Selfies for sale: Stolen data for biometric spoofs available on mainstream internet
Some advice about biometrics from a fraudster discovered by Montreal-based cybersecurity firm Flare Systems: “Major cryptocurrency exchanges like Coinbase have strict anti-fraud policy and I DO NOT RECOMMEND (sic) to use them, some require selfie with CC, some photo of CC etc.”
Instead, the cybercriminal, selling complete sets each containing an ID photo, address confirmation, and “selfie with ID” for $3 each, advises using a specific pair of smaller exchanges that allegedly have weaker anti-fraud measures.
Flare Systems Chief Science Officer David Hétu tells Biometric Update in an interview that the company typically finds ID data, including selfies for use in presentation attacks against biometric systems, on the internet. The dark web is the domain of materials that attract more law enforcement attention, like drugs and illegal pornography.
The company launched its business gathering intelligence on malicious actors, but now also looks at its clients themselves for things like employees oversharing online. There is a wealth of potential material online for criminals already, according to Hétu. Fortunately, “between what is possible and what people actually do, there is a huge gap.”
Otherwise, the global financial system would be imperiled.
“Everything is out there,” Hétu observes. “If you’re looking for fake IDs, that’s something that’s incredibly easy to order online today. You have people selling either scans of IDs or the real documents, and these from what we hear are going to be varying quality from very poor to excellent, where it’s almost impossible to distinguish them from the real thing.”
This data is available and being resold on the public internet, so this is where Flare Systems must look for intelligence on identity fraud and what is happening with images of people.
The goods and services sold on the dark web are typically those for which law enforcement agencies already have dedicated units, which keeps those who sell them in the digital shadows. A website selling cocaine on the web would be acted against immediately, or if a person crossed a border with illegal drugs, forensic resources would be deployed to connect that particular sample with others and trace its source. By contrast, Hétu says, attention on and enforcement of identity data fraud is lacking all around the world.
Identity fraud and document sales also tend to be international, and Hétu points out that “as soon as you mention the word international, law enforcement are going to run away, pretty much, just because launching international investigations takes a lot of time and resources, and you’re not sure what you’re going to get.”
Law enforcement is usually incentivized to close cases quickly, not pursue individual bad actors half a world away.
This means the data is even more widely available than it is widely used, according to Hétu.
The packages of identity data are often sold as being a “complete set,” “pack,” or “fulls,” and advertised as being able to defeat many of the new restrictions and technologies being implemented.
Whatever measures are put in place are bound to involve some degree of friction, and Hétu relates an experience in which someone he knows was unable to pass an ID document and selfie biometric check, because the service provider’s facial recognition engine returned a false non-match when the individual attempted authentication.
“The most security-conscious companies are probably losing customers because of this,” he says.
Authenticating customers or knowing your customers at scale without meeting in person remains incredibly difficult in Hétu’s view.
Deepfakes have not yet reached the online criminal mainstream, according to Flare’s investigations, and researchers never really see other biometrics like fingerprint templates, or DNA data advertised by those who deal in stolen ID data, Hétu reports.
“A biometric is really useful when you’re meeting someone in person, so they’re coming to your bank branch and you can actually scan them,” Hétu observes. “Even over the phone I’m seeing more and more voiceprints being used to authenticate people, and to the best of my knowledge, these are not things that are for sale on the dark web, or even on the internet.”
He raises the notion of “cost and signals,” suggesting that not just the use of a traditional password, but even a rudimentary biometrics implementation “doesn’t significantly raise the bar for malicious actors trying to get into these systems, or trying to use a legitimate service for nefarious reasons.”
A sacrifice on the part of the person (or ‘cost’) makes the signal trustworthy.
“How can you increase the cost so that I will still tell you that I’m David, and prove it to you, while making sure that people who are not David cannot pay the cost or it makes no sense for them to pay the cost,” Hétu explains.
The selfie adds to the cost of the signal, but not sufficiently to make a major impact on fraud. Adding other technologies like liveness checks, or forcing the user into a different channel, where another biometric can be applied, such as a verification phone call with voice recognition, could increase the cost much more for bad actors than for legitimate users.
Some signals are easily reproduced, and information is readily available on how to avoid triggering suspicion from many automated risk systems, Hétu says, giving the example of instructions for how long to browse a site before attempting a transaction.
“There’s kind of a special recipe for each company, because the malicious actors have reverse-engineered their security protocols, and then they’re offering solutions to counter them.”
For the most sophisticated selfie biometric authentications, however, it is not worth the effort for malicious actors to reverse-engineer them.
“If I was a CISO in a company or a CEO, that’s what I would ask all of my vendors,” Hétu says: “How does your solution make it more costly for the malicious actors to send me the signal than one of my users? And if you can prove to me that you’re improving this cost, then we’re going to buy your solution.”