Selfie-based authentication raises eyebrows among infosec experts

The use of selfies to verify identity online is an emerging trend in some parts of the world since the pandemic forced more business to go digital. Some banks – and even governments – have begun requiring live images over Zoom or similar in order to participate in the modern economy. The question must be asked, though: is it …

  1. DS999 Silver badge

    There are ways to mitigate the risk

    If it can do a depth map like Face ID does, or if it is live asking you to do something rather than just a live shot of your face that could be clipped from social media.

    There will still be risk, sure, but online transactions by their nature will always have an element of risk. Even in-person transactions carry some risk, since these days the "bank where people know you personally" is less and less common. If they show up at a different branch than the one closest to you with your bank card and a fake ID that's sold on eBay for $50, they're getting your money 9 times out of 10.

    While I personally wouldn't use it, they should be required by law to support some type of hardware 2FA device for those who have really high-value transactions or are simply paranoid. For me, I'd be satisfied with Face ID on my phone to verify me, because the bar of "they have to steal my phone and fake out Face ID" is high enough for me to feel comfortable.

    If I was so wealthy that I thought I might be personally targeted by criminals to steal my phone as above I might want to raise the bar, but at some point the "grab me and threaten to hit me over the head with a $5 hammer" scenario becomes the weak point in one's banking security.

  2. Pascal Monett Silver badge

    "typically takes under 20 seconds to complete"

    If it says "under 20 seconds", that means more than 10. So, in order to purchase takeaway (I'm guessing), you have to not only consent for your facial biometrics to be captured by some two-bit outfit that will be hacked in under 20 minutes, but you also have to submit to a dystopian-future-style interrogation for a quarter of a minute to prove that you are just an innocent citizen.

    Thanks, but no thanks.

    Oh, and those small companies have not implemented this as a stopgap. If I know anything about small companies, they are not looking for a better solution. This is the solution.

    1. lglethal Silver badge

      Re: "typically takes under 20 seconds to complete"

      "This is the solution."

      Until they're hacked again. In which case they will install the next "stopgap" solution...

    2. Triggerfish

      Re: "typically takes under 20 seconds to complete"

      USD 400 is an expensive takeaway in Vietnam.

      It doesn't get used for transactions below this value.

  3. Anonymous Coward

    My 85 year old mother was asked to do this selfie #$&@

    Legitimate corporation here in Aus.

    She had to hold her DL next to her face and take a selfie livestream.

    No one was allowed to help her!

    Because the person at the other end heard voices (us trying to advise her), we then went down a whole new rabbit hole to prove there was no coercion.

    She’s 85, she doesn’t do tech, her husband had just died.

    Bastards!

    Arseholes!

  4. mark l 2 Silver badge

    I know they claim their systems can detect deepfakes, but I wonder what their success rate on actual detection is? As I can guarantee that the criminals will find a way around their detection as deepfakes and AI tools improve.

    1. I am the liquor

      They say they can detect it "because the [authentication service] vendor is controlling the capture." But are they really controlling the capture? Not unless they control the device. Their app may think it's capturing from the phone's camera, but it can't know for sure.

  5. david 12 Silver badge

    keyfob id

    Keyfob ID devices were so simple and so effective. I miss them.

    1. Dan 55 Silver badge

      Re: keyfob id

      And they're still the most secure. Everything since is just a method of lowering costs and handwaving away concerns.

  6. Dinanziame Silver badge

    Doesn't sound great

    I would particularly worry about one of these two-bit outfits storing the selfies, then getting their database stolen. Especially since it won't be the most tech-savvy companies using such a low-level security measure. At least, when your credit card number gets stolen, you can change it.

    1. DJO Silver badge

      Re: Doesn't sound great

      when your credit card number gets stolen, you can change it.

      No problem, if credentials are stolen give all customers free plastic surgery.

      Another issue is that not all identical twins are best of chums and pretty much everybody will have at least one doppelganger out there - faces are not sufficiently unique for 100% accurate identification.

  7. Mike 137 Silver badge

    ".... nothing is foolproof," admitted Khan

    Unfortunately it's not the fools we have to contend with, it's highly dedicated smart adversaries with an overriding vested interest in ripping folks off -- it's their business after all.

    The big problem the defence has is that we keep adding layer upon layer of complex point fixes on top of inherently fragile systems and processes instead of starting from analysis of the entire threat landscape to create new simple processes appropriate to that landscape.

    1. Anonymous Coward

      Re: ".... nothing is foolproof," admitted Khan

      "Unfortunately it's not the fools we have to contend with, it's highly dedicated smart adversaries with an overriding vested interest in ripping folks off -- it's their business after all."

      Perhaps, but half of UK consumer fraud is depressingly low-tech confidence tricksters, with no high tech involved whatsoever. In rough numbers we're talking £1.5m every single day lost to authorised payment fraud. If there were bank heists of that scale every day, government and plod would do something about it pretty quick. But fraud has always been seen as a dull semi-crime, something that never justified the Todd, blues and twos, or shooters. So, like smoking weed, it is permitted by wanton lack of enforcement, and the best response you'll get from officialdom is a wringing of hands.

  8. plunet

    Payment providers have been using facial recognition for payment authorisation at checkouts in China for several years already.

  9. sarusa Silver badge

    'could be'

    > Or ML could be making it safe

    And NFTs COULD BE something offered by people other than thieves and hucksters. I'll just be waiting over here...

  10. Tron Silver badge

    More idiocy.

    I use a PC with no camera. The only time I've had to use a moving facial image was the UK gov, either the Covid app or a passport application - I can't remember which. A right pain to get it to work on a smartphone I rarely use. Restricting people to using phones rather than PCs by demanding biometric IDs is daft and will exclude even more people than tech already does. Governments are going to use MFA and biometric IDs to track and monitor citizens. But the more ID info we hand over, the more will get nicked.
