Biometric Authentication: Still Not Ready For Prime Time

To combat widespread financial fraud, the Bank of Thailand announced a policy change in March 2023 requiring all Thai financial institutions to forgo email and SMS verification and instead use facial recognition for any major customer action, such as opening a new account, adjusting a daily transfer limit, or initiating a transaction of more than 50,000 baht.

The intent was to safeguard customer accounts against cybercriminals.

However, just three months after it began, even this increased security measure was jeopardized.

A new malware strain, "GoldPickaxe," developed by a large (but unidentified) Chinese-language group, was soon seen on iOS and Android devices masquerading as a government service app. The app delivers a sophisticated banking Trojan that tricks people into giving up their personal IDs, phone numbers, and face scans, which the attackers later use to log into those victims' bank accounts. So far the Trojan has targeted elderly victims, tricking them into scanning their faces into the app; the captured scans are then fed to deepfake technology to bypass the Bank of Thailand's cutting-edge biometric security checks.

The malicious app seems to be highly effective for two reasons: deepfake technology has caught up with biometric authentication mechanisms, and most users have not realized that yet. Nate Nelson, "iOS, Android Malware Steals Faces to Defeat Biometrics With AI Swaps," darkreading.com (Feb. 15, 2023).


Commentary


Given how quickly cybercriminals now respond to new defensive measures, relying on a single system or technique to defend an organization's network should be reconsidered.

For many years, a multi-layered approach has been considered critical to securing a network. That approach may still be the best, even as the individual layers become more sophisticated and more challenging to deploy.

Biometrics will be important, but they are not foolproof, as the above account makes clear. If a person is social-engineered into giving up their biometrics, their accounts are at risk.

Using two-factor authentication, whether through a phone authenticator app, a text message, a physical security key, or a Bluetooth, USB, or NFC device, to authenticate a login remains the best practice.

