2019: The year attackers steal faces - Forcepoint

07 Jan 2019

Article by Forcepoint APAC sales engineering director William Tam

Last month, one of Perth’s newest bars installed a new security system with facial recognition cameras.

Earlier this year, Sydney Airport and Qantas began trialling ‘couch-to-gate’ biometrics, with an initial phase testing check-in, bag drop, lounge access and boarding.

Once the domain of the military and top government intelligence agencies, facial recognition technology is fast becoming the norm, with the estimated global market of face recognition software set to reach US$9.78 billion by 2023.

In fact, many major phone models released in 2018 used facial recognition software for unlocking.

Australians are far more accepting of using physical attributes like facial recognition or fingerprints to authenticate their credentials as it is more convenient than remembering different passwords.

But biometric security is by no means immune to vulnerabilities, and while passwords may change, physical biometrics are genetic and specific to each person, making it even more lucrative for hackers to steal them.

The oldest and most effective trick in the book

To an attacker, the successful theft of legitimate credentials must feel a bit like winning the lottery. End users are locked out of their accounts, access to third-party cloud services such as Dropbox and Microsoft Office 365 is cut off, and critical data is downloaded or wiped entirely.

The soaring number of breaches reveals one simple truth: email addresses, passwords, and personal information (favourite colour, pet name) are no longer sufficient to protect identities online.

In hijacking an end user's identity, phishing still reigns supreme, taking first place in a 2017 study conducted by Google, the University of California, Berkeley, and the International Computer Science Institute.

Closer to home, users are also feeling the effects.

In the latest figures from the Office of the Australian Information Commissioner, phishing made up half of all attacks reported between July and September 2018, while brute-force attacks comprised 12%, and 19% were the result of unknown methods.

The rise and fall of two-factor authentication

While credential theft is the oldest (and most effective) trick in the book, it does not mean that attackers have stopped coming up with new tricks.

Two-factor authentication (2FA) adds an extra layer of security, but even this method has a vulnerability: it is usually accomplished through cell phones.

In 2018, Michael Terpin, a co-founder of the first angel investor group for bitcoin enthusiasts, filed a $224 million lawsuit against a telecommunications company, claiming the loss of $24 million worth of cryptocurrency as a result of a “SIM swap.”

Attackers used phishing and social engineering tactics to trick a customer service representative into porting Terpin’s phone number to an untraceable “burner” phone.

Once this exchange took place, the crime became as simple as clicking a “Forgot Password?” link.

Unravelling biometric authentication

Moving past 2FA, biometric authentication uses data more unique to each end-user.

At first, the possibility of verifying a person’s identity via physiological biometric sensors seemed like a promising alternative to 2FA.

Fingerprints, movements, iris recognition: all of these make life difficult for attackers seeking to access resources by stealing someone else’s identity.

But in recent years, even biometric authentication has begun to unravel. In 2016, researchers at Michigan State University uncovered cheap and easy ways to print the image of a fingerprint using just a standard inkjet printer.

And in 2017, researchers at New York University’s (NYU) Tandon School of Engineering could match anyone’s fingerprints using digitally altered “masterprints.”

Facial recognition has gone mainstream thanks to Apple’s release of the iPhone X, which uses a flood illuminator, an infrared camera, and a dot projector to measure faces in 3D, a method they claim cannot be fooled by photos, videos, or any other kind of 2D medium - and this has stood up to some degree in testing.

A recent test saw a Forbes journalist, Thomas Brewster, break into a number of smartphones using a 3D printed head.

Of the four devices tested, all Android models unlocked with the fake head, while the Apple phone did not.

The reality here is that facial recognition has serious vulnerabilities, and that is why 2019 will be the year hackers will steal the public’s faces.

In 2016, security and computer vision specialists from the University of North Carolina defeated facial recognition systems using publicly available digital photos from social media and search engines in conjunction with mobile VR technology.

Security in the age of behavioural biometrics

While passwords may change, physical biometrics are genetic and specific to each person. By the same token, behavioural biometrics provide a continuous authentication layer by incorporating a person’s physical actions, including keystroke, mouse movement, scroll speed, how they toggle between fields, as well as how they manipulate their phone based on the accelerometer and gyroscope.

It is simply impossible for imposters to mimic these actions.

The combination of behavioural biometrics with strong authentication, either based on advanced technology like FaceID or 2FA, is a more sensible approach.

Organisations can identify intruders who hijack open-work with at-login and in-use/continuous authentication, paving the way for risk-based approaches to trigger authentication checkpoints when risk levels rise – for example, when sensitive documents are accessed, particularly when those documents aren’t within the typical work-footprint of a user.
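
A sketch of the risk-based checkpoint described above, as an added example that is not from the article or from any Forcepoint product: it combines a keystroke-timing deviation with a work-footprint check and demands re-authentication when the combined risk rises. The weights, threshold, folder names and timing samples are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Hypothetical threshold (assumption): at or above this, re-authenticate.
STEP_UP_THRESHOLD = 0.5

def keystroke_anomaly(baseline_ms, session_ms):
    """Score 0..1: distance of the session's mean inter-key interval from
    the user's enrolled baseline, in baseline standard deviations."""
    mu, sigma = mean(baseline_ms), stdev(baseline_ms)
    if sigma == 0:
        return 0.0 if mean(session_ms) == mu else 1.0
    z = abs(mean(session_ms) - mu) / sigma
    return min(z / 3.0, 1.0)  # three sigma or more saturates at 1.0

def footprint_risk(doc, usual_folders, sensitive):
    """Score 0..1 for a document access relative to the user's usual folders."""
    folder = doc.rsplit("/", 1)[0]
    outside = folder not in usual_folders
    if sensitive and outside:
        return 1.0
    if sensitive or outside:
        return 0.5
    return 0.0

def decide(baseline_ms, session_ms, doc, usual_folders, sensitive):
    """Return (risk, action); 'step_up' means an authentication checkpoint
    must be passed before the access proceeds."""
    risk = (0.5 * keystroke_anomaly(baseline_ms, session_ms)
            + 0.5 * footprint_risk(doc, usual_folders, sensitive))
    action = "step_up" if risk >= STEP_UP_THRESHOLD else "allow"
    return round(risk, 2), action

# Constructed sample data: enrolled inter-key intervals (ms) and usual folders.
BASELINE = [180, 195, 170, 185, 190, 175, 200, 182]
USUAL = {"/sales/apac", "/sales/shared"}

if __name__ == "__main__":
    # Normal typing, routine document: no checkpoint.
    print(decide(BASELINE, [178, 188, 192, 181], "/sales/apac/q3.xlsx", USUAL, False))
    # Normal typing, sensitive document outside the footprint: checkpoint.
    print(decide(BASELINE, [178, 188, 192, 181], "/finance/payroll/2018.xlsx", USUAL, True))
    # Very different typing rhythm on the same open session: checkpoint.
    print(decide(BASELINE, [95, 110, 102, 99], "/finance/payroll/2018.xlsx", USUAL, True))
```

The second case shows the in-use check firing even though the typing rhythm matches the enrolled user, which is the situation the at-login check alone would miss.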