting): “If you think about it, that is really their problem”
As elaborated here: https://www.nuklearpower.com/2004/01/01/episode-367-address-verification-shmaddress-verification/
“These images are then swapped out with AI-generated deepfakes that can easily bypass security checkpoints”
This makes no sense. Take a real pic and then swap it out with a deepfake? Was this article written by ai?
Re:
Perhaps to get past the bank’s authentication, they have to provide a video saying something like “My name is Joe Smith and I would like to log into my Werbo bank account, the code shown on my screen is 3178”. So the attackers would need to fake that using the video footage they stole from the victim.
Re:
“Was this article written by an AI,” is an awfully poor shot.
The danger of age verification is that it’s likely the data will be accessed by hackers. Every day some app or database or company is attacked by hackers. Once a hacker has your data, address, date of birth, it can be used to maybe scam you in the future.
Re:
… that it’s impossible to do without forcing everyone to upload their government ID, which will allow anyone who wants to — including the government — to track your every move online.
This isn’t hard to understand.
It is possible to use facial recognition/biometrics as an option for login procedures but only if you treat it as a username and not as a password.
Re:
Or treat it as one factor in multi-factor authentication: You need a password and biometrics.
Re: Re:
But biometrics should never be a “password”. The security community has known this forever.
Curiously related?
https://www.techdirt.com/2024/02/27/error-message-exposes-vending-machines-use-of-facial-recognition-tech/
Here’s lookin’ at you, kid.
We’ve known that biometric “security” is anything but for quite some time. It’s trendy, it’s sexy, it’s all kinds of things, but one thing it isn’t is reliable. And it suffers (badly) from the key revocation problem.
Meanwhile, group-ib are all over the logs of my servers, attacking DNS and SMTP services. Oddly enough, I don’t recall giving them permission to conduct penetration tests of my operation.
Re:
That does it. From now on whenever I intend to purchase a vending machine item, I will don an old Reagan mask or maybe a Nixon one. I am not a crook.
And this is MM not understanding the issues and celebrating censorship engaged in by private companies!!! /s
Phishing for faces
Phishing is a risk associated with the Internet as a whole, as the author rightly explains.
Facial Age Estimation can be conducted on-device, so the image need never leave the user’s control.
But just as when it is processed on a server, users must still trust the provider to manage data as they declare they will, e.g. to delete images immediately or to process locally on device.
For that reason, we support close regulation of our sector with providers securing certification through independent audits to reassure users about data security, privacy and accuracy etc. These requirements are being documented in the latest IEEE and ISO standards.
So while phishing is a risk when accessing any secure or age restricted websites, it is manageable and we are doing more than many sectors to mitigate that risk.