Real World Risk Management Practical HR Resources
Biometric Authentication: Still Not Ready For Prime Time

To combat widespread financial fraud, the Bank of Thailand announced a policy change in March 2023 requiring all Thai financial institutions to forgo email and SMS verification and instead use facial recognition for major customer actions, such as opening a new account, adjusting a daily transfer limit, or initiating a transaction of more than 50,000 baht.

The intent was to safeguard customer accounts against cybercriminals.

However, just three months after the policy took effect, even this increased security measure was jeopardized.

A new malware, "GoldPickaxe," was developed by a large (but unidentified) Chinese-language group and was soon seen on iOS and Android devices, masquerading as a government service app. The app delivers a sophisticated banking Trojan that tricks people into giving up their personal IDs, phone numbers, and face scans, which it steals for later use in logging into the victims' bank accounts. So far the Trojan has targeted elderly victims, persuading them to scan their faces into the app; the attackers then use deepfake technology built from those scans to bypass the Bank of Thailand's cutting-edge biometric security checks.

The malicious app appears to be highly effective for two reasons: deepfake technology has caught up with biometric authentication mechanisms, and most users have not yet realized that. Nate Nelson, "iOS, Android Malware Steals Faces to Defeat Biometrics With AI Swaps," darkreading.com (Feb. 15, 2023).


Commentary


Given how quickly cybercriminals now respond to new defense strategies, relying on any single system or technique to defend an organization's network should be reconsidered.

For many years, a multi-layered approach was considered critical to secure a network. That approach may still be the best, even as individual elements of that multi-layered approach become more sophisticated and challenging.

Biometrics will be important, but they are not foolproof, as the above account makes clear. If a person is social-engineered into giving up their biometrics, their accounts are at risk.

Using two-factor authentication methods, whether a phone authenticator app, a text message, a physical security key, or a Bluetooth, USB, or NFC device, to authenticate a login remains the best practice.
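The point of the commentary is that a stolen face scan should never be enough on its own to move money. The following Python example, written for this page and not taken from any bank's or vendor's code, shows a server-side step-up policy that treats a biometric match as one factor and insists on a second factor of a different kind (here an RFC 6238 TOTP code, standing in for the authenticator-app option above) before a high-value transfer or an account change is allowed. The action names, the factor categories, and the sample secret are assumptions made for illustration; the 50,000 baht threshold is the one described in the article.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Threshold taken from the Bank of Thailand policy described above (50,000 baht).
HIGH_VALUE_THRESHOLD = 50_000

# Each presented factor is tagged with its category so the policy can require
# factors of *different* kinds (inherence + possession), not two of one kind.
# Categories and factor names are assumptions for this example.
FACTOR_CATEGORY = {
    "face": "inherence",
    "totp": "possession",
    "security_key": "possession",
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step) for the given Unix time."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps of clock drift.
    Uses a constant-time comparison so timing does not leak digits."""
    return any(
        hmac.compare_digest(totp(secret, at + d * 30), code)
        for d in range(-skew, skew + 1)
    )


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(action: str, amount: int, factors: dict,
              totp_secret: bytes, at: int) -> Decision:
    """Decide whether `action` may proceed given the factors the client presented.

    factors example: {"face": True, "totp": "123456"}.  "face": True means the
    server-side biometric match succeeded (a deepfake that fools the matcher
    also produces True, which is exactly why it must not be sufficient alone).
    High-risk actions need two verified factors from different categories.
    """
    verified = set()
    if factors.get("face") is True:
        verified.add("face")
    if "totp" in factors and verify_totp(totp_secret, factors["totp"], at):
        verified.add("totp")
    if factors.get("security_key") is True:
        verified.add("security_key")

    categories = {FACTOR_CATEGORY[f] for f in verified}
    high_risk = (action in ("open_account", "raise_transfer_limit")
                 or amount > HIGH_VALUE_THRESHOLD)

    if not verified:
        return Decision(False, "no verified factor")
    if high_risk and len(categories) < 2:
        return Decision(False, "high-risk action needs a second factor of a different kind")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed sample secret (the RFC 6238 test-vector key) and a fixed time.
    secret = b"12345678901234567890"
    now = 59
    code = totp(secret, now)
    print(authorize("transfer", 60_000, {"face": True}, secret, now))
    print(authorize("transfer", 60_000, {"face": True, "totp": code}, secret, now))
```

With the constructed inputs, the face-only high-value transfer is refused while the face-plus-TOTP request passes; a low-value transfer with only the biometric is still allowed, which mirrors the policy's tiering rather than a blanket requirement. In a real deployment the TOTP secret would be stored per customer and the biometric result would come from the matching service, but the policy logic is the same.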
