
Can I be the first to say
NSS
Cybercriminals are targeting iOS users with malware that steals face scans from the users of Apple devices to break into and pilfer money from bank accounts – thought to be a world first. A Chinese-speaking cybercrime group, dubbed GoldFactory by Group-IB's researchers, started distributing trojanized smartphone apps in June …
I have a good idea. Let's combine biometrics — the worst possible sort of authenticator — with cloud storage of secrets in an authentication mechanism that non-technical users have no hope of understanding, then tell everyone it's so secure that it'll stand up in court as proof of operation! We can call it "passkeys".
The only 100% secure encryption is the kind you can't undo. Otherwise, as long as there's a way to retrieve the data, someone can figure out a way to get around whatever safeguards you put in place. Same goes for passwords and every other kind of security. If you can get in, so can someone else, it's just a matter of desire and effort. So, saying it was inevitable is stating the obvious.
My bank (HSBC) uses voice recognition to help identify customers on the phone. I recently called them. The line was apparently bad. I could hear my interlocutor very well, but they could apparently not hear me very well. I had to say my postcode several times until they repeated it back correctly. Problems with the letter 'H'.
This puzzled me. Is the voice recognition able to discern the sound better than a human. Or is there some fuzziness going on, where somebody could just sound like me and get away with it?
It could be to do with the way they're switching your call through their system but, as I understand it, voice recognition for security is based upon relative phoneme intervals and pitch rise/fall, so it doesn't need to be able to decode what's actually being said to work.
Oh, this is CLASSIC. We warned them about using biometrics in today's insecure society, but did they listen??
Of course not!!! I want my SHINY EASY!! My iPwned 23.5 has retina scan and fingerprint sharing with my front door lock! Why would I doubt BIG TECH??!!
...
The future is a big, beautiful, shiny place of promises and wonder. For the criminals, at least! :p
If you're dumb enough to believe a cold call from a "government official" telling you to do some weird stuff you've never done before to enroll your iPhone in MDM and then download an app from somewhere other than Apple's app store that's hardly a "biometrics" flaw.
This is a social engineering attack that relies on people who will believe that someone who calls them out of the blue is who they say they are, and do whatever they are told to do even if it is something they've never done before with their phone (whether that's enroll their iPhone in MDM or sideload something on their Android).
It is no different than similar social engineering attacks that have been happening in the US for years, where someone will call a gullible person and claim they are with the IRS, or law enforcement, and they owe money for back taxes or a court judgment against them they never paid, and they will be arrested if the fine isn't paid immediately. They are then given instructions to buy a bunch of gift cards and where to send them, or how to acquire crypto for payment (I assume they have a good story why that's required and not a bank transfer or check) and people fall for this every day. This thing is no different other than they are tricking people into installing malware on their phones. It's a callback to social engineering in the 2000s when people would call claiming to be from "Microsoft" and giving instructions on how to install some AV software to kill the virus they say you have, but would in fact install the virus.
However it is done it relies on gullible or simply old and overly credulous people on the other end of the call who will believe whatever lies the scammer feeds them.
"From July 2023, all Thai banking apps had to comply with the new initiative and replace one-time passcodes with facial biometrics to decrease the threat of financial fraud in the region."
A one-time passcode is an authenticator (a stronger version of a password). A 'face ID' is an identifier (like a user name). When, oh when, will the bank wonks realise that the two are quite different? An authenticator absolutely must be rescindable and changeable (hence the one-time passcode) and as far as I know (barring surgery) one's face can't be changed.
The big problem is that the actual security of accounts is primarily a customer problem, not the bank's (because they can wriggle out by blaming the customer), so a great deal of the provisioning is theatrical. It's not as if they couldn't afford competent security experts, so this all too common idiocy must be down to not really caring.
How many times, a biometric is NOT AUTHENTICATION.
It's the "username", not the "password" and does absolutely nothing to verify that someone is who they claim/appear to be.
And, as demonstrated, anyone can get that username from the user - because it's readily-available and not seen to be "the password". Something accesses your front-facing camera that you also use to log into a device? Oh, look, they have all the data they need to now know what you look like. It doesn't matter what fancy obstacles you try to put in the way (e.g. IR camera, etc.), it's there for them to take, replicate and use forever.
And when that's your username? Who cares. When it's your password? That's just dumb, insecure and wrong.
Stop with the biometrics. Just stop. They are absolutely useless past the point where the computer says "Hello, Dave, would you like to log in?"
Nothing wrong with that, just be sure to use reverse notation with each character also inverted left-to-right or right-to-left as appropriate. This will sufficiently encode said password to be unreadable unless viewed in a mirror. This also makes reading your password yourself easy when you need it if you have a mirror.
I'm curious about the capitalisation of Face ID in the headline which strongly suggests Apple's trademarked biometric system is being compromised. I don't see any reference to Face ID elsewhere in the description of what the trojan does. Isn't it actually that banks have used a crappy, roll-your-own face recognition system that is easily bypassed?
I'm guessing that's the case. An app can't capture the Face ID scan, the scan data is never available to iOS - it never leaves the secure element. This is a social engineering attack that relies on getting people to install a rogue app by enrolling their iPhone in MDM and installing an app that doesn't come from Apple's app store. If you find someone gullible enough to do that, they are probably going to do whatever else you suggest and make it easy for you to steal their money.
They wouldn't need to "steal" a Face ID scan, they've already found themselves a sucker who will use their face to login to whatever app you tell them to at that point!
Granted it's maybe a bit confusingly worded, but... what they seem to be doing is tricking people into installing a compromised app, and that app will then likely ask people to authenticate using FaceID. Chalk another one up to language not having been invented yet to adequately describe a new scenario.