WHY THIS MATTERS IN BRIEF
You can change your password but you can’t change your face… and biometric authentication systems are now being hacked at scale.
As we all move away from passwords, which can be easily cracked and stolen, and adopt biometrics instead, criminals are catching up and finding new ways to spoof these systems as well. So far we’ve seen criminals cloning executives’ voices to steal $243,000 from an energy firm, and now, in what is widely regarded as the first and largest hack of its kind, a Chinese government facial recognition ID authentication tool was recently hacked, according to media reports. The biometric data stolen was then used to create fake tax invoices.
Using Artificial Intelligence (AI), the criminals made high-resolution images of people look “alive” for the crime – essentially by using AI to generate sophisticated synthetic video snippets of the people’s faces, each “nodding, shaking, blinking and opening their mouths,” according to the South China Morning Post (SCMP) – presumably to beat a biometric Presentation Attack Detection (PAD) system.
According to SCMP, reporting on an article in the Xinhua Daily Telegraph, the sophisticated biometric spoof attack and theft is being attributed to a pair of hackers with the surnames Wu and Zhou.
They allegedly netted 500 million yuan, or $76.2 million, operating for less than two years. Shanghai authorities in January posted online that the two had been prosecuted.
The Morning Post reported that the team purchased biometric information on the black market. Armed with the personal data and the augmented pictures, the hackers used a shell company to send fraudulent tax invoices to that company’s “clients.”
The hackers hijacked phone cameras so that people would try to authenticate themselves with video, but that information went nowhere.
The Morning Post also reports that online services for defeating face biometric systems are available for 30 to 250 yuan ($4.58 to $38.15) on the Dark Web.