Cybercriminals are stealing Face ID scans to break into mobile banking accounts

1_rick (Supreme [H]ardness) · Joined Feb 7, 2017 · 5,476 messages
https://www.theregister.com/2024/02/15/cybercriminals_stealing_face_id/

Cybercriminals are targeting iOS users with malware that steals Face ID scans to break into and pilfer money from bank accounts – thought to be a world first.

A Chinese-speaking cybercrime group, dubbed GoldFactory by Group-IB's researchers, started distributing trojanized smartphone apps in June 2023; however, the latest GoldPickaxe version has been around since October.

GoldPickaxe and GoldPickaxe.iOS target Android and iOS respectively, tricking users into performing biometric verification checks that are ultimately used to bypass the same checks employed by legitimate banking apps in Vietnam and Thailand – the geographic focus of these ongoing attacks.

You can change a compromised password. You can't change your face or fingerprints.
 
That's the problem with biometrics.

If the face/fingerprint/iris/whatever equivalent of a digital checksum is stolen, then what are you supposed to do? Get new eyes?

Passwords can be changed easily. Your face, not so much.

The convenience is just not worth the risk.

Use password or RSA-like crypto authentication. Everything else is useless.



Windows Goodbye.
 
If the face/fingerprint/iris/whatever equivalent of a digital checksum is stolen, then what are you supposed to do? Get new eyes?
The main takeaway from this story to me is more a surprise that Apple stores usable biometric data on the device, instead of some visual hash type of thing. For example, I'd learned like a decade ago that Disneyland's fingerprint implementation stores only the checksum of a simplified representation of the result, to disambiguate visitors, but doesn't store any of the data per se, kind of like how most websites don't store the password but only the hash, and check against that when users authenticate.

Article said:
Once the biometrics scans were captured, attackers then used these scans, along with deepfake software, to generate models of the victim's face.
This is very handwavy on the details involved, but the fact that usable biometric data is extractable is the issue. It's examples like this, where the true security of an implementation is an unknown, even from reputable companies, that will reinforce privacy-conscious users' decision to just avoid use of such tech.
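As an added illustration (not from the thread, and not Apple's or Disney's code), here is why a biometric template cannot simply be stored as a hash the way a website stores a password: a password is re-entered exactly, so an opaque digest can be compared bit for bit, while a fresh face or fingerprint scan only approximately matches the enrolment, so the matcher needs a comparable template, and hashing it rejects the genuine user. The feature vectors and threshold are constructed toy values.

```python
import hashlib
import secrets
from typing import Optional, Tuple

PBKDF2_ROUNDS = 600_000  # slow hash: fine for passwords, which are re-entered exactly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted, slow hash; the secret itself never needs to be kept."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Exact comparison works because the user types the identical secret every time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, digest)


def hamming(a: bytes, b: bytes) -> int:
    """Bit-level distance between two equal-length feature vectors."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def match_template(stored: bytes, fresh: bytes, max_distance: int) -> bool:
    """Biometric matching is a nearness test: a live scan is never bit-identical
    to the enrolment, so the stored template must stay comparable, not opaque."""
    return len(stored) == len(fresh) and hamming(stored, fresh) <= max_distance


def hashed_templates_match(stored: bytes, fresh: bytes) -> bool:
    """Applying the password trick to a template: one bit of sensor noise changes
    the digest completely, so the genuine user is rejected."""
    return secrets.compare_digest(hashlib.sha256(stored).digest(),
                                  hashlib.sha256(fresh).digest())


# Constructed toy templates (8 bytes each); real templates are far larger.
ENROLLED = bytes.fromhex("a5a5a5a5a5a5a5a5")  # captured at enrolment
FRESH_OK = bytes.fromhex("a5a5a5a5a5a5a5a4")  # same person, one bit of noise
IMPOSTOR = bytes.fromhex("5a5a5a5a5a5a5a5a")  # a different person
THRESHOLD = 8                                  # accept up to 8 differing bits

if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("password re-entered exactly   ->", verify_password("correct horse battery staple", salt, digest))
    print("template nearness match       ->", match_template(ENROLLED, FRESH_OK, THRESHOLD))
    print("impostor rejected             ->", not match_template(ENROLLED, IMPOSTOR, THRESHOLD))
    print("hashed template still matches ->", hashed_templates_match(ENROLLED, FRESH_OK))
```

The last line prints False: the hashed template is useless for matching, which is why a device that verifies biometrics has to keep something richer than a digest, and why stolen or tricked-out scans matter more than a leaked password hash.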
 
The main takeaway from this story to me is more a surprise that Apple stores usable biometric data on the device, instead of some visual hash type of thing. For example, I'd learned like a decade ago that Disneyland's fingerprint implementation stores only the checksum of a simplified representation of the result, to disambiguate visitors, but doesn't store any of the data per se, kind of like how most websites don't store the password but only the hash, and check against that when users authenticate.


This is very handwavy on the details involved, but the fact that usable biometric data is extractable is the issue. It's examples like this, where the true security of an implementation is an unknown, even from reputable companies, that will reinforce privacy-conscious users' decision to just avoid use of such tech.
The article states they trick people into letting the apps scan them, not that it takes it from a stored Face ID done by Apple etc. It's a Trojan, not an infection.
 
The main takeaway from this story to me is more a surprise that Apple stores usable biometric data on the device, instead of some visual hash type of thing. For example, I'd learned like a decade ago that Disneyland's fingerprint implementation stores only the checksum of a simplified representation of the result, to disambiguate visitors, but doesn't store any of the data per se, kind of like how most websites don't store the password but only the hash, and check against that when users authenticate.


This is very handwavy on the details involved, but the fact that usable biometric data is extractable is the issue. It's examples like this, where the true security of an implementation is an unknown, even from reputable companies, that will reinforce privacy-conscious users' decision to just avoid use of such tech.

Yikes. Disney takes your fingerprints now?

 
Was just about to edit my post with this correction, yeah. For some reason I'd glossed over it.
Yeah, social engineering to get people to install TestFlight or device management software first, to be able to sideload the trojan app.
 
The article states they trick people into letting the apps scan them, not that it takes it from a stored Face ID done by Apple etc. It's a Trojan, not an infection.
Either way, once your face data is out there, there's no getting rid of it, ever, and there's no way it's not getting sold. So this may not be Apple's fault, which is fine, but it's still bad.
 
Either way, once your face data is out there, there's no getting rid of it, ever, and there's no way it's not getting sold. So this may not be Apple's fault, which is fine, but it's still bad.
Oh of course. :) Not contesting that, was just clarifying it isn't a virus.
 
Yikes. Disney takes your fingerprints now?
For years. To prevent reuse/abuse of season passes and park hopper tickets (I have heard of people in the past going in as a group, then having one person run all the passes out of the park to bring in more people).

On the topic itself, the initial headline made it sound like the Secure Enclave had been broken, since that's where the biometric data on an iPhone goes.
 
That's the problem with biometrics.

If the face/fingerprint/iris/whatever equivalent of a digital checksum is stolen, then what are you supposed to do? Get new eyes?

Passwords can be changed easily. Your face, not so much.

The convenience is just not worth the risk.

Use password or RSA-like crypto authentication. Everything else is useless.


Windows Goodbye.
But that's exactly what Windows Hello does? Stores a secret in the TPM, so it only works with that device. Add BitLocker with TPM + pre-boot PIN. What's the problem?
 
Yeah, social engineering to get people to install TestFlight or device management software first, to be able to sideload the trojan app.
Yeah and because of this, it's a non-issue. At least for now. Apple needs to have a way to prevent this from happening with TestFlight apps.
 
On iOS they have to trick you into enrolling your device in their MDM platform so they can roll out the beta software.
Android is a lot more straight forward, but ouch not cool.
 
Good thing my bank account info is nowhere on any of my Apple devices. And on my Windows computer, no passwords for any bank or PP accounts are saved.
 