Biometrics have been touted as the ultimate credential - because after all, faces, fingerprints and irises are unique to every human being.
Attackers are increasingly cunning, and it's becoming clear that biometric screens are just as easy to bypass as the multitude of other existing tools.
Attesting to this, cybersecurity company Group-IB has discovered the first banking trojan that steals people's faces.
Unsuspecting users are tricked into giving up personal IDs and phone numbers and are prompted to perform face scans.
The method - developed by a Chinese-based hacking family - is believed to have been used in Vietnam earlier this month, when attackers lured a victim into a malicious app, tricked them into face scanning, then withdrew the equivalent of $40,000 from their bank account.
This discovery reveals the alarming, growing threat that biometrics pose.
Face swap deepfake attacks increased by 704% between the first and second halves of 2023, according to a new iProov Threat Intelligence Report.
The biometric authentication company also discovered a 672% increase in the use of deepfake media being used alongside spoofing tools and a 353% increase in the use of emulators and spoofing to launch digital injection attacks.
As a result, Gartner predicts that by 2026, 30% of enterprises will no longer consider biometric tools reliable by themselves.
Some say biometrics are even more dangerous than traditional login methods - the stealing of our unique biological characteristics could eternally expose us because we can't change these features as we could a password or passkeys.
Threat actors can then use this sensitive information to create deepfakes that swap in synthetic faces for the victims.
Their tools work across iOS and Android devices and have largely been used to target the elderly.
For now, their tactics are so effective in Thailand because the country now requires users to confirm large banking transactions via facial recognition as opposed to one time passwords.
The State Bank of Vietnam has expressed its intentions to mandate facial authentication for all money transfers beginning in April.
Victims were requested to take pictures of themselves and snap a photo of their identity card.
In the iOS version, the trojan even offers victims instructions - such as to blink, smile, face left or right, nod down or open their mouths.
Hackers could then potentially - and easily - impersonate into the victim's bank application.
If you need to do so, call your bank directly; do not click on bank alert pop-ups.
Unfamiliar apps: Some malware are disguised as legitimate apps.
Overall strange behavior, such as a phone making calls on its own, sending messages without consent or accessing apps without input.
This Cyber News was published on venturebeat.com. Publication date: Thu, 22 Feb 2024 01:13:05 +0000