
2019: The year attackers steal faces - Forcepoint

07 Jan 2019

Article by Forcepoint APAC sales engineering director William Tam

Last month, one of Perth’s newest bars installed a new security system with facial recognition cameras.

Earlier this year, Sydney Airport and Qantas began trialling ‘couch-to-gate’ biometrics, with an initial phase testing check-in, bag drop, lounge access and boarding.

Once the domain of the military and top government intelligence agencies, facial recognition technology is fast becoming the norm, with the estimated global market for face recognition software set to reach US$9.78 billion by 2023.

In fact, many major phone models released in 2018 used facial recognition software for unlocking.

Australians are far more accepting of using physical attributes like facial recognition or fingerprints to authenticate, as it is more convenient than remembering different passwords.

But biometric security is by no means immune to vulnerabilities, and while passwords may change, physical biometrics are genetic and specific to each person, making it even more lucrative for hackers to steal them.

The oldest and most effective trick in the book

To an attacker, the successful theft of legitimate credentials must feel a bit like winning the lottery. End users are locked out of their accounts, access to third-party cloud services such as Dropbox and Microsoft Office 365 is cut off, and critical data is downloaded or wiped entirely.

The soaring number of breaches reveals one simple truth: email addresses, passwords, and personal information (favourite colour, pet name) are no longer sufficient to protect identities online.

In hijacking an end user's identity, phishing still reigns supreme, taking first place in a 2017 study conducted by Google, the University of California, Berkeley, and the International Computer Science Institute.

Closer to home, users are also feeling the effects.

In the latest figures from the Office of the Australian Information Commissioner, phishing made up half of all attacks reported between July and September 2018, while brute-force attacks comprised 12%, and 19% were the result of unknown methods.

The rise and fall of two-factor authentication

While credential theft is the oldest (and most effective) trick in the book, it does not mean that attackers have stopped coming up with new tricks.

Two-factor authentication (2FA) adds an extra layer of security, but even this method has a vulnerability: it is usually accomplished through cell phones.

In 2018, Michael Terpin, a co-founder of the first angel investor group for bitcoin enthusiasts, filed a $224 million lawsuit against a telecommunications company, claiming the loss of $24 million worth of cryptocurrency as a result of a “SIM swap.”

Attackers used phishing and social engineering tactics to trick a customer service representative into porting Terpin’s phone number to an untraceable “burner” phone.

Once this exchange took place, the crime became as simple as clicking a “Forgot Password?” link.

Unravelling biometric authentication

Moving past 2FA, biometric authentication uses data more unique to each end-user.

At first, the possibility of verifying a person’s identity via physiological biometric sensors seemed like a promising alternative to 2FA.

Fingerprints, movements, iris recognition: all of these make life difficult for attackers seeking to access resources by stealing someone else’s identity.

But in recent years, even biometric authentication has begun to unravel. In 2016, researchers at Michigan State University uncovered cheap and easy ways to print the image of a fingerprint using just a standard inkjet printer.

And in 2017, researchers at New York University’s (NYU) Tandon School of Engineering could match anyone’s fingerprints using digitally altered “masterprints.”

Facial recognition has gone mainstream thanks to Apple’s release of the iPhone X, which uses a flood illuminator, an infrared camera, and a dot projector to measure faces in 3D, a method Apple claims cannot be fooled by photos, videos, or any other kind of 2D medium, and this has stood up to some degree in testing.

A recent test saw a Forbes journalist, Thomas Brewster, break into a number of smartphones using a 3D-printed head.

Of the four devices tested, all Android models unlocked with the fake head, while the Apple phone did not.

The reality here is that facial recognition has serious vulnerabilities, and that is why 2019 will be the year hackers will steal the public’s faces.

In 2016, security and computer vision specialists from the University of North Carolina defeated facial recognition systems using publicly available digital photos from social media and search engines in conjunction with mobile VR technology.


While passwords may change, physical biometrics are genetic and specific to each person. By the same token, behavioural biometrics provide a continuous authentication layer by incorporating a person’s physical actions, including keystroke, mouse movement, scroll speed, how they toggle between fields, as well as how they manipulate their phone based on the accelerometer and gyroscope.

It is simply impossible for imposters to mimic these actions.

The combination of behavioural biometrics with strong authentication, whether based on advanced technology like Face ID or on 2FA, is a more sensible approach.

Organisations can identify intruders who hijack an open work session with at-login and in-use (continuous) authentication, paving the way for risk-based approaches that trigger authentication checkpoints when risk levels rise, for example when sensitive documents are accessed, particularly when those documents aren’t within the typical work footprint of a user.
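The risk-based checkpoint described above, as an added illustration that is not Forcepoint's code: a live keystroke sample is compared with a stored baseline, combined with the sensitivity and location of the document being opened, and the result decides whether the session is allowed, sent for step-up authentication, or blocked. The baseline timings, folder names and thresholds are all constructed for the example.

```python
from statistics import mean, pstdev

# Constructed baseline: keystroke dwell times (ms) recorded for one user during trusted sessions.
BASELINE_DWELL_MS = [92, 88, 95, 90, 87, 93, 91, 89, 94, 90]
# Constructed "work footprint": folders this user normally works in.
TYPICAL_FOOTPRINT = {"/projects/apac", "/shared/marketing"}


def keystroke_deviation(baseline, sample):
    """How far the live typing rhythm sits from the baseline, in standard deviations."""
    sigma = pstdev(baseline) or 1.0  # guard against a perfectly flat baseline
    return abs(mean(sample) - mean(baseline)) / sigma


def risk_score(sample_dwell_ms, document_path, sensitive):
    """Integer risk score (0-100) plus the reasons that contributed to it."""
    score, reasons = 0, []
    z = keystroke_deviation(BASELINE_DWELL_MS, sample_dwell_ms)
    if z > 3.0:
        score += 60
        reasons.append("typing rhythm does not match user")
    elif z > 2.0:
        score += 30
        reasons.append("typing rhythm drifting from baseline")
    if sensitive:
        score += 20
        reasons.append("sensitive document accessed")
        folder = document_path.rsplit("/", 1)[0]
        if folder not in TYPICAL_FOOTPRINT:
            score += 30
            reasons.append("document outside typical work footprint")
    return min(score, 100), reasons


def decide(sample_dwell_ms, document_path, sensitive, step_up_at=50, block_at=90):
    """'allow', 'step_up' (re-run strong authentication such as Face ID or 2FA) or 'block'."""
    score, reasons = risk_score(sample_dwell_ms, document_path, sensitive)
    if score >= block_at:
        return "block", reasons
    if score >= step_up_at:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed live samples: the genuine user, and an intruder on a hijacked session.
    genuine, intruder = [91, 89, 93, 90], [140, 150, 135, 145]
    print(decide(genuine, "/projects/apac/plan.docx", sensitive=False))
    print(decide(genuine, "/finance/payroll.xlsx", sensitive=True))
    print(decide(intruder, "/finance/payroll.xlsx", sensitive=True))
```

The reasons list is what a security operations team would want logged alongside the decision, so that each step-up or block can be reviewed afterwards.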
