Hackers spoofed biometric authentication videos to steal millions in China

A Chinese government facial recognition ID authentication tool recently was hacked, according to media reports. The biometric data stolen was used to create fake tax invoices.

High-resolution images of people were made to look live, for the crime, with each “nodding, shaking, blinking and opening their mouths,” according to the South China Morning Post, presumably to beat a biometric presentation attack detection (PAD) system. 

According to Morning Post, reporting on an article in the Xinhua Daily Telegraph, the sophisticated biometric spoof attack and theft is being attributed to a pair of hackers with the surname Wu and Zhou.

They allegedly netted 500 million yuan, or US$76.2 million, operating for less than two years. Shanghai authorities in January posted online that the two had been prosecuted.

The Morning Post reported that the team purchased biometric information on the black market. Armed with the personal data and augmented pictures, the hackers used a shell company to send fraudulent tax invoices to the company’s “clients.”

The hackers hijacked phone cameras so that people would try to authenticate themselves with video, but that information went nowhere.

The Morning Post also reports online services for defeating face biometric systems are available for 30 to 250 yuan ($4.58 to $38.15).

Article Topics

authentication  |  biometric data  |  biometric liveness detection  |  biometrics  |  China  |  data protection  |  facial recognition  |  identity verification  |  presentation attack detection  |  spoofing