
2019: The year attackers steal faces - Forcepoint

07 Jan 2019

Article by Forcepoint APAC sales engineering director William Tam

Last month, one of Perth’s newest bars installed a new security system with facial recognition cameras.

Earlier this year, Sydney Airport and Qantas began trialling ‘couch-to-gate’ biometrics, with an initial phase testing check-in, bag drop, lounge access and boarding.

Once the domain of the military and top government intelligence agencies, facial recognition technology is fast becoming the norm, with the estimated global market for face recognition software set to reach US$9.78 billion by 2023.

In fact, many major phone models released in 2018 used facial recognition software for unlocking.

Australians are far more accepting of using physical attributes like facial recognition or fingerprints to authenticate their credentials as it is more convenient than remembering different passwords.

But biometric security is by no means immune to vulnerabilities, and while passwords may change, physical biometrics are genetic and specific to each person, making it even more lucrative for hackers to steal them.

The oldest and most effective trick in the book

To an attacker, the successful theft of legitimate credentials must feel a bit like winning the lottery. End users are locked out of their accounts, access to third-party cloud services such as Dropbox and Microsoft Office 365 is cut off, and critical data is downloaded or wiped entirely.

The soaring number of breaches reveals one simple truth: email addresses, passwords, and personal information (favourite colour, pet name) are no longer sufficient to protect identities online.

In hijacking an end user's identity, phishing still reigns supreme, taking first place in a 2017 study conducted by Google, the University of California, Berkeley, and the International Computer Science Institute.

Closer to home, users are also feeling the effects.

In the latest figures from the Office of the Australian Information Commissioner, phishing made up half of all attacks reported between July and September 2018, while brute-force attacks comprised 12%, and 19% were the result of unknown methods.

The rise and fall of two-factor authentication

While credential theft is the oldest (and most effective) trick in the book, it does not mean that attackers have stopped coming up with new tricks.

Two-factor authentication (2FA) adds an extra layer of security, but even this method has a vulnerability: it is usually accomplished through cell phones.

In 2018, Michael Terpin, a co-founder of the first angel investor group for bitcoin enthusiasts, filed a $224 million lawsuit against a telecommunications company, claiming the loss of $24 million worth of cryptocurrency as a result of a “SIM swap.”

Attackers used phishing and social engineering tactics to trick a customer service representative into porting Terpin’s phone number to an untraceable “burner” phone.

Once this exchange took place, the crime became as simple as clicking a “Forgot Password?” link.

Unravelling biometric authentication

Moving past 2FA, biometric authentication uses data more unique to each end-user.

At first, the possibility of verifying a person’s identity via physiological biometric sensors seemed like a promising alternative to 2FA.

Fingerprints, movements, iris recognition: all of these make life difficult for attackers seeking to access resources by stealing someone else’s identity.

But in recent years, even biometric authentication has begun to unravel. In 2016, researchers at Michigan State University uncovered cheap and easy ways to print the image of a fingerprint using just a standard inkjet printer.

And in 2017, researchers at New York University’s (NYU) Tandon School of Engineering could match anyone’s fingerprints using digitally altered “masterprints.”

Facial recognition has gone mainstream thanks to Apple’s release of the iPhone X, which uses a flood illuminator, an infrared camera and a dot projector to measure faces in 3D, a method Apple claims cannot be fooled by photos, videos or any other kind of 2D medium, and this has stood up to some degree in testing.

A recent test saw a Forbes journalist, Thomas Brewster, break into a number of smartphones using a 3D printed head.

Of the four devices tested, all Android models unlocked with the fake head, while the Apple phone did not.

The reality here is that facial recognition has serious vulnerabilities, and that is why 2019 will be the year hackers will steal the public’s faces.

In 2016, security and computer vision specialists from the University of North Carolina defeated facial recognition systems using publicly available digital photos from social media and search engines in conjunction with mobile VR technology.

Security in the age of behavioural biometrics

While passwords may change, physical biometrics are genetic and specific to each person. By the same token, behavioural biometrics provide a continuous authentication layer by incorporating a person’s physical actions, including keystroke dynamics, mouse movement, scroll speed, how they toggle between fields, and how they handle their phone as measured by its accelerometer and gyroscope.

It is simply impossible for imposters to mimic these actions.

The combination of behavioural biometrics with strong authentication, either based on advanced technology like FaceID or 2FA, is a more sensible approach.

Organisations can identify intruders who hijack an open session by combining at-login and in-use (continuous) authentication, paving the way for risk-based approaches that trigger authentication checkpoints when risk levels rise, for example when sensitive documents are accessed, particularly documents that aren’t within the user’s typical work footprint.
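The risk-based checkpoint approach described above, as an added illustrative example in Python (not Forcepoint’s product code): a per-user behavioural baseline (constructed sample keystroke and mouse values) is compared with live session events, and a step-up authentication checkpoint is triggered when behaviour deviates sharply from the baseline or when a sensitive document outside the user’s usual work footprint is opened. The threshold, weights and sample data are assumed values.

```python
"""Risk-based continuous authentication scorer (illustrative example, assumed policy values)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class BehaviourProfile:
    """Per-user baseline learned from earlier sessions (constructed sample values)."""
    keystroke_ms: list                                   # inter-key intervals seen at enrolment
    mouse_px_per_s: list                                 # cursor speeds seen at enrolment
    work_footprint: set = field(default_factory=set)     # folders the user normally works in

    def zscore(self, samples, value):
        sd = pstdev(samples) or 1.0                      # avoid division by zero on a flat baseline
        return abs(value - mean(samples)) / sd

STEP_UP_THRESHOLD = 3.0   # assumed policy knob: total risk at which a checkpoint is triggered

def score_event(profile, event):
    """Return (risk, reasons). Risk rises with behavioural deviation and with
    sensitive-document access outside the user's typical work footprint."""
    risk, reasons = 0.0, []
    for name, samples, key in (("keystroke", profile.keystroke_ms, "keystroke_ms"),
                               ("mouse", profile.mouse_px_per_s, "mouse_px_per_s")):
        z = profile.zscore(samples, event[key])
        if z > 2.0:                                      # beyond 2 sigma is treated as anomalous
            risk += z - 2.0
            reasons.append(f"{name} deviates {z:.1f} sigma from baseline")
    folder = event["doc"].rsplit("/", 1)[0]
    if event["sensitive"]:
        risk += 1.0
        reasons.append("sensitive document accessed")
        if folder not in profile.work_footprint:
            risk += 2.0                                  # sensitive AND off-footprint: strongest signal
            reasons.append(f"{folder} is outside the user's work footprint")
    return risk, reasons

def decide(profile, event):
    """Map an event to 'allow' or 'step-up' (re-authentication checkpoint)."""
    risk, reasons = score_event(profile, event)
    return ("step-up" if risk >= STEP_UP_THRESHOLD else "allow"), risk, reasons

# Constructed sample profile and session events, not real telemetry.
ALICE = BehaviourProfile(
    keystroke_ms=[120, 130, 125, 118, 135, 128, 122, 131],
    mouse_px_per_s=[400, 450, 420, 480, 410, 440, 430, 460],
    work_footprint={"/finance/reports", "/finance/budgets"},
)
SESSION = [
    {"keystroke_ms": 127, "mouse_px_per_s": 435, "doc": "/finance/reports/q3.xlsx", "sensitive": True},
    {"keystroke_ms": 126, "mouse_px_per_s": 445, "doc": "/hr/payroll/2018.xlsx", "sensitive": True},
    {"keystroke_ms": 70, "mouse_px_per_s": 900, "doc": "/finance/budgets/2019.xlsx", "sensitive": False},
]
```

Running `decide(ALICE, ev)` over `SESSION` allows the first event, steps up the second because a sensitive payroll file sits outside Alice’s footprint, and steps up the third because the typing and cursor behaviour no longer match her baseline even though the document itself is routine.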
