Cybercriminals are stealing iOS users' face scans to break into mobile banking accounts

Cybercriminals are targeting iOS users with malware that steals face scans from the users of Apple devices to break into and pilfer money from bank accounts – thought to be a world first. A Chinese-speaking cybercrime group, dubbed GoldFactory by Group-IB's researchers, started distributing trojanized smartphone apps in June …

  1. Wellyboot Silver badge
    Holmes

    Can I be the first to say

    NSS

    1. MiguelC Silver badge
      Coat

      Re: Can I be the first to say

      No problem, now affected punters just have to change their faces. No biggie.

  2. alain williams Silver badge

    Grow a beard to change your face

    I suppose that that is what you have to do as you would do with a compromised password.

    Not so easy for the ladies.

    Was this not inevitable ?

    1. Pascal Monett Silver badge
      Facepalm

      Re: Grow a beard to change your face

      Yeah.

      Thank $Deity biometrics are so secure, right ?

      1. Michael Wojcik Silver badge

        Re: Grow a beard to change your face

        I have a good idea. Let's combine biometrics — the worst possible sort of authenticator — with cloud storage of secrets in an authentication mechanism that non-technical users have no hope of understanding, then tell everyone it's so secure that it'll stand up in court as proof of operation! We can call it "passkeys".

    2. aerogems Silver badge

      Re: Grow a beard to change your face

      The only 100% secure encryption is the kind you can't undo. Otherwise, as long as there's a way to retrieve the data, someone can figure out a way to get around whatever safeguards you put in place. Same goes for passwords and every other kind of security. If you can get in, so can someone else, it's just a matter of desire and effort. So, saying it was inevitable is stating the obvious.

  3. Joe-Thunks

    Related story

    My bank (HSBC) uses voice recognition to help identify customers on the phone. I recently called them. The line was apparently bad. I could hear my interlocutor very well, but they could apparently not hear me very well. I had to say my postcode several times until they repeated it back correctly. Problems with the letter 'H'.

    This puzzled me. Is the voice recognition able to discern the sound better than a human? Or is there some fuzziness going on, where somebody could just sound like me and get away with it?

    1. Catkin Silver badge

      Re: Related story

      It could be to do with the way they're switching your call through their system but, as I understand it, voice recognition for security is based upon relative phoneme intervals and pitch rise/fall, so it doesn't need to be able to decode what's actually being said to work.

  4. Snake Silver badge

    Wahahahaaaaa!!

    Oh, this is CLASSIC. We warned them about using biometrics in today's insecure society, but did they listen??

    Of course not!!! I want my SHINY EASY!! My iPwned 23.5 has retina scan and fingerprint sharing with my front door lock! Why would I doubt BIG TECH??!!

    ...

    The future is a big, beautiful, shiny place of promises and wonder. For the criminals, at least! :p

    1. Doctor Syntax Silver badge

      Re: Wahahahaaaaa!!

      A variant on phishing but using facial features. Perhaps we should call it "fishing"?

      1. Anonymous Coward

        Re: Wahahahaaaaa!!

        Mugging. As in using a picture of the victim's "mug" (face).

        1. Snake Silver badge
          Thumb Up

          Re: Mugging

          That gets my vote!

    2. DS999 Silver badge

      This is not a biometrics flaw at all

      If you're dumb enough to believe a cold call from a "government official" telling you to do some weird stuff you've never done before to enroll your iPhone in MDM and then download an app from somewhere other than Apple's app store, that's hardly a "biometrics" flaw.

      This is a social engineering attack that relies on people who will believe that someone who calls them out of the blue is who they say they are, and do whatever they are told to do even if it is something they've never done before with their phone (whether that's enroll their iPhone in MDM or sideload something on their Android).

      It is no different than similar social engineering attacks that have been happening in the US for years, where someone will call a gullible person and claim they are with the IRS, or law enforcement, and they owe money for back taxes or a court judgment against them they never paid, and they will be arrested if the fine isn't paid immediately. They are then given instructions to buy a bunch of gift cards and where to send them, or how to acquire crypto for payment (I assume they have a good story why that's required and not a bank transfer or check) and people fall for this every day. This thing is no different other than they are tricking people into installing malware on their phones. It's a callback to social engineering in the 2000s when people would call claiming to be from "Microsoft" and giving instructions on how to install some AV software to kill the virus they say you have, but would in fact install the virus.

      However it is done it relies on gullible or simply old and overly credulous people on the other end of the call who will believe whatever lies the scammer feeds them.

      1. Doctor Syntax Silver badge

        Re: This is not a biometrics flaw at all

        The young are never over-credulous? Nor the middle-aged?

  5. Mike 137 Silver badge

    Yet again the same stupid error

    "From July 2023, all Thai banking apps had to comply with the new initiative and replace one-time passcodes with facial biometrics to decrease the threat of financial fraud in the region."

    A one-time passcode is an authenticator (a stronger version of a password). A 'face ID' is an identifier (like a user name). When, oh when, will the bank wonks realise that the two are quite different? An authenticator absolutely must be rescindable and changeable (hence the one-time passcode) and as far as I know (barring surgery) one's face can't be changed.

    The big problem is that the actual security of accounts is primarily a customer problem, not the bank's (because they can wriggle out by blaming the customer), so a great deal of the provisioning is theatrical. It's not as if they couldn't afford competent security experts, so this all too common idiocy must be down to not really caring.

  6. Lee D Silver badge

    How many times, a biometric is NOT AUTHENTICATION.

    It's the "username", not the "password" and does absolutely nothing to verify that someone is who they claim/appear to be.

    And, as demonstrated, anyone can get that username from the user - because it's readily available and not seen to be "the password". Something accesses your front-facing camera that you also use to log into a device? Oh, look, they have all the data they need to now know what you look like. It doesn't matter what fancy obstacles you try to put in the way (e.g. IR camera, etc.), it's there for them to take, replicate and use forever.

    And when that's your username? Who cares. When it's your password? That's just dumb, insecure and wrong.

    Stop with the biometrics. Just stop. They are absolutely useless past the point where the computer says "Hello, Dave, would you like to log in?"

    1. pdh

      Given the prevalence of surveillance cameras in our society today, using a face scan for authentication is like writing your password on your forehead.

      1. aerogems Silver badge
        Coat

        I remember the foreword to a book, where the author says how he's taken to writing down ideas for future books anywhere he can, including the foreheads of children he passes on the street. If it's good enough for them, why isn't it good enough for the rest of us?

      2. hayzoos
        Joke

        Nothing wrong with that, just be sure to use reverse notation with each character also inverted left-to-right or right-to-left as appropriate. This will sufficiently encode said password to be unreadable unless viewed in a mirror. This also makes reading your password yourself easy when you need it if you have a mirror.
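Mike 137's and Lee D's posts above make the same design point: a face is an identifier that cannot be revoked, so it can only select the account, while the thing that proves possession must be a rescindable authenticator such as a one-time code. The following is an added illustration of that separation, not code from the article or from any bank or vendor it discusses. It uses the HOTP construction from RFC 4226 as the authenticator, and an exact byte comparison as a stand-in for a real, fuzzy face matcher; the user store, the template bytes and the function names are all hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

# Hypothetical in-memory account store, constructed for this example.
# "face" is the identifier (cannot be changed after leaking);
# "otp_secret" is the authenticator (can be rescinded and re-issued).
users = {}


def enroll(user, face_template, otp_secret=None):
    """Register a user with a face template and a fresh HOTP secret."""
    users[user] = {
        "face": face_template,
        "otp_secret": otp_secret or secrets.token_bytes(20),
        "counter": 0,
    }


def identify_by_face(face_template):
    """Identifier step: map a face template to an account name, or None.
    A real matcher is fuzzy (similarity threshold); exact bytes are a stand-in."""
    for name, rec in users.items():
        if hmac.compare_digest(rec["face"], face_template):
            return name
    return None


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def issue_code(user):
    """What the user's token would display for the current counter."""
    rec = users[user]
    return hotp(rec["otp_secret"], rec["counter"])


def login(face_template, code):
    """Face only selects the account; the one-time code proves possession.
    A captured face alone therefore fails, and a used code cannot be replayed.
    (Simplified: no look-ahead window for counter drift, as a real verifier has.)"""
    user = identify_by_face(face_template)
    if user is None:
        return False
    rec = users[user]
    expected = hotp(rec["otp_secret"], rec["counter"])
    if hmac.compare_digest(expected, code):
        rec["counter"] += 1  # code consumed
        return True
    return False


def rescind(user, new_secret=None):
    """Revoke the authenticator after compromise. Note there is no
    equivalent operation for the face template: it is not rescindable."""
    rec = users[user]
    rec["otp_secret"] = new_secret or secrets.token_bytes(20)
    rec["counter"] = 0


if __name__ == "__main__":
    enroll("alice", b"face-template-alice")  # constructed template bytes
    print("face alone:", login(b"face-template-alice", "000000"))
    code = issue_code("alice")
    print("face + code:", login(b"face-template-alice", code))
    print("replayed code:", login(b"face-template-alice", code))
    rescind("alice")
    print("after rescind, new code:", login(b"face-template-alice", issue_code("alice")))
```

The secret in the test below is the RFC 4226 reference key, so the codes are the published test vectors; in any real deployment the secret is random per user and never leaves the token and the verifier.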

  7. Dan 55 Silver badge

    Apps on devices connected 24x7 to the Internet

    Why was anyone ever convinced this was a good idea?

    No apps or at most an app which is a browser pointing to the bank's website and an offline card reader to generate a 2FA code.

  8. A. Coatsworth Silver badge
    Headmaster

    >>comply with the new initiative and replace one-time passcodes with facial biometrics to decrease the threat of financial fraud blame the user olympically and refuse any responsibility in possible frauds

    FTFY

  9. monty75

    Face ID?

    I'm curious about the capitalisation of Face ID in the headline which strongly suggests Apple's trademarked biometric system is being compromised. I don't see any reference to Face ID elsewhere in the description of what the trojan does. Isn't it actually that banks have used a crappy, roll-your-own face recognition system that is easily bypassed?

    1. DS999 Silver badge

      Re: Face ID?

      I'm guessing that's the case. An app can't capture the Face ID scan, the scan data is never available to iOS - it never leaves the secure element. This is a social engineering attack that relies on getting people to install a rogue app by enrolling their iPhone in MDM and installing an app that doesn't come from Apple's app store. If you find someone gullible enough to do that, they are probably going to do whatever else you suggest and make it easy for you to steal their money.

      They wouldn't need to "steal" a Face ID scan, they've already found themselves a sucker who will use their face to login to whatever app you tell them to at that point!

      1. Sven Coenye
        Black Helicopters

        Re: Face ID?

        In muggee's defense, Thailand and Vietnam are military dictatorships. If you get a call from someone "from the government" telling you to do something, challenging the instructions may not be the first thing on the mind.

        1. DS999 Silver badge

          Re: Face ID?

          True, the circumstances of the fraud may make compliance rates higher - but one would think the penalties for impersonating the government would be a lot higher (unless you are giving the dictator kickbacks mafia style)

    2. aerogems Silver badge

      Re: Face ID?

      Granted it's maybe a bit confusingly worded, but... what they seem to be doing is tricking people into installing a compromised app, and that app will then likely ask people to authenticate using FaceID. Chalk another one up to language not having been invented yet to adequately describe a new scenario.

  10. cb7

    My Natwest bank app keeps pestering me to add my face to the biometric approval options.

    I know a 25 year old who can unlock his 50 year old dad's phone using face recognition alone.

    "You are your strongest password" says Natwest as it nags me again.

    Like FUCK OFF ALREADY!!!!

    1. Steve Davies 3 Silver badge
      Holmes

      Facial recognition

      You only have one face but 10 digits (or most people will have 10) for fingerprint ID.

      I won't use my voice or face as ID.

      Apple are stupid (IMHO) for dropping TouchID on their phones apart from the SE model.

      1. David Hicklin Bronze badge

        Re: Facial recognition

        > Apple are stupid (IMHO) for dropping TouchID on their phones apart from the SE model.

        Which is why that model will eventually replace my iPhone7 one day

      2. Pixel Green
        Thumb Up

        Re: Facial recognition

        If you run out of fingers, I've heard some people have had their toes transplanted in their place.

        20 breaches. That's all we're good for. Throw in your face as a bonus and you get 21.
