Govts, financial institutions, others on alert as attacks on biometrics rise


• Criminals advance across platforms, eye mobile web, native Android, iOS
As biometric registrations continue to prevail in many countries, especially in Nigeria, governments and businesses have been warned and alerted to the rise in attacks on biometrics across the globe.


Specifically, a new biometric threat intelligence report from iProov observed that in the past year there was a 149 per cent increase in threat actors using emulators to attack mobile platforms, adding that there has also been a 295 per cent increase in novel face swaps.

Gur Geva, Founder and Chief Executive Officer of iiDENTIFii, a premier partner of iProov in Africa, said: “Biometric attacks continue to grow in volume, intensity and sophistication. If we are to successfully combat these risks, we need to uncover and understand the anatomy of biometric attacks.”

The report noted that as governments and businesses continue to unlock new value and efficiency through digital services, one key challenge remains. It said organisations need to be assured that the person on the other side of the screen is human and is who they claim to be.

Already, in Nigeria, there are many platforms for which people’s biometrics have been demanded. It started with the Bank Verification Number (BVN), followed by the Driver’s Licence, National Identity Number (NIN), Nigeria Immigration Service (NIS) and SIM card registration, among others.

The strategy behind these platforms, apart from easy identification of the people, is also to curb criminal activities in the country. However, despite various biometrics, criminal activities remain very high.

For instance, frauds worth about N3.62 billion have been perpetrated through Automated Teller Machines (ATM), Point of Sale (PoS), mobile and other electronic channels and cash, as of the third quarter of 2022.

FITC disclosed this in its ‘Report on Frauds and Forgeries in Nigerian Banks’ for quarter three, 2022, adding that bank personnel carried out all cash theft cases reported within the period.

Specifically, the 18-page document revealed that in the third quarter of 2022, 19,314 cases were reported, compared to 20,195 witnessed in the same period in 2021, which was a decrease of 4.36 per cent.

However, the total amount involved dropped from N34.8 billion to N9.62 billion, a decrease of 72.34 per cent. But the total amount lost in the same period last year was N853,167,293.61 (2021) against N3.62 billion in Q3, 2022, representing an increase of 324.50 per cent.


According to FITC, outsider involvement in the frauds increased, moving from 14,243 in Q3, 2021 to 16,125 a year after, which was a 324.50 per cent rise. Insider (staff) involvement increased significantly from 32 in Q3, 2021 to 112 in Q3, 2022, a 250 per cent rise.
Within this period, 14 appointments were terminated in Q3, 2021 while 20 bank staff were relieved of their duties a year after.

Indeed, the iProov report observed that Interpol’s first-ever Global Crime Trend report estimated that over 70 per cent of respondents (all from law enforcement) expect crimes such as ransomware and phishing attacks to increase significantly in the next three to five years, saying this renders traditional verification technologies such as one-time passwords (OTPs) outdated and a security risk.

It pointed out that biometrics such as iris and retina offer a deeper method of verification but fall short in terms of liveness – they cannot bind a digital identity to a real-world individual in motion. In addition to this, the technology used to capture this biometric data may not always be as accessible or inclusive as required.

Geva said, “We have worked with our local public and private sector partners to champion face-verification authentication in South Africa and beyond.” He said that by scanning their facial features using their smartphone or tablet, individuals can verify their identity.

However, he said as this space grows, so do the threats to its safety. “Cybercriminals continue to find new, sophisticated ways to intercept this technology. With this in mind, organisations need to remember that not all face verification technologies can keep up with the rapidly changing threat landscape or have the same level of security, resilience and ability to adapt to novel threats,” he stated.


According to the report, biometric security threats currently fall into two categories, which are presentation attacks and digital injection attacks.

It explained that presentation attacks refer to photos, videos or even masks being held up to a screen to fool the technology into mapping the features of the identity being defrauded.

In the case of digital injection attacks, it said imagery is injected directly into the video stream, either through emulators, hacking tools, or virtual cameras.

Geva explained: “In 2022, we witnessed injection attacks occur five times more frequently than persistent presentation attacks across the web. This is because injection attacks are far more scalable than presentation attacks, as they do not require the manual creation of a physical artefact or any physical presentation, but rather the creation of a highly automated attack machine.”

The report observed that 2022 saw dramatic changes in digital injection attacks, stressing that criminals are now advancing across platforms, targeting mobile web, native Android, and native iOS via emulators. It said with the emergence and growth of sophisticated face swaps, low-skilled criminals now have the means to launch advanced attacks.

Threat actors, according to the report, launched motion-based attacks simultaneously and at scale against hundreds of systems globally.

Three types of synthetic injection attacks dominated the threat landscape in 2022: two-dimensional image face swaps, image-to-video deepfakes and video face swaps.

The iProov report defines face swaps as “a form of synthetic imagery created using two inputs where a criminal combines traits from one face, such as motion, with the appearance of another face to create a new synthetic 3D video output.”
