2019: The year attackers steal faces - Forcepoint
Article by Forcepoint APAC sales engineering director William Tam
Last month, one of Perth’s newest bars installed a new security system with facial recognition cameras.
Earlier this year, Sydney Airport and Qantas began trialling ‘couch-to-gate’ biometrics, with an initial phase testing check-in, bag drop, lounge access and boarding.
Once the domain of the military and top government intelligence agencies, facial recognition technology is fast-becoming the norm, with the estimated global market of face recognition software set to reach US$9.78 billion by 2023.
In fact, many major phone models released in 2018 used facial recognition software for unlocking.
Australians are far more accepting of using physical attributes like facial recognition or fingerprints to authenticate their credentials as it is more convenient than remembering different passwords.
But biometric security is by no means immune to vulnerabilities, and while passwords may change, physical biometrics are genetic and specific to each person, making it even more lucrative for hackers to steal them.
The oldest and most effective trick in the book
To an attacker, the successful theft of legitimate credentials must feel a bit like winning the lottery. End users are locked out of their accounts, access to third-party cloud services such as Dropbox and Microsoft Office 365 are cut off, critical data downloaded or wiped entirely.
The soaring number of breaches reveal one simple truth: email addresses, passwords, and personal information (favourite colour, pet name) are no longer sufficient to protect identities online.
In hijacking an end user's identity, phishing still reigns supreme, taking first place in a 2017 study conducted by Google, the University of California, Berkeley, and the International Computer Science Institute.
Closer to home, users are also feeling the effects.
In the latest figures from the Office of the Australian Information Commissioner, phishing made up half of all attacks reported between July – September 2018, while brute-force attacks comprised 12%, and 19% were the result of unknown methods.
The rise and fall of two-factor authentication
While credential theft is the oldest (and most effective) trick in the book, it does not mean that attackers have stopped coming up with new tricks.
Two-factor authentication (2FA) adds an extra layer of security, but even this method has a vulnerability: it is usually accomplished through cell phones.
In 2018, Michael Terpin, a co-founder of the first angel investor group for bitcoin enthusiasts, filed a $224 million lawsuit against a telecommunications company, claiming the loss of $24 million worth of cryptocurrency as a result of a “SIM swap.”
Attackers used phishing and social engineering tactics to trick a customer service representative into porting Terpin’s phone number to an untraceable “burner” phone.
Once this exchange took place, the crime became as simple as clicking a “Forgot Password?” link.
Unravelling biometric authentication
Moving past 2FA, biometric authentication uses data more unique to each end-user.
At first, the possibility of verifying a person’s identity via physiological biometric sensors seemed like a promising alternative to 2FA.
Fingerprints, movements, iris recognition— all of these make life difficult for attackers seeking to access resources by stealing someone else’s identity.
But in recent years, even biometric authentication has begun to unravel. In 2016, researchers at Michigan State University uncovered cheap and easy ways to print the image of a fingerprint using just a standard inkjet printer.
And in 2017, researchers at New York University’s (NYU) Tandon School of Engineering could match anyone’s fingerprints using digitally altered “masterprints.”
Facial recognition has gone mainstream thanks to Apple’s release of the iPhone X, which uses a flood illuminator, an infrared camera, and a dot projector to measure faces in 3D, a method they claim cannot be fooled by photos, videos, or any other kind of 2D medium - and this has stood up to some degree in testing.
A recent test saw a Forbes journalist, Thomas Brewster, break into a number of smartphones using a 3D printed head.
Of the four devices tested, all Android models unlocked with the fake head, while the Apple phone did not.
The reality here is that facial recognition has serious vulnerabilities— and that is why 2019 will be the year hackers will steal the public’s faces.
In 2016, security and computer vision specialists from the University of North Carolina defeated facial recognition systems using publicly available digital photos from social media and search engines in conjunction with mobile VR technology.
Scroll down for security in the age of behavioural biometrics
While passwords may change, physical biometrics are genetic and specific to each person. By the same token, behavioural biometrics provide a continuous authentication layer by incorporating a person’s physical actions, including keystroke, mouse movement, scroll speed, how they toggle between fields, as well as how they manipulate their phone based on the accelerometer and gyroscope.
It is simply impossible for imposters to mimic these actions.
The combination of behavioural biometrics with strong authentication, either based on advanced technology like FaceID or 2FA, is a more sensible approach.
Organisations can identify intruders who hijack open-work with at-login and in-use/continuous authentication, paving the way for risk-based approaches to trigger authentication checkpoints when risk levels rise – for example, when sensitive documents are accessed, particularly when those documents aren’t within the typical work-footprint of a user.