Selfie-based authentication is on the rise, alarming security experts

zohaibahd

zohaibahd

Posts: 228   +5
Staff
The big picture: Selfies are increasingly taking on a surprising new role: verifying your identity online. Some banks and even governments have started mandating live selfie captures during video calls to prove who you are before accessing services. However, giving tech companies your selfie is far from a smart cybersecurity move, as a new report has highlighted.

Multiple security experts and market analysts who spoke to The Register discussed this practice, highlighting just how unsafe it is and advising on ways it can be improved.

The selfie authentication trend has been brewing for years, says Akif Khan, a VP analyst at Gartner who advises organizations on implementing the technology. He told the publication that interest in selfie ID verification has been very high and steadily growing, with an "uptick" recently as the pandemic drove more services online.

Concerns became overt last week when Vietnam made face scans from phone banking apps compulsory for any digital transaction over $400. Vietnamese media voiced skepticism that selfies would improve security. Within days, some apps were already failing the vibe check by accepting simple still photos instead of live selfie videos.

The rise of selfie ID aligns with anti-money laundering (AML) and know-your-customer (KYC) regulations that require identity checks, though the specifics vary globally across jurisdictions and are frequently updated. This creates conflicting requirements when balanced against data privacy regulations in each region.

How companies mishandle selfie data is a problem too, according to Kevin Reed, CISO at Acronis. He told the publication that businesses frequently fail to properly manage and dispose of selfie verification images after use, leaving them exposed to theft if cyber criminals find value in the data trove.

A Resecurity report previously highlighted a Singapore payment provider that had users submit a photo holding their ID next to a handwritten sign to presumably prove liveness. Reed dismissed this technique as only "slightly better" than still selfies since it is still easily editable. Meanwhile, Khan wasn't confident about this technique either, calling it a "stopgap" measure while they work on a proper solution.

A better solution is "liveness" detection technology from third-party vendors integrated into apps and websites.

Liveness check vendors deploy a range of techniques to validate that users are physically present. These include movements during the selfie capture, like expressing emotions or turning the head. Khan noted that these checks are aided by machine learning and can also detect injection attacks from deepfakes. They analyze depth, edges, light reflection, and even signs of blood flow during verification.

Permalink to story:

Selfie-based authentication is on the rise, alarming security experts

 
This is not new to be honest. Using Face ID to login to your banking or government app are clear examples of usage of facial or biometric for authentication.

In any case, there is no one authentication method that is 100% foolproof. In this age, I suppose it is not impossible to even 3D print a person's face to try and bypass facial recognition security.
 
Watzupken said:
This is not new to be honest. Using Face ID to login to your banking or government app are clear examples of usage of facial or biometric for authentication.

In any case, there is no one authentication method that is 100% foolproof. In this age, I suppose it is not impossible to even 3D print a person's face to try and bypass facial recognition security.
Click to expand...
Face ID is not selfie though, and it's used for completely different purposes. Face ID is used to prove to your phone that you're the phone owner. Verifying yourself to your bank is a completely different story.
 
bviktor said:
Face ID is used to prove to your phone that you're the phone owner. Verifying yourself to your bank is a completely different story.
Click to expand...
Verifying your face to your iPhone is equivalent to verifying it to Apple and the iCloud. And banks have been requiring biometric data from customers for literally centuries, through the highest technology available at the time: signature verification.
 
Endymio said:
And banks have been requiring biometric data from customers for literally centuries
Click to expand...
You either don't know what biometric data is or what literally means. Or maybe you don't know what centuries are? heck, it could be all three!
 
yRaz said:
You either don't know what biometric data is or what literally means. Or maybe you don't know what centuries are? heck, it could be all three!
Click to expand...
Oops! bio: life, metric: measure. Biometrics: unique physical or behavioral characteristics used for identification.

How a person signs their name is highly unique, and no different than a voiceprint or any other biometric data. You might (incorrectly) argue that signatures can be faked, whereas fingerprints and facial recognition cannot. But copying a signature without a reference sample is essentially impossible. Conversely, if you have a sample fingerprint or facial keypoint data, you can spoof biometric systems with these just as you can copy a signature.

Or were you disputing that banking institutions have for centuries collected signatures? I could take the theme much further by pointing out that Britain began using sepia-ink fingerprints on documents starting in the 1860s, and nearly 5000 years before that, people in the Indus Valley civilization were placing their fingerprints on clay tablets for identification purposes.
 
Endymio said:
Oops! bio: life, metric: measure. Biometrics: unique physical or behavioral characteristics used for identification.

How a person signs their name is highly unique, and no different than a voiceprint or any other biometric data. You might (incorrectly) argue that signatures can be faked, whereas fingerprints and facial recognition cannot. But copying a signature without a reference sample is essentially impossible. Conversely, if you have a sample fingerprint or facial keypoint data, you can spoof biometric systems with these just as you can copy a signature.

Or were you disputing that banking institutions have for centuries collected signatures? I could take the theme much further by pointing out that Britain began using sepia-ink fingerprints on documents starting in the 1860s, and nearly 5000 years before that, people in the Indus Valley civilization were placing their fingerprints on clay tablets for identification purposes.
Click to expand...
So I guess you have me in a bit of a technicality. Signatures are hard to forge now because we've developed advanced analytic systems to see if they are fake or not, but not everyone had access to the abilities forge signatures back then either. security through obscurity.

I wasmt even considering signatures as a security measure as signatures are pretty useless these days.

I have a difficult time believing the fingerprint side of things but my belief is irrelevant to the truth. That actually sounds really interesting so I'd appreciate a link as I'm having a difficult time finding one.
 
  • Like
Reactions: Endymio
yRaz said:
I have a difficult time believing the fingerprint side of things but my belief is irrelevant to the truth. That actually sounds really interesting so I'd appreciate a link as I'm having a difficult time finding one.
Click to expand...
Three thumbs up for the open mind. I'm a bit skeptical myself of suppositions based on 5000 year old evidence, but archeologists have worked from thinner evidence. My statement was based on a book in my own library -- however, the first two links below briefly allude to both the Indus Valley and neighboring Mesopotamia doing this, whereas the final link is a more comprehensive source that starts with Chinese efforts in this direction around 200 BC.

FINGERPRINTS - The History of Fingerprinting & the Study of Dermatoglyphics!

fingerprints.handresearch.com fingerprints.handresearch.com

forensicsdigest.com

History of Fingerprints - Forensics Digest

The history and development of finger prints as a means of identification is really fascinating. Many
forensicsdigest.com forensicsdigest.com

 
You must log in or register to reply here.

Similar threads

midian182
AMD's brand is now more valuable than Intel, Samsung, and Xbox, but Apple still reigns as king
Replies
20
Views
77
godrilla
godrilla
midian182
Experts warn of hacking risks as AI-powered vending machines that sell ammo expand across the US
Replies
9
Views
58
plplplpl
plplplpl
midian182
X struggles to grow daily active users amid stiff competition from Meta's Threads
Replies
8
Views
52
texasrattler
T

Latest posts

Back