Face can’t keep your banking
safe anymore

In Asia, a disturbing threat has emerged where malicious actors get victims’ facial data and create convincing deepfake videos to gain access to their bank accounts. This raises the question: How can you ensure the safety of your money in the face of this new threat?

While biometrics have long been considered as a reliable authentication mechanism the increasing accessibility to deepfake technology has opened doors for cybercriminals to exploit it for their nefarious purposes.

In a shocking case of a banking trojan that steals people’s faces, fraudsters based in China have targeted older adults in Vietnam and Thailand to drain their bank accounts. These hackers disguise themselves as bank call centre agents and trick victims into sharing their identity documents and phone numbers. They then request facial scans from their victims, enabling them to carry out their fraudulent activities.

AI-generated deepfakes replace the images captured during the face scans. These deepfakes are extremely realistic and can bypass certain security checkpoints. One unfortunate victim, who downloaded a malicious app and was convinced to perform a face scan, lost more than R7.6-million ($40,000).

_{Anna Collard, SVP for content strategy at KnowBe4 Africa.}

Should we be worried?

Although this threat was discovered in Asia, consumers should nevertheless be concerned Using AI-generated deepfakes to bypass security checks shows a level of sophistication by these attackers and shows that criminals are embracing new and emerging technologies in their attacks.

Physical borders do not limit cybercriminals, and they will go wherever opportunities exist. In South Africa, mobile banking and mobile adoption is quite big. This, coupled with a relatively low level of consumer awareness, makes our region an attractive target for these criminals. The real-world impact, technical sophistication and lack of known defences make this an emerging cybersecurity risk consumers should be aware of and prepared to address as it continues to develop.

Are biometrics still safe?

The latest tactic has many IT experts questioning whether biometric identification is still safe to use. 

Unlike passwords or other credentials that can be changed, biometric identifiers like fingerprints and facial features are permanent and cannot be replaced. Also, criminals can use them repeatedly to impersonate victims and gain unauthorised access to their accounts, leading to banking fraud or a loss of their identity.

Despite the cause for alarm, Collard does not believe it’s time for individuals or organisations to give up biometric authentication just yet. Biometrics are usually more user-friendly than traditional passwords or patterns for locking phones and apps. This means they are more secure, as users are less likely to use weak or reused passwords. Also, biometric traits are unique and more difficult to steal compared to a password that could be guessed, phished, or hacked.

Increasing need for caution

However, organisations should not abandon using biometrics authentication but they need to keep pace with deepfake technology by implementing advanced liveness detection. Traditional liveness detection methods can be bypassed by advanced deepfake techniques that can inject fake imagery directly into the data stream. Because of this, companies must implement more sophisticated liveness detection, such as 3D-facial scanning and challenge-response tests.

Rather than relying on a single method of cybersecurity protection, I recommend a multifaceted strategy. The best approach would be to use biometrics with other mechanisms, such as strong passwords or phishing-resistant, multi-factor authentication methods. A layered approach always provides more protection than relying on one factor only because there is no such thing as a silver bullet in security.